CN110620773B - TCP flow isolation method, device and related components - Google Patents


Info

Publication number: CN110620773B
Authority: CN (China)
Application number: CN201910894836.3A
Other languages: Chinese (zh)
Other versions: CN110620773A
Prior art keywords: tcp, message, configuration information, information, terminal
Inventors: 刘玉训, 李凌志
Current assignee: Shenzhen Sundray Technologies Co ltd
Original assignee: Shenzhen Sundray Technologies Co ltd
Legal status: Active (the legal status is an assumption and not a legal conclusion)
Events: application filed by Shenzhen Sundray Technologies Co ltd; priority to CN201910894836.3A; publication of CN110620773A; application granted; publication of CN110620773B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The application discloses a TCP flow isolation method comprising the steps of determining, on a whole-network basis, a black and white list of the information transmission terminals and generating configuration information; sending the configuration information to the system edge devices; and, if a system edge device receives a TCP SYN message, intercepting and judging the message by matching it against the configuration information and carrying out the corresponding message processing according to the judgment result. Because a received TCP SYN message is judged against the configuration information in software, with the corresponding message processing carried out according to the judgment result, this combination of software and hardware reduces the number of matching policies and the occupation of hardware ACL resources. The application also provides a TCP flow isolation apparatus, a device and a readable storage medium, which have the same beneficial effects.

Description

TCP flow isolation method, device and related components
Technical Field
The present application relates to the field of electronic technologies, and in particular, to a TCP flow isolation method and apparatus, a TCP flow isolation device, and a readable storage medium.
Background
After an intranet device is infected with a worm virus, the worm propagates rapidly through risk ports (mainly TCP service ports), so a network administrator needs a rapid and effective scheme to block risky lateral access within the intranet.
A traditional switch can restrict the TCP (Transmission Control Protocol) traffic of the intranet only by configuring hardware ACL (Access Control List: an instruction list of a router or switch interface that controls the data packets entering and leaving a port) rules. That configuration requires professional switch configuration knowledge and generally offers no visual scheme. In addition, hardware ACL resources are often limited, especially on access-layer switches, while there are theoretically 65535 TCP service ports, far more than the hardware resource limit of access-layer equipment allows; because the configuration is complex, users cannot accurately isolate TCP services in the network, and the risk of lateral virus propagation in the intranet is high.
Disclosure of Invention
An object of the present application is to provide a TCP flow isolation method that can ensure the safety of equipment and reduce the occupation of hardware ACL resources; another object of the present application is to provide a TCP traffic isolation apparatus, device and readable storage medium.
In order to solve the above technical problem, the present application provides a TCP flow isolation method, including:
determining a black and white list of an information transmission terminal to generate configuration information;
sending the configuration information to system edge equipment;
if the system edge equipment receives a TCP SYN message, calling the configuration information to intercept and judge the message and generating a judgment result;
and carrying out corresponding message processing according to the judgment result.
Optionally, the determining a black and white list of the information transmission end includes:
dividing information transmission ends to be protected into protection area groups; wherein the protection zone group is configured to block TCP SYN packets by default;
dividing information transmission ends which are not to be protected into trust area groups; wherein the trusted zone group puts through a TCP SYN packet by default.
Optionally, the TCP traffic isolation method further includes:
setting a white list for the protection area group, and adding the devices whose traffic is to be put through to a protected information transmission end into the white list;
and setting a blacklist for the trust zone group, and adding the devices whose traffic is to be blocked for a specified unprotected information transmission end into the blacklist.
Optionally, the determining a black and white list of the information transmission end includes:
determining mapping data between a terminal type and a traffic blocking strategy;
correspondingly, if the system edge device receives a TCP SYN packet, calling the configuration information to perform interception judgment on the packet, including:
identifying the type of the terminal;
inquiring a flow blocking strategy corresponding to the terminal type according to the mapping data to obtain a terminal type matching strategy;
and calling the terminal type matching strategy to carry out interception judgment on the message.
Optionally, performing corresponding message processing according to the determination result, including:
if the judgment result is interception, performing TCP blocking;
and if the judgment result is put through, sending the current TCP SYN packet to a destination port.
Optionally, issuing the configuration information to a system edge device includes:
and issuing the configuration information to system edge equipment through an encryption tunnel.
Optionally, the TCP traffic isolation method further includes:
if the system edge equipment receives a TCP SYN message, acquiring access information and generating an access time record;
analyzing attack behaviors according to the access time record to generate a source end identity judgment result;
and performing corresponding source end behavior processing according to the source end identity judgment result.
Optionally, the TCP traffic isolation method further includes: and adjusting the configuration information according to the source end identity judgment result.
Optionally, the TCP traffic isolation method further includes:
acquiring an access time record of system edge equipment in a preset range to obtain system record information;
carrying out attacker risk analysis according to the system record information to generate a risk analysis result;
and displaying the risk analysis result.
Optionally, performing attacker risk analysis according to the system record information, including:
and performing high-risk attacker ranking, TCP service access statistics, interception statistics, terminal intercepted statistics and release statistics according to the system record information.
Optionally, the TCP traffic isolation method further includes:
according to the system record information, identity discrimination is carried out on each information transmission end in the system to obtain an identity discrimination result;
and performing feedback adjustment according to the identity judgment result.
The application also discloses a TCP flow isolation device, includes:
the configuration information generating unit is used for determining a black and white list of the information transmission terminal and generating configuration information;
the configuration information issuing unit is used for issuing the configuration information to the system edge equipment;
the interception judging unit is used for calling the configuration information to carry out interception judgment on the TCP SYN message if the system edge equipment receives the TCP SYN message and generating a judging result;
and the message processing unit is used for carrying out corresponding message processing according to the judgment result.
The application also discloses a TCP flow isolation device, includes:
a memory for storing a program;
and the processor is used for realizing the steps of the TCP flow isolation method when executing the program.
The application also discloses a readable storage medium, on which a program is stored, which when executed by a processor implements the steps of the TCP traffic isolation method.
According to the TCP flow isolation method, a device in the system performs unified configuration of the information transmission ends and issues it to each system edge device, so that dangerous behaviour in the system can be analysed and judged and the safety of the equipment is ensured. In addition, when a TCP SYN message is received, the configuration information is called and the message is judged in software, with the corresponding message processing carried out according to the judgment result; through this combination of software and hardware, the number of matching policies can be reduced, and the occupation of hardware ACL resources is reduced.
The application also provides a TCP flow isolation device, equipment and a readable storage medium, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a TCP traffic isolation method according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a configuration information issuing process provided in an embodiment of the present application;
fig. 3 is a block diagram of a structure of a TCP traffic isolation device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a TCP traffic isolation device according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a TCP flow isolation method that can ensure the safety of equipment and reduce the occupation of hardware ACL resources; a further core of the application is to provide a TCP traffic isolation apparatus, device and readable storage medium.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The first embodiment is as follows:
referring to fig. 1, fig. 1 is a flowchart of a TCP traffic isolation method according to the present embodiment; the method mainly comprises the following steps:
step s110, determining a black and white list of an information transmission terminal, and generating configuration information;
the information transmission end refers to a device that can implement information transmission in the system, such as a Switch (Switch), a port, a wireless network set identifier (SSID) of an Access Point (AP), and the like.
The black-and-white list of the information transmission terminal refers to the port configuration of each information transmission terminal in a system-specified range, for example, no. 1 to No. 5 ports of the switch 1 in the whole network prohibit other devices except the AP1 from transmitting data. The black-and-white list may be an individualized setting for each port of each device, or may be a unified setting for a certain type of ports, for example, the black-and-white list may be set for each port of the switch 1, or the black-and-white list may be set for switches in a certain area, which is not limited herein.
In addition, the configuration information in this embodiment may be configuration information based on the entire network, and may ensure secure transmission between apparatuses in the entire network.
Step s120, sending the configuration information to the system edge device;
the device type specifically included in the system edge device may refer to the introduction in the related art, and the system edge device in this application specifically includes hardware, such as a Switch (Switch), a port, a designated AP, and the like, which may receive a TCP SYN message of a user in the device, and the device type of the system edge device in this embodiment may be the same as that of the information transmission end in step s110 described above.
The process of issuing the configuration information may refer to an information issuing manner in the related art, which is not limited herein. In order to avoid that the configuration information is illegally tampered in the issuing process and the safety of the intranet equipment is influenced, optionally, the configuration information can be issued to the system edge equipment through an encryption tunnel, and the safety of the information can be ensured by issuing the information through the encryption tunnel.
Step s130, if the system edge device receives the TCP SYN message, calling configuration information to perform interception judgment on the message, and generating a judgment result;
In this step, following the hardware implementations of the related art, when a system edge device receives a message it parses the message and determines whether it is a TCP message, and if so whether it is a SYN message. If the message is a TCP SYN message, the subsequent interception judgment is performed; if not, the data may be forwarded directly or examined further according to the related art, which this embodiment does not limit.
Because lateral virus propagation among intranet devices currently proceeds mainly by sending SYN messages to TCP service ports, the traffic interception judgment in this application is aimed mainly at TCP services.
Calling the configuration information to perform the interception judgment on the message specifically comprises: parsing the relevant service information in the message, mainly the data source end and the destination end, and judging according to the port black-and-white list in the configuration information whether the current service information meets the criteria for interception or release; if it meets the interception criterion, the message is judged to require interception, and if it meets the release criterion, it is judged that it may be released. The interception or release criteria are determined from the configuration information. For example, if the configuration information states that ports 1 to 5 of switch 1 prohibit any device other than AP1 from transmitting data, and the source of the currently received TCP SYN message is AP2 while the transmission end is port 2 of the switch, the interception criterion is met.
And step s140, performing corresponding message processing according to the judgment result.
The judgment result mainly falls into two categories, interception required and release required. If the current configuration information contains no interception or release criterion relevant to the current TCP SYN message, the judgment result may further include an undetermined category, in which case the relevant technicians may be notified to perform corresponding processing (for example, manual confirmation and supplementing the configuration information accordingly); the handling of that result is not limited in this embodiment.
If the judgment result is that interception is required, the information can be intercepted so that dangerous data poses no threat to the intranet equipment; specifically, TCP blocking can be performed, which means analysing the TCP SYN message, replying with an RST message and thereby preventing the TCP connection from being established.
If the judgment result is that the message is to be released, the message can be sent unchanged to the specified port; verification information and the like may of course also be added to the message. This embodiment describes only the above message processing means by way of example; other blocking or transmission methods may follow this description and are not repeated here.
Based on the above description, the TCP traffic isolation method provided in this embodiment performs unified configuration on the information transmission end, and issues the configuration to each system edge device, so as to ensure analysis and judgment of dangerous behaviors in the system, and ensure device safety.
Example two:
Different from the first embodiment, this embodiment builds on the first and is described mainly from the viewpoint of how the configuration information is set. The above embodiment does not limit the manner of determining the black and white list of the information transmission ends, which may be set according to actual configuration needs; this embodiment mainly describes two determination manners, and other manners may refer to this description and are not repeated here.
1. A method for determining a black-and-white list of an information transmission terminal is as follows:
dividing an information transmission end to be protected into protection area groups; wherein, the protection zone group blocks TCP SYN packets by default;
dividing information transmission ends which are not to be protected into trust zone groups; wherein the trusted zone group puts through the TCP SYN packet by default.
Switches, ports, or the SSIDs of designated APs that need protection are divided into one group, called the protection area; switches, ports, or the SSIDs of designated APs that do not need protection are divided into another group, forming the trust area group. In this determination manner the interception criterion of each group is preset and devices and ports are simply added to the corresponding group, which simplifies the determination of the black and white list while still guaranteeing effective traffic isolation.
In addition, a user-defined list can be set for the protection area group and the trust area group. Specifically, a white list can be set for the protection area group, into which the devices whose traffic is to be put through to a specified protected information transmission end are added; if traffic from certain port groups or AP SSIDs is to be put through, it can be added to the white list of that group rule. A blacklist can be set for the trust zone group, into which the devices whose traffic is to be blocked for a specified unprotected information transmission end are added; if traffic from certain port groups or AP SSIDs is to be disallowed, it can be added to the blacklist of that group rule. This further configuration enhances the flexibility of the rules and ensures flexible interception under various conditions.
To further understand, the present embodiment introduces a configuration information generation and distribution process based on the foregoing manner, and fig. 2 is a schematic diagram illustrating distribution of configuration information.
In the figure, a is a port of a protected area switch, B is a port of a trusted area switch, C is an SSID of a protected area AP, and D is an SSID of a trusted area AP.
For A, protected area switch port:
(1) TCP traffic is blocked by default;
(2) TCP traffic from the white-listed source group is put through.
For B, trusted area switch port:
(1) TCP traffic is put through by default;
(2) TCP traffic from the black-listed source group is blocked.
After the configuration information has been configured on the server, it is issued to each switch through the encrypted tunnel.
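The first embodiment's judgment combined with the zone-group configuration just described, as an added example written for this page (not code from the patent): the ingress names, MAC-based white/black lists and the sample frames are assumptions.

```python
"""Zone-group TCP SYN judgment: added illustration, not code from the patent.
Assumed (not stated in the patent): an ingress is named by a string such as
"switch1/port2" or "AP1/office", white/black lists hold source MAC addresses,
and the edge device sees raw Ethernet frames."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

ETH_P_IP = 0x0800          # EtherType for IPv4
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
PROTECTED, TRUSTED = "protected", "trusted"


@dataclass(frozen=True)
class SynInfo:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tcp_syn(frame: bytes) -> Optional[SynInfo]:
    """Addressing of an IPv4 TCP connection request (SYN set, ACK clear); else None."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    if not flags & TCP_SYN or flags & TCP_ACK:
        return None
    return SynInfo(_mac(frame[6:12]), _mac(frame[0:6]),
                   socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                   src_port, dst_port)


@dataclass(frozen=True)
class ZoneRule:
    zone: str                  # PROTECTED: block by default, sources = white list
    sources: FrozenSet[str]    # TRUSTED: release by default, sources = black list


class IsolationConfig:
    """Whole-network configuration (ingress -> rule), issued to every edge device."""
    def __init__(self) -> None:
        self.rules: Dict[str, ZoneRule] = {}

    def protect(self, ingress: str, whitelist: Iterable[str] = ()) -> None:
        self.rules[ingress] = ZoneRule(PROTECTED, frozenset(m.lower() for m in whitelist))

    def trust(self, ingress: str, blacklist: Iterable[str] = ()) -> None:
        self.rules[ingress] = ZoneRule(TRUSTED, frozenset(m.lower() for m in blacklist))

    def judge(self, ingress: str, syn: SynInfo) -> str:
        """Interception judgment: "block", "release", or "undetermined" (no rule)."""
        rule = self.rules.get(ingress)
        if rule is None:
            return "undetermined"
        listed = syn.src_mac.lower() in rule.sources
        if rule.zone == PROTECTED:
            return "release" if listed else "block"
        return "block" if listed else "release"


def handle_frame(cfg: IsolationConfig, ingress: str, frame: bytes) -> str:
    """Edge-device path: non-SYN frames are forwarded; a SYN is judged and mapped
    to its processing: "rst" (TCP blocking: answer the source with RST so no
    connection is established), "forward", or "hold" for manual confirmation."""
    syn = parse_tcp_syn(frame)
    if syn is None:
        return "forward"
    return {"block": "rst", "release": "forward"}.get(cfg.judge(ingress, syn), "hold")


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed sample frame: Ethernet + minimal IPv4 + TCP header, no checksums."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed configuration mirroring the figure: ports 1-5 of switch 1 are in the
# protection area with AP1 (MAC assumed) white-listed; port 7 is in the trust area.
AP1, AP2, BAD = "00:11:22:00:00:01", "00:11:22:00:00:02", "de:ad:be:ef:00:01"
CONFIG = IsolationConfig()
for p in range(1, 6):
    CONFIG.protect(f"switch1/port{p}", whitelist=[AP1])
CONFIG.trust("switch1/port7", blacklist=[BAD])
```

Note that a SYN+ACK or plain ACK arriving on a protected port is forwarded, since only connection requests are subject to the judgment; an established flow is never cut by this check.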
In order to simplify the configuration process, a configuration information generation method for dynamically issuing a traffic blocking policy based on a terminal type is introduced below.
2. A method for determining a black and white list of an information transmission terminal based on a whole network comprises the following steps: and determining mapping data between the terminal type and the traffic blocking strategy.
The traffic blocking policies for the various terminal types are configured in advance; the terminal types can be set according to actual traffic blocking needs, for example by device type (switch, AP end, and so on) or by location (terminal in a first area, terminal in a second area, and so on).
Correspondingly, if the system edge device receives the TCP SYN packet, the process of calling the configuration information to intercept and determine the packet is specifically as follows:
(1) Identifying the type of the terminal;
(2) Inquiring a flow blocking strategy corresponding to the terminal type according to the mapping data to obtain a terminal type matching strategy;
(3) And calling a terminal type matching strategy to intercept and judge the message.
For example, according to the dynamically identified terminal type, it is possible to match dynamically which TCP service ports should be opened and which blocked for a terminal of that type. After the dynamic traffic blocking policy based on terminal type is enabled, the edge device reports the MAC address (Media Access Control address, also called LAN address, Ethernet address or physical address, which identifies the location of a device on the network), DHCP (Dynamic Host Configuration Protocol) messages and DNS (Domain Name System) messages to the unified control platform, which identifies the type of the terminal from these characteristics. When the TCP traffic blocking module of the edge device receives a message, it takes out the destination MAC address, queries the type of that terminal, and releases or blocks the TCP traffic to that MAC by matching the policy corresponding to the type.
In this method, the services that a terminal of a given type should have put through can be issued automatically according to the terminal type, and the services it should not have put through are rejected. This avoids the common situation in which a network administrator does not know how to configure protection for a given type of terminal, simplifies configuration for the user, and makes the configuration process more flexible.
Example three:
the embodiment is further expanded on the basis of the first embodiment mainly from the viewpoints of enhancing the comprehensiveness of the scheme and improving the user experience.
If the system edge device receives the TCP SYN packet, the following steps may be further performed:
(1) Acquiring access information and generating an access time record;
The specific items of the access time record may be set according to the subsequent information screening requirements and are not limited here; the MAC address referred to (Media Access Control address, also called LAN address, Ethernet address or physical address) is the address used to identify the location of a device on the network.
(2) Analyzing the attack behavior according to the access time record to generate a source end identity judgment result;
The purpose of the attack behaviour analysis is to determine whether a certain terminal (uniquely labelled by its source MAC address) may be exhibiting attack behaviour; the analysis itself may follow implementations in the related art, for example analysing attack behaviour from message content, message sending frequency and message receivers.
(3) And performing corresponding source end behavior processing according to the source end identity judgment result.
Specifically, once a terminal is judged to be an attacker, the configuration information of all edge switches or APs can be updated, the terminal added to their blacklist, and all messages from that source MAC dropped, thereby blocking the terminal's attack traffic; if it is judged not to be an attacker, no operation is needed.
For example, if switch 1 was judged to be a secure switch before the configuration information was generated and was therefore added to the white list of each system edge device, and a large amount of attack behaviour is then found in the behaviour analysis of switch 1, the configuration information can be adjusted and switch 1 moved to the blacklist. Adjusting the configuration information by feedback from the source identity judgment result further improves device safety during operation and closes gaps in the configuration.
In addition to the steps described in the first embodiment, the following steps may be further performed:
(1) Acquiring an access time record based on system edge equipment in a preset range to obtain system record information;
(2) Carrying out attacker risk analysis according to the system record information to generate a risk analysis result;
(3) And displaying the risk analysis result.
In the related art, attack detection can generally be performed only on a single device; if an attacker roams among multiple APs, or between a switch with an AP of any vendor and another AP, the traffic seen by a single device cannot reveal the attacker. The steps of this embodiment perform attack detection on the traffic of the whole network (switches and APs), which greatly improves the efficiency of identifying an attack source and ensures system security.
Specifically, the attacker risk analysis according to the system record information may include: high-risk attacker ranking, TCP service access statistics, interception statistics, per-terminal interception statistics and release statistics, one or more of which may be selected; other analysis modes may also be chosen without limitation. The display mode of the risk analysis result is likewise not limited in this embodiment; it may be displayed through a UI or otherwise according to the user's actual information needs.
The behaviour log event records are analysed; the high-risk attacker ranking, TCP service access statistics, interception statistics and per-terminal interception and release counts are displayed through UI charts and the like. With charts showing the access and interception counts of each service, administrators can visualise TCP service behaviour, attacks and terminal behaviour, which improves the efficiency with which users obtain useful information and improves the user experience.
Further, in order to make better use of the system record information and improve the accuracy of the black and white lists, the following steps may optionally be performed to carry out analysis and statistics for each device in the system:
identity discrimination is performed on each information transmission end in the system according to the system record information to obtain an identity discrimination result;
feedback adjustment is performed according to the identity discrimination result.
Specifically, one identity discrimination process is as follows: once a source terminal has accessed more than a certain number of devices, or more than a certain number of ports, within a short time, it can essentially be judged to be exhibiting attack behaviour. At that point a dedicated blocking policy keyed on the attacking source MAC address can be dynamically issued to the access switch of that MAC, forbidding its traffic at the switch. In this way the actual running state of the system feeds back into the system's black and white lists: the identity of a device is judged from how it actually behaves, the identification rate of dangerous devices is improved, and the security of the system is ensured.
To deepen understanding of the extension scheme provided in this embodiment, the overall query and judgment process is described below using a specific execution flow as an example.
On an edge device such as a switch or AP, a hardware ACL is configured on the designated port or AP SSID (a port in the trust zone or protection zone) so that a user's TCP SYN message is handed up for inspection. The TCP SYN message is parsed according to the issued configuration policy to judge whether it is a message the user has configured to be blocked. If it needs to be blocked, an RST message is sent to the source (after the RST is sent the TCP connection is interrupted, i.e. the flow is cut off). If it does not need to be blocked, the message is forwarded unchanged to the designated port.
Whether or not the access is blocked, an access event record (source MAC, destination MAC, service port number, source IP, destination IP, time, and so on) is reported to the unified control platform, and the location of the source MAC address, i.e. which port of which switch or which SSID of which AP, is looked up in and recorded by the platform's unified location recording module.
After receiving the access behaviour event logs reported by all edge devices such as switches and APs, the platform judges uniformly whether a given terminal (uniquely identified by its source MAC address) is exhibiting attack behaviour. For example, a virus-infected host typically first scans whether ports on all terminals in the intranet are open, attempting connections with TCP SYN messages, so that the terminal shows a large number of such accesses in a short time. Once it is judged to be an attacker, it is sent to all edge switches and APs, added to their blacklists, and all messages from that source MAC are discarded, which blocks the attack traffic.
In addition, the behaviour log event records are analysed comprehensively: high-risk attacker ranking, TCP service access statistics, interception statistics and per-terminal interception and release statistics are computed and displayed through UI charts and the like, so that administrators can visualize TCP service behaviour, attacks and terminal behaviour.
The extension scheme introduced in this embodiment effectively ensures that dangerous data is intercepted, further improves the system's ability to identify dangerous devices, guarantees system security and improves the user experience.
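The following is an added worked example, written for this page and not code from the patent or its assignee, of the unified control platform's side of the flow just described: it consumes the per-SYN access event records reported by switches and APs, slides a short time window over each source MAC to decide whether that terminal is scanning (too many distinct hosts or too many distinct ports), builds the source-MAC drop policy pushed back to the edge devices as the feedback adjustment, and computes the statistics listed above. The thresholds, window length, MAC addresses, device names, location record and all event records are constructed for illustration; the patent only says "a certain number" in "a short time".

```python
# Added example (not the patent's code): unified control platform side.
# Thresholds, window, MACs, device names, location record and records are constructed.
from collections import Counter, defaultdict

WINDOW_S = 10   # "a short time" (constructed)
MAX_HOSTS = 5   # distinct destination hosts tolerated inside one window (constructed)
MAX_PORTS = 5   # distinct destination ports tolerated inside one window (constructed)

EDGE_DEVICES = ["sw1", "sw2", "ap7"]             # constructed
LOCATION = {                                     # unified location record (constructed)
    "de:ad:be:ef:00:01": ("sw1", "port ge0/3"),
    "ca:fe:00:00:00:02": ("ap7", "SSID Guest"),
    "ba:ad:00:00:00:03": ("sw2", "port ge0/7"),
    "00:11:22:33:44:55": ("sw1", "port ge0/1"),
}


def rec(src_mac, dst_ip, port, ts, blocked=False):
    """One access event record as an edge device reports it (constructed)."""
    return {"src_mac": src_mac, "dst_mac": "aa:bb:cc:00:00:10", "port": port,
            "src_ip": "10.0.0.9", "dst_ip": dst_ip, "ts": ts, "blocked": blocked}


RECORDS = (
    # horizontal sweep: one service port across many hosts, one SYN per second
    [rec("de:ad:be:ef:00:01", f"10.0.0.{i}", 445, 100 + i) for i in range(1, 9)]
    # vertical scan: many ports on one host
    + [rec("ca:fe:00:00:00:02", "10.0.0.20", p, 200 + i)
       for i, p in enumerate([21, 22, 23, 25, 80, 443, 8080])]
    # slow sweep: seven hosts, but only one SYN every 30 s
    + [rec("ba:ad:00:00:00:03", f"10.0.1.{i}", 22, 30 * i) for i in range(1, 8)]
    # ordinary user: repeated HTTPS to one server plus one blocked telnet attempt
    + [rec("00:11:22:33:44:55", "10.0.0.50", 443, 300 + i) for i in range(4)]
    + [rec("00:11:22:33:44:55", "10.0.0.51", 23, 310, blocked=True)]
)


def discriminate(records, window=WINDOW_S, max_hosts=MAX_HOSTS, max_ports=MAX_PORTS):
    """Identity discrimination: per source MAC, slide a window of `window` seconds
    over its records and flag it the first time the distinct destination hosts or
    distinct ports inside one window exceed the threshold.
    Returns {src_mac: {"hosts": n, "ports": n, "at": ts}}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src_mac"]].append(r)
    attackers = {}
    for mac, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi, cur in enumerate(evs):
            while cur["ts"] - evs[lo]["ts"] > window:   # drop records older than the window
                lo += 1
            win = evs[lo:hi + 1]
            hosts = {r["dst_ip"] for r in win}
            ports = {r["port"] for r in win}
            if len(hosts) > max_hosts or len(ports) > max_ports:
                attackers[mac] = {"hosts": len(hosts), "ports": len(ports), "at": cur["ts"]}
                break
    return attackers


def blocking_policies(attackers, location=LOCATION, edge_devices=EDGE_DEVICES):
    """Feedback adjustment: one drop-by-source-MAC entry for every edge switch
    and AP, annotated with where the unified record last located that MAC."""
    return [{"device": dev, "action": "drop_src_mac", "mac": mac,
             "located_at": location.get(mac)}
            for mac in sorted(attackers) for dev in edge_devices]


def statistics(records):
    """High-risk ranking (by distinct host:port targets), TCP service access
    counts, and per-terminal intercepted / released counts."""
    targets, service = defaultdict(set), Counter()
    intercepted, released = Counter(), Counter()
    for r in records:
        targets[r["src_mac"]].add((r["dst_ip"], r["port"]))
        service[r["port"]] += 1
        if r["blocked"]:
            intercepted[r["src_mac"]] += 1
        else:
            released[r["src_mac"]] += 1
    ranking = sorted(((len(t), mac) for mac, t in targets.items()), reverse=True)
    return {"high_risk_ranking": ranking, "service_access": service,
            "intercepted": intercepted, "released": released}


if __name__ == "__main__":
    found = discriminate(RECORDS)
    for policy in blocking_policies(found):
        print(policy)
    print(statistics(RECORDS)["high_risk_ranking"])
```

Two points the constructed data is meant to bring out. First, the decision is keyed on distinct destination hosts and ports rather than on raw SYN count, so the ordinary user's repeated connections to one server do not trip it. Second, the window matters: the slow sweep touches as many hosts as the vertical scan but spreads them across windows and is not flagged unless the window is widened, which is the trade-off an operator tunes when choosing "a certain number" and "a short time".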
Example four:
Referring to fig. 3, which is a block diagram of the TCP traffic isolation apparatus according to this embodiment, the apparatus may include: a configuration information generating unit 110, a configuration information issuing unit 120, an interception judging unit 130 and a message processing unit 140. The TCP traffic isolation apparatus provided in this embodiment may be compared with the TCP traffic isolation method described in the above embodiments.
The configuration information generating unit 110 is mainly configured to determine the black and white list of the information transmission ends and generate configuration information;
the configuration information issuing unit 120 is mainly configured to issue the configuration information to the system edge device;
the interception judging unit 130 is mainly configured to call the configuration information to perform interception judgment on a TCP SYN message received by the system edge device, and to generate a judgment result;
the message processing unit 140 is mainly configured to perform the corresponding message processing according to the judgment result.
Optionally, the configuration information generating unit may specifically be a first generating unit, which includes:
a first dividing subunit, configured to divide the information transmission ends to be protected into the protection zone group, where the protection zone group blocks TCP SYN packets by default;
a second dividing subunit, configured to divide the information transmission ends that are not to be protected into the trust zone group, where the trust zone group lets TCP SYN packets through by default.
Optionally, the first generating unit may further include:
a first setting subunit, configured to set a white list for the protection zone group and add to it the devices whose traffic is to be let through to a protected information transmission end;
a second setting subunit, configured to set a blacklist for the trust zone group and add to it the devices whose traffic to a specified unprotected information transmission end is to be blocked.
Optionally, the configuration information generating unit may specifically be a second generating unit, which is configured to determine mapping data between terminal types and traffic blocking policies;
correspondingly, the interception judging unit connected to the second generating unit specifically includes:
a type identification subunit, configured to identify the type of the terminal;
a policy query subunit, configured to query the traffic blocking policy corresponding to the terminal type according to the mapping data, obtaining a terminal-type matching policy;
a judging subunit, configured to call the terminal-type matching policy to perform interception judgment on the message.
Optionally, the message processing unit may specifically include:
a first processing subunit, configured to perform TCP blocking if the judgment result is interception;
a second processing subunit, configured to forward the current TCP SYN packet to the destination port if the judgment result is pass-through.
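The following is an added worked example, written for this page and not code from the patent or its assignee, of the interception judging unit and message processing unit acting on one TCP SYN. It models the two alternative ways the text describes of generating configuration information: zone groups (protection zone blocks by default with a white list; trust zone passes by default with a blacklist) and the terminal-type to blocking-policy mapping, where the terminal type is identified from the destination MAC address as in claim 1. The MAC addresses, port and SSID names, terminal types and the inventory table that maps a destination MAC to a type are all constructed; the patent does not say how that inventory is built.

```python
# Added example (not the patent's code): edge-device interception judgment.
# All MACs, port/SSID names, terminal types and the inventory table are constructed.
from dataclasses import dataclass, field

BLOCK, PASS = "block", "pass"


@dataclass
class ZoneConfig:
    """First generating unit: protection/trust zone groups plus their lists."""
    zones: dict                                   # ingress port or SSID -> "protect" | "trust"
    whitelist: set = field(default_factory=set)   # protection zone: source MACs let through
    blacklist: set = field(default_factory=set)   # trust zone: source MACs blocked


@dataclass
class TypeConfig:
    """Second generating unit: terminal type -> TCP service ports to block."""
    terminal_type: dict   # destination MAC -> terminal type (inventory; constructed)
    type_policy: dict     # terminal type -> set of blocked TCP ports


@dataclass(frozen=True)
class Syn:
    """The fields of a TCP SYN that the judgment and the event record need."""
    ingress: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: int


def judge_by_zone(cfg: ZoneConfig, syn: Syn) -> str:
    """Zone-group judgment: default deny in the protection zone unless the
    source is whitelisted, default allow in the trust zone unless blacklisted."""
    zone = cfg.zones.get(syn.ingress)
    if zone == "protect":
        return PASS if syn.src_mac in cfg.whitelist else BLOCK
    if zone == "trust":
        return BLOCK if syn.src_mac in cfg.blacklist else PASS
    # An ingress in neither group has no hardware ACL redirect, so its SYNs
    # never reach this code; treated as pass-through here (assumption).
    return PASS


def judge_by_type(cfg: TypeConfig, syn: Syn) -> str:
    """Terminal-type judgment: identify the type from the destination MAC,
    then apply the blocking policy mapped to that type."""
    ttype = cfg.terminal_type.get(syn.dst_mac)
    return BLOCK if syn.dst_port in cfg.type_policy.get(ttype, set()) else PASS


def process(decision: str, syn: Syn) -> tuple:
    """Message processing: RST toward the source on block, otherwise forward.
    The access event record is produced either way, as the text requires."""
    action = "rst_to_source" if decision == BLOCK else "forward"
    record = {"src_mac": syn.src_mac, "dst_mac": syn.dst_mac, "port": syn.dst_port,
              "src_ip": syn.src_ip, "dst_ip": syn.dst_ip, "ts": syn.ts,
              "blocked": decision == BLOCK}
    return action, record


# Constructed configuration
ZONES = ZoneConfig(
    zones={"sw1/ge0/1": "protect", "ap7/Guest-SSID": "trust"},
    whitelist={"00:11:22:33:44:55"},
    blacklist={"de:ad:be:ef:00:01"},
)
TYPES = TypeConfig(
    terminal_type={"aa:bb:cc:00:00:10": "printer", "aa:bb:cc:00:00:20": "camera"},
    type_policy={"printer": {22, 23}, "camera": {23, 445}},
)

if __name__ == "__main__":
    syn = Syn("sw1/ge0/1", "66:77:88:99:aa:bb", "aa:bb:cc:00:00:10",
              "10.0.0.9", "10.0.0.10", 9100, 1)
    decision = judge_by_zone(ZONES, syn)
    print(decision, process(decision, syn))
```

Only the SYN is judged: once a SYN has been forwarded, the rest of the connection is switched in hardware without any further lookup, which is what lets the scheme hold the per-port configuration in software instead of in hardware ACL entries.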
Optionally, the configuration information issuing unit may be specifically configured to transmit the configuration information to the system edge device through an encrypted tunnel.
Optionally, the TCP traffic isolation apparatus described in this embodiment may further include a behaviour analysis unit, which specifically includes:
an information acquisition subunit, configured to acquire the access information and generate an access event record when the system edge device receives a TCP SYN message;
an analysis subunit, configured to perform attack behaviour analysis according to the access event record and generate a source-end identity judgment result;
a source-end processing subunit, configured to perform the corresponding source-end behaviour processing according to the source-end identity judgment result.
Optionally, the behaviour analysis unit may further include a feedback adjustment subunit, configured to adjust the configuration information according to the source-end identity judgment result.
Optionally, the TCP traffic isolation apparatus described in this embodiment may further include a display unit, which specifically includes:
a record acquisition subunit, configured to acquire the access event records of the system edge devices within a preset range to obtain system record information;
a risk analysis subunit, configured to perform attacker risk analysis according to the system record information and generate a risk analysis result;
a display subunit, configured to display the risk analysis result.
Optionally, the risk analysis subunit may be specifically configured to compute a high-risk attacker ranking, TCP service access statistics, interception statistics, per-terminal interception statistics and release statistics from the system record information.
Optionally, the risk analysis subunit may be further configured to perform identity discrimination on each information transmission end in the system according to the system record information to obtain an identity discrimination result, and to perform feedback adjustment according to the identity discrimination result.
The TCP traffic isolation apparatus described in this embodiment ensures the security of the devices and reduces the consumption of hardware ACL resources.
Example five:
In this embodiment a specific arrangement of the units of the TCP traffic isolation apparatus is introduced: the configuration information generating unit and the configuration information issuing unit are located in the server, the interception judging unit and the message processing unit are located in the edge device, and the interception judging unit may specifically include a message receiving unit, an edge device TCP traffic judging unit and a unified location recording unit, and may further include an attack event judging unit, a unified recording unit and an attack event recording unit.
The message receiving unit is used for handing a user's TCP SYN message, received on a designated port or AP SSID (a port in the trust zone or protection zone) of an edge device such as a switch or AP by way of the hardware ACL configuration, to the edge device TCP traffic judging unit in the software layer for processing.
The edge device TCP traffic judging unit is used for parsing the TCP SYN message according to the issued configuration policy, judging whether the message is one the user has configured to be blocked (including by TCP service port), and sending the configuration policy analysis result to the message processing unit;
if the matched policy is further configured with a black and white list, the source location (switch port or AP SSID) of the source MAC must be looked up, by querying the unified location recording unit of the unified control platform;
in addition, whether or not the message is blocked, the edge device TCP traffic judging unit also reports an access event record (source MAC, destination MAC, service port number, source IP, destination IP, time, and so on) to the attack event judging unit of the unified control platform;
The message processing unit is used for sending an RST message upstream to the source if the message needs to be blocked (after the RST is sent the TCP connection is interrupted, i.e. the flow is cut off), and otherwise forwarding the message to the designated port unchanged;
The unified recording unit is used for looking up, in the record, the location of the source MAC address: which port of which switch or which SSID of which AP.
The attack event judging unit is used for receiving the access behaviour event logs reported by all edge devices such as switches and APs and judging uniformly whether a given terminal (uniquely identified by its source MAC address) exhibits attack behaviour. For example, a virus-infected host first scans whether ports on all terminals in the intranet are open by attempting connections with TCP SYN messages, producing a large number of such accesses in a short time; once judged to be an attacker, the terminal is sent to all edge switches and APs and added to their blacklists, and all messages from that source MAC are discarded, which blocks the attack traffic.
The attack event recording unit is used for comprehensively analysing the behaviour log event records of the whole network, computing a high-risk attacker ranking, TCP service access statistics, interception statistics and per-terminal interception and release statistics, and displaying them through UI charts and the like so that administrators can visualize TCP service behaviour, attacks and terminal behaviour.
In this embodiment the location and function of each unit are more specific, which is more conducive to efficient message processing and to the processing effect.
Example six:
This embodiment provides a TCP traffic isolation device, including a memory and a processor.
The memory is used for storing a program;
the processor is used for executing the program, and the steps of the TCP traffic isolation method described above are implemented when it does so; refer to the description of the TCP traffic isolation method in the foregoing embodiments, which is not repeated here.
Referring to fig. 4, which is a schematic structural diagram of the TCP traffic isolation device provided in this embodiment, the device may differ considerably depending on its configuration or performance, and may include one or more processors (CPUs) 322 (for example, one or more processors), a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) for storing applications 342 or data 344. The memory 332 and the storage media 330 may be transient or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the data processing apparatus. Further, the central processor 322 may be configured to communicate with the storage medium 330 to execute the sequence of instruction operations in the storage medium 330 on the TCP traffic isolation device 301.
The TCP traffic isolation device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD and so on.
The steps of the TCP traffic isolation method described in the foregoing embodiments may be implemented by the structure of the TCP traffic isolation device of this embodiment.
Example seven:
This embodiment discloses a readable storage medium on which a program is stored; when executed by a processor, the program implements the steps of the TCP traffic isolation method, for which refer to the description of the TCP traffic isolation method in the foregoing embodiments.
The readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to each other. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
Those skilled in the art will further appreciate that the various illustrative units and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as departing from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The TCP traffic isolation method, apparatus, device and readable storage medium provided in the present application have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the above description of the embodiments is only intended to help understand the method and its core idea. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present application.

Claims (12)

1. A TCP traffic isolation method, comprising:
determining a black and white list of information transmission ends to generate configuration information, wherein the black and white list of the information transmission ends comprises port configuration information of the specified information transmission ends;
issuing the configuration information to a system edge device;
if the system edge device receives a TCP SYN message, calling the configuration information to perform interception judgment on the message and generating a judgment result;
performing the corresponding message processing according to the judgment result;
wherein determining the black and white list of the information transmission ends comprises: determining mapping data between terminal types and traffic blocking policies;
and correspondingly, if the system edge device receives a TCP SYN message, calling the configuration information to perform interception judgment on the message comprises: identifying the terminal type according to the destination MAC address of the message; querying the traffic blocking policy corresponding to the terminal type according to the mapping data to obtain a terminal-type matching policy; and calling the terminal-type matching policy to perform interception judgment on the message;
acquiring the access event records of the system edge devices within a preset range to obtain system record information;
performing attacker risk analysis according to the system record information to generate a risk analysis result;
and displaying the risk analysis result.
2. The TCP traffic isolation method of claim 1, wherein determining the black and white list of the information transmission ends comprises:
dividing the information transmission ends to be protected into a protection zone group, wherein the protection zone group is configured to block TCP SYN packets by default;
dividing the information transmission ends that are not to be protected into a trust zone group, wherein the trust zone group lets TCP SYN packets through by default.
3. The TCP traffic isolation method of claim 2, further comprising:
setting a white list for the protection zone group, and adding to it the devices whose traffic is to be let through to a protected information transmission end;
and setting a blacklist for the trust zone group, and adding to it the devices whose traffic to a specified unprotected information transmission end is to be blocked.
4. The TCP traffic isolation method of claim 1, wherein performing the corresponding message processing according to the judgment result comprises:
if the judgment result is interception, performing TCP blocking;
and if the judgment result is pass-through, forwarding the current TCP SYN packet to the destination port.
5. The TCP traffic isolation method of claim 1, wherein issuing the configuration information to the system edge device comprises:
transmitting the configuration information to the system edge device through an encrypted tunnel.
6. The TCP traffic isolation method of claim 1, further comprising:
if the system edge device receives a TCP SYN message, acquiring the access information and generating an access event record;
performing attack behaviour analysis according to the access event record to generate a source-end identity judgment result;
and performing the corresponding source-end behaviour processing according to the source-end identity judgment result.
7. The TCP traffic isolation method of claim 6, further comprising: adjusting the configuration information according to the source-end identity judgment result.
8. The TCP traffic isolation method of claim 1, wherein performing attacker risk analysis according to the system record information comprises:
computing a high-risk attacker ranking, TCP service access statistics, interception statistics, per-terminal interception statistics and release statistics from the system record information.
9. The TCP traffic isolation method of claim 1, further comprising:
performing identity discrimination on each information transmission end in the system according to the system record information to obtain an identity discrimination result;
and performing feedback adjustment according to the identity discrimination result.
10. A TCP traffic isolation apparatus, comprising:
a configuration information generating unit, configured to determine a black and white list of information transmission ends and generate configuration information, wherein the black and white list of the information transmission ends comprises port configuration information of the specified information transmission ends;
a configuration information issuing unit, configured to issue the configuration information to a system edge device;
an interception judging unit, configured to call the configuration information to perform interception judgment on a TCP SYN message received by the system edge device and generate a judgment result;
a message processing unit, configured to perform the corresponding message processing according to the judgment result;
wherein the configuration information generating unit comprises a second generating unit, configured to determine mapping data between terminal types and traffic blocking policies;
and correspondingly, the interception judging unit connected to the second generating unit specifically comprises:
a type identification subunit, configured to identify the terminal type according to the destination MAC address of the message;
a policy query subunit, configured to query the traffic blocking policy corresponding to the terminal type according to the mapping data to obtain a terminal-type matching policy;
a judging subunit, configured to call the terminal-type matching policy to perform interception judgment on the message;
the TCP traffic isolation apparatus further comprises a display unit;
the display unit comprises:
a record acquisition subunit, configured to acquire the access event records of the system edge devices within a preset range to obtain system record information;
a risk analysis subunit, configured to perform attacker risk analysis according to the system record information and generate a risk analysis result;
and a display subunit, configured to display the risk analysis result.
11. A TCP traffic isolation device, comprising:
a memory for storing a program;
and a processor for implementing the steps of the TCP traffic isolation method according to any one of claims 1 to 9 when executing the program.
12. A readable storage medium, wherein a program is stored on the readable storage medium which, when executed by a processor, carries out the steps of the TCP traffic isolation method according to any one of claims 1 to 9.
CN201910894836.3A 2019-09-20 2019-09-20 TCP flow isolation method, device and related components Active CN110620773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910894836.3A CN110620773B (en) 2019-09-20 2019-09-20 TCP flow isolation method, device and related components


Publications (2)

Publication Number Publication Date
CN110620773A CN110620773A (en) 2019-12-27
CN110620773B true CN110620773B (en) 2023-02-10

Family

ID=68923836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910894836.3A Active CN110620773B (en) 2019-09-20 2019-09-20 TCP flow isolation method, device and related components

Country Status (1)

Country Link
CN (1) CN110620773B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113114663B (en) * 2021-04-08 2022-10-11 北京威努特技术有限公司 Judgment method and device based on message scanning behavior
CN115001804B (en) * 2022-05-30 2023-11-10 广东电网有限责任公司 Bypass access control system, method and storage medium applied to field station
CN114915497A (en) * 2022-07-13 2022-08-16 杭州云缔盟科技有限公司 Network access blocking method, device and application for Windows process

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470188A (en) * 2015-08-18 2017-03-01 中国电信股份有限公司 The detection method of security threat, device and security gateway
CN107710680A (en) * 2016-03-29 2018-02-16 华为技术有限公司 Network attack defence policies are sent, the method and apparatus of network attack defence
CN108574693A (en) * 2018-04-17 2018-09-25 四川斐讯信息技术有限公司 A kind of access management method and wireless router of wireless router

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8938800B2 (en) * 2010-07-28 2015-01-20 Mcafee, Inc. System and method for network level protection against malicious software
CN103023707B (en) * 2012-12-28 2016-03-09 华为技术有限公司 Method, management server and network system that a kind of strategy configures
WO2017120512A1 (en) * 2016-01-08 2017-07-13 Belden, Inc. Method and protection apparatus to prevent malicious information communication in ip networks by exploiting benign networking protocols


Also Published As

Publication number Publication date
CN110620773A (en) 2019-12-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant