CN111385303B - Network security protection system and implementation method - Google Patents


Info

Publication number
CN111385303B
CN111385303B
Authority
CN
China
Prior art keywords
module
bgp
network
data
traction
Legal status
Active
Application number
CN202010167478.9A
Other languages
Chinese (zh)
Other versions
CN111385303A (en)
Inventor
董超
袁键
蔡艳林
杨明勋
李斌
Current Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Priority date
2020-03-11
Filing date
2020-03-11
Publication date
2022-11-29
Application filed by Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Priority to CN202010167478.9A
Publication of CN111385303A
Application granted
Publication of CN111385303B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0263 Rule management
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention discloses a network security protection system and an implementation method. The system comprises a firewall system and a core router that supports the BGP protocol. The firewall system comprises: a configuration module, used to configure the corresponding access rules when access control is required on the user network; a BGP traffic diversion module, used to establish a BGP peering session with the core router and, after analysing and converting the access rules, dynamically divert the corresponding IP address segments; an optical-tap/port-mirror data receiving module, used to receive data; a data processing module, used to process data; and a traffic reinjection module, used to reinject the data into the original network after the data processing module has processed it, so that data processing is carried out on a bypass. When the network security protection system is actually deployed in an industrial control environment, the user's network environment does not need to be changed; when the firewall system has a problem or needs to be upgraded, fast switch-over can be achieved and the normal operation of user services is not affected.

Description

Network security protection system and implementation method
Technical Field
The invention relates to the technical field of network security equipment, in particular to a network security protection system and an implementation method.
Background
An industrial control firewall system is a security gateway product oriented to the industrial control field; it mainly addresses the problem of industrial infrastructure being maliciously attacked by viruses, hackers and hostile forces in a networked environment. A traditional firewall cannot fully solve the network security protection problem of an industrial control system; this kind of product not only provides the standard functions of a traditional firewall but also meets the special security requirements of industrial control systems for reliability, stability, and industrial protocol analysis and filtering.
An industrial control firewall system can filter almost all industrial communication protocols, and by means of its deep defence function can perform deep filtering on Modbus TCP, the OPC communication protocol, the Siemens S7 protocol and the Siemens OP/PG protocol, so that DoS/DDoS and other attacks can be effectively prevented; it provides user auditing and permission management; and it supports offline caching of security event logs and the like, thereby protecting the information security of the industrial Ethernet.
At present, a great many industrial control environments have high requirements for network stability, continuity and uninterrupted operation, and users are reluctant to change the network topology. Current industrial control firewalls only support an inline deployment mode. When deployed this way, the user's network topology has to be changed and an outage of the deployed network is inevitably caused, which does not meet actual application requirements; in addition, when the industrial control firewall is under load, faulty or in need of an upgrade, inline deployment cannot guarantee the stability and continuity of the industrial control network.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a network security protection system that is reasonable in design, does not change the user's network environment and reduces the impact on the user. The technical solution is as follows:
a network security protection system comprising a firewall system and a core router, the core router supporting the BGP protocol, the firewall system comprising:
a configuration module, used to configure the corresponding access rules when access control is required on the user network;
a BGP traffic diversion module, used to establish a BGP peering session with the core router and, after analysing and converting the access rules, dynamically divert the corresponding IP address segments;
an optical-tap/port-mirror data receiving module, used to receive data;
a data processing module, used to process data;
and a traffic reinjection module, used to reinject the data into the original network after the data processing module has processed it, so that data processing is carried out on a bypass.
As a further improvement of the invention, the firewall system further includes a first deletion module, configured to delete the corresponding access rule when access control over the user network is no longer required;
the BGP traffic diversion module is further used to cancel the dynamic diversion of the corresponding IP address segment after the first deletion module has deleted the corresponding access rule.
As a further improvement of the invention, the firewall system further includes a second deletion module, configured to delete all access rules when the firewall system needs to be upgraded or maintained;
the BGP traffic diversion module is further configured to cancel the diversion of all traffic after the second deletion module has deleted all access rules.
As a further improvement of the invention, the core router is further configured to withdraw the routes announced by the BGP traffic diversion module when the firewall system fails.
The second purpose of the invention is to provide a low-cost, high-efficiency method for implementing a network security protection system. The technical solution is as follows:
an implementation method of a network security protection system, used for any one of the above network security protection systems, comprising:
establishing a BGP peering session between the BGP traffic diversion module and the core router;
receiving data through the optical-tap/port-mirror data receiving module, processing the data through the data processing module, and at the same time carrying out network monitoring through a network monitoring module;
when access control is required on the user network, configuring the corresponding access rules through the configuration module, and, after the BGP traffic diversion module has analysed and converted the access rules, dynamically diverting the corresponding IP address segments;
and the data processing module handing the processed data to the traffic reinjection module, which reinjects it into the original network, so that data processing is carried out on a bypass.
As a further improvement of the invention, the method further comprises the following step:
when access control over the user network is no longer required, deleting the corresponding access rule and, after the BGP traffic diversion module has analysed and converted the access rule, cancelling the dynamic diversion of the corresponding IP address segment.
As a further improvement of the invention, the method further comprises the following step:
when the firewall system needs to be upgraded or maintained, deleting all access rules and at the same time cancelling, through the BGP traffic diversion module, the diversion of all traffic.
As a further improvement of the invention, the method further comprises the following step:
when the firewall system fails, the core router withdrawing the routes announced by the BGP traffic diversion module.
As a further improvement of the invention, before establishing the BGP peering session between the BGP traffic diversion module and the core router, the method further includes: adding a port mirror on the core router, adding a physical connection line from the mirror port to a port of the optical-tap/port-mirror data receiving module, and adding a physical connection line from a BGP interface of the core router to the BGP traffic diversion module.
As a further improvement of the invention, the method further comprises the following step:
when the firewall system leaves the user environment, tearing down the BGP peering session and removing the physical connection lines to the optical-tap/port-mirror data receiving module and to the BGP interface of the core router.
The beneficial effects of the invention are:
when the network security protection system is actually deployed in an industrial control environment, the user's network environment does not need to be changed; when the firewall system has a problem or needs to be upgraded, fast switch-over can be achieved and the normal operation of user services is not affected.
The foregoing is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented in accordance with the content of this description, and so that the above and other objects, features and advantages of the invention can be understood more clearly, preferred embodiments are described in detail below with reference to the accompanying drawings.
Drawings
FIG. 1 is a schematic diagram of the network security protection system in a preferred embodiment of the invention;
FIG. 2 is a schematic diagram of the implementation method of the network security protection system in a preferred embodiment of the invention.
Detailed Description
The invention is further described below in conjunction with the figures and specific examples so that those skilled in the art can better understand and practise it; the examples are not intended to limit the invention.
Example one
As shown in FIG. 1, the network security protection system in this embodiment of the invention includes a firewall system and a core router, where the firewall system is an industrial control firewall system, the core router supports the BGP protocol, and the firewall system includes:
a configuration module, used to configure the corresponding access rules when access control is required on the user network;
a BGP traffic diversion module, used to establish a BGP peering session with the core router and, after analysing and converting the access rules, dynamically divert the corresponding IP address segments;
an optical-tap/port-mirror data receiving module, used to receive data. Specifically, it is mainly responsible for receiving all the traffic data of the core router;
a data processing module, used to process data. The data processing module provides industrial protocol DPI identification, an access control list (ACL) function based on industrial protocol DPI identification, virus identification and interception, DDoS (distributed denial of service) attack protection and the like;
and a traffic reinjection module, used to reinject the data into the original network after the data processing module has processed it, so that data processing is carried out on a bypass.
In one embodiment of the invention, the firewall system further includes a first deletion module, configured to delete the corresponding access rule when access control over the user network is no longer required;
the BGP traffic diversion module is further used to cancel the dynamic diversion of the corresponding IP address segment after the first deletion module has deleted the corresponding access rule.
In one embodiment of the invention, the firewall system further includes a second deletion module, configured to delete all access rules when the firewall system needs to be upgraded or maintained; the BGP traffic diversion module is further used to cancel the diversion of all traffic after the second deletion module has deleted all access rules.
In one embodiment of the invention, the core router is further configured to withdraw the routes announced by the BGP traffic diversion module when the firewall system fails.
Example two
As shown in FIG. 2, the method for implementing network security protection in this embodiment is applied to the network security protection system of the first embodiment and includes the following steps:
S10, establishing a BGP peering session between the BGP traffic diversion module and the core router;
S20, receiving data through the optical-tap/port-mirror data receiving module, processing the data through the data processing module, and at the same time carrying out network monitoring through a network monitoring module;
S30, when access control is required on the user network, configuring the corresponding access rules through the configuration module, and, after the BGP traffic diversion module has analysed and converted them, dynamically diverting the corresponding IP address segments;
and S40, the data processing module handing the processed data to the traffic reinjection module, which reinjects it into the original network, so that data processing is carried out on a bypass.
In one embodiment, the method further comprises the following steps:
When access control over the user network is no longer required, the corresponding access rule is deleted and, after the BGP traffic diversion module has analysed and converted the access rule, the dynamic diversion of the corresponding IP address segment is cancelled.
When the firewall system needs to be upgraded or maintained, all access rules are deleted and at the same time the BGP traffic diversion module cancels the diversion of all traffic. Zero impact on the user network is thus ensured during upgrade and maintenance.
When the firewall system fails, the core router withdraws the routes announced by the BGP traffic diversion module. Preferably, the withdrawal is set to complete within seconds, so that when the firewall system fails the user network recovers within seconds and the normal operation of user services is not affected.
In this embodiment, before step S10 the method further includes the following step:
adding a port mirror on the core router, adding a physical connection line from the mirror port to a port of the optical-tap/port-mirror data receiving module, and adding a physical connection line from a BGP interface of the core router to the BGP traffic diversion module.
Preferably, after step S40 the method further comprises the following step:
when the firewall system leaves the user environment, tearing down the BGP peering session and removing the physical connection lines to the optical-tap/port-mirror data receiving module and to the BGP interface of the core router.
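The control loop described in the system of the first embodiment and in steps S10 to S40 above, together with the rule-deletion, maintenance and failure cases, as an added example that is not part of the patent: a Python model in which access rules are converted into IP prefixes, announced to a core-router model over a BGP peering, reference-counted so that deleting one rule withdraws only the prefixes no other rule still needs, and flushed by the router itself when the firewall stops refreshing the hold timer. The rule shape, the choice to divert both endpoints of a rule, the `fw-bypass` peer name and the in-memory router are assumptions; a real deployment would drive a BGP daemon instead of this model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRule:
    """One access rule from the configuration module (hypothetical shape)."""
    name: str
    src: str  # client network, e.g. "192.168.10.0/24"
    dst: str  # protected asset, host or CIDR, e.g. "10.1.1.5"

    def prefixes(self):
        # Rule conversion (assumption): divert both endpoints so request and reply pass the firewall.
        return {ipaddress.ip_network(a, strict=False) for a in (self.src, self.dst)}

class CoreRouter:
    """Constructed model of the BGP-speaking core router, not a real BGP stack."""

    def __init__(self, hold_time=90.0):
        self.rib = {}             # prefix -> set of peers that announced it
        self.last_keepalive = {}  # peer -> time of last KEEPALIVE/UPDATE
        self.hold_time = hold_time

    def session_up(self, peer, now):  # peering established / hold timer refreshed
        self.last_keepalive[peer] = now

    def update(self, peer, announce=(), withdraw=()):
        """Apply one BGP UPDATE from `peer`: add/remove RIB entries."""
        for p in announce:
            self.rib.setdefault(p, set()).add(peer)
        for p in withdraw:
            peers = self.rib.get(p, set())
            peers.discard(peer)
            if not peers:
                self.rib.pop(p, None)

    def expire(self, now):
        """Hold timer: drop a silent peer and flush its routes (router-side recovery on firewall failure)."""
        for peer, ts in list(self.last_keepalive.items()):
            if now - ts > self.hold_time:
                del self.last_keepalive[peer]
                self.update(peer, withdraw=[p for p, s in self.rib.items() if peer in s])

    def diverted_to(self, ip):
        """Peer that currently receives traffic for `ip` (longest match), or None."""
        addr = ipaddress.ip_address(ip)
        best = max((p for p in self.rib if addr in p), key=lambda p: p.prefixlen, default=None)
        return next(iter(self.rib[best])) if best else None

class DiversionFirewall:
    """BGP traffic diversion module: access rules in, announcements/withdrawals out."""

    def __init__(self, router, peer_id="fw-bypass", now=0.0):
        self.router, self.peer_id = router, peer_id
        self.rules, self.refcount = {}, {}  # refcount: prefix -> rules needing it
        router.session_up(peer_id, now)     # step S10: establish the BGP peering

    def add_rule(self, rule):
        """Step S30: announce the prefixes a new rule needs that are not yet diverted."""
        self.rules[rule.name] = rule
        new = []
        for p in sorted(rule.prefixes()):
            self.refcount[p] = self.refcount.get(p, 0) + 1
            if self.refcount[p] == 1:
                new.append(p)
        self.router.update(self.peer_id, announce=new)
        return new

    def delete_rule(self, name):
        """First deletion module: withdraw only prefixes no remaining rule needs."""
        gone = []
        for p in sorted(self.rules.pop(name).prefixes()):
            self.refcount[p] -= 1
            if self.refcount[p] == 0:
                del self.refcount[p]
                gone.append(p)
        self.router.update(self.peer_id, withdraw=gone)
        return gone

    def delete_all(self):
        """Second deletion module (upgrade/maintenance): withdraw everything at once."""
        gone = sorted(self.refcount)
        self.rules, self.refcount = {}, {}
        self.router.update(self.peer_id, withdraw=gone)
        return gone
```

Because the router flushes a silent peer on its own, the "recovers within seconds" behaviour in the text depends on how short the negotiated hold time is, not on the firewall still being alive to send withdrawals.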
The above embodiments are merely preferred embodiments given to fully illustrate the invention, and the scope of the invention is not limited to them. Equivalent substitutions or changes made by those skilled in the art on the basis of the invention all fall within its protection scope. The protection scope of the invention is defined by the claims.

Claims (8)

1. A network security protection system comprising a firewall system and a core router, the core router supporting the BGP protocol, the firewall system comprising:
a configuration module, used to configure the corresponding access rules when access control is required on the user network;
a BGP traffic diversion module, used to establish a BGP peering session with the core router and, after analysing and converting the access rules, dynamically divert the corresponding IP address segments;
an optical-tap/port-mirror data receiving module, used to receive data;
a data processing module, used to process data;
a traffic reinjection module, used to reinject the data into the original network after the data processing module has processed it, so that data processing is carried out on a bypass;
the firewall system further comprising a first deletion module, used to delete the corresponding access rule when access control over the user network is no longer required;
the BGP traffic diversion module being further used to cancel the dynamic diversion of the corresponding IP address segment after the first deletion module has deleted the corresponding access rule;
the firewall system further comprising a second deletion module, used to delete all access rules when the firewall system needs to be upgraded or maintained;
the BGP traffic diversion module being further configured to cancel the diversion of all traffic after the second deletion module has deleted all access rules.
2. The network security protection system of claim 1, wherein the core router is further configured to withdraw the routes announced by the BGP traffic diversion module when the firewall system fails.
3. A method for implementing a network security protection system, used in the network security protection system according to any one of claims 1-2, comprising:
establishing a BGP peering session between the BGP traffic diversion module and the core router;
receiving data through the optical-tap/port-mirror data receiving module, processing the data through the data processing module, and at the same time carrying out network monitoring through a network monitoring module;
when access control is required on the user network, configuring the corresponding access rules through the configuration module, and, after the BGP traffic diversion module has analysed and converted the access rules, dynamically diverting the corresponding IP address segments;
and the data processing module handing the processed data to the traffic reinjection module, which reinjects it into the original network, so that data processing is carried out on a bypass.
4. The method for implementing the network security protection system of claim 3, further comprising:
when access control over the user network is no longer required, deleting the corresponding access rule and, after the BGP traffic diversion module has analysed and converted the access rule, cancelling the dynamic diversion of the corresponding IP address segment.
5. The method for implementing the network security protection system of claim 3, further comprising:
when the firewall system needs to be upgraded or maintained, deleting all access rules and at the same time cancelling, through the BGP traffic diversion module, the diversion of all traffic.
6. The method for implementing the network security protection system of claim 3, further comprising:
when the firewall system fails, the core router withdrawing the routes announced by the BGP traffic diversion module.
7. The method of claim 3, wherein before establishing the BGP peering session between the BGP traffic diversion module and the core router, the method further comprises: adding a port mirror on the core router, adding a physical connection line from the mirror port to a port of the optical-tap/port-mirror data receiving module, and adding a physical connection line from a BGP interface of the core router to the BGP traffic diversion module.
8. The method for implementing the network security protection system of claim 7, further comprising:
when the firewall system withdraws from the user environment, tearing down the BGP peering session and removing the physical connection lines to the optical-tap/port-mirror data receiving module and to the BGP interface of the core router.
Application CN202010167478.9A, priority date 2020-03-11, filing date 2020-03-11, title "Network security protection system and implementation method", granted as CN111385303B (en), status Active.

Publications (2)

Publication Number   Publication Date
CN111385303A (en)    2020-07-07
CN111385303B (en)    2022-11-29

Family

ID=71222675

Country Status (1)

Country   Link
CN (1)    CN111385303B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN113301053B (en) *   2021-05-31   2023-04-07   深圳市风云实业有限公司   High-performance network boundary protection detection system and method based on expandability

Citations (2)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN106161362A (en) *   2015-04-03   2016-11-23   阿里巴巴集团控股有限公司   Network application defence method and equipment
CN109818970A (en) *   2019-03-07   2019-05-28   腾讯科技(深圳)有限公司   Data processing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN101431449B (en) *   2008-11-04   2011-05-04   中国科学院计算技术研究所   Network traffic cleaning system
CN107623661B (en) *   2016-07-15   2020-12-08   阿里巴巴集团控股有限公司   System, method and device for blocking access requests, and server
CN106411910B (en) *   2016-10-18   2019-04-05   优刻得科技股份有限公司   Defence method and system against distributed denial of service attacks
CN108667829B (en) *   2018-04-26   2022-05-20   腾讯科技(深圳)有限公司   Network attack protection method, device and storage medium
CN110113435B (en) *   2019-05-27   2022-01-14   绿盟科技集团股份有限公司   Method and equipment for traffic cleaning

Also Published As

Publication number Publication date
CN111385303A (en) 2020-07-07

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant