CN111835556A - Security control method and device and computer readable storage medium - Google Patents

Security control method and device and computer readable storage medium

Info

Publication number: CN111835556A
Application number: CN202010522065.8A
Authority: CN (China)
Legal status: Granted; active (status as listed by Google Patents, which has not performed a legal analysis and makes no representation as to its accuracy)
Other languages: Chinese (zh)
Other versions: CN111835556B (en)
Inventors: 殷柳国, 裴玉奎, 高天, 许晋
Applicant and assignee (original and current): Tsinghua University
Prior art keywords: security, configuration, security gateway, gateway, alliance chain
Application CN202010522065.8A filed by Tsinghua University; published as CN111835556A; granted and published as CN111835556B.

Classifications

All entries fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls (under H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones; H04L 63/02 Network security for separating internal from external traffic, e.g. firewalls; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis, or using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (under H04L 41/06; H04L 41/00 Arrangements for maintenance, administration or management of data switching networks)
    • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability (under H04L 41/0803 Configuration setting; H04L 41/08 Configuration management of networks or network elements)
    • H04L 63/0227 Filtering policies (under H04L 63/02)
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/08 Authentication of entities)
    • H04L 63/20 Network security for managing network security; network security policies in general

Abstract

An embodiment of the invention discloses a security management and control method and device and a computer-readable storage medium. One of the methods is applied to a security gateway, where the security gateway, the management and control center it belongs to, and the other security gateways subordinate to that center form a security association group through a consortium chain, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network. The method includes: the security gateway obtains configuration information from the consortium chain, the configuration information having been generated by the management and control center performing a key configuration behavior for the security gateway, where a key configuration behavior is a configuration action that produces configuration information; operating according to the configuration information to obtain an operation result; and, after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writing the operation result to the chain. Cooperative protection among devices is thus realized on the basis of the consortium chain, and the security protection capability is improved.

Description

Security control method and device and computer readable storage medium
Technical Field
Embodiments of the present invention relate to network security technologies, and in particular, to a method and an apparatus for security management and control, and a computer-readable storage medium.
Background
In a conventional communication network security protection system, security devices are deployed at the boundary of an intranet to provide security protection and data isolation for the intranet; such devices include gateways, gatekeepers (network isolation devices), intrusion detection systems, firewalls and the like. When a user terminal accesses an external network server, data from the external server reaches the user terminal only after it has been inspected and filtered by the security devices. The filtering rules that the security devices apply to the data are configured and managed by network security maintenance personnel through a management and control center.
However, as the network environment becomes more complex and potential security hazards multiply, the traditional security protection system exposes many security risks. For example, the security devices and the management and control center in a security protection system are currently deployed as single points, and sensitive data such as gateway configurations are easily intercepted in transit on the network, so that security gateways deployed at the intranet boundary risk being hijacked and attacked. The management and control center, moreover, cannot effectively determine whether a gateway device has been hijacked or attacked; therefore, once a security gateway or a management and control center is attacked over the network and fails, the network is no longer protected.
The security protection capability of existing security protection systems is therefore not high and cannot meet the requirements of the current network environment.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a security management and control method applied to a security gateway, where the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network; the method includes:
the security gateway obtains configuration information from the consortium chain; the configuration information is generated by the management and control center performing a key configuration behavior for the security gateway; a key configuration behavior is a configuration action that produces configuration information;
operating according to the configuration information to obtain an operation result;
and, after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writing the operation result to the chain.
Another embodiment of the present invention provides another security management and control method applied to a management and control center, where the center and the other management and control centers form a cooperative protection group through a consortium chain, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network; the method includes:
the management and control center performs a key configuration behavior for a security gateway to generate configuration information; a key configuration behavior is a configuration action that produces configuration information;
and, after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, writing the configuration information to the chain.
Another embodiment of the present invention provides another security management and control method applied to a security protection network, where the network includes a plurality of management and control centers and a plurality of security gateways, each management and control center having one or more subordinate security gateways; all security gateways and management and control centers in the security protection network jointly construct a consortium chain, each management and control center and its subordinate security gateways form a security association group through the consortium chain, and all management and control centers form a cooperative protection group through the consortium chain; the method includes:
the management and control center performs a key configuration behavior for a security gateway to generate configuration information; a key configuration behavior is a configuration action that produces configuration information; after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the configuration information is written to the chain;
the security gateway obtains the configuration information from the consortium chain; operates according to the configuration information to obtain an operation result; and, after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writes the operation result to the chain;
and the management and control center obtains the operation result from the consortium chain and performs the corresponding operation according to the operation result.
An embodiment of the present invention further provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the computer program, when executed by the processor, implements any of the security management and control methods described above.
An embodiment of the present invention further provides a computer-readable storage medium storing an information processing program which, when executed by a processor, implements the security management and control method described above.
The technical solution provided by the embodiments of the present invention realizes cooperative protection among devices on the basis of the consortium chain and improves the security protection capability.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. Other advantages of the present application may be realized and attained by the instrumentalities and combinations particularly pointed out in the specification and the drawings.
Drawings
The accompanying drawings are included to provide an understanding of the present disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the examples serve to explain the principles of the disclosure and not to limit the disclosure.
Fig. 1 is a flowchart illustrating a security management and control method according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 3 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 4 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 5 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 6 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 7 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 8 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 9 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 10 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 11 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 12 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 13 is a schematic flowchart of a method by which a management and control center traces configuration information, according to an embodiment of the present invention;
Fig. 14 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 15 is a schematic flowchart of a method by which a management and control center traces a network data packet, according to an embodiment of the present invention;
Fig. 16 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 17 is a schematic flowchart of a method by which a management and control center modifies the configuration of a security gateway, according to an embodiment of the present invention;
Fig. 18 is a flowchart illustrating a security gateway self-check and alarm method according to an embodiment of the present invention;
Fig. 19 is a flowchart illustrating a security management and control method according to another embodiment of the present invention;
Fig. 20 is a flowchart illustrating a method for implementing a heartbeat mechanism according to an embodiment of the present invention;
Fig. 21 is a schematic diagram of the architecture of a security protection network according to an embodiment of the present invention;
Fig. 22 is a schematic diagram of the architecture of the management and control centers and security gateways in a security protection system, after grouping, according to an embodiment of the present invention;
Fig. 23 is a schematic diagram of the architecture of a security association group in a security protection system according to an embodiment of the present invention;
Fig. 24 is a schematic structural diagram of an audit center and a management and control center according to an embodiment of the present invention.
Detailed Description
The present application describes embodiments, but the description is illustrative rather than limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or instead of any other feature or element in any other embodiment, unless expressly limited otherwise.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The embodiments, features and elements disclosed in this application may also be combined with any conventional features or elements to form a unique inventive concept as defined by the claims. Any feature or element of any embodiment may also be combined with features or elements from other inventive aspects to form yet another unique inventive aspect, as defined by the claims. Thus, it should be understood that any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not limited except as by the appended claims and their equivalents. Furthermore, various modifications and changes may be made within the scope of the appended claims.
Further, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other orders of steps are possible as will be understood by those of ordinary skill in the art. Therefore, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Further, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
Fig. 1 is a schematic flowchart of a security management and control method according to an embodiment of the present invention. The method is applied to a security gateway, where the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network.
As shown in Fig. 1, the method includes:
Step 101: the security gateway obtains configuration information from the consortium chain; the configuration information is generated by the management and control center performing a key configuration behavior for the security gateway; a key configuration behavior is a configuration action that produces configuration information;
Step 102: operating according to the configuration information to obtain an operation result;
Step 103: after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writing the operation result to the chain.
In one example, the method further includes:
when another node in the security association group has data to write to the chain, the security gateway authenticates the identity of that node through the consortium chain.
In one example, the configuration information is a configuration instruction for the security gateway, and the operation result is the configuration result of the security gateway;
operating according to the configuration information then means performing configuration according to the configuration instruction.
In one example, the configuration information is an emergency plan generated for an alarm raised by the security gateway, and the operation result is the execution result of the emergency plan;
operating according to the configuration information then means executing the emergency plan.
In one example, the method further includes:
the security gateway obtains its corresponding configuration result from the consortium chain;
determining whether the actual configuration data of the security gateway is consistent with the corresponding configuration result;
and, when the two are inconsistent, generating an alarm and, after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writing the alarm to the chain.
In one example, the method further includes:
the security gateway obtains a network data packet from the consortium chain; the network data packet is information generated by the management and control center performing a network data behavior for the security gateway; a network data behavior is an action that produces information, and the information produced is a network data packet;
and performing the corresponding operation according to the network data packet.
In one example, the network data packet includes one or more of the following: log timestamp, log time, host name, process name, MAC code, source IP address, destination IP address, packet length, service type, priority, time to live, label, and transport layer protocol type.
In one example, the configuration information includes one or more of the following:
target gateway Internet Protocol (IP) address, administrator identification (ID), management and control center IP address, timestamp, configuration content, and alarm configuration content.
According to the technical solution provided by this embodiment, the security gateway realizes cooperative protection among gateway devices on the basis of the consortium chain and the security association group, and the security protection capability is improved.
Fig. 2 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a security gateway, where the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network.
As shown in Fig. 2, the method includes:
Step 201: the security gateway obtains configuration information from the consortium chain; the configuration information is a configuration instruction for the security gateway;
The configuration information is information generated by the management and control center performing a key configuration behavior for the security gateway. In this example, the key configuration behavior is the management and control center configuring the security gateway so as to generate a configuration instruction.
The configuration instruction may be any configuration instruction issued by the management and control center to the security gateway, for example a configuration instruction for the firewall of the security gateway, an initialization configuration instruction for the security gateway, and the like.
In one example, the configuration information includes one or more of the following:
target gateway Internet Protocol (IP) address, administrator identification (ID), management and control center IP address, timestamp, and configuration content. The configuration content refers to the various parameters used to set up the security gateway.
Step 202: the security gateway performs configuration according to the configuration instruction to obtain a configuration result;
For example, if the configuration information is a configuration instruction for the firewall of the security gateway, the configuration result is the configuration result of the firewall; if the configuration information is an initialization configuration instruction for the security gateway, the configuration result is the initialization result of the security gateway.
In one example, before configuring according to the configuration instruction, the method further includes:
checking the validity of the configuration instruction;
and performing configuration according to the configuration instruction only when the instruction is valid.
In one example, if the configuration information is encrypted data, it must first be decrypted to obtain the configuration instruction it contains.
In one example, the management and control center may configure in advance, on the security gateway, which data must be written to the chain and which need not be; data that need not be written to the chain may be stored locally.
Step 203: after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, the security gateway writes the configuration result to the chain.
In one example, the security gateway encrypts the configuration result and writes the encrypted configuration result to the chain.
Identity authentication between the nodes of the security association group is realized by the identity authentication mechanism of the consortium chain. How identity authentication is performed through a consortium chain is prior art and is not described in detail here.
According to the technical solution provided by this embodiment, the security gateway realizes cooperative protection among gateway devices on the basis of the consortium chain and the security association group, and the security protection capability is improved. In addition, because the consortium chain is tamper-resistant, information security is better protected.
Fig. 3 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a security gateway, where the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network.
As shown in Fig. 3, the method includes:
Step 301: the security gateway obtains its corresponding configuration result from the consortium chain;
Step 302: determining whether the actual configuration data of the security gateway is consistent with the corresponding configuration result;
Step 303: when the two are inconsistent, generating an alarm and, after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, writing the alarm to the chain;
Step 304: obtaining configuration information from the consortium chain; the configuration information is an emergency plan generated by the management and control center for the alarm raised by the security gateway;
In one example, the emergency plan includes one or more of the following:
target gateway Internet Protocol (IP) address, administrator identification (ID), management and control center IP address, timestamp, and alarm configuration content, where the alarm configuration content is the information related to the alarm.
Step 305: executing the emergency plan to obtain an execution result;
In one example, before executing the emergency plan, the method further includes:
checking the validity of the emergency plan;
and executing the emergency plan only when it is valid.
In one example, if the configuration information is encrypted data, it is decrypted to obtain the emergency plan it contains.
Step 306: after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, the security gateway writes the execution result to the chain.
In one example, the execution result may be encrypted and the encrypted execution result written to the chain.
Identity authentication between the nodes of the security association group is realized by the identity authentication mechanism of the consortium chain. How identity authentication is performed through a consortium chain is prior art and is not described in detail here.
In a specific example, the security gateway queries the chain and obtains the current configuration data recorded on it, determines whether its local actual configuration data is consistent with that on-chain configuration data and, when they are inconsistent, concludes that its configuration has been tampered with, generates alarm information and raises the alarm; it writes the tampered configuration information to the chain; and it obtains and executes the emergency plan corresponding to the alarm and writes the execution result to the chain.
According to the technical solution provided by this embodiment, the security gateway realizes cooperative protection among gateway devices on the basis of the consortium chain and the security association group, and the security protection capability is improved. In addition, because the consortium chain is tamper-resistant, information security is better protected.
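As an added illustration (not code from the patent or from the applicants), the following Python model walks through the procedures of Figs. 1 to 3 on a constructed security association group: a management and control center records a configuration instruction on a consortium chain, the gateway validates and applies it and records the configuration result, the gateway's self-check compares its local configuration with the on-chain result and raises an alarm on tampering, and the center answers with an emergency plan that the gateway executes and records. The chain itself, the per-node HMAC keys standing in for the chain's identity authentication, the IP addresses and the field names are all assumptions.

```python
import hashlib
import hmac
import json
from collections import namedtuple
# kind: config_instruction | config_result | alarm | emergency_plan | plan_result; author: node id (an IP here)
Record = namedtuple("Record", "kind author payload tag")

def auth_tag(key, kind, author, payload):
    # HMAC over the canonical record; stands in for the consortium chain's identity scheme (assumption)
    msg = json.dumps([kind, author, payload], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def config_hash(config):
    # digest of a gateway configuration, used to compare local state with the on-chain result
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

class ConsortiumChain:
    # append-only ledger shared by a control center and its gateways (one security association group)
    def __init__(self, node_keys):
        self.node_keys, self.ledger = node_keys, []  # node id -> that node's secret key (constructed)

    def authenticate(self, rec):
        # what each other node checks: does rec really come from the node it names as author?
        key = self.node_keys.get(rec.author)
        return key is not None and hmac.compare_digest(auth_tag(key, *rec[:3]), rec.tag)

    def submit(self, rec):
        # a record is written only after every other node in the group has authenticated its author
        others = [n for n in self.node_keys if n != rec.author]
        ok = bool(others) and all(self.authenticate(rec) for _ in others)
        if ok:
            self.ledger.append(rec)
        return ok

    def post(self, author, kind, payload):
        return self.submit(Record(kind, author, payload, auth_tag(self.node_keys[author], kind, author, payload)))

    def latest(self, kind, target_ip):
        hits = [r for r in self.ledger if r.kind == kind and r.payload.get("target_gateway_ip") == target_ip]
        return hits[-1] if hits else None

class ControlCenter:
    def __init__(self, ip, chain):
        self.ip, self.chain = ip, chain

    def issue_config(self, target_ip, admin_id, content, now):
        # key configuration behavior: produce a configuration instruction and record it on the chain
        return self.chain.post(self.ip, "config_instruction", {
            "target_gateway_ip": target_ip, "admin_id": admin_id, "center_ip": self.ip,
            "timestamp": now, "config_content": content})

    def handle_alarm(self, admin_id, now):
        # answer the newest gateway alarm with a plan restoring the configuration last recorded on the chain
        alarms = [r for r in self.chain.ledger if r.kind == "alarm"]
        if not alarms:
            return False
        target = alarms[-1].payload["target_gateway_ip"]
        issued = self.chain.latest("config_instruction", target).payload["config_content"]
        return self.chain.post(self.ip, "emergency_plan", {
            "target_gateway_ip": target, "admin_id": admin_id, "center_ip": self.ip, "timestamp": now,
            "alarm_config_content": {"alarm": alarms[-1].payload["alarm"], "restore_config": issued}})

class SecurityGateway:
    def __init__(self, ip, chain, center_ip, admins, max_age=300):
        self.ip, self.chain, self.center_ip = ip, chain, center_ip
        self.admins, self.max_age, self.config = set(admins), max_age, {}  # config: local state, e.g. firewall rules

    def is_valid(self, rec, now):
        # validity check before acting: right target, known center, authorized admin, fresh timestamp
        p = rec.payload
        return (p.get("target_gateway_ip") == self.ip and p.get("center_ip") == self.center_ip
                and p.get("admin_id") in self.admins and 0 <= now - p.get("timestamp", 0) <= self.max_age)

    def _report(self, kind, now):
        return self.chain.post(self.ip, kind, {"target_gateway_ip": self.ip, "timestamp": now,
                                               "config_hash": config_hash(self.config)})

    def apply_config(self, now):
        # steps 201-203: fetch the instruction, validate it, configure, record the configuration result
        rec = self.chain.latest("config_instruction", self.ip)
        if rec is None or not self.is_valid(rec, now):
            return False
        self.config.update(rec.payload["config_content"])
        return self._report("config_result", now)

    def self_check(self, now):
        # steps 301-303: compare local configuration with the on-chain result; alarm on mismatch
        rec = self.chain.latest("config_result", self.ip)
        if rec is None or rec.payload["config_hash"] == config_hash(self.config):
            return None
        alarm = {"target_gateway_ip": self.ip, "timestamp": now, "alarm": "config_tampered"}
        self.chain.post(self.ip, "alarm", alarm)
        return alarm

    def execute_plan(self, now):
        # steps 304-306: fetch and validate the emergency plan, execute it, record the execution result
        rec = self.chain.latest("emergency_plan", self.ip)
        if rec is None or not self.is_valid(rec, now):
            return False
        self.config = dict(rec.payload["alarm_config_content"]["restore_config"])
        return self._report("plan_result", now)
```

Timestamps are passed in explicitly so a run is deterministic; an instruction from an unauthorized administrator, a stale instruction, or a record whose tag does not verify is rejected before anything is applied or written.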
Fig. 4 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a security gateway, where the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, and the consortium chain is constructed by all security gateways and management and control centers in a security protection network.
As shown in Fig. 4, the method includes:
Step 401: the security gateway obtains configuration information from the consortium chain; the configuration information is a configuration instruction issued by the management and control center for the firewall of the security gateway;
In one example, if the configuration information is encrypted data, it must first be decrypted.
In one example, the configuration instruction includes one or more of the following:
target gateway Internet Protocol (IP) address, administrator identification (ID), management and control center IP address, timestamp, and configuration content.
Step 402: the security gateway configures the firewall according to the configuration instruction to obtain a configuration result;
In one example, the validity of the configuration instruction is checked first, and the firewall is configured according to the instruction only when it is valid.
Step 403: after all other nodes in the security association group have authenticated the identity of the security gateway through the consortium chain, the security gateway writes the configuration result to the chain.
In one example, the configuration result may be encrypted first and the encrypted configuration result written to the chain.
Identity authentication between the nodes of the security association group is realized by the identity authentication mechanism of the consortium chain. How identity authentication is performed through a consortium chain is prior art and is not described in detail here.
In a specific example, the security gateway queries the chain and obtains a modification instruction recorded on it, where the modification instruction modifies the configuration of the firewall; it decrypts the instruction and checks its validity; and, when the instruction is valid, it modifies the configuration of the firewall module.
According to the technical solution provided by this embodiment, the security gateway realizes cooperative protection among gateway devices on the basis of the consortium chain and the security association group, and the security protection capability is improved. In addition, because the consortium chain is tamper-resistant, information security is better protected.
Fig. 5 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a security gateway; the security gateway forms a security association group, through a consortium chain, with the management and control center it belongs to and with the other security gateways subordinate to that center, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 5, the method includes:
Step 501: the security gateway obtains a network data packet from the consortium chain, where the network data packet is information generated by the management and control center performing a network data behavior directed at the security gateway; a network data behavior is a behavior that generates information, and the generated information is a network data packet.
Network data behavior refers to the form in which data is transmitted in an ordinary computer network, for example transmission in the form of the "data packets" specified by the TCP/IP protocol suite. The data to be transmitted in a network data behavior is sent in the form of network data packets.
In one example, the network data packet includes one or more of the following fields: log timestamp, log time, host name, process name, MAC code, source IP address, destination IP address, packet length, service type, priority, lifetime, label, and transport layer protocol type. Different network data packets correspond to different service types.
Step 502: the security gateway performs the corresponding operation according to the network data packet.
The operation recorded in the network data packet is carried out according to the various fields the packet carries.
In one example, if the network data packet is encrypted data, it is decrypted first.
In one example, the validity of the network data packet is checked first, and the corresponding operation is performed according to the packet only when it is valid.
According to the technical solution provided by this embodiment of the invention, the security gateway obtains the network data packet based on the consortium chain, and because the consortium chain is tamper-resistant, information security is better protected.
Fig. 6 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 6, the method includes:
Step 601: the management and control center performs a key configuration behavior directed at a security gateway to generate configuration information, where a key configuration behavior is a behavior that generates configuration information by performing a configuration.
Step 602: after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the configuration information is put on the chain.
In one example, the method further includes:
when another node in the cooperative protection group has data to put on the chain, the management and control center authenticates the identity of that node through the consortium chain.
In one example, after the configuration information has been put on the chain, the method further includes:
obtaining from the consortium chain the operation result produced by the security gateway operating according to the configuration information; and
performing the corresponding operation according to the operation result.
In one example, the key configuration behavior is the generation of a configuration instruction for configuring the security gateway, the configuration information is that configuration instruction, and the operation result is the configuration result of the security gateway configuring itself according to the instruction;
performing the corresponding operation according to the operation result then includes:
determining, according to the configuration result, whether the configuration instruction was applied successfully.
In one example, the key configuration behavior is the analysis of an alarm raised by the security gateway to generate a corresponding emergency plan; the configuration information is the emergency plan corresponding to the alarm; and the operation result is the execution result of the security gateway executing the emergency plan;
performing the corresponding operation according to the operation result then includes:
determining, according to the execution result, whether the emergency plan was executed successfully; and
clearing the alarm when execution was successful.
In one example, before the management and control center performs the key configuration behavior directed at the security gateway to generate the configuration information, the method further includes:
obtaining the alarm of the security gateway from the consortium chain.
In one example, the configuration information includes one or more of the following fields:
the target gateway IP address, the administrator ID, the management and control center IP address, a timestamp, the configuration content, and the alarm configuration content.
In one example, the method further includes: the management and control center performs a network data behavior directed at the security gateway to generate a network data packet, where a network data behavior is a behavior that generates information and the generated information is a network data packet; and
after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the network data packet is put on the chain.
In one example, the network data packet includes one or more of the following fields: log timestamp, log time, host name, process name, MAC code, source IP address, destination IP address, packet length, service type, priority, lifetime, label, and transport layer protocol type.
In one example, the method further includes:
the management and control center receives a tracing query request, where the request carries the information to be traced;
the information to be traced is queried in the local data and/or the on-chain data; and
the tracing result of the information to be traced is determined according to the query result.
In one example, the information to be traced includes configuration information to be traced;
the management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the configuration information issued by each management and control center to each security gateway in its security association group together with the corresponding operation result;
or the information to be traced includes a network data packet to be traced;
and the management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the network data packets issued by each management and control center to each security gateway in its security association group.
According to the technical solution provided by this embodiment of the invention, the management and control center achieves cooperative protection among the devices based on the consortium chain and the cooperative protection group, which improves the security protection capability.
Fig. 7 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 7, the method includes:
Step 701: the management and control center performs a key configuration behavior directed at a security gateway to generate configuration information, where a key configuration behavior is a behavior that generates configuration information by performing a configuration.
The configuration information may be any configuration the management and control center applies to the security gateway, for example a configuration instruction for the firewall of the security gateway, or an initialization configuration instruction for the security gateway.
Step 702: after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the configuration information is put on the chain.
In one example, the configuration information is encrypted before it is put on the chain.
In one example, which data must be put on the chain and which need not be can be configured in advance at the management and control center, and data that need not go on the chain is stored locally.
Step 703: the operation result produced by the security gateway operating according to the configuration information is obtained from the consortium chain.
In one example, when the configuration information is a configuration instruction for the firewall of the security gateway, the operation result is the configuration result for the firewall; when the configuration information is an initialization configuration instruction for the security gateway, the operation result is the initialization configuration result.
Step 704: the corresponding operation is performed according to the operation result.
In one example, if the operation result is encrypted data, it is decrypted first.
In one example, the validity of the operation result is checked first, and the corresponding operation is performed according to the operation result only when it is valid.
According to the technical solution provided by this embodiment of the invention, the management and control center achieves cooperative protection among the devices based on the consortium chain and the cooperative protection group, which improves the security protection capability.
Fig. 8 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 8, the method includes:
Step 801: the management and control center performs a key configuration behavior directed at a security gateway to generate configuration information, where the configuration information is a configuration instruction for the security gateway.
In this example, the key configuration behavior is the generation of a configuration instruction for configuring the security gateway.
The configuration instruction may be any configuration instruction the management and control center issues to the security gateway, for example a configuration instruction for the firewall of the security gateway, or an initialization configuration instruction for the security gateway.
In one example, the configuration instruction includes one or more of the following fields:
the target gateway IP address, the administrator ID, the management and control center IP address, a timestamp, and the configuration content.
Step 802: after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the configuration instruction is put on the chain.
In one example, the configuration instruction is encrypted before it is put on the chain.
Step 803: the configuration result produced by the security gateway according to the configuration instruction is obtained from the consortium chain.
Step 804: the configuration instruction is compared with the configuration result to determine whether the configuration instruction was applied successfully.
In one example, if the configuration result is encrypted data, it is decrypted first.
In one example, the validity of the configuration result is checked first, and the configuration instruction is compared with the configuration result only when the result is valid.
In a specific example, the method includes: the management and control center generates a modification instruction for the security gateway, encrypts it, and puts it on the chain; the security gateway obtains the data from the chain, modifies the gateway configuration, encrypts the modification result, and puts it on the chain; and the management and control center queries the chain, obtains the modification result, and determines by its own check whether the modification of the security gateway succeeded.
According to the technical solution provided by this embodiment of the invention, the management and control center achieves cooperative protection among the devices based on the consortium chain and the cooperative protection group, which improves the security protection capability.
Fig. 9 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 9, the method includes:
Step 901: the management and control center obtains the alarm of the security gateway from the consortium chain.
Step 902: the management and control center performs a key configuration behavior directed at the security gateway to generate configuration information, where the configuration information is an emergency plan corresponding to the alarm.
In this example, the key configuration behavior is the analysis of the alarm raised by the security gateway to generate the corresponding emergency plan.
In one example, if the alarm is encrypted data, it is decrypted first.
In one example, the validity of the alarm is checked first, and the alarm is analyzed to generate the corresponding emergency plan only when it is valid.
Step 903: after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the emergency plan is put on the chain.
In one example, the emergency plan is encrypted before it is put on the chain.
Step 904: the execution result produced by the security gateway executing the emergency plan is obtained from the consortium chain.
Step 905: whether the emergency plan was executed successfully is determined according to the execution result.
In one example, if the execution result is encrypted data, it is decrypted first.
In one example, the validity of the execution result is checked first, and whether the emergency plan was executed successfully is determined only when the result is valid.
Step 906: the alarm is cleared when execution was successful.
In a specific example, the method includes: the management and control center obtains the alarm information of the security gateway from the consortium chain, records it in the database, analyzes it, generates an emergency plan, and puts the emergency plan on the chain; the security gateway obtains the emergency plan from the chain, executes it, and puts the execution result on the chain; and the management and control center checks whether the hazard has been eliminated, that is, it queries the chain, obtains the execution result of the emergency plan, determines whether the plan was executed successfully, and clears the alarm when execution was successful.
According to the technical solution provided by this embodiment of the invention, the management and control center achieves cooperative protection among the devices based on the consortium chain and the cooperative protection group, which improves the security protection capability.
Fig. 10 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 10, the method includes:
Step 1001: the management and control center performs a network data behavior directed at a security gateway to generate a network data packet, where a network data behavior is a behavior that generates information, and the generated information is a network data packet.
In one example, the network data packet includes one or more of the following fields: log timestamp, log time, host name, process name, MAC code, source IP address, destination IP address, packet length, service type, priority, lifetime, label, and transport layer protocol type.
Step 1002: after all other nodes in the cooperative protection group have authenticated the identity of the management and control center through the consortium chain, the network data packet is put on the chain.
In one example, the network data packet is encrypted before it is put on the chain.
According to the technical solution provided by this embodiment of the invention, the management and control center puts the network data packet on the consortium chain, and because the consortium chain is tamper-resistant, information security is better protected.
Fig. 11 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 11, the method includes:
Step 1101: the management and control center receives a tracing query request, where the request carries the information to be traced.
Step 1102: the information to be traced is queried in the local data and/or the on-chain data.
Step 1103: the tracing result of the information to be traced is determined according to the query result.
In one example, the information to be traced includes configuration information to be traced;
and the management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the configuration information issued by each management and control center to each security gateway in its security association group together with the corresponding operation result.
In another example, the information to be traced includes a network data packet to be traced;
and the management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the network data packets issued by each management and control center to each security gateway in its security association group.
According to the technical solution provided by this embodiment of the invention, past information can be traced, which facilitates management by the administrator.
Fig. 12 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 12, the method includes:
Step 1201: the management and control center receives a first tracing query request, where the request carries the configuration information to be traced.
Step 1202: the configuration information to be traced is queried separately in the local data and in the on-chain data.
Step 1203: the local query result is compared with the on-chain query result, and the tracing result of the configuration information to be traced is determined according to the comparison result.
The comparison result indicates whether the local query result is the same as or different from the on-chain query result. The comparison result can be used directly as the tracing result.
The management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the configuration information issued by each management and control center to each security gateway in its security association group together with the corresponding operation result.
In a specific example, a method is provided for the management and control center to trace the policy behavior of a security gateway. Because of the properties of the blockchain itself, every configuration policy (that is, every item of configuration information) of the security gateway has a record on the chain that cannot be falsified, and the management and control center can trace the configuration policies of the security gateways in the same group. In this example, a policy behavior tracing mechanism by which the management and control center traces the configuration and modification of a security gateway includes: entering a query condition; querying the data in the local database and the data on the chain at the same time; comparing the two sets of data; and returning a tracing result.
In this example, the management and control center, as the software tool that performs configuration management of security gateway policy in the security protection system, may include eleven modules: a user management module, a tracing module, a network management module, a gateway configuration module, a data encryption and decryption module, a heartbeat monitoring module, an alarm handling module, a threat and risk analysis module, a recording and query module, a database module, and a blockchain module.
As shown in Fig. 13, the method includes:
Step 1301: the management and control center receives the query condition entered by an operator and generates a tracing request.
In this example, the operator enters the configuration information to be traced, and the generated tracing request carries that configuration information.
Step 1302: the management and control center queries the data in the local database and the data on the chain at the same time.
In this example, the recording and query module of the management and control center queries the data in the local database and the data on the chain simultaneously according to the query condition.
Step 1303: the two sets of data obtained by querying the local database and the chain are compared.
In this example, the tracing module compares the two sets of data.
Step 1304: the management and control center returns a tracing result according to the comparison result.
In this example, the tracing result for the configuration information to be traced is returned. For example, the management and control center may further include a display module, and the tracing result may be shown by the display module.
The management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the configuration information issued by each management and control center to each security gateway in its security association group together with the corresponding operation result.
In another example, the management and control center may query only the local data or only the on-chain data, for example through the recording and query module, according to the query condition. The on-chain data is decrypted before the configuration data is returned, and the tracing module returns the tracing result to the operator.
According to the technical solution provided by this embodiment of the invention, past configuration information can be traced, which makes it convenient for the administrator to analyze it.
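The configuration flow of Fig. 8 (steps 801 to 804, with the gateway side of steps 401 to 403) and the local-versus-on-chain tracing comparison of Fig. 12 and Fig. 13, modelled as an added example that is not part of the patent. The consortium chain is a toy append-only ledger in which every other node of the group must endorse a writer, encryption is stood in for by a keyed integrity tag, and all node names, addresses, keys and instruction fields are constructed placeholders; the validity criteria the gateway applies (addressed to itself, known center, authorised administrator, fresh timestamp) are an assumed reading of the validity check in step 402.

```python
import hashlib
import hmac
import json

GROUP_KEY = b"constructed-group-key"  # stands in for the group's encryption/decryption module
MAX_AGE = 300                         # seconds an instruction stays fresh (constructed policy)

def seal(record):
    """Keyed integrity tag over a record; stands in for the encryption step on the real chain."""
    return hmac.new(GROUP_KEY, json.dumps(record, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ConsortiumChain:
    """Append-only, hash-linked ledger shared by every center and gateway in the network."""
    def __init__(self, nodes):
        self.nodes, self.blocks = set(nodes), []

    def append(self, author, record, endorsed_by):
        # Every other node must have authenticated the author before the record goes on the chain.
        missing = self.nodes - {author} - set(endorsed_by)
        if missing:
            raise PermissionError(f"{author}: not endorsed by {sorted(missing)}")
        block = {"author": author, "record": record, "tag": seal(record),
                 "prev": self.blocks[-1]["hash"] if self.blocks else "0" * 64}
        block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
        self.blocks.append(block)

    def lookup(self, **match):
        """Query the chain for records with the given field values whose tag still verifies."""
        return [b["record"] for b in self.blocks
                if all(b["record"].get(k) == v for k, v in match.items())
                and hmac.compare_digest(b["tag"], seal(b["record"]))]

class SecurityGateway:
    def __init__(self, name, ip, chain, center_ips, admin_ids):
        self.name, self.ip, self.chain = name, ip, chain
        self.center_ips, self.admin_ids, self.firewall = set(center_ips), set(admin_ids), []

    def check_instruction(self, instr, now):
        """Validity check before the firewall is touched (step 402); an empty list means valid."""
        checks = [(instr.get("target_ip") != self.ip, "not addressed to this gateway"),
                  (instr.get("center_ip") not in self.center_ips, "unknown management and control center"),
                  (instr.get("admin_id") not in self.admin_ids, "administrator not authorised"),
                  (not 0 <= now - instr.get("timestamp", 0) <= MAX_AGE, "timestamp stale or in the future")]
        return [reason for failed, reason in checks if failed]

    def configure_from_chain(self, instr_id, now, endorsed_by):
        """Steps 401-403: fetch the instruction, validate it, configure, put the result on the chain."""
        found = self.chain.lookup(kind="instruction", id=instr_id, target_ip=self.ip)
        if not found:
            return None  # nothing on the chain addressed to this gateway under that id
        instr, problems = found[0], self.check_instruction(found[0], now)
        if not problems:
            self.firewall = list(instr["content"])  # replace the rule set with the configured content
        result = {"kind": "result", "instruction_id": instr_id, "gateway_ip": self.ip,
                  "status": "configured" if not problems else "rejected",
                  "problems": problems, "rules": list(self.firewall)}
        self.chain.append(self.name, result, endorsed_by)
        return result

class ControlCenter:
    def __init__(self, name, ip, chain):
        self.name, self.ip, self.chain = name, ip, chain
        self.local_db = {}  # local database: a copy of every instruction the center put on the chain

    def issue_instruction(self, instr_id, admin_id, target_ip, content, now, endorsed_by):
        """Steps 801-802: generate a firewall configuration instruction and put it on the chain."""
        instr = {"kind": "instruction", "id": instr_id, "target_ip": target_ip, "admin_id": admin_id,
                 "center_ip": self.ip, "timestamp": now, "content": list(content)}
        self.chain.append(self.name, instr, endorsed_by)
        self.local_db[instr_id] = json.loads(json.dumps(instr))  # independent local copy
        return instr

    def check_result(self, instr_id):
        """Steps 803-804: compare the configuration result taken from the chain with the instruction."""
        instr, results = self.local_db.get(instr_id), self.chain.lookup(kind="result", instruction_id=instr_id)
        if instr is None or not results:
            return "pending"
        ok = results[-1]["status"] == "configured" and results[-1]["rules"] == instr["content"]
        return "success" if ok else "failed"

    def trace(self, instr_id):
        """Steps 1201-1203: query local and on-chain data and compare the two copies."""
        local, on_chain = self.local_db.get(instr_id), self.chain.lookup(kind="instruction", id=instr_id)
        if local is None or not on_chain:
            return "not found"
        return "consistent" if local == on_chain[0] else "mismatch"

def demo(tamper_local=False):
    # One center and two gateways in one group; returns (configuration verdict, tracing result).
    chain = ConsortiumChain(["center-A", "gw-1", "gw-2"])
    center = ControlCenter("center-A", "10.0.0.1", chain)
    gw1 = SecurityGateway("gw-1", "10.0.1.10", chain, ["10.0.0.1"], ["admin-7"])
    now = 1_700_000_000  # constructed clock value
    center.issue_instruction("cfg-1", "admin-7", "10.0.1.10", ["deny tcp any any 23"], now, ["gw-1", "gw-2"])
    gw1.configure_from_chain("cfg-1", now + 5, ["center-A", "gw-2"])
    verdict = center.check_result("cfg-1")
    if tamper_local:
        center.local_db["cfg-1"]["content"] = []  # constructed tampering with the local database
    return verdict, center.trace("cfg-1")
```

A record altered on the chain itself fails the tag check and is no longer returned by `lookup`, so the tracing result becomes "not found" rather than a silent match.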
Fig. 14 is a flowchart of a security management and control method according to an embodiment of the present invention. The method is applied to a management and control center; the management and control center forms a cooperative protection group with the other management and control centers through a consortium chain, where the consortium chain is jointly constructed by all security gateways and management and control centers in the security protection network.
As shown in Fig. 14, the method includes:
Step 1401: the management and control center receives a second tracing query request, where the request carries the network data packet to be traced.
Step 1402: the network data packet to be traced is queried in the on-chain data.
Step 1403: the network data packet found by the query is used as the tracing result.
The management and control center and its subordinate security gateways form a security association group through the consortium chain, and all nodes in the security association group and in the cooperative protection group store, locally and in a distributed manner through the consortium chain, the network data packets issued by each management and control center to each security gateway in its security association group.
In another specific example, a mechanism is further provided by which the management and control center traces a network data packet, including: entering a query condition; querying the data on the chain; and returning a tracing result. In this example, the management and control center, as the software tool that performs configuration management of security gateway policy in the security protection system, may include eleven modules: a user management module, a tracing module, a network management module, a gateway configuration module, a data encryption and decryption module, a heartbeat monitoring module, an alarm handling module, a threat and risk analysis module, a recording and query module, a database module, and a blockchain module.
As shown in Fig. 15, the method includes:
Step 1501: the management and control center receives the query condition entered by an operator and generates a tracing request.
In this example, the operator enters the network data packet to be traced, and the generated tracing request carries that network data packet.
Step 1502: the management and control center queries the data on the chain according to the tracing request.
In this example, the recording and query module of the management and control center queries the data on the chain according to the query condition.
Step 1503: the network data packet found by the query is used as the tracing result.
In this example, the on-chain data is queried by the recording and query module according to the query condition; the on-chain data is decrypted and the network data packet data is returned, and the tracing module returns the tracing result to the operator.
Step 1504: the tracing result is returned.
In this example, the tracing result for the network data packet to be traced is returned. For example, the management and control center may further include a display module, and the tracing result may be shown by the display module.
In another example, the management and control center may query only the local data, or both the local and the on-chain data, and then use the query result as the tracing result.
According to the technical solution provided by this embodiment of the invention, past network data packets can be traced, which makes it convenient for the administrator to analyze them.
Fig. 16 is a flowchart illustrating a method for security management and control according to another embodiment of the present invention, where the method is applied to a security network, and the network includes: the system comprises a plurality of piping centers and a plurality of safety gateways, wherein each piping center belongs to one or more safety gateways; all security gateways and piping centers in the safety protection network jointly construct a alliance chain, each piping center and subordinate security gateways form a safety association group through the alliance chain, and all piping centers form a cooperative protection group through the alliance chain;
as shown in fig. 16, the method includes:
step 1601, the piping center executes a key configuration behavior for the security gateway to generate configuration information; the key configuration behavior is a behavior for generating configuration information by configuration; after all other nodes in the cooperative protection group perform identity authentication on the distribution center through the alliance chain, chaining the configuration information;
step 1602, the security gateway obtains the configuration information from the federation chain; operating according to the configuration information to obtain an operation result; after all other nodes in the security association group perform identity authentication on the security gateway through the alliance chain, chaining the operation result;
step 1603, the piping center obtains the operation result from the alliance chain, and executes corresponding operation according to the operation result.
For a detailed explanation of the key configuration behavior, the configuration information, various operations and operation results, etc., see the above embodiments, which are not described herein again.
In an example, a method for configuring and modifying a security gateway by a piping center is provided, where policy deployment and modification of the security gateway by the piping center depend on a block chain architecture, and collaborative management and control are realized through encryption, chaining, node signature endorsement, and information synchronization. After the gateway agent module of the security gateway extracts the configuration data from the blockchain, the goal of modifying the gateway configuration is achieved through the firewall module through operations such as data decryption, data assembly and the like.
In this example, the security gateway is deployed at a network boundary as a security protection system, and a network device combining software and hardware for performing security protection and isolation on an internal network may include four modules: a firewall module; a gateway proxy module; an encryption and decryption module; and a block chain module. The piping center as a software tool for configuration management of the policy of the security gateway in the security protection system may include eleven modules: the system comprises a user management module, a tracing module, a network management module, a gateway configuration module, a data encryption and decryption module, a heartbeat monitoring module, an alarm handling module, a threat and risk analysis module, a recording and query module, a database module and a block chain module.
As shown in fig. 17, the method includes:
Step 1701, the piping center generates a modification instruction, which is used to modify the firewall configuration of the security gateway;
In this example, an operator may input a modification item, and the piping center generates the modification instruction according to that item.
Step 1702, the piping center encrypts the modification instruction and puts it on the chain;
In this example, the modification instruction is encrypted and then put on the chain through the blockchain node inside the piping center. This operation may only be performed after the other security gateways in the same group have confirmed and signed for the identity of the security gateway. Once the modification instruction is on the chain, it is transmitted to all security gateway nodes in the same group by block broadcast, and the security gateway nodes synchronize their ledgers with the modification transaction.
Step 1703, the security gateway queries the chain and obtains the modification instruction from it;
In this example, the target security gateway acquires the on-chain data through its internal blockchain node and decrypts the data to obtain the modification instruction.
The gateway proxy of the security gateway may send a chain query request to the blockchain module; the target security gateway then extracts the data from the chain and obtains the modification instruction from that data.
Step 1704, the security gateway decrypts the on-chain modification instruction and judges whether it is legitimate;
In this example, the on-chain data may be decrypted by the encryption/decryption module of the target security gateway, and the legitimacy of the modification instruction may be judged by the gateway proxy.
Step 1705, when the modification instruction is legitimate, the security gateway modifies the firewall configuration according to the modification instruction;
When the instruction is illegitimate, no modification is made.
Step 1706, the security gateway encrypts the modification result and puts it on the chain;
In this example, the result of modifying the firewall configuration of the target security gateway may be encrypted by the encryption/decryption module and then put on the chain through the gateway proxy. This on-chain operation may likewise only be performed after the other nodes in the same group have signed. The block is then broadcast to the other security gateways and piping centers in the same group, and the ledgers are synchronized.
Step 1707, the piping center obtains the modification result and determines by self-check whether the modification of the security gateway's firewall configuration succeeded.
In this example, the piping center compares the modification instruction with the modification result as a self-check and determines whether the modification operation has been completed.
The technical solution of this example realizes multi-point cooperative protection based on blockchain technology and avoids potential risks in existing security protection systems. Multi-point collaborative deployment and collaborative protection of the network system's security policy configuration information are realized through blockchain technology; compared with a traditional single-point security protection system, the security of policy configuration and management is effectively guaranteed and the overall security protection capability of the network is improved.
In another example, a method for security gateway self-check alarming is provided. In this example, the security gateway has locally configured self-check logic: it checks whether its current firewall configuration is consistent with the on-chain data and, if the firewall configuration has been tampered with, sends an alarm. After receiving the alarm information from the security gateway, the piping center issues a corresponding emergency plan; once the execution result of the emergency plan is confirmed, the alarm is released, and if the emergency plan proves ineffective, manual intervention is carried out.
In this example, as in the previous one, the security gateway deployed at the network boundary may include the four modules described above (firewall, gateway proxy, encryption and decryption, and blockchain modules), and the piping center may include the eleven modules described above.
As shown in fig. 18, the method includes:
Step 1801, the security gateway discovers configuration tampering and generates an alarm;
In this example, the gateway proxy in the security gateway sends a configuration acquisition request to the firewall module and a chain query request to the blockchain module, and compares the current firewall configuration with the decrypted on-chain data. If the current configuration does not match the on-chain data, an alarm is sent to the piping center.
Step 1802, the security gateway puts the alarm on the chain;
In this example, the security gateway puts the alarm on the chain and performs block broadcast and ledger synchronization. This on-chain operation may likewise only be performed after the other nodes in the same group have signed.
Step 1803, the piping center obtains the alarm from the chain and records it in its database;
In this example, after obtaining the alarm, the piping center first records it through the recording and query module and stores it in the local database.
Step 1804, the piping center analyzes the alarm, generates an emergency plan, and puts the emergency plan on the chain;
In this example, the threat and risk analysis module in the piping center analyzes the alarm and notifies the alarm handling module of the result; the alarm handling module generates an emergency plan, which is encrypted, signed by the other nodes in the same group, and then stored on the chain.
Step 1805, the security gateway queries the chain, obtains the emergency plan, and executes it;
In this example, the attacked security gateway obtains the emergency plan, and its firewall module executes it.
Step 1806, the security gateway puts the execution result of the emergency plan on the chain;
In this example, the execution result of the emergency plan is stored on the chain, followed by block broadcast and ledger synchronization. This on-chain operation may likewise only be performed after the other nodes in the same group have signed.
Step 1807, the piping center obtains the execution result of the emergency plan from the chain and determines by self-check whether the alarm has been eliminated.
In this example, the piping center extracts the plan execution result from the blockchain and decrypts it. It compares the emergency plan with the execution result and, by this self-check, judges whether the alarm can be released or whether further manual intervention is needed.
The technical solution of this embodiment realizes multi-point cooperative protection based on blockchain technology and avoids potential risks in conventional security protection systems. Multi-point cooperative deployment and cooperative protection of the network system's policy configuration behaviors are realized through blockchain technology; compared with a traditional single-point security protection system, the security of policy configuration and management is effectively guaranteed and the overall security protection capability of the network is improved.
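The configuration-modification flow (steps 1701 to 1707) and the tamper self-check (steps 1801 to 1802) modelled together in one small Python simulation. This is an added illustration, not code from the patent or from Tsinghua University; it assumes an HMAC key per node as a stand-in for a signing key, a shared group key with a toy XOR stream cipher in place of the real encryption/decryption module, and an in-memory list in place of block broadcast and ledger synchronization; the instruction fields follow the list in claim 8.

```python
import hashlib
import hmac
import json
import time

GROUP_KEY = b"constructed-group-key"  # stand-in for the group's shared encryption key

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher (keystream = SHA-256(key || block counter)); illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Node:
    """Alliance-chain node (piping center or security gateway); `key` stands in for a signing key."""
    def __init__(self, name: str, ip: str, key: bytes):
        self.name, self.ip, self.key = name, ip, key

    def endorse(self, digest: str) -> str:
        return hmac.new(self.key, digest.encode(), "sha256").hexdigest()

class Ledger:
    """Distributed ledger of one security association group (block broadcast and sync collapse to a list)."""
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.entries = []

    @staticmethod
    def digest(entry: dict) -> str:
        return hashlib.sha256(f"{entry['author']}|{entry['kind']}|{entry['blob']}".encode()).hexdigest()

    def endorsed(self, entry: dict) -> bool:
        """True only if every node other than the author has validly signed the entry digest."""
        others = set(self.nodes) - {entry["author"]}
        return others == set(entry["sigs"]) and all(
            hmac.compare_digest(self.nodes[n].endorse(self.digest(entry)), entry["sigs"][n]) for n in others)

    def chain(self, author: Node, kind: str, payload: dict) -> dict:
        """Encrypt the payload, collect every other node's signature endorsement, then append the entry."""
        blob = xor_stream(json.dumps(payload, sort_keys=True).encode(), GROUP_KEY).hex()
        entry = {"author": author.name, "kind": kind, "blob": blob, "sigs": {}}
        entry["sigs"] = {n.name: n.endorse(self.digest(entry)) for n in self.nodes.values() if n is not author}
        if not self.endorsed(entry):
            raise PermissionError("entry lacks a valid endorsement from every other node in the group")
        self.entries.append(entry)
        return entry

    def latest(self, kind: str, **match):
        """Newest endorsed entry of `kind` whose decrypted payload matches every given field, else None."""
        for e in reversed(self.entries):
            if e["kind"] == kind and self.endorsed(e):
                payload = json.loads(xor_stream(bytes.fromhex(e["blob"]), GROUP_KEY))
                if all(payload.get(k) == v for k, v in match.items()):
                    return payload
        return None

class PipingCenter(Node):
    def issue(self, ledger: Ledger, target: Node, admin_id: str, content: dict) -> dict:
        """Steps 1701-1702: build the instruction (fields as listed in claim 8) and put it on the chain."""
        instr = {"target_ip": target.ip, "admin_id": admin_id, "center_ip": self.ip,
                 "timestamp": int(time.time()), "content": content}
        ledger.chain(self, "instruction", instr)
        return instr

    def check_result(self, ledger: Ledger, instr: dict) -> bool:
        """Step 1707: self-check by comparing the chained result against the instruction that was issued."""
        result = ledger.latest("result", target_ip=instr["target_ip"], instr_ts=instr["timestamp"])
        return result is not None and result["applied"] == instr["content"]

class SecurityGateway(Node):
    ADMINS = {"admin-01"}  # constructed allowlist of administrator IDs the gateway proxy accepts
    MAX_AGE = 300          # seconds an instruction remains valid after its timestamp

    def __init__(self, name: str, ip: str, key: bytes):
        super().__init__(name, ip, key)
        self.firewall = {}  # live firewall configuration (constructed)

    def apply_pending(self, ledger: Ledger) -> bool:
        """Steps 1703-1706: fetch and decrypt the instruction, judge its legitimacy, apply it, chain the result."""
        instr = ledger.latest("instruction", target_ip=self.ip)
        legit = (instr is not None and instr["admin_id"] in self.ADMINS
                 and 0 <= time.time() - instr["timestamp"] < self.MAX_AGE)
        if not legit:
            return False  # step 1705: no instruction, or an illegitimate one; configuration left untouched
        self.firewall = dict(instr["content"])
        ledger.chain(self, "result", {"target_ip": self.ip, "instr_ts": instr["timestamp"], "applied": self.firewall})
        return True

    def self_check(self, ledger: Ledger):
        """Steps 1801-1802: compare the live configuration with the on-chain result; chain an alarm on mismatch."""
        expected = ledger.latest("result", target_ip=self.ip)
        if expected is None or expected["applied"] == self.firewall:
            return None
        alarm = {"target_ip": self.ip, "expected": expected["applied"], "actual": dict(self.firewall)}
        ledger.chain(self, "alarm", alarm)
        return alarm
```

Because `latest` re-verifies the endorsements on every read, an entry whose signatures are altered after the fact is simply ignored by the gateway and the piping center alike.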
Fig. 19 is a flowchart of a security management and control method according to another embodiment of the present invention. The method is applied to a security protection network that includes a plurality of piping centers and a plurality of security gateways, where one or more security gateways are subordinate to each piping center. All security gateways and piping centers in the security protection network jointly construct an alliance chain; each piping center and its subordinate security gateways form a security association group through the alliance chain, and all piping centers form a cooperative protection group through the alliance chain.
as shown in fig. 19, the method includes:
Step 1901, the piping center executes a network data behavior for the security gateway to generate a network data packet; the network data behavior is a behavior that generates information, and the generated information is the network data packet;
Step 1902, after all other nodes in the cooperative protection group have authenticated the piping center's identity through the alliance chain, the piping center puts the network data packet on the chain;
Step 1903, the security gateway obtains the network data packet from the alliance chain and executes the corresponding operation according to the network data packet.
The network data behavior, the network data packet and the various operations are explained in detail in the embodiments above and are not repeated here.
In the technical solution of this embodiment, the piping center and the security gateway transmit the network data packet over the alliance chain, and the tamper-proof property of the alliance chain better protects the security of the information.
In another example of the present invention, a method for implementing a heartbeat mechanism is also provided. The heartbeat mechanism monitors the operating state of a security gateway in real time through data packets. As shown in fig. 20, the method includes:
Step 2001, the security gateway sends heartbeat data packets at regular intervals;
In this example, the security gateway regularly assembles information such as the current device state into a heartbeat data packet and sends it to the piping center.
Step 2002, the piping center stores the received heartbeat data packet;
In this example, the piping center receives the heartbeat data packet and stores it in its local database.
Step 2003, the piping center analyzes the heartbeat data packet.
In this example, the piping center retrieves the heartbeat data packet from the database and analyzes it, storing the analysis result in the local database. If the analysis result reveals a problem, subsequent intervention is performed.
In another example, the piping center may also actively send a request to the security gateway to obtain heartbeat data packets. For example, if the piping center does not receive the heartbeat data packet expected from a security gateway, it actively sends a request to that security gateway to obtain information such as its current state.
According to this embodiment of the invention, the piping center can conveniently analyze the security gateway through the heartbeat data packets.
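The piping-center side of the heartbeat mechanism (steps 2001 to 2003, including the active-request fallback) as an added Python illustration, not code from the patent or from Tsinghua University. The heartbeat packet layout, the staleness threshold of two missed intervals, the `request_state` transport callback and the use of a firewall-configuration hash as the analyzed state are assumptions made here.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Heartbeat:
    """Heartbeat data packet a security gateway sends to its piping center (constructed layout)."""
    gateway_ip: str
    sent_at: float   # seconds, gateway clock
    state: dict      # current device state, e.g. cpu load and a hash of the live firewall configuration

class HeartbeatMonitor:
    """Piping-center side of the heartbeat mechanism (steps 2001-2003); dicts stand in for the local database."""
    def __init__(self, gateways, request_state: Callable[[str], Optional[Heartbeat]],
                 interval: float = 30.0, missed_limit: int = 2):
        self.request_state = request_state          # active request to a gateway (assumed transport)
        self.interval, self.missed_limit = interval, missed_limit
        self.last = {ip: None for ip in gateways}   # newest heartbeat per gateway
        self.packets = []                           # stored heartbeat packets (step 2002)
        self.analysis_log = []                      # stored analysis results (step 2003)

    def store(self, hb: Heartbeat) -> None:
        """Step 2002: store a received heartbeat data packet."""
        self.packets.append(hb)
        self.last[hb.gateway_ip] = hb

    def analyze(self, now: float, expected_config_hash: dict) -> dict:
        """Step 2003: analyze the newest heartbeat of every gateway; returns {gateway_ip: finding}."""
        findings = {}
        for ip in self.last:
            hb = self.last[ip]
            if hb is None or now - hb.sent_at > self.interval * self.missed_limit:
                # No heartbeat within the allowed window: actively request the current state instead.
                hb = self.request_state(ip)
                if hb is None:
                    findings[ip] = "unreachable"
                    continue
                self.store(hb)
            if hb.state.get("config_hash") != expected_config_hash.get(ip):
                findings[ip] = "config-mismatch"  # live firewall configuration differs from the expected one
            elif hb.state.get("cpu", 0.0) > 0.9:
                findings[ip] = "overloaded"
        self.analysis_log.append((now, dict(findings)))
        return findings
```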
An embodiment of the present invention further provides a security protection network, which may include a plurality of piping centers and a plurality of security gateways, and may further include an audit center. As shown in fig. 21, the security protection system includes 1 audit center, 3 piping centers and 10 security gateways; the 3 piping centers and the 10 security gateways construct an alliance chain.
The functions of the piping center include configuring and managing the security gateways in the network. For example, the piping center may modify a target security gateway by creating, editing, and issuing configuration information.
In an example, the piping center may further group security gateways by service and add security gateways to or remove them from a group. The security gateways in the same group form a security association through the blockchain and maintain one distributed ledger storing policy information. The network may also have multiple piping centers that configure and manage the security gateways; these construct and maintain the same distributed ledger through the blockchain, share the key operation information of security gateway configuration, and likewise form a multi-point cooperative protection group. For example, security gateways and piping centers may be grouped in advance by traffic type, with one or more security gateways subordinate to each piping center, and the piping center configures and manages its subordinate security gateways. The same security gateway may be subordinate to multiple piping centers at the same time. As shown in fig. 21, piping center A has 3 subordinate security gateways, piping center B has 3, piping center C has 5, and the security gateways subordinate to piping centers A and B overlap.
The configuration information for the security gateway configuration is shared among these piping centers, which also form a multi-point cooperative protection group.
In an example, all piping centers in the security protection network form a cooperative protection group through the alliance chain, and the cooperative protection group maintains a distributed ledger through the alliance chain. This distributed ledger stores the configuration information of each piping center in the cooperative protection group, for example a configuration instruction for a gateway or an emergency plan generated by analyzing an alarm sent by a gateway. In an example, the plurality of piping centers form the cooperative protection group through the underlying blockchain network, and the configuration information of each piping center is synchronized to every node of the cooperative protection group through the blockchain, thereby forming cooperative protection among the piping centers.
Each piping center and its subordinate security gateways form a security association group through the alliance chain, and each security association group maintains a distributed ledger through the alliance chain. This distributed ledger stores the policy information issued by the piping center to each security gateway in the security association group; the policy information may be any kind of configuration information from the piping center to a security gateway, such as a configuration instruction for the gateway firewall and the corresponding configuration result. For example, as shown in fig. 22, piping center A and its subordinate security gateways #A-1, #A-2 and #A-3 form security association group A (group A); piping center B and its subordinate security gateways #B-1, #B-2 and #B-3 form security association group B (group B); and piping center C and its subordinate security gateways #C-1, #C-2, #C-3 and #C-4 form security association group C (group C).
Each security gateway incorporates the relevant blockchain mechanisms, adding distributed storage, identity authentication, key-based encryption, a consensus mechanism and tamper resistance to the basic functions of the gateway, and thereby turns traditional single-point protection into multi-point cooperative protection. The gateways in a group and their piping center form an underlying blockchain network and thus a multi-point cooperative protection mechanism, and the policy configuration information of the security gateways is stored in a distributed manner. Every on-chain operation by a gateway node must be fully signed by the other nodes before it is accepted, and once a block is formed, all nodes synchronize the operation and its contents promptly. For example, as shown in fig. 23, piping center A and security gateways #A-1, #A-2 and #A-3 form group A through the blockchain, a multi-point cooperative protection mechanism is formed, the policy configuration information of the security gateways is stored in a distributed manner, and an on-chain operation by any one of security gateways #A-1, #A-2 and #A-3 must be fully signed by the other nodes before it is accepted.
The audit center can acquire and analyze the data of the whole network and can produce a security situation report; it realizes the functions of operation auditing and data analysis among the piping centers, which have equal authority. For example, as shown in fig. 24, the audit center may obtain data from piping centers A, B and C for operation auditing and analysis. The audit center has read-only authority over all data of the whole network in the system and is an important component for data collection, data auditing and generation of the whole-network security situation. In one example, the audit center, as a software tool for auditing and analyzing whole-network data in the security protection system, comprises eight modules: a security situation generation and display module; an on-chain data audit module; a network threat analysis module; a database module; an encryption and decryption module; an on-chain data collection module; a threat data collection module; and a blockchain module.
The audit center and the piping center may be deployed on a PC; the security gateway may use dedicated prototype equipment, or a virtual security gateway node may be constructed on a server.
The embodiment of the invention adopts an alliance chain architecture, constructs security gateways bound into security associations, uses a plurality of piping centers to cooperatively manage groups of security gateways, and has an audit center centrally and uniformly analyze the configured resource data. Cooperative protection is realized through the tamper-proof, consensus and decentralized characteristics of the blockchain distributed ledger, and the security protection capability is improved.
In another embodiment of the present invention, an electronic apparatus is also provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements any one of the security management and control methods executed by the security gateway or any one of the security management and control methods executed by the piping center described above.
In another embodiment of the present invention, a computer-readable storage medium is also provided, on which an information processing program is stored which, when executed by a processor, implements any one of the security management and control methods executed by the security gateway or any one of those executed by the piping center described above.
Those of ordinary skill in the art will understand that all or some of the steps of the methods, systems and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.

Claims (23)

1. A security management and control method, applied to a security gateway, wherein the security gateway, the piping center to which it belongs, and the other security gateways subordinate to that piping center form a security association group through an alliance chain, and the alliance chain is constructed by all security gateways and piping centers in a security protection network; the method comprises the following steps:
the security gateway acquires configuration information from the alliance chain; the configuration information is generated by the piping center executing a key configuration behavior for the security gateway; the key configuration behavior is a behavior of generating configuration information by configuration;
operating according to the configuration information to obtain an operation result;
and after all other nodes in the security association group have performed identity authentication on the security gateway through the alliance chain, chaining the operation result.
2. The method of claim 1, further comprising:
and when other nodes in the security association group have uplink data, the security gateway performs identity authentication on the other nodes through the alliance chain.
3. The method of claim 1,
the configuration information is a configuration instruction for a security gateway, and the operation result is a configuration result for the security gateway;
the operating according to the configuration information includes: and carrying out configuration according to the configuration instruction.
4. The method of claim 3,
the configuration information is an emergency plan generated for an alarm generated by a security gateway, and the operation result is an execution result of the emergency plan;
the operating according to the configuration information includes: and executing the emergency plan.
5. The method of claim 3, further comprising:
the security gateway acquires a corresponding configuration result from the alliance chain;
judging whether the actual configuration data of the security gateway is consistent with the corresponding configuration result;
and when the two are inconsistent, generating an alarm, and chaining the alarm after all other nodes in the security association group have performed identity authentication on the security gateway through the alliance chain.
6. The method of claim 1, further comprising:
the security gateway acquires a network data packet from the alliance chain; the network data packet is information generated by a piping center aiming at the security gateway to execute network data behaviors; the network data behavior is a behavior of generating information, and the generated information is a network data packet;
and executing corresponding operation according to the network data packet.
7. The method of claim 6,
the network data packet includes one or more of the following information: log timestamp, log time, host name, process name, MAC code, source address IP, destination address IP, packet length, service type, priority, lifetime, label, transport layer protocol type.
8. The method of claim 1,
the configuration information includes one or more of the following:
the system comprises a target gateway Internet Protocol (IP) address, an administrator Identification (ID), a piping center IP address, a timestamp, configuration content and alarm configuration content.
9. A security management and control method, applied to a piping center, wherein the piping center and the other piping centers form a cooperative protection group through an alliance chain, and the alliance chain is constructed by all security gateways and piping centers in a security protection network; the method comprises the following steps:
the piping center executes a key configuration behavior for the security gateway to generate configuration information; the key configuration behavior is a behavior of generating configuration information by configuration;
and after all other nodes in the cooperative protection group have performed identity authentication on the piping center through the alliance chain, chaining the configuration information.
10. The method of claim 9, further comprising:
when other nodes in the cooperative protection group have uplink data, the piping center performs identity authentication on the other nodes through the alliance chain.
11. The method of claim 9, wherein after the uplink of the configuration information, the method further comprises:
obtaining an operation result obtained by the security gateway operating according to the configuration information from the alliance chain;
and executing corresponding operation according to the operation result.
12. The method of claim 11,
the key configuration behavior is a behavior for configuring and generating a configuration instruction aiming at the security gateway, and the configuration information is the configuration instruction for the security gateway; the operation result is a configuration result of the security gateway configured according to the configuration instruction;
the executing corresponding operation according to the operation result comprises:
and judging whether the configuration instruction is successfully configured according to the configuration result.
13. The method of claim 11,
the key configuration behavior is a behavior of analyzing the alarm generated by the security gateway to generate a corresponding emergency plan; the configuration information is an emergency plan corresponding to the alarm; the operation result is an execution result of the security gateway executing the emergency plan;
the executing corresponding operation according to the operation result comprises:
judging whether the emergency plan is executed successfully or not according to the execution result;
and releasing the alarm when the execution is successful.
14. The method of claim 13, wherein before the piping center executes the key configuration behavior for the security gateway to generate the configuration information, the method further comprises:
and acquiring the alarm of the security gateway from the alliance chain.
15. The method of claim 9,
the configuration information includes one or more of the following:
the IP address of the target gateway, the ID of an administrator, the IP address of the piping center, a timestamp, configuration content and alarm configuration content.
16. The method of claim 9, further comprising:
the piping center executes a network data behavior for the security gateway to generate a network data packet; the network data behavior is a behavior of generating information, and the generated information is the network data packet;
and after all other nodes in the cooperative protection group have performed identity authentication on the piping center through the alliance chain, chaining the network data packet.
17. The method of claim 16,
the network data packet includes one or more of the following information: log timestamp, log time, host name, process name, MAC code, source address IP, destination address IP, packet length, service type, priority, lifetime, label, transport layer protocol type.
18. The method of claim 9, further comprising:
the piping center receives a tracing query request, wherein the tracing query request carries the information to be traced;
inquiring the information to be traced in local and/or on-chain data;
and determining a tracing result of the information to be traced according to the query result.
19. The method of claim 18,
the information to be traced comprises configuration information to be traced;
and the piping center and its subordinate security gateways form a security association group through the alliance chain, and all nodes in the security association group and the cooperative protection group store, locally and through the alliance chain in a distributed manner, the configuration information and corresponding operation result of each piping center for each security gateway in the security association group to which it belongs.
20. A security management and control method, applied to a security protection network, wherein the network comprises a plurality of piping centers and a plurality of security gateways, one or more security gateways being subordinate to each piping center; all security gateways and piping centers in the security protection network jointly construct an alliance chain, each piping center and its subordinate security gateways form a security association group through the alliance chain, and all piping centers form a cooperative protection group through the alliance chain; the method comprises the following steps:
the piping center executes a key configuration behavior for the security gateway to generate configuration information; the key configuration behavior is a behavior of generating configuration information by configuration; after all other nodes in the cooperative protection group have performed identity authentication on the piping center through the alliance chain, chaining the configuration information;
the security gateway acquires the configuration information from the alliance chain; operating according to the configuration information to obtain an operation result; after all other nodes in the security association group perform identity authentication on the security gateway through the alliance chain, chaining the operation result;
and the piping center acquires the operation result from the alliance chain and executes corresponding operation according to the operation result.
21. The method of claim 20, further comprising:
the piping center executes a network data behavior for the security gateway to generate a network data packet; the network data behavior is a behavior of generating information, and the generated information is the network data packet; after all other nodes in the cooperative protection group have performed identity authentication on the piping center through the alliance chain, chaining the network data packet;
</gr_replreplace>
<gr_replace lines="522-531" cat="remove_boilerplate" orig="Priority Applications">
the security gateway acquires the network data packet from the alliance chain; and executing corresponding operation according to the network data packet.
22. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the security management and control method of any one of claims 1 to 8 or the security management and control method of any one of claims 9 to 19.
23. A computer-readable storage medium on which an information processing program is stored, wherein the program, when executed by a processor, implements the security management and control method of any one of claims 1 to 8 or the security management and control method of any one of claims 9 to 19.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010522065.8A CN111835556B (en) 2020-06-10 2020-06-10 Security control method and device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010522065.8A CN111835556B (en) 2020-06-10 2020-06-10 Security control method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111835556A (en) 2020-10-27
CN111835556B (en) 2022-01-11

Family

ID=72899104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010522065.8A Active CN111835556B (en) 2020-06-10 2020-06-10 Security control method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111835556B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833270A (en) * 2018-09-10 2018-11-16 Gree Electric Appliances, Inc. of Zhuhai Gateway communication method, gateway and energy system
CN109474599A (en) * 2018-11-19 2019-03-15 Hangzhou DBAPPSecurity Co., Ltd. Network protection method and device based on blockchain
US20190333059A1 (en) * 2017-05-24 2019-10-31 NXM Technologies Inc. Network configuration management for networked client devices using a distributed ledger service
CN110572398A (en) * 2019-09-10 2019-12-13 Tencent Technology (Shenzhen) Co., Ltd. Blockchain network control method, device, equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115412367A (en) * 2022-10-31 2022-11-29 Tsinghua University Distributed cooperation method, joint defense gateway device and electronic equipment
CN115412367B (en) * 2022-10-31 2022-12-27 Tsinghua University Distributed cooperation method, joint defense gateway device and electronic equipment

Also Published As

Publication number Publication date
CN111835556B (en) 2022-01-11

Similar Documents

Publication Publication Date Title
Miloslavskaya et al. Internet of Things: information security challenges and solutions
US20230043229A1 (en) Enhanced monitoring and protection of enterprise data
US10498744B2 (en) Integrity monitoring in a local network
Kruegel et al. Intrusion detection and correlation: challenges and solutions
US8959573B2 (en) Noise, encryption, and decoys for communications in a dynamic computer network
CN110958262A (en) Ubiquitous Internet of things safety protection gateway system, method and deployment architecture in power industry
CN110049043A (en) Server log monitoring method and system based on block chain
KR20180120157A (en) Data set extraction based pattern matching
Suhail et al. Introducing secure provenance in IoT: Requirements and challenges
US20050021683A1 (en) Method and apparatus for correlating network activity through visualizing network data
CN111464563B (en) Protection method of industrial control network and corresponding device
Safford et al. The TAMU security package: An ongoing response to internet intruders in an academic environment
US20220103584A1 (en) Information Security Using Blockchain Technology
US20230037520A1 (en) Blockchain schema for secure data transmission
CN117040896A (en) Internet of things management method and Internet of things management platform
Wurzenberger et al. AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models.
US11757915B2 (en) Exercising security control point (SCP) capabilities on live systems based on internal validation processing
CN113411295A (en) Role-based access control situation awareness defense method and system
CN111835556B (en) Security control method and device and computer readable storage medium
Yeh et al. A collaborative DDoS defense platform based on blockchain technology
CN111586045B (en) Attribute encryption and dynamic security layer protection method and corresponding firewall
Xiao et al. GlobalView: building global view with log files in a distributed/networked system for accountability
Do et al. Privacy-preserving approach for sharing and processing intrusion alert data
CN109587134B (en) Method, apparatus, device and medium for secure authentication of interface bus
KR102131496B1 (en) security provenance providing system for providing of the root cause of security problems and the method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant