CN112003861A - Method for OPC DA data packet low-delay penetration safety equipment - Google Patents
- Publication number
- CN112003861A (application number CN202010857349.2A)
- Authority
- CN
- China
- Prior art keywords
- opc
- security
- server
- port
- tcp
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for OPC DA data packets to penetrate a security device with low delay. A security policy SP1 is added to the security device; the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx; the security device looks up SVx in the security policy library and, because SVx complies with security policy SP1, releases it, so the OPC DA client and the OPC DA server successfully establish the control connection. In this method the dynamic port allocated to the client by the OPC DA server is identified by a deep packet analysis technique, and a temporary security policy is formed by autonomous learning, so that the data connection subsequently initiated by the OPC DA client can pass through the security device efficiently without affecting throughput or delay performance.
Description
Technical Field
The invention belongs to the field of network security, and in particular relates to a method for OPC DA data packets to penetrate a security device with low delay.
Background
OPC DA is an industrial data access protocol that is very common in industrial control systems. It generally comprises a client and a server, which exchange data using the OPC DA protocol. In recent years, with the integration of informatization and industrialization, the security of industrial control systems has received more and more attention, and according to the national Classified Protection 2.0 specification a security device must be deployed between the OPC DA client and server for network isolation.
Because OPC DA uses dynamically allocated ports, conventional layer-4 TCP/IP filtering cannot be applied to OPC DA packets passing through the security device. In the prior art, the common penetration technologies are mainly layer-3 IP filtering and application-layer proxying:
Layer-3 IP filtering is simple and can be completed directly in kernel state, giving it low delay and high performance, but its security is extremely low: malicious software on the OPC DA client or server can also pass through the security device and access the other side, so no effective security control is formed.
In application-layer proxying, when an OPC DA packet passes through the security device, the kernel of the security device intercepts all the data, copies it and hands it to an application-layer proxy for processing; the proxy identifies OPC DA packets within the mixed traffic by the keywords of the OPC DA protocol, then copies each OPC DA packet back to the kernel layer for forwarding.
Disclosure of Invention
In view of this, the present invention aims to provide a method for OPC DA packets to penetrate security devices with low latency, which can identify, directly in kernel state and through a deep packet analysis technique, the dynamic port allocated to the client by the OPC DA server, and autonomously learn a temporary security policy, so that data connections subsequently initiated by the OPC DA client can efficiently penetrate the security device without affecting throughput or latency performance.
To achieve this purpose, the technical scheme of the invention is realized as follows:
A method for OPC DA packet low-latency penetration of security devices, comprising:
Step 1: adding a security policy SP1 to the security device;
Step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx;
Step 3: the security device looks up the access vector SVx in the security policy library; SVx complies with security policy SP1 and is released, and the OPC DA client successfully establishes the control connection with the OPC DA server;
Step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd, and the OPC DA server allocates Pd to the OPC DA client through the security device;
Step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain Pd, and then automatically adds a corresponding temporary security policy SP2 to the security device;
Step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; the security device looks up SVy in the security policy library; SVy complies with security policy SP2 and is released, and the OPC DA client successfully establishes the data connection with the OPC DA server and performs normal data access; the security device then deletes the temporary security policy SP2.
Further, the OPC DA control connection uses the TCP protocol; the IP of the OPC DA server is D1 and the IP of the OPC DA client is S1:
In step 1: security policy SP1 = [S1, 0, D1, 135, TCP], where 0 denotes any source port, 135 is the port used by D1, and TCP denotes the connection protocol;
In step 2: access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
In step 5: temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is an arbitrary source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
In step 6: access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP.
further, the security device includes: a firewall or a secure access gateway.
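The six steps above describe a policy library in which a security policy SP and an access vector SV share the same five-tuple form, a 0 port in a policy matches any port, and a temporary policy SP2 is learned from the server's reply and deleted once the data connection is up. The following Python model is an added example, not code from the patent or from any vendor's device. It simulates the library and walks through steps 1 to 6 for one client/server pair. The addresses and ports (10.0.0.2, 10.0.0.1, 40001, 40002, 50123) and the `ALLOC` message encoding are constructed for the example; a real OPC DA server hands out the dynamic port inside a DCE/RPC endpoint-mapper reply on TCP 135, whose parsing the patent does not specify, so a toy encoding stands in for it. The client's step-4 request message is not modelled; only the server reply that step 5 inspects is.

```python
# Added example (not part of the patent): a model of the security device's
# policy library and the six-step control/data connection sequence.
# All addresses, ports and the "ALLOC" reply encoding are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional

ANY_PORT = 0          # the patent's convention: port 0 in a policy matches any port
EPM_PORT = 135        # fixed port of the OPC DA control connection on D1
ALLOC_MAGIC = b"ALLOC"  # constructed marker for the port-allocation reply


@dataclass(frozen=True)
class Tuple5:
    """[src_ip, src_port, dst_ip, dst_port, proto]: the form of both SP and SV."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def matches(self, sv: "Tuple5") -> bool:
        """Policy-side match: a 0 port is a wildcard, every other field is exact."""
        return (self.src_ip == sv.src_ip
                and self.src_port in (ANY_PORT, sv.src_port)
                and self.dst_ip == sv.dst_ip
                and self.dst_port in (ANY_PORT, sv.dst_port)
                and self.proto == sv.proto)


def parse_allocated_port(payload: bytes) -> Optional[int]:
    """Step 5 deep packet analysis of the server's reply (constructed encoding:
    magic + 16-bit big-endian port). Returns Pd, or None if the payload is not
    an allocation reply or names a port for which no pinhole should be learned."""
    if len(payload) != len(ALLOC_MAGIC) + 2 or not payload.startswith(ALLOC_MAGIC):
        return None
    (port,) = struct.unpack("!H", payload[len(ALLOC_MAGIC):])
    # A learned port must be a dynamic one: refuse well-known ports and 135
    # itself, so a malformed or crafted reply cannot open an unrelated service.
    if port < 1024 or port == EPM_PORT:
        return None
    return port


class SecurityDevice:
    """Policy library holding static policies (SP1) and learned pinholes (SP2)."""

    def __init__(self) -> None:
        self.static: List[Tuple5] = []
        self.temporary: List[Tuple5] = []

    def add_policy(self, sp: Tuple5) -> None:
        self.static.append(sp)

    def check(self, sv: Tuple5) -> bool:
        """Steps 3 and 6: release the access vector only if some policy matches."""
        return any(sp.matches(sv) for sp in self.static + self.temporary)

    def learn_from_reply(self, sv_control: Tuple5, payload: bytes) -> Optional[Tuple5]:
        """Step 5: inspect the server's reply on control connection sv_control and,
        if it carries Pd, add SP2 = [S1, 0, D1, Pd, TCP] for that client/server pair."""
        pd = parse_allocated_port(payload)
        if pd is None:
            return None
        sp2 = Tuple5(sv_control.src_ip, ANY_PORT, sv_control.dst_ip, pd, "TCP")
        self.temporary.append(sp2)
        return sp2

    def remove_temporary(self, sp2: Tuple5) -> None:
        """End of step 6: the pinhole is deleted once the data connection is up."""
        self.temporary.remove(sp2)


def run_sequence(dev: SecurityDevice, s1: str, d1: str, px: int, py: int,
                 server_reply: bytes) -> dict:
    """Walk steps 1 to 6 for client S1 and server D1 and report each decision."""
    dev.add_policy(Tuple5(s1, ANY_PORT, d1, EPM_PORT, "TCP"))   # step 1: SP1
    svx = Tuple5(s1, px, d1, EPM_PORT, "TCP")                    # step 2: SVx
    control_ok = dev.check(svx)                                  # step 3
    sp2 = dev.learn_from_reply(svx, server_reply)                # steps 4-5
    if sp2 is None:
        return {"control_ok": control_ok, "pd": None, "data_ok": False,
                "after_cleanup": False}
    svy = Tuple5(s1, py, d1, sp2.dst_port, "TCP")                # step 6: SVy
    data_ok = dev.check(svy)
    dev.remove_temporary(sp2)                                    # SP2 deleted
    return {"control_ok": control_ok, "pd": sp2.dst_port, "data_ok": data_ok,
            "after_cleanup": dev.check(svy)}


if __name__ == "__main__":
    device = SecurityDevice()
    reply = ALLOC_MAGIC + struct.pack("!H", 50123)  # constructed: server allocated Pd = 50123
    print(run_sequence(device, "10.0.0.2", "10.0.0.1", 40001, 40002, reply))
    # An unrelated connection from S1 to D1 stays blocked, whereas the plain
    # layer-3 policy [S1, 0, D1, 0, TCP] criticised in the background admits it.
    stray = Tuple5("10.0.0.2", 40003, "10.0.0.1", 445, "TCP")
    print(device.check(stray), Tuple5("10.0.0.2", 0, "10.0.0.1", 0, "TCP").matches(stray))
```

Two points the model makes visible: the pinhole is scoped to the one client/server pair and the one learned port, so any other destination port between S1 and D1 is still refused, which is exactly what the background's layer-3 policy cannot do; and after SP2 is deleted a new connection to Pd is refused again. The established data connection itself would be carried by the device's connection tracking, which this model leaves out, so `after_cleanup` is False here by design. The range check in `parse_allocated_port` is an added caveat: a device that learns pinholes from packet content should accept only ports that can plausibly be dynamic ones.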
Compared with the prior art, the method for OPC DA data packets to penetrate the security device with low delay has the following advantages:
In this method all operations are carried out in kernel mode, so the delay performance is excellent: data need not be copied to the application layer or returned from it, the operating system need not switch between the application layer and the kernel layer, there is no extra overhead such as cache misses and page faults, and no time-consuming string searching is needed. The method achieves easy, low-delay penetration of the security device by OPC DA packets: it identifies the dynamic port allocated to the client by the OPC DA server through deep packet analysis, forms a temporary security policy by autonomous learning, does not affect service operation, and provides a security guarantee for the OPC DA data access service.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention.
In the drawings:
fig. 1 is a flowchart illustrating a method for OPC DA packet low latency penetration security device according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art through specific situations.
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
As shown in fig. 1, a method for OPC DA packet low-latency penetration of security devices comprises:
Step 1: adding a security policy SP1 to the security device; security policy SP1 = [S1, 0, D1, 135, TCP], where 0 denotes an arbitrary source port, 135 is the port used by D1, and TCP denotes the connection protocol;
Step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx; access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
Step 3: the security device looks up the access vector SVx in the security policy library; SVx complies with security policy SP1 and is released, and the OPC DA client successfully establishes the control connection with the OPC DA server;
Step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd, and the OPC DA server allocates Pd to the OPC DA client through the security device;
Step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain Pd, and then automatically adds a corresponding temporary security policy SP2 to the security device; temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is an arbitrary source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
Step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP; the security device looks up SVy in the security policy library; SVy complies with security policy SP2 and is released, the OPC DA client successfully establishes the data connection with the OPC DA server, and normal data access is carried out; the security device then deletes the temporary security policy SP2.
The security device includes: a firewall or a secure access gateway.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (3)
1. A method for OPC DA packet low-latency penetration of security devices, characterized in that it comprises the following steps:
Step 1: adding a security policy SP1 to the security device;
Step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx;
Step 3: the security device looks up the access vector SVx in the security policy library; SVx complies with security policy SP1 and is released, and the OPC DA client successfully establishes the control connection with the OPC DA server;
Step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd, and the OPC DA server allocates Pd to the OPC DA client through the security device;
Step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain Pd, and then automatically adds a corresponding temporary security policy SP2;
Step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; the security device looks up SVy in the security policy library; SVy complies with security policy SP2 and is released, and the OPC DA client successfully establishes the data connection with the OPC DA server and performs normal data access; the security device then deletes the temporary security policy SP2.
2. The method for OPC DA packet low-latency penetration of security devices according to claim 1, wherein the OPC DA control connection uses the TCP protocol, the IP of the OPC DA server is D1 and the IP of the OPC DA client is S1:
In step 1: security policy SP1 = [S1, 0, D1, 135, TCP], where 0 denotes any source port, 135 is the port used by D1, and TCP denotes the connection protocol;
In step 2: access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
In step 5: temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is an arbitrary source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
In step 6: access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP.
3. The method for OPC DA packet low-latency penetration of security devices according to claim 1, wherein the security device includes a firewall or a secure access gateway.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010857349.2A CN112003861B (en) | 2020-08-24 | 2020-08-24 | Method for OPC DA data packet low-delay penetration safety equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010857349.2A CN112003861B (en) | 2020-08-24 | 2020-08-24 | Method for OPC DA data packet low-delay penetration safety equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112003861A true CN112003861A (en) | 2020-11-27 |
CN112003861B CN112003861B (en) | 2022-11-08 |
Family ID: 73470269
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010857349.2A Active CN112003861B (en) | 2020-08-24 | 2020-08-24 | Method for OPC DA data packet low-delay penetration safety equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112003861B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002013482A1 (en) * | 2000-08-03 | 2002-02-14 | Siemens Aktiengesellschaft | System and method for transmitting opc data via data networks, in particular the internet using an asynchronous data connection |
US20080114872A1 (en) * | 2006-11-13 | 2008-05-15 | Mark Fisher | Computer systems and methods for process control environments |
CN103036870A (en) * | 2012-10-26 | 2013-04-10 | 青岛海天炜业自动化控制系统有限公司 | Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic |
CN104734903A (en) * | 2013-12-23 | 2015-06-24 | 中国科学院沈阳自动化研究所 | Safety protection method of OPC protocol based on dynamic tracking technology |
CN104660593A (en) * | 2015-02-09 | 2015-05-27 | 西北工业大学 | Method for filtering OPC security gateway data packets |
CN104753936A (en) * | 2015-03-24 | 2015-07-01 | 西北工业大学 | Opc security gateway system |
CN104917776A (en) * | 2015-06-23 | 2015-09-16 | 北京威努特技术有限公司 | Industrial control network safety protection equipment and industrial control network safety protection method |
CN109639701A (en) * | 2018-12-25 | 2019-04-16 | 杭州迪普科技股份有限公司 | Access control method, device, equipment and storage medium based on OPC agreement |
Non-Patent Citations (1)
Title |
---|
杨之乐,郑学理,苏伟,费敏锐,付敬奇: "工业无线网络测控系统OPC数据服务器的设计实现", 《计算机测量与控制》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114006809A (en) * | 2021-10-09 | 2022-02-01 | 北京天融信网络安全技术有限公司 | Method, device, equipment and storage medium for adjusting industrial control firewall data transmission |
CN114006809B (en) * | 2021-10-09 | 2023-11-28 | 北京天融信网络安全技术有限公司 | Method, device, equipment and storage medium for adjusting industrial control firewall data transmission |
Also Published As
Publication number | Publication date |
---|---|
CN112003861B (en) | 2022-11-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7975024B2 (en) | Virtual personal computer access over multiple network sites | |
US7702785B2 (en) | Methods, systems and computer program products for selectively allowing users of a multi-user system access to network resources | |
JP2577538B2 (en) | Method and system for maintaining a routing path | |
US20160323286A1 (en) | Secure access to remote resources over a network | |
US20140237543A1 (en) | Method and apparatus for policy-based network access control with arbitrary network access control frameworks | |
US10375025B2 (en) | Virtual private network implementation method and client device | |
US20060109850A1 (en) | IP-SAN network access control list generating method and access control list setup method | |
US7463593B2 (en) | Network host isolation tool | |
CN110113439B (en) | NAT traversal method | |
CN110351233A (en) | A kind of two-way transparent transmission technology based on safety isolation network gate | |
CN113596159A (en) | Cluster communication method and device based on k8s cloud container platform | |
JP7423014B2 (en) | Ship network approach control method and device | |
CN112003861B (en) | Method for OPC DA data packet low-delay penetration safety equipment | |
CN108881233A (en) | anti-attack processing method, device, equipment and storage medium | |
US20150156167A1 (en) | Nat traversal method, computer-readable medium, and system for mediating connection | |
WO2018096471A1 (en) | Automatic forwarding of access requests and responses thereto | |
US20060253658A1 (en) | Provisioning or de-provisioning shared or reusable storage volumes | |
CN109691158A (en) | Mobile flow Redirectional system | |
CN116579019A (en) | Computer information safety supervision system based on artificial intelligence | |
CN116545665A (en) | Safe drainage method, system, equipment and medium | |
CN111526124B (en) | Isolated communication system and method based on internal and external networks | |
CN114125039A (en) | Discovery and control method and device for access relation between services | |
CN113691389A (en) | Configuration method of load balancer, server and storage medium | |
KR102628441B1 (en) | Apparatus and method for protecting network | |
CN115883256B (en) | Data transmission method, device and storage medium based on encryption tunnel |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||