CN112003861A - Method for OPC DA data packet low-delay penetration safety equipment - Google Patents

Info

Publication number: CN112003861A
Authority: CN (China)
Prior art keywords: opc, security, server, port, tcp
Legal status: Granted (Active)
Application number: CN202010857349.2A
Other languages: Chinese (zh)
Other versions: CN112003861B (en)
Inventors: 肖海涛, 迟永梅
Current assignee: Baomu Technology Tianjin Co ltd
Original assignee: Baomu Technology Tianjin Co ltd
Priority date and filing date: 2020-08-24 (application filed by Baomu Technology Tianjin Co ltd)
Publication date: 2020-11-27 (CN112003861A); granted as CN112003861B on 2022-11-08

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The invention provides a method for low-delay penetration of a security device by OPC DA data packets. A security policy SP1 is added to the security device; the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx; the security device looks up the access vector SVx in the security policy library, finds that it complies with security policy SP1, and releases it, so the OPC DA client and the OPC DA server successfully establish the control connection. In this method, the dynamic port allocated to the client by the OPC DA server is identified through deep packet analysis, and a temporary security policy is formed by autonomous learning, so that the data connection subsequently initiated by the OPC DA client can penetrate the security device efficiently without affecting throughput or delay performance.

Description

Method for OPC DA data packet low-delay penetration safety equipment
Technical Field
The invention belongs to the field of network security, and in particular relates to a method for low-delay penetration of a security device by OPC DA data packets.
Background
OPC DA is a very common industrial data access protocol in industrial control systems. It generally comprises a client and a server, which exchange data using the OPC DA protocol. In recent years, with the integration of informatization and industrialization, the security of industrial control systems has received more and more attention, and according to the national Classified Protection 2.0 specification a security device must be deployed between the OPC DA client and server for network isolation.
Because OPC DA uses dynamic ports, OPC DA data packets cannot be handled by conventional layer-4 TCP/IP filtering when they pass through the security device. In the prior art, common penetration technologies fall into two main categories: layer-3 IP filtering and application-layer proxying.
Layer-3 IP filtering is simple and can be performed entirely in the kernel, so it has low delay and high performance, but its security is extremely low: malicious software on the OPC DA client or server can also pass through the security device and reach the other side, so no effective security control is formed.
In the application-layer proxy approach, when an OPC DA packet passes through the security device, the device's kernel intercepts all data, copies it and hands it to a proxy in the application layer; the proxy identifies OPC DA packets in the mixed traffic by the keywords of the OPC DA protocol, then copies them back and hands them to the kernel layer for forwarding.
Disclosure of Invention
In view of this, the present invention aims to provide a method for low-latency penetration of a security device by OPC DA packets, which identifies the dynamic port allocated to the client by the OPC DA server directly in the kernel through deep packet analysis and autonomously learns a temporary security policy, so that the data connection subsequently initiated by the OPC DA client can efficiently penetrate the security device without affecting throughput or latency performance.
In order to achieve this purpose, the technical scheme of the invention is realized as follows:
a method for low-latency penetration of a security device by OPC DA packets, comprising:
step 1: adding a security policy SP1 to the security device;
step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx;
step 3: the security device looks up the access vector SVx in the security policy library, finds that it complies with security policy SP1, and releases it; the OPC DA client successfully establishes the control connection with the OPC DA server;
step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd; the OPC DA server allocates the dynamic temporary port Pd and sends it to the OPC DA client through the security device;
step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain the dynamic temporary port Pd allocated by the OPC DA server, then automatically adds a corresponding temporary security policy SP2 to the security device;
step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; the security device looks up the access vector SVy in the security policy library, finds that it complies with security policy SP2, and releases it; the OPC DA client successfully establishes the data connection with the OPC DA server and performs normal data access; the security device then deletes the temporary security policy SP2.
Further, the OPC DA control connection uses the TCP protocol, the IP of the OPC DA server is D1, and the IP of the OPC DA client is S1;
in step 1: security policy SP1 = [S1, 0, D1, 135, TCP], where 0 is any source port, 135 is the port used by D1, and TCP indicates the connection protocol used;
in step 2: access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
in step 5: temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is any source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
in step 6: access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP.
Further, the security device comprises a firewall or a secure access gateway.
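As an added illustration (not code from the patent or its assignee), the following Python simulates the security device's policy library across steps 1 to 6: SP1 admits only the control connection to port 135, SP2 is learned from the server's port-allocation reply and deleted again once the data connection is up, and access vectors matching neither policy are denied. The DCOM-style string-binding format used to extract Pd, the 192.0.2.x addresses and the port numbers are assumptions constructed for this example, since the patent specifies only that deep packet analysis yields Pd.

```python
import re
from typing import Optional

# 5-tuple layout used throughout the patent: [src_ip, src_port, dst_ip, dst_port, proto].
# A 0 in a policy's source-port field means "any source port".
Tuple5 = tuple[str, int, str, int, str]
ANY_PORT = 0
CONTROL_PORT = 135  # destination port of SP1 and SVx

# Assumption for this example only (the patent just says "deep packet analysis"):
# the server's port-allocation reply carries a DCOM-style string binding such as
# b"ncacn_ip_tcp:192.0.2.10[49201]", and the bracketed number is Pd.
BINDING_RE = re.compile(rb"ncacn_ip_tcp:(?P<host>[\w.\-]+)\[(?P<port>\d{1,5})\]")

class SecurityDevice:
    """Simulation of the policy library kept by the security device (firewall / gateway)."""

    def __init__(self) -> None:
        self.policies: list[Tuple5] = []       # administrator-added, e.g. SP1 (step 1)
        self.temp_policies: list[Tuple5] = []  # autonomously learned, e.g. SP2 (step 5)

    def add_policy(self, sp: Tuple5) -> None:
        self.policies.append(sp)

    @staticmethod
    def _matches(sp: Tuple5, sv: Tuple5) -> bool:
        src_ip, src_port, dst_ip, dst_port, proto = sp
        return (src_ip == sv[0]
                and src_port in (ANY_PORT, sv[1])
                and (dst_ip, dst_port, proto) == (sv[2], sv[3], sv[4]))

    def permit(self, sv: Tuple5) -> bool:
        """Steps 3 and 6: an access vector is released only if some SP matches it."""
        return any(self._matches(sp, sv) for sp in self.policies + self.temp_policies)

    def learn_data_port(self, control_sv: Tuple5, payload: bytes) -> Optional[Tuple5]:
        """Step 5: inspect the server's reply on a permitted control connection and add
        SP2 = [S1, 0, D1, Pd, TCP]. Returns SP2, or None when nothing was learned."""
        if not self.permit(control_sv):
            return None  # never learn from a flow the library did not already allow
        client_ip, _, server_ip, _, proto = control_sv
        m = BINDING_RE.search(payload)
        if m is None:
            return None
        pd = int(m.group("port"))
        # reject impossible ports and bindings that point anywhere other than D1
        if not 1 <= pd <= 65535 or m.group("host").decode() != server_ip:
            return None
        sp2: Tuple5 = (client_ip, ANY_PORT, server_ip, pd, proto)
        self.temp_policies.append(sp2)
        return sp2

    def delete_temp_policy(self, sp2: Tuple5) -> None:
        """End of step 6: SP2 is removed once the data connection is established."""
        self.temp_policies.remove(sp2)

def run_scenario() -> dict[str, bool]:
    """Walk steps 1-6 with constructed addresses and ports and report each check."""
    s1, d1 = "192.0.2.20", "192.0.2.10"                        # client S1, server D1
    dev = SecurityDevice()
    dev.add_policy((s1, ANY_PORT, d1, CONTROL_PORT, "TCP"))    # step 1: SP1
    svx = (s1, 50001, d1, CONTROL_PORT, "TCP")                 # step 2: SVx with Px = 50001
    out = {"control_permitted": dev.permit(svx)}               # step 3
    # step 4: constructed server reply announcing Pd = 49201 (header bytes are filler)
    reply = b"\x05\x00\x02\x03" + b"ncacn_ip_tcp:192.0.2.10[49201]" + b"\x00\x00"
    svy = (s1, 50002, d1, 49201, "TCP")                        # step 6: SVy with Py = 50002
    out["data_denied_before_learning"] = not dev.permit(svy)
    sp2 = dev.learn_data_port(svx, reply)                      # step 5
    out["sp2_learned"] = sp2 == (s1, ANY_PORT, d1, 49201, "TCP")
    out["data_permitted"] = dev.permit(svy)
    out["other_client_denied"] = not dev.permit(("192.0.2.99", 50002, d1, 49201, "TCP"))
    dev.delete_temp_policy(sp2)
    out["new_data_denied_after_delete"] = not dev.permit(svy)  # only the established flow survives
    return out

if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Connection-tracking state is outside this model, so the last check only shows that a fresh connection attempt to Pd is denied once SP2 has been deleted; the already-established data flow is assumed to continue under the device's own state table.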
Compared with the prior art, the method for low-delay penetration of a security device by OPC DA data packets has the following advantages:
all operations are carried out in kernel mode, so the delay performance is excellent: data does not need to be copied to the application layer or returned from it, the operating system does not need to switch between the application layer and the kernel layer, there is no additional overhead such as cache misses and page faults, and no time-consuming string searching is needed. The method achieves easy, low-delay penetration of the security device by OPC DA data packets: it identifies the dynamic port allocated to the client by the OPC DA server through deep packet analysis, forms a temporary security policy through autonomous learning, does not disturb service operation, and provides a security guarantee for the OPC DA data access service.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention.
In the drawings:
Fig. 1 is a flowchart of the method for low-latency penetration of a security device by OPC DA packets according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art through specific situations.
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
As shown in fig. 1, a method for low-latency penetration of a security device by OPC DA packets comprises:
step 1: adding a security policy SP1 to the security device; security policy SP1 = [S1, 0, D1, 135, TCP], where 0 is any source port, 135 is the port used by D1, and TCP indicates the connection protocol used;
step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx; access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
step 3: the security device looks up the access vector SVx in the security policy library, finds that it complies with security policy SP1, and releases it; the OPC DA client successfully establishes the control connection with the OPC DA server;
step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd; the OPC DA server allocates the dynamic temporary port Pd and sends it to the OPC DA client through the security device;
step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain the dynamic temporary port Pd allocated by the OPC DA server, then automatically adds a corresponding temporary security policy SP2 to the security device; temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is any source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP; the security device looks up the access vector SVy in the security policy library, finds that it complies with security policy SP2, and releases it; the OPC DA client successfully establishes the data connection with the OPC DA server and performs normal data access; the security device then deletes the temporary security policy SP2.
The security device comprises a firewall or a secure access gateway.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (3)

1. A method for low-latency penetration of a security device by OPC DA packets, characterized in that it comprises the following steps:
step 1: adding a security policy SP1 to the security device;
step 2: the OPC DA client initiates a control connection to the OPC DA server through the security device, forming an access vector SVx;
step 3: the security device looks up the access vector SVx in the security policy library, finds that it complies with security policy SP1, and releases it; the OPC DA client successfully establishes the control connection with the OPC DA server;
step 4: through the control connection established in step 3, the OPC DA client requests the OPC DA server to allocate a dynamic temporary port Pd; the OPC DA server allocates the dynamic temporary port Pd and sends it to the OPC DA client through the security device;
step 5: after receiving the message from the OPC DA server carrying the allocated dynamic temporary port Pd, the security device performs deep packet analysis to obtain the dynamic temporary port Pd allocated by the OPC DA server, then automatically adds a corresponding temporary security policy SP2;
step 6: after receiving the dynamic temporary port Pd allocated by the OPC DA server, the OPC DA client initiates a data connection to the OPC DA server through the security device, forming an access vector SVy; the security device looks up the access vector SVy in the security policy library, finds that it complies with security policy SP2, and releases it; the OPC DA client successfully establishes the data connection with the OPC DA server and performs normal data access; the security device then deletes the temporary security policy SP2.
2. The method for low-latency penetration of a security device by OPC DA packets according to claim 1, characterized in that: the OPC DA control connection uses the TCP protocol, the IP of the OPC DA server is D1, and the IP of the OPC DA client is S1;
in step 1: security policy SP1 = [S1, 0, D1, 135, TCP], where 0 is any source port, 135 is the port used by D1, and TCP indicates the connection protocol used;
in step 2: access vector SVx = [S1, Px, D1, 135, TCP], where the source IP is S1, the source port is Px, the destination IP is D1, the destination port is 135, and the protocol is TCP;
in step 5: temporary security policy SP2 = [S1, 0, D1, Pd, TCP], where 0 is any source port, Pd is the allocated dynamic temporary port, and the protocol is TCP;
in step 6: access vector SVy = [S1, Py, D1, Pd, TCP], where the source IP is S1, the source port is Py, the destination IP is D1, the destination port is Pd, and the protocol is TCP.
3. The method for low-latency penetration of a security device by OPC DA packets according to claim 1, characterized in that the security device comprises a firewall or a secure access gateway.
Publications (2)

Publication Number Publication Date
CN112003861A true CN112003861A (en) 2020-11-27
CN112003861B CN112003861B (en) 2022-11-08

Family

ID=73470269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010857349.2A Active CN112003861B (en) 2020-08-24 2020-08-24 Method for OPC DA data packet low-delay penetration safety equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002013482A1 (en) * 2000-08-03 2002-02-14 Siemens Aktiengesellschaft System and method for transmitting opc data via data networks, in particular the internet using an asynchronous data connection
US20080114872A1 (en) * 2006-11-13 2008-05-15 Mark Fisher Computer systems and methods for process control environments
CN103036870A (en) * 2012-10-26 2013-04-10 青岛海天炜业自动化控制系统有限公司 Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic
CN104660593A (en) * 2015-02-09 2015-05-27 西北工业大学 Method for filtering OPC security gateway data packets
CN104734903A (en) * 2013-12-23 2015-06-24 中国科学院沈阳自动化研究所 Safety protection method of OPC protocol based on dynamic tracking technology
CN104753936A (en) * 2015-03-24 2015-07-01 西北工业大学 Opc security gateway system
CN104917776A (en) * 2015-06-23 2015-09-16 北京威努特技术有限公司 Industrial control network safety protection equipment and industrial control network safety protection method
CN109639701A (en) * 2018-12-25 2019-04-16 杭州迪普科技股份有限公司 Access control method, device, equipment and storage medium based on OPC agreement

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨之乐, 郑学理, 苏伟, 费敏锐, 付敬奇: "Design and implementation of the OPC data server of an industrial wireless network measurement and control system", 《计算机测量与控制》 (Computer Measurement & Control) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114006809A (en) * 2021-10-09 2022-02-01 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for adjusting industrial control firewall data transmission
CN114006809B (en) * 2021-10-09 2023-11-28 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for adjusting industrial control firewall data transmission

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant