CN112953976B - Access method and device of network equipment - Google Patents


Info

Publication number: CN112953976B
Authority: CN (China)
Prior art keywords: industrial switch, industrial, management, access, verification
Legal status: Active
Application number: CN202110519810.8A
Other languages: Chinese (zh)
Other versions: CN112953976A (en)
Inventors: 金宏伟, 何瑞丰, 张长久
Current assignee: Jinrui Tongchuang Beijing Technology Co ltd
Original assignee: Jinrui Tongchuang Beijing Technology Co ltd
Events: application filed by Jinrui Tongchuang Beijing Technology Co ltd; priority to CN202110519810.8A; publication of CN112953976A; application granted and published as CN112953976B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L 63/12 Applying verification of the received information
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H04L 12/2869 Operational details of access network equipments
    • H04L 12/287 Remote access server, e.g. BRAS
    • H04L 2212/00 Encapsulation of packets

Abstract

The embodiment of the application provides an access method and an access device for network equipment, belonging to the technical field of networks, and specifically comprising the following steps: generating, by an industrial switch, a machine fingerprint of the industrial switch; importing the machine fingerprint into a management admission server through the industrial switch or a client platform; determining, by the management admission server, whether the industrial switch is allowed to access the network according to a pre-acquired correspondence between the industrial switch and the machine fingerprint; and checking, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal. According to the scheme, the legality of the industrial switch is verified and the industrial switch is allowed to access the network only when the verification requirement is met, which improves the security of the industrial network system during device access and guarantees the operation and maintenance security of the industrial network.

Description

Access method and device of network equipment
Technical Field
The present application relates to the field of network technologies, and in particular, to an access method and an access device for a network device.
Background
Currently, industrial automation networks are usually deployed separately from the operating network, for reasons of security and stability. This separated design is highly customizable. As the demand for intelligence grows, network deployment also needs to meet a range of more targeted customization demands. However, the network functions provided by conventional network equipment manufacturers are generally aimed at operator and enterprise network environments, and their checks against illegal access, incorrect operation, network loops and the like are not stringent. With the development of the industrial internet, the realization and optimization of secure access for internet of things network equipment urgently needs to be solved.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide an access method and an access apparatus for a network device, which at least partially solve the problems in the prior art.
In a first aspect, an embodiment of the present disclosure provides an access method for a network device, which is applied to an industrial network system, where the industrial network system comprises an industrial switch, a management admission server and a client platform, and the method comprises the following steps:
generating, by the industrial switch, a machine fingerprint of the industrial switch, the machine fingerprint being used to uniquely characterize the corresponding industrial switch;
importing the machine fingerprint into the management admission server through the industrial switch or the client platform;
determining, by the management admission server, whether the industrial switch is allowed to access the network according to a pre-acquired correspondence between the industrial switch and the machine fingerprint;
and checking, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal.
Optionally, the checking, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal includes:
encrypting verification information by the management admission server to obtain an encrypted verification message, and sending the encrypted verification message to the industrial switch;
decrypting the encrypted verification message by the industrial switch to obtain the corresponding verification information, generating response information corresponding to the verification information, encrypting the response information in the same encryption mode as the encrypted verification message to obtain an encrypted response message, and sending the encrypted response message to the management admission server;
receiving the encrypted response message by the management admission server, and decrypting the encrypted response message;
and if the encrypted response message cannot be decrypted, applying traffic limiting to the upstream node of the industrial switch.
Optionally, the encrypting the verification information by the management admission server to obtain an encrypted verification message, and sending the encrypted verification message to the industrial switch, includes:
encapsulating, by the management admission server, the verification information in a TCP message, encrypting the encapsulated verification information to obtain an encrypted verification message, and sending the encapsulated encrypted verification message to the industrial switch.
Optionally, the checking, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal includes:
checking whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval check time or a regular check time set by the management admission server according to the importance of the device.
Optionally, the method further includes:
determining a target encryption and decryption algorithm for encrypting the data to be transmitted according to the data type of the data to be transmitted or the encryption and decryption algorithm adopted by the client platform;
selecting an implementation of the target encryption and decryption algorithm according to the software architecture of the client platform;
and selecting an interfacing mode with the client platform according to the software development mode supported by the industrial switch.
In a second aspect, an embodiment of the present disclosure provides an access apparatus for a network device, which is applied to an industrial network system, where the industrial network system includes an industrial switch, a management admission server, and a client platform, and the apparatus includes:
a generating module for generating a machine fingerprint of the industrial switch through the industrial switch, the machine fingerprint being used for uniquely characterizing the corresponding industrial switch;
the import module is used for importing the machine fingerprint into the management admission server through the industrial switch or the client platform;
the determining module is used for determining, by the management admission server, whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint;
and the checking module is used for checking, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal.
Optionally, the checking module includes:
an encryption submodule for encrypting the verification information by the management admission server to obtain an encrypted verification message and sending the encrypted verification message to the industrial switch;
a first processing submodule for decrypting the encrypted verification message by the industrial switch to obtain the corresponding verification information, generating response information corresponding to the verification information, encrypting the response information in the same encryption mode as the encrypted verification message to obtain an encrypted response message, and sending the encrypted response message to the management admission server;
a decryption submodule for receiving the encrypted response message by the management admission server and decrypting the encrypted response message;
and a second processing submodule for applying traffic limiting to the upstream node of the industrial switch if the encrypted response message cannot be decrypted.
Optionally, the encryption submodule is further configured to encapsulate, by the management admission server, the verification information in a TCP packet, encrypt the encapsulated verification information to obtain an encrypted verification packet, and send the encapsulated encrypted verification packet to the industrial switch.
Optionally, the checking module is further configured to check whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval check time or a periodic check time set by the management admission server according to the importance of the device.
Optionally, the apparatus further comprises:
the processing module is used for determining a target encryption and decryption algorithm for encrypting the data to be transmitted according to the data type of the data to be transmitted or the encryption and decryption algorithm adopted by the client platform;
determining the implementation of the target encryption and decryption algorithm according to the software architecture of the client platform;
and determining an interfacing mode with the client platform according to the software development mode supported by the industrial switch.
In a third aspect, the disclosed embodiments also provide a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the access method of the network device in the implementation manner of the foregoing first aspect.
According to the access method and device for network equipment in the embodiment of the disclosure, the machine fingerprint of the industrial switch is generated by the industrial switch, and the machine fingerprint uniquely represents the corresponding industrial switch; the machine fingerprint is imported into the management admission server through the industrial switch or the client platform; the management admission server determines whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint; and the management admission server checks whether the machine fingerprint and the data encryption mode of the industrial switch are legal. According to the scheme, the legality of the industrial switch is verified and the industrial switch is allowed to access the network only when the verification requirement is met, which improves the security of the industrial network system during device access and guarantees the operation and maintenance security of the industrial network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flow chart of an access method of a network device according to an embodiment of the present disclosure;
Fig. 2 is a schematic flow chart of step S104 in the access method of the network device according to the embodiment of the present application;
Fig. 3 is a schematic structural diagram of an access apparatus of a network device according to an embodiment of the present application;
Fig. 4 is another schematic structural diagram of an access apparatus of a network device according to an embodiment of the present application;
Fig. 5 is another schematic structural diagram of an access apparatus of a network device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The following description of the embodiments of the present application is provided by way of specific examples, and other advantages and effects of the present application will be readily apparent to those skilled in the art from the disclosure herein. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. The present application is capable of other and different embodiments and its several details are capable of modifications and/or changes in various respects, all without departing from the spirit of the present application. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present application, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present application, and the drawings only show the components related to the present application rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
The embodiment of the application provides an access method of network equipment.
Referring to fig. 1, an access method of a network device provided in an embodiment of the present disclosure includes:
Step S101, generating the machine fingerprint of the industrial switch through the industrial switch.
In this embodiment, the machine fingerprint is used to uniquely characterize the corresponding industrial switch. It should be added that the industrial switch may also be referred to as an industrial Ethernet switch, that is, an Ethernet switch applied in the field of industrial control. Industrial switches have carrier-grade performance characteristics and can withstand harsh operating environments; the product series is rich, the port configuration is flexible, and the requirements of various industrial fields can be met. In this embodiment, the machine fingerprint of the industrial switch may be a device serial number, a MAC address, and the like.
Step S102, importing the machine fingerprint into the management admission server through the industrial switch or the client platform;
In this embodiment, the client platform may be a development platform built on Java, and the management admission server may provide visitor network access management that manages terminal devices by dividing them into different VLANs. Typically the machine fingerprint is imported into the management admission server through the client platform; in specific cases it is imported through the industrial switch.
Step S103, determining, by the management admission server, whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint;
In this embodiment, whether the corresponding industrial switch is allowed to access the network may be set according to the correspondence between the industrial switch and the machine fingerprint recorded by the operation and maintenance manager when the switch leaves the factory, or the correspondence recorded by the operation and maintenance manager when the switch is deployed in the network environment.
Step S104, checking, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal.
In this embodiment, the management admission server checks whether the machine fingerprint and the encryption/decryption algorithm are legal according to the topology of the industrial switches. For example, the management admission server checks regularly, or at an interval set according to the importance of the internet of things device, whether the machine fingerprint and the encryption and decryption algorithm are legal. The check is performed by encapsulating the verification information in a TCP message, encrypting it and sending it to the industrial switch. This keeps the effectiveness and stability of conventional HTTPS encryption while avoiding the high delay and high load that encapsulating the verification information over HTTPS would cause.
Compared with having the industrial switch actively send verification information to the admission server, the admission verification method in which the management admission server actively sends the verification information has the following advantages: first, flexibility is high, since the admission state of an industrial switch can be obtained at any time as the management admission server requires; second, in a deployment with a large number of industrial switches, the network load caused by the switches' admission requests is reduced.
Therefore, the legality of the industrial switch is verified, the industrial switch is allowed to access the network when the verification requirement is met, the safety of the industrial network system in the equipment access process is improved, and the operation and maintenance safety of the industrial network is guaranteed.
Referring to fig. 2, in the access method of the network device shown in fig. 1, step S104 includes:
Step S1041, encrypting the verification information by the management admission server to obtain an encrypted verification message, and sending the encrypted verification message to the industrial switch;
Optionally, step S1041 includes: encapsulating, by the management admission server, the verification information in a TCP message, encrypting the encapsulated verification information to obtain an encrypted verification message, and sending the encapsulated encrypted verification message to the industrial switch.
Step S1042, decrypting the encrypted verification message by the industrial switch to obtain the corresponding verification information, generating response information corresponding to the verification information, encrypting the response information in the same encryption mode as the encrypted verification message to obtain an encrypted response message, and sending the encrypted response message to the management admission server;
Step S1043, receiving the encrypted response message by the management admission server, and decrypting the encrypted response message;
Step S1044, if the decryption operation cannot be performed on the encrypted response message, applying traffic limiting to the upstream node of the industrial switch.
In this embodiment, the industrial switch decrypts the encrypted verification message to obtain the verification information, encrypts the response information in the same encryption mode as the encrypted verification message to obtain the encrypted response message, and sends the encrypted response message to the management admission server; the port state and functions of the industrial switch are then managed according to whether the verification information permits access, and according to whether the network operation and maintenance staff should be alerted. The access situations may include: admission of the device fails because the password is wrong; the device is admitted but its link is illegal; the device model is abnormal; the device version is abnormal; the device is obsolete; and the like. For example, the device is admitted but its link is illegal when a device port is swapped or misconnected; the device model is abnormal when, for example, the device has been replaced by another, illegal device; the device version is abnormal when, for example, it has not been upgraded to the correct version; a device is obsolete when, for example, its hardware has expired.
Optionally, step S104 includes: checking whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval check time or a regular check time set by the management admission server according to the importance of the device.
In this embodiment, the management admission server receives the encrypted response packet and decrypts it. If it cannot be decrypted, traffic limiting is applied to the upstream node of the industrial switch in the management topology, which prevents malicious access.
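The fingerprint admission check of steps S101 to S103 and the challenge-response check of steps S1041 to S1044, as an added example in Go that is not the patent's own code. It assumes AES-128-GCM as the shared symmetric mode, a 4-byte length prefix as the TCP encapsulation, and an ack: echo as the response format; the patent specifies none of these, and the BadResponse verdict is an extra check beyond the "cannot decrypt" case the patent describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

type (
	Fingerprint struct{ Serial, MAC string } // serial number and MAC, as the patent names them
	Registry    map[string]Fingerprint       // pre-acquired switch-id -> fingerprint, set at factory or deployment
)

// Admit implements step S103: the presented fingerprint must equal the recorded one.
func (r Registry) Admit(switchID string, presented Fingerprint) bool {
	want, ok := r[switchID]
	return ok && want == presented
}

// Link is the symmetric encryption mode both sides share. AES-128-GCM is an
// assumption of this example; the patent only says "the same encryption mode".
type Link struct{ aead cipher.AEAD }

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Link{aead}, nil
}

// Seal encrypts plaintext and encapsulates nonce||ciphertext as one length-prefixed
// TCP record, the "encapsulating in a TCP message" of step S1041 (assumed framing).
func (l *Link) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := l.aead.Seal(nonce, nonce, plaintext, nil)
	rec := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(rec, uint32(len(payload)))
	copy(rec[4:], payload)
	return rec, nil
}

// Open reverses Seal; it fails on a malformed record, a different key, or a modified ciphertext.
func (l *Link) Open(rec []byte) ([]byte, error) {
	ns := l.aead.NonceSize()
	if len(rec) < 4+ns || int(binary.BigEndian.Uint32(rec)) != len(rec)-4 {
		return nil, errors.New("malformed record")
	}
	return l.aead.Open(nil, rec[4:4+ns], rec[4+ns:], nil)
}

// SwitchRespond is the switch's half (S1042): decrypt the challenge, answer it, encrypt the answer the same way.
func SwitchRespond(l *Link, rec []byte) ([]byte, error) {
	challenge, err := l.Open(rec)
	if err != nil {
		return nil, err
	}
	return l.Seal(append([]byte("ack:"), challenge...))
}

// Verdict is the management admission server's decision after S1043/S1044.
type Verdict int
const (
	Verified          Verdict = iota // response decrypted and echoed the challenge
	RateLimitUpstream                // could not decrypt: traffic-limit the switch's upstream node
	BadResponse                      // decrypted but did not echo the challenge (check added here)
)

// ServerChallenge (S1041): build a fresh challenge and return it with its encrypted
// TCP record; the server keeps the plaintext so a replayed old answer cannot pass.
func ServerChallenge(l *Link, switchID string) (challenge, rec []byte, err error) {
	nonce := make([]byte, 8)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	challenge = []byte("verify:" + switchID + ":" + hex.EncodeToString(nonce))
	rec, err = l.Seal(challenge)
	return challenge, rec, err
}

// ServerCheck (S1043/S1044): decrypt the switch's reply; a reply that cannot be
// decrypted means the upstream node of the switch gets traffic-limited.
func ServerCheck(l *Link, challenge, reply []byte) Verdict {
	plain, err := l.Open(reply)
	if err != nil {
		return RateLimitUpstream
	}
	if string(plain) != "ack:"+string(challenge) {
		return BadResponse
	}
	return Verified
}
```

Because the same key is used in both directions, the ack: prefix is what stops a challenge record reflected back to the server from being accepted as a response.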
Optionally, the access method of the network device further includes:
determining a target encryption and decryption algorithm for encrypting the data to be transmitted according to the data type of the data to be transmitted or the encryption and decryption algorithm adopted by the client platform;
selecting an implementation of the target encryption and decryption algorithm according to the software architecture of the client platform;
and selecting an interfacing mode with the client platform according to the software development mode supported by the industrial switch.
In this embodiment, since different application scenarios have different requirements for the encryption and decryption algorithm, a suitable algorithm needs to be selected according to the application scenario. For example, for high-volume operations in a monitoring scenario, such as video monitoring, alarm information, log collection and data backup, a symmetric encryption algorithm can be selected. If the compression and decompression speed of transmitted data packets must be considered, a simple encryption algorithm should be selected. Data with high requirements on device authentication and user authentication security requires a dynamic key algorithm. At the same time, interfacing with the client platform is taken into account, and the encryption algorithm is kept consistent with the encryption and decryption algorithm already adopted by the client platform as far as possible.
In this embodiment, the software implementation of the encryption algorithm is selected according to the software architecture of the client platform. The client platform may be the client's authentication platform, service management platform, and the like. For example, if a common client platform is developed on the Java platform, the encryption and decryption algorithm needs to be implemented with a Java interface.
In this embodiment, the interfacing mode with the client platform is selected according to the software development mode supported by the industrial switch; for example, the interfacing modes include HTTP, SNMP, log receiving and sending, and a custom encrypted link. It should be noted that if a mature application can be reused, the function is first implemented and optimized through secondary development, and the runtime environment of that application is then ported to the industrial switch platform to achieve the interfacing.
It should be added that the maintenance of conventional operator and enterprise network environments is generally performed by professional network operation and maintenance personnel, and the encryption process is not integrated into the industrial switch together with the basic network configuration. In this embodiment, the encryption process is combined with the basic network configuration mode, which has the advantage of suiting the industrial switching network environment while also drawing on the conventional network operation and maintenance mode and experience, so that the access security of the network equipment is improved.
According to the access method for network equipment in the embodiment of the disclosure, the machine fingerprint of the industrial switch is generated by the industrial switch, and the machine fingerprint uniquely represents the corresponding industrial switch; the machine fingerprint is imported into the management admission server through the industrial switch or the client platform; the management admission server determines whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint; and the management admission server checks whether the machine fingerprint and the data encryption mode of the industrial switch are legal. According to the scheme, the legality of the industrial switch is verified and the industrial switch is allowed to access the network only when the verification requirement is met, which improves the security of the industrial network system during device access and guarantees the operation and maintenance security of the industrial network.
Corresponding to the above method embodiment, referring to fig. 3, the present disclosure also provides an access apparatus 300 of a network device, which is applied to an industrial network system including an industrial switch, a management admission server, and a client platform, and the apparatus includes:
a generating module 301, configured to generate, by the industrial switch, a machine fingerprint of the industrial switch, where the machine fingerprint is used to uniquely characterize the corresponding industrial switch;
an import module 302, configured to import the machine fingerprint into the management admission server through the industrial switch or the client platform;
a determining module 303, configured to determine, by the management admission server, whether to allow the industrial switch to access the network according to a pre-obtained correspondence between the industrial switch and the machine fingerprint;
a verification module 304, configured to verify, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal.
Optionally, the verification module 304 includes:
an encryption submodule 3041, configured to encrypt verification information by the management admission server to obtain an encrypted verification packet, and send the encrypted verification packet to the industrial switch;
a first processing submodule 3042, configured to decrypt the encrypted verification packet by the industrial switch to obtain the corresponding verification information, generate response information corresponding to the verification information, encrypt the response information in the same encryption mode as the encrypted verification packet to obtain an encrypted response packet, and send the encrypted response packet to the management admission server;
a decryption submodule 3043, configured to receive the encrypted response packet by the management admission server and decrypt it;
a second processing submodule 3044, configured to limit the traffic of the upstream node of the industrial switch if the encrypted response packet cannot be decrypted.
Optionally, the encryption submodule 3041 is further configured to encapsulate, by the management admission server, the verification information in a TCP packet, encrypt the encapsulated verification information to obtain an encrypted verification packet, and send the resulting encrypted verification packet to the industrial switch.
Optionally, the verification module 304 is further configured to verify, by the management admission server, whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval verification time or a periodic verification time set according to the device importance level.
Optionally, the apparatus 300 further includes:
a processing module 305, configured to determine, according to a data type of data to be transmitted or an encryption and decryption algorithm adopted by the client platform, a target encryption and decryption algorithm used for encrypting the data to be transmitted;
determining the implementation mode of the target encryption and decryption algorithm according to the software architecture of the client platform;
and determining the interface mode to the client platform according to the software development mode supported by the industrial switch.
The apparatus shown in fig. 3 can carry out the method of the above method embodiment; for details not described in this embodiment, refer to the method embodiment above, which are not repeated here.
The disclosed embodiments also provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the access method of the network device in the aforementioned method embodiments.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be embodied in an electronic device; or may be present alone without being incorporated into the electronic device.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. In some cases, the name of a unit does not constitute a limitation on the unit itself.
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof.
The above description is only for the specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present disclosure should be covered within the scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (8)

1. An access method of a network device is applied to an industrial network system, wherein the industrial network system comprises an industrial switch, a management admission server and a client platform, and the method comprises the following steps:
generating, by the industrial switch, a machine fingerprint of the industrial switch, the machine fingerprint being used to uniquely characterize the corresponding industrial switch;
importing the machine fingerprint into the management admission server through the industrial switch or the client platform;
determining, by the management admission server, whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint;
checking, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal;
wherein checking, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal comprises the following steps:
encrypting verification information by the management admission server to obtain an encrypted verification message, and sending the encrypted verification message to the industrial switch;
decrypting the encrypted verification message by the industrial switch to obtain the corresponding verification information, generating response information corresponding to the verification information, encrypting the response information in the same encryption mode as the encrypted verification message to obtain an encrypted response message, and sending the encrypted response message to the management admission server;
receiving the encrypted response message by the management admission server, and decrypting the encrypted response message;
if the decryption operation cannot be executed on the encrypted response message, carrying out flow limitation on an upstream node of the industrial switch;
managing, according to whether access is permitted in the verification information, the port state of the industrial switch, whether its functions are limited, and whether network operation and maintenance personnel are prompted, wherein the access conditions comprise: password error resulting in equipment admission failure, equipment admission success but illegal equipment linkage, abnormal equipment model, abnormal equipment version, abandoned equipment, and expired hardware equipment.
2. The access method of network equipment according to claim 1, wherein the encrypting the authentication information by the management admission server to obtain an encrypted authentication packet comprises:
and packaging the verification information according to the TCP message through the management access server, and encrypting the packaged verification information to obtain an encrypted verification message.
3. The method according to claim 1, wherein the checking, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal comprises:
checking whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval verification time or a periodic verification time set by the management admission server according to the equipment importance degree.
4. The method for accessing a network device according to claim 1, wherein the method further comprises:
determining a target encryption and decryption algorithm for encrypting the data to be transmitted according to the data type of the data to be transmitted or the encryption and decryption algorithm adopted by the client platform;
selecting an implementation mode of the target encryption and decryption algorithm according to a software architecture of a client platform;
and selecting the interface mode to the client platform according to the software development mode supported by the industrial switch.
5. An access device of a network device, applied to an industrial network system, wherein the industrial network system comprises an industrial switch, a management admission server and a client platform, the device comprises:
a generating module for generating a machine fingerprint of the industrial switch through the industrial switch, the machine fingerprint being used for uniquely characterizing the corresponding industrial switch;
the import module is used for importing the machine fingerprint into the management admission server through the industrial switch or the client platform;
the determining module is used for determining, by the management admission server, whether the industrial switch is allowed to access the network according to the pre-acquired correspondence between the industrial switch and the machine fingerprint;
the verification module is used for verifying, by the management admission server, whether the machine fingerprint and data encryption mode of the industrial switch are legal;
the verification module comprises:
the encryption submodule, used for encrypting verification information by the management admission server to obtain an encrypted verification message and sending the encrypted verification message to the industrial switch;
the first processing submodule, used for decrypting the encrypted verification message by the industrial switch to obtain the corresponding verification information, generating response information corresponding to the verification information, encrypting the response information in the same encryption mode as the encrypted verification message to obtain an encrypted response message, and sending the encrypted response message to the management admission server;
the decryption submodule, used for receiving the encrypted response message by the management admission server and decrypting the encrypted response message;
the second processing submodule, used for limiting the flow of an upstream node of the industrial switch if the encrypted response message cannot be decrypted;
and for managing, according to whether access is permitted in the verification information, the port state of the industrial switch, whether its functions are limited, and whether network operation and maintenance personnel are prompted, wherein the access conditions comprise: password error resulting in equipment admission failure, equipment admission success but illegal equipment linkage, abnormal equipment model, abnormal equipment version, abandoned equipment, and expired hardware equipment.
6. The access device of the network device according to claim 5, wherein the encryption sub-module is further configured to encapsulate, by the management admission server, the authentication information according to the TCP packet, and encrypt the encapsulated authentication information to obtain an encrypted authentication packet.
7. The access device of the network device according to claim 5, wherein the verification module is further configured to verify whether the machine fingerprint and the data encryption mode of the industrial switch are legal at an interval verification time or a periodic verification time set by the management admission server according to the equipment importance degree.
8. The network device access apparatus of claim 5, wherein the apparatus further comprises:
the processing module is used for determining a target encryption and decryption algorithm for encrypting the data to be transmitted according to the data type of the data to be transmitted or the encryption and decryption algorithm adopted by the client platform;
determining the implementation mode of the target encryption and decryption algorithm according to the software architecture of the client platform;
and determining the interface mode to the client platform according to the software development mode supported by the industrial switch.
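As an added example that is not code from the patent, the following Python simulation walks through the admission flow described by apparatus modules 301 to 304 above and by claim 1: fingerprint generation and import, the admission decision against the pre-acquired correspondence, the encrypted verification challenge and encrypted response, and traffic limitation of the upstream node when the response cannot be decrypted. The cipher is a stand-in (HMAC-derived keystream with encrypt-then-MAC) because the patent names none; the fingerprint composition, the pre-shared key, the node names and the nonce check are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def machine_fingerprint(model, serial):
    # Uniquely identifies one switch; hashing these identity fields is an assumption.
    return hashlib.sha256(f"{model}|{serial}".encode()).hexdigest()

def _keystream(key, nonce, length):
    # PRF-derived keystream: a stand-in for the cipher the patent leaves unspecified.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    # Encrypt-then-MAC packet layout: nonce(12) || ciphertext || tag(32).
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, packet):
    # Raises ValueError when the key does not match or the packet was altered.
    nonce, ct, tag = packet[:12], packet[12:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt packet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class IndustrialSwitch:
    def __init__(self, model, serial, key):
        self.model, self.key = model, key
        self.fingerprint = machine_fingerprint(model, serial)

    def handle_verification(self, packet):
        # Decrypt the verification packet and answer it under the same key (claim 1).
        try:
            nonce = json.loads(decrypt(self.key, packet))["nonce"]
        except ValueError:
            nonce = None  # key mismatch: a reply is still sent, but the server cannot read it
        reply = {"nonce": nonce, "fingerprint": self.fingerprint, "model": self.model}
        return encrypt(self.key, json.dumps(reply).encode())

class ManagementAdmissionServer:
    def __init__(self):
        self.registry = {}         # fingerprint -> expected record (pre-acquired correspondence)
        self.rate_limited = set()  # upstream nodes currently under traffic limitation

    def import_fingerprint(self, fingerprint, model, key, upstream):
        self.registry[fingerprint] = {"model": model, "key": key, "upstream": upstream}

    def admit(self, fingerprint):
        # Determining step: only a fingerprint imported beforehand may access the network.
        return fingerprint in self.registry

    def verify(self, switch, fingerprint):
        # Checking step: encrypted challenge, encrypted response, upstream limit on failure.
        rec = self.registry[fingerprint]
        nonce = secrets.token_hex(8)
        packet = encrypt(rec["key"], json.dumps({"nonce": nonce}).encode())
        try:
            reply = json.loads(decrypt(rec["key"], switch.handle_verification(packet)))
        except ValueError:
            self.rate_limited.add(rec["upstream"])  # undecryptable reply: limit the upstream node
            return "decrypt_failed"
        if reply["nonce"] != nonce or reply["fingerprint"] != fingerprint:
            return "stale_response"  # replayed or foreign reply (added check, not in the claims)
        return "abnormal_model" if reply["model"] != rec["model"] else "ok"
```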
CN202110519810.8A 2021-05-13 2021-05-13 Access method and device of network equipment Active CN112953976B (en)

Publications (2)

Publication Number Publication Date
CN112953976A CN112953976A (en) 2021-06-11
CN112953976B true CN112953976B (en) 2021-08-13

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506221B (en) * 2023-06-25 2023-09-19 金锐同创(北京)科技股份有限公司 Industrial switch admission control method, device, computer equipment and medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7836488B2 (en) * 2005-08-18 2010-11-16 Hong Kong Applied Science And Technology Research Institute Co. Ltd. Authentic device admission scheme for a secure communication network, especially a secure IP telephony network
WO2016064397A1 (en) * 2014-10-23 2016-04-28 Hewlett Packard Enterprise Development Lp Admissions control of a device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant