CN113783894A - Method for realizing safety network service based on rule - Google Patents


Info

Publication number: CN113783894A
Application number: CN202111242594.3A
Authority: CN (China)
Legal status: Withdrawn (status as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 王志东, 王志晓
Assignee (current and original): Shenzhen Depth Detection Technology Co ltd
Prior art keywords: interface, port, srp, platform, pfd

Classifications (CPC, all under H04L63/00, network architectures or protocols for network security)

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L63/20 Managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications
  • Small-Scale Networks

Abstract

The invention discloses a method for implementing a rule-based secure network service, comprising the following steps. S1: before use, the P0 interface of the protocol filtering device (PFD) is connected directly to the management and monitoring platform; P0 uses a predefined management IP address and port, to which the monitoring platform issues real-time configuration commands. The method provides service according to self-defined rules: a request from a client, or a request to a server, that does not satisfy the rules is treated as an attack, shielded directly, and recorded in an alarm log for handling. Most ordinary network service actions are classed as general security requirements, while key network service actions are classed as key security actions, and a dedicated set of rules is designed only for the key security actions, so that the network's key tasks are effectively protected.

Description

Method for realizing safety network service based on rule
Technical Field
The invention relates to the technical field of embedded devices and communications, and in particular to a method for implementing a rule-based secure network service.
Background
As the market evolves, technology advances and the notions of client and server become ever more general, the request/response service mechanism is used in more and more situations. As data becomes more valuable, request/response mechanisms attract more attention, and more attacks.
The most important attacks are: 1) identity spoofing, for example impersonating a particular phone or account to log in to a system and steal money or defraud users; 2) illegal access, for example using special equipment to insert an unauthorised device on a leased-line link, attacking a large enterprise, implanting trojans and then extorting a ransom; 3) credential stuffing, in which a system is logged into from a remote, unauthorised address with passwords obtained elsewhere in order to steal and monopolise commercial secrets.
For a complex system, such attacks are very hard to prevent outright. The focus here, however, is not on the attacks themselves but on the critical applications and data: the aim is to rule out illegal intrusion and data tampering for those by designing rules.
For example, an exchange's daily transaction data must be backed up from the online node to several remote nodes once the day's data has been collected. The following transmission rules can then be designed:
1. the data is transmitted over TCP as one very large file;
2. before transmission the initiator, i.e. the client, derives its source port from an internally agreed pseudo-random value of the date and time, and sends the TCP request from that port;
3. before transmission the receiver, i.e. the server, derives its listening port from the same internally agreed value of the date and time, and accepts the TCP request only on that port;
4. the data is transmitted at a rate of the order of 1 Gbit/s;
5. the day's data is expected to be about 10 million transaction records of 100 bytes each, i.e. 1 GB or 8 Gbit, which at 1 Gbit/s takes roughly 8 seconds; the rule budgets 10 seconds for the transfer and allows a further 10 seconds of slack;
6. once reception is complete the client stops sending and the server stops receiving, and from that moment any request from the client cluster's IP addresses to the server cluster's IP addresses is rejected;
7. once the backup is complete, the client holding the original transaction data and the server that received the copy are taken offline, so that the data cannot be lost to malicious access.
In other words, the rules for the CLT to SRV port pair can be expressed as constraints and enforced by a Security Rules Platform (SRP).
This guarantees, on the one hand, that no client can push the critical data out to an external network, because the constraint is enforced independently of the firewall and the router, so tampering with those does not help; on the other hand, that no server can push the critical data out to an external network, for the same reason; and, further, that any network attack on this critical task, whether from the intranet or the extranet, is infeasible: by the time an attacker has the addresses, ports and timing right and launches the attack, the target has already finished its work (or suspended the service).
At present, field staff lack training and experience in this area: even when their systems suffer from viruses and trojans, malicious access, malicious logins or malicious tampering with data, they are often unaware of it. What is urgently needed is a method that is independent of the conventional operating system, router, firewall and application platform, that does away with complex systems, and that blocks attacks and protects the backup of critical data through rules the parties agree among themselves.
Disclosure of Invention
The invention aims to provide a method for realizing a rule-based secure network service.
To this end, the technical solution adopted by the invention is as follows. The method for implementing a rule-based secure network service comprises the following steps:
S1: before the protocol filtering device PFD is put into service, its P0 interface is connected directly to the management and monitoring platform. P0 uses a predefined management IP address and port; the monitoring platform issues real-time configuration commands to that address and port, and the PFD applies the configuration when it receives a configuration message from the monitoring platform;
S2: the network containing the client cluster is defined as network C and is connected to Ethernet port P1 of the PFD; the network containing the server cluster is defined as network S and is connected to Ethernet port P2 of the PFD;
S3: on receive (RX) at the P1 interface, every packet sent by any client is classified by source IP, source port, destination IP and destination port, put into a uniform request format and reported to the Security Rule Platform (SRP); this CLT-MSG contains IP-SRC, PORT-SRC, IP-DST and PORT-DST;
on transmit (TX) at the P2 interface, every packet destined for any server is classified in the same way by source IP, source port, destination IP and destination port, put into the uniform request format and reported to the SRP; this SRV-MSG likewise contains IP-SRC, PORT-SRC, IP-DST and PORT-DST;
S4: when the SRP receives a CLT-MSG it checks it for admission against the agreed rules; if the CLT-MSG does not satisfy the rules, the SRP issues an instruction in real time and the request from that client is shielded. When the SRP receives an SRV-MSG it checks it for admission in the same way; if the rules are not satisfied, the SRP issues an instruction in real time and the request to that server is shielded. Requests that satisfy the rules are forwarded unchanged;
S5: when an exception occurs, the PFD sends a message directly over the management/power interface, i.e. the Ethernet P0 interface, to the default SRP, where an administrator handles it.
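The following is an added example, not code from the patent, showing the S3/S4 exchange and the backup rule described in the Background in working form: a PFD function that reads only the Ethernet, IPv4 and TCP header fields needed for the 4-tuple report, and an SRP that admits or shields the report against an agreed rule. The port-derivation function (SHA-256 over a shared secret, a date/time slot and the side name), the secret, the address ranges and the frames are all constructed for this example; the patent only says the ports are derived from an internally agreed value of the date and time.

```python
"""Added example (not the patent's own code): PFD 4-tuple extraction plus an
SRP rule check. All frames, secrets, networks and the port derivation are
constructed for illustration."""
import hashlib
import ipaddress
import struct
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_4tuple(frame: bytes) -> Optional[dict]:
    """PFD side: read only the header fields needed for IP-SRC/PORT-SRC/IP-DST/
    PORT-DST. Non-IPv4/TCP frames return None so the PFD can report them over
    P0 as an exception (step S5) instead of guessing."""
    if len(frame) < ETH_HDR_LEN + 20 + 4:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ip[9] != PROTO_TCP or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # first 4 bytes of TCP
    return {
        "IP-SRC": str(ipaddress.IPv4Address(ip[12:16])),
        "PORT-SRC": sport,
        "IP-DST": str(ipaddress.IPv4Address(ip[16:20])),
        "PORT-DST": dport,
    }


def agreed_port(secret: bytes, slot: str, side: str) -> int:
    """Port that client ("CLT") and server ("SRV") derive independently from
    the agreed secret and the date/time slot. Hypothetical derivation:
    SHA-256 over secret, slot and side, mapped into 10000..59999."""
    digest = hashlib.sha256(secret + b"|" + slot.encode() + b"|" + side.encode()).digest()
    return 10000 + int.from_bytes(digest[:2], "big") % 50000


class Rule:
    """One agreed rule: which client cluster may reach which server cluster,
    on which pair of derived ports for the given slot."""

    def __init__(self, client_net: str, server_net: str, secret: bytes, slot: str):
        self.client_net = ipaddress.ip_network(client_net)
        self.server_net = ipaddress.ip_network(server_net)
        self.port_clt = agreed_port(secret, slot, "CLT")
        self.port_srv = agreed_port(secret, slot, "SRV")

    def allows(self, msg: dict) -> bool:
        return (ipaddress.ip_address(msg["IP-SRC"]) in self.client_net
                and ipaddress.ip_address(msg["IP-DST"]) in self.server_net
                and msg["PORT-SRC"] == self.port_clt
                and msg["PORT-DST"] == self.port_srv)


class SRP:
    """Security Rule Platform: PASS if any rule allows the report, otherwise a
    SHIELD instruction for the exact 4-tuple plus an alarm log entry."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.alarm_log = []

    def admit(self, kind: str, msg: dict) -> dict:
        if any(rule.allows(msg) for rule in self.rules):
            return {"action": "PASS"}
        self.alarm_log.append({"kind": kind, **msg})
        return {"action": "SHIELD", **msg}


def build_frame(src_ip: str, sport: int, dst_ip: str, dport: int) -> bytes:
    """Constructed test input: Ethernet + IPv4 + TCP SYN header, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ipv4 + tcp


def run_demo() -> dict:
    """Client cluster 10.1.0.0/24 backs up to server cluster 10.2.0.0/24 in
    slot "2021-10-25 02" (constructed values). Returns the SRP decisions."""
    secret, slot = b"exchange-backup-agreement", "2021-10-25 02"
    srp = SRP([Rule("10.1.0.0/24", "10.2.0.0/24", secret, slot)])
    p_clt, p_srv = agreed_port(secret, slot, "CLT"), agreed_port(secret, slot, "SRV")
    good = parse_4tuple(build_frame("10.1.0.5", p_clt, "10.2.0.9", p_srv))
    wrong_port = parse_4tuple(build_frame("10.1.0.5", 4444, "10.2.0.9", p_srv))
    wrong_src = parse_4tuple(build_frame("192.0.2.7", p_clt, "10.2.0.9", p_srv))
    not_ip = parse_4tuple(b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28)  # ARP
    return {
        "good": srp.admit("CLT-MSG", good)["action"],
        "wrong_port": srp.admit("CLT-MSG", wrong_port)["action"],
        "wrong_src": srp.admit("SRV-MSG", wrong_src)["action"],
        "not_ip_parsed": not_ip is not None,
        "alarms": len(srp.alarm_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the rule keys on the derived port pair as well as the address ranges, a request from a legitimate client address on any other port is shielded and logged, which is the behaviour the Background's rules 2 and 3 rely on; the parser deliberately stops at the first four bytes of the TCP header, which is all a line-rate layer-2 device needs to read.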
Preferably, the hardware of the protocol filtering device PFD is any one of an FPGA, an ASIC, a CPLD, a DSP, a microcontroller, an ARM chip, a RISC-V chip, a custom chip, a PC system or a mobile phone system.
Preferably, the P0, P1 and P2 interfaces are Ethernet interfaces; the P1 and P2 interfaces are any one of a 10 Gbit/s, 1 Gbit/s or 100 Mbit/s Ethernet port, and the P0 interface is a 100 Mbit/s Ethernet port.
Preferably, when the client cluster is connected to the P1 interface, the PFD submits every request to the security rule platform SRP for rule verification, and the SRP shields non-conforming requests in real time;
when the PFD forwards traffic from the P2 interface to the servers, every request sent is likewise submitted to the SRP for rule verification and shielded in real time by the SRP.
Preferably, one PFD is connected by its P1 interface to the egress router of the client cluster and by its P2 interface to the remote external network;
a second PFD is connected by its P1 interface to the remote external network and by its P2 interface to the server cluster. The P0 interfaces of both PFDs are used for configuration, power supply, reporting to the SRP and receiving the SRP's real-time shielding instructions; a shielding instruction names a specific IP address and port, i.e. a source IP, a destination IP, a source port and a destination port.
Preferably, in step S1 the P0 interface uses the predefined management IP address and port admIP/9000, and the monitoring platform uses srvIP/9000.
Preferably, the management IP address and port admIP of the PFD are configured when the PFD receives a configuration message in the agreed format from the monitoring platform at srvIP.
Preferably, in step S2 the network traffic flows as follows:
when traffic from the client cluster enters the P1 interface of the PFD, is passed from P1 to P2, and leaves P2 towards the far end, the RX side of P1 is analysed in real time and reported to the SRP attached to P0, which handles it in real time;
when traffic from the far end enters the P1 interface of the PFD, is passed from P1 to P2, and leaves P2 towards the server cluster, the TX side of P2 is analysed in real time and reported to the SRP attached to P0, which handles it in real time.
Preferably, the PFD obtains the CLT-MSG from P1 and submits it to the SRP over Ethernet port P0, and obtains the SRV-MSG from P2 and submits it to the SRP over Ethernet port P0.
Compared with the prior art, the invention has the following beneficial effects:
1. The method is built on the protocol filtering device PFD and, in its simplest form, needs only three network ports, denoted P1, P2 and P0, with traffic flowing P1 to P2 and P2 to P1. Hardware applying the invention is independent of any particular client, server, operating system, protocol, firewall or router; the security configuration is performed over the separate P0 port, which is isolated from the filtered traffic and therefore not affected by network attacks; the configuration method is simple and end users are not permitted to modify it, which greatly improves the security of the system. Because the device works at layer 2 of the ISO/OSI model, forwarding Ethernet frames between P1 and P2 and reading only the IP and TCP header fields needed for the 4-tuple rather than terminating or reassembling TCP connections, frames can be processed and analysed at line rate; the processing capacity is bounded only by the transceiver capacity of the ports and can reach 1 to 10, or even 40, Gbit/s.
2. The method avoids the large cost of hardware upgrades, the large workload of software and hardware configuration, and the management cost of raising security levels, and effectively addresses the reliability, trustworthiness and security of executing critical tasks over the network. It is simple and effective: only for the critical task are the time node at which it may execute and the source and destination ports used for execution agreed in advance.
The method can provide service according to self-defined rules: a request from a client, or a request to a server, that does not satisfy the rules is treated as an attack, shielded directly and recorded in an alarm log for handling. Most ordinary network service actions are classed as general security requirements, while key network service actions are classed as key security actions, and a dedicated set of rules is designed only for the key security actions, so that the network's key tasks are effectively protected.
Drawings
FIG. 1 is a system framework diagram of the present invention;
FIG. 2 is a flow chart of the rule processing of the client of the present invention;
FIG. 3 is a flow chart of the rule processing of the server according to the present invention;
FIG. 4 is a flow chart of upstream analysis and handling of the present invention;
FIG. 5 is a flow chart of downstream analysis and handling of the present invention.
Detailed Description
In order to make the objects, technical methods and advantages of the embodiments of the present invention more apparent, the technical methods in the embodiments of the present invention will be described in detail and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is to be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the internal logic of the processes, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It should be understood that in the present application, "comprising" and "having" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical method in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments; details of the same or similar concepts or processes may not be repeated in some embodiments.
Example 1:
A method for implementing a rule-based secure network service comprises the following steps:
S1: before the protocol filtering device PFD is put into service, its P0 interface is connected directly to the management and monitoring platform. P0 uses a predefined management IP address and port; the monitoring platform issues real-time configuration commands to that address and port, and the PFD applies the configuration when it receives a configuration message from the monitoring platform;
S2: the network containing the client cluster is defined as network C and is connected to Ethernet port P1 of the PFD; the network containing the server cluster is defined as network S and is connected to Ethernet port P2 of the PFD;
S3: on receive (RX) at the P1 interface, every packet sent by any client is classified by source IP, source port, destination IP and destination port, put into a uniform request format and reported to the Security Rule Platform (SRP); this CLT-MSG contains IP-SRC, PORT-SRC, IP-DST and PORT-DST;
on transmit (TX) at the P2 interface, every packet destined for any server is classified in the same way, put into the uniform request format and reported to the SRP; this SRV-MSG likewise contains IP-SRC, PORT-SRC, IP-DST and PORT-DST;
S4: when the SRP receives a CLT-MSG it checks it for admission against the agreed rules; if the CLT-MSG does not satisfy the rules, the SRP issues an instruction in real time and the request from that client is shielded. When the SRP receives an SRV-MSG it checks it in the same way; if the rules are not satisfied, the SRP issues an instruction in real time and the request to that server is shielded. Requests that satisfy the rules are forwarded unchanged;
S5: when an exception occurs, the PFD sends a message directly over the management/power interface, i.e. the Ethernet P0 interface, to the default SRP, where an administrator handles it.
The method is built on the protocol filtering device PFD and, in its simplest form, needs only three network ports, denoted P1, P2 and P0, with traffic flowing P1 to P2 and P2 to P1. Hardware applying the invention is independent of any particular client, server, operating system, protocol, firewall or router; the security configuration is performed over the separate P0 port, which is isolated from the filtered traffic and therefore not affected by network attacks; the configuration method is simple and end users are not permitted to modify it, which greatly improves the security of the system. Because the device works at layer 2 of the ISO/OSI model, forwarding Ethernet frames between P1 and P2 and reading only the IP and TCP header fields needed for the 4-tuple rather than terminating or reassembling TCP connections, frames can be processed and analysed at line rate; the processing capacity is bounded only by the transceiver capacity of the ports and can reach 1 to 10, or even 40, Gbit/s.
Example 2:
The hardware of the protocol filtering device PFD in this embodiment is any one of an FPGA, an ASIC, a CPLD, a DSP, a microcontroller, an ARM chip, a RISC-V chip, a custom chip, a PC system or a mobile phone system.
The P0, P1 and P2 interfaces of this embodiment are Ethernet interfaces; the P1 and P2 interfaces are any one of a 10 Gbit/s, 1 Gbit/s or 100 Mbit/s Ethernet port, and the P0 interface is a 100 Mbit/s Ethernet port.
When the client cluster is connected to the P1 interface, the PFD of this embodiment submits every request to the security rule platform SRP for rule verification, and the SRP shields non-conforming requests in real time;
when the PFD forwards traffic from the P2 interface to the servers, every request sent is likewise submitted to the SRP for rule verification and shielded in real time by the SRP.
One PFD of this embodiment is connected by its P1 interface to the egress router of the client cluster and by its P2 interface to the remote external network;
a second PFD is connected by its P1 interface to the remote external network and by its P2 interface to the server cluster. The P0 interfaces of both PFDs are used for configuration, power supply, reporting to the SRP and receiving the SRP's real-time shielding instructions; a shielding instruction names a specific IP address and port, i.e. a source IP, a destination IP, a source port and a destination port.
In step S1 of this embodiment, the P0 interface uses the predefined management IP address and port admIP/9000, and the monitoring platform uses srvIP/9000.
The management IP address and port admIP of the PFD in this embodiment are configured when the PFD receives a configuration message in the agreed format from the monitoring platform at srvIP.
In step S2 of this embodiment, the network traffic flows as follows:
when traffic from the client cluster enters the P1 interface of the PFD, is passed from P1 to P2, and leaves P2 towards the far end, the RX side of P1 is analysed in real time and reported to the SRP attached to P0, which handles it in real time;
when traffic from the far end enters the P1 interface of the PFD, is passed from P1 to P2, and leaves P2 towards the server cluster, the TX side of P2 is analysed in real time and reported to the SRP attached to P0, which handles it in real time.
The PFD of this embodiment obtains the CLT-MSG from P1 and submits it to the SRP over Ethernet port P0, and obtains the SRV-MSG from P2 and submits it to the SRP over Ethernet port P0.
Referring to FIGS. 1 to 5, the protocol filtering device PFD is assumed to have three interfaces, P1, P2 and P0. P0 is in general the interface for configuration and power, for reporting, and for receiving real-time shielding instructions. Traffic from a client enters at P1 (RX), leaves at P2 (TX) and continues to the far end; the RX side of P1 is the upstream analysis and handling point. Traffic from the far end enters at P1 (RX), leaves at P2 (TX) and continues to the server; the TX side of P2 is the downstream analysis and handling point.
The PFD can support an unlimited number of clients and servers; it can run in client-only mode, in server-only mode, or in both modes at the same time.
Application examples of the method of the invention:
application scenarios and environments are constructed according to fig. 1-5:
1. reporting of business data of enterprise units
Large enterprise groups, such as the headquarters of China Aluminum, have branch companies all over the country that must report their summarised production data daily; the data is ultimately concentrated in the headquarters' private cloud, and specific clients in specific offices of each subsidiary upload it to headquarters every day as files.
A reporting rule for this key data can then be designed: a time node for reporting is appointed and a server-side port is appointed; only at that time node can the client, from its appointed port, reach the appointed server port and upload the data file; at any other time, and in any other circumstance, neither the client port nor the server port is reachable. For the reporting of this critical business data, the process is then reliable, trustworthy and secure.
In summary, based on the PFD, the security of network transmission of critical data can be raised to a new level. The method is simple and effective and requires neither changes to the current business process nor significant upgrades of servers, software and the like.
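The reporting scenario above and rules 6 and 7 of the backup example in the Background are about when a path is open rather than which 4-tuple is allowed. The following added example, not code from the patent, shows the SRP-side lifecycle of one key task: the path from the client cluster to the server cluster is open only inside the appointed window, is locked for good as soon as the receiver reports completion, and a new day gets a fresh task rather than a reopened one. The networks, the server port 45000, the 02:00 window and the 20-second duration are constructed values.

```python
"""Added example (not the patent's own code): per-task window and completion
lock for a key network task. All times, networks and ports are constructed."""
import datetime as dt
import ipaddress
from enum import Enum


class TaskState(Enum):
    SCHEDULED = "scheduled"  # before the appointed time node
    OPEN = "open"            # inside the window, the transfer may run
    LOCKED = "locked"        # transfer finished or window expired


class KeyTask:
    def __init__(self, client_net: str, server_net: str, server_port: int,
                 opens_at: dt.datetime, duration: dt.timedelta):
        self.client_net = ipaddress.ip_network(client_net)
        self.server_net = ipaddress.ip_network(server_net)
        self.server_port = server_port
        self.opens_at = opens_at
        self.closes_at = opens_at + duration
        self.completed_at = None
        self.alarm_log = []

    def state(self, now: dt.datetime) -> TaskState:
        if self.completed_at is not None or now >= self.closes_at:
            return TaskState.LOCKED
        if now < self.opens_at:
            return TaskState.SCHEDULED
        return TaskState.OPEN

    def transfer_complete(self, now: dt.datetime) -> None:
        """Rule 6: the receiver reports completion; from this instant every
        client-cluster to server-cluster request is rejected, even if the
        window has not yet expired."""
        self.completed_at = now

    def decide(self, msg: dict, now: dt.datetime) -> tuple:
        """Returns (action, reason). Only an in-scope request while OPEN
        passes; everything else is shielded and written to the alarm log."""
        in_scope = (ipaddress.ip_address(msg["IP-SRC"]) in self.client_net
                    and ipaddress.ip_address(msg["IP-DST"]) in self.server_net
                    and msg["PORT-DST"] == self.server_port)
        state = self.state(now)
        if state is TaskState.OPEN and in_scope:
            return ("PASS", state.value)
        reason = state.value if in_scope else "not the agreed tuple"
        self.alarm_log.append({"at": now.isoformat(), "reason": reason, **msg})
        return ("SHIELD", reason)


def daily_report_task(day: dt.date) -> KeyTask:
    """Scenario: branches report to headquarters at 02:00 for at most 20 s.
    Each day is a separate task, so yesterday's completion never reopens a path."""
    return KeyTask("10.1.0.0/24", "10.2.0.0/24", 45000,
                   dt.datetime.combine(day, dt.time(2, 0)), dt.timedelta(seconds=20))


def run_demo() -> dict:
    req = {"IP-SRC": "10.1.0.5", "PORT-SRC": 40001, "IP-DST": "10.2.0.9", "PORT-DST": 45000}
    task = daily_report_task(dt.date(2021, 10, 25))
    t0 = task.opens_at
    decisions = [
        task.decide(req, t0 - dt.timedelta(seconds=1)),                    # too early
        task.decide(req, t0 + dt.timedelta(seconds=5)),                    # in window
        task.decide({**req, "PORT-DST": 22}, t0 + dt.timedelta(seconds=5)),  # wrong port
    ]
    task.transfer_complete(t0 + dt.timedelta(seconds=12))
    decisions.append(task.decide(req, t0 + dt.timedelta(seconds=13)))     # done: locked
    decisions.append(task.decide(req, t0 + dt.timedelta(seconds=30)))     # after window
    next_day = daily_report_task(dt.date(2021, 10, 26))
    decisions.append(next_day.decide(req, next_day.opens_at + dt.timedelta(seconds=5)))
    return {"decisions": decisions, "alarms": len(task.alarm_log)}


if __name__ == "__main__":
    for d in run_demo()["decisions"]:
        print(d)
```

The completion lock is the part that closes the timing gap the Background describes: an attacker who has learned the addresses and ports still finds the path closed, either because the window has not opened, because the transfer already finished, or because the window expired.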
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A method for implementing a rule-based secure network service, comprising the steps of: s1: before the protocol filtering device PFD is used, a P0 interface of the protocol filtering device PFD is directly connected to a management monitoring platform, a P0 interface adopts a predefined management IP address and a predefined port, the monitoring platform sends out a real-time configuration command based on the port, and the protocol filtering device PFD receives a configuration message of the monitoring platform and performs configuration; s2: defining the network where the client machine group is located as a network C, connecting the network C to an Ethernet port P1 of the protocol filtering device PFD, defining the network where the server machine group is located as a network S, and connecting the network S to an Ethernet port P2 of the protocol filtering device PFD; s3: the method comprises the steps that messages sent by any client are grouped at a P1 interface according to a source IP, a source PORT, a destination IP and a destination PORT during RX, a uniform request format is formed and reported to a Security Rule Platform (SRP), and the CLT-MSG comprises an IP-SRC, a PORT-SRC, an IP-DST and a PORT-DST; the method comprises the steps that messages received by any service end are grouped at a P2 interface according to a source IP, a source PORT, a destination IP and a destination PORT during TX, a uniform request format is formed and reported to a security rule platform SRP, and the SRV-MSG comprises an IP-SRC, a PORT-SRC, an IP-DST and a PORT-DST; s4: when the security rule platform SRP receives the CLT-MSG, the CLT-MSG can be admitted according to the appointed rule, and when the CLT-MSG meets the rule, the security rule platform SRP issues an instruction in real time and shields the request sent from the client at this time; the security rule platform SRP receives the SRV-MSG, can carry out access to the SRV-MSG according to the agreed rule, and when 
the rule is met, the SRP sends an instruction in real time to shield the request to the server; s5: when an exception occurs, the protocol filter device PFD sends a message directly from the management/power supply interface, i.e. the ethernet P0 interface, to the default security rules platform SRP, where it is handled by the administrator.
2. The method of claim 1, wherein the hardware of the PFD is any one of FPGA, ASIC, CPLD, DSP, single chip, ARM chip, RISC-V chip, custom chip, PC system, and mobile phone system.
3. The method of claim 1, wherein the P0, P1 and P2 interfaces are Ethernet interfaces, the Ethernet interfaces of the P1 and P2 interfaces are any one of ten gigabit, gigabit and hundred gigabit, and the Ethernet interface of the P0 interface is a hundred gigabit.
4. The method of claim 1, wherein when the client cluster is connected to the P1 interface, the protocol filtering device PFD submits the various requests to the security rule platform SRP for rule verification, and they are shielded in real time by the security rule platform SRP; when the protocol filtering device PFD forwards traffic from the P2 interface to the server, the various requests sent are likewise submitted to the security rule platform SRP for rule verification and are shielded in real time by the security rule platform SRP.
5. The method of claim 1, wherein one protocol filter device PFD is connected to the egress routers of the client cluster by its P1 interface and to the remote extranet by its P2 interface; another protocol filter device PFD is connected to the remote extranet by its P1 interface and to the server group by its P2 interface; the P0 interfaces of the two PFDs are used to configure and power the devices, report to the security rule platform SRP, and receive the real-time shielding instructions of the security rule platform SRP that shield specific IPs and ports, a shield entry comprising a source IP, a destination IP, a source port and a destination port.
6. The method of claim 1, wherein in step S1 the P0 interface uses a predefined management IP address and port admIP/9000, and the monitoring platform uses port srvIP/9000.
7. The method of claim 1, wherein the IP address and port admIP of the protocol filtering device PFD are configured when a configuration message in the agreed format is received from the monitoring platform srvIP.
8. The method of claim 1, wherein in step S2 the network message is transmitted as follows: when traffic from the client cluster enters the P1 interface of the PFD, passes from the P1 interface to the P2 interface, and leaves the P2 interface toward the remote end, the RX traffic is analyzed in real time on the P1 interface and reported in real time to the Security Rule Platform (SRP) connected via the P0 interface, which handles it; when traffic from the remote end enters the P1 interface of the PFD, passes from the P1 interface to the P2 interface, and leaves the P2 interface toward the server cluster, the TX traffic is analyzed in real time on the P2 interface and reported in real time to the Security Rule Platform (SRP) connected via the P0 interface, which handles it.
9. The method of claim 1, characterized in that said protocol filtering device PFD obtains the CLT-MSG from P1 and submits it from the Ethernet port P0 to the security rules platform SRP.
10. The method of claim 1, characterized in that said protocol filtering device PFD obtains the SRV-MSG from P2 and submits it from the Ethernet port P0 to the security rules platform SRP.
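The claims describe the PFD as a three-port filter (P1 client side, P2 server side, P0 management link to the SRP) that submits every request to the SRP for rule verification, drops what the SRP orders shielded, and reports exceptions over P0 (step S5). The following is an added example, not code from the patent or its assignee, that models that exchange in Python so the data flow of claims 5, 8, 9 and 10 can be traced end to end. Everything in it is assumed for illustration: the text frame format `SRC:PORT -> DST:PORT payload`, the rule semantics (a `None` field matches anything, IP fields accept CIDR), the `PASS`/`SHIELD`/`EXCEPTION` verdict names, and the documentation-range addresses in the sample frames.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Msg:
    """One request as seen by the PFD: the four fields a shield entry carries (claim 5)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: str = ""


def parse_frame(line: str) -> Msg:
    """Parse a constructed text frame 'SRC:PORT -> DST:PORT payload' (assumed format).

    Any malformed field raises ValueError; the PFD treats that as the S5 exception path.
    """
    left, sep, rest = line.partition(" -> ")
    if not sep:
        raise ValueError(f"malformed frame: {line!r}")
    dst, _, payload = rest.partition(" ")
    src_ip, src_port = left.rsplit(":", 1)      # ValueError if no ':' present
    dst_ip, dst_port = dst.rsplit(":", 1)
    sp, dp = int(src_port), int(dst_port)        # ValueError if not numeric
    for p in (sp, dp):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    # ip_address() rejects garbage addresses with ValueError as well
    return Msg(str(ipaddress.ip_address(src_ip)), str(ipaddress.ip_address(dst_ip)), sp, dp, payload)


@dataclass(frozen=True)
class ShieldRule:
    """Shield entry: source IP, destination IP, source port, destination port.

    None means 'any'; IP fields may be a single address or a CIDR network (assumed extension).
    """
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, m: Msg) -> bool:
        def ip_ok(rule: Optional[str], addr: str) -> bool:
            return rule is None or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)
        return (ip_ok(self.src_ip, m.src_ip) and ip_ok(self.dst_ip, m.dst_ip)
                and (self.src_port is None or self.src_port == m.src_port)
                and (self.dst_port is None or self.dst_port == m.dst_port))


class SRP:
    """Security rule platform reached over P0: verifies each report and answers PASS or SHIELD."""

    def __init__(self, rules: List[ShieldRule]):
        self.rules = list(rules)
        self.log: List[Tuple[str, str, Msg]] = []        # (kind, verdict, msg) for the administrator
        self.exceptions: List[Tuple[str, str]] = []      # (raw frame, error) reported under S5

    def verify(self, kind: str, m: Msg) -> str:
        verdict = "SHIELD" if any(r.matches(m) for r in self.rules) else "PASS"
        self.log.append((kind, verdict, m))
        return verdict

    def report_exception(self, frame: str, err: str) -> None:
        self.exceptions.append((frame, err))


class PFD:
    """Protocol filter device: P1 faces the client cluster, P2 the server side, P0 the SRP."""

    def __init__(self, srp: SRP):
        self.srp = srp
        self.p2_tx: List[Msg] = []      # passed CLT-MSGs forwarded out of P2 toward the server
        self.p1_tx: List[Msg] = []      # passed SRV-MSGs forwarded out of P1 toward the client
        self.shielded: List[Msg] = []   # dropped on SRP instruction

    def p1_rx(self, frame: str) -> str:
        """CLT-MSG arriving on P1 (claim 9): verified over P0, forwarded via P2 if passed."""
        return self._filter("CLT-MSG", frame, self.p2_tx)

    def p2_rx(self, frame: str) -> str:
        """SRV-MSG arriving on P2 (claim 10): verified over P0, forwarded via P1 if passed."""
        return self._filter("SRV-MSG", frame, self.p1_tx)

    def _filter(self, kind: str, frame: str, out: List[Msg]) -> str:
        try:
            msg = parse_frame(frame)
        except ValueError as e:
            # S5: on an exception the PFD reports straight over P0 and drops the frame (fail closed)
            self.srp.report_exception(frame, str(e))
            return "EXCEPTION"
        verdict = self.srp.verify(kind, msg)
        (self.shielded if verdict == "SHIELD" else out).append(msg)
        return verdict


def demo() -> dict:
    """Run constructed frames through one PFD; rules and addresses are made up for the example."""
    srp = SRP([
        ShieldRule(src_ip="198.51.100.0/24"),             # shield an entire client subnet
        ShieldRule(dst_ip="203.0.113.7", dst_port=23),    # shield port 23 on one server
    ])
    pfd = PFD(srp)
    frames = [
        "192.0.2.10:40000 -> 203.0.113.7:80 GET /index.html",
        "198.51.100.9:40001 -> 203.0.113.7:80 GET /admin",
        "192.0.2.10:40002 -> 203.0.113.7:23 login",
        "not a frame at all",
    ]
    verdicts = [pfd.p1_rx(f) for f in frames]
    reply = pfd.p2_rx("203.0.113.7:80 -> 192.0.2.10:40000 200 OK")
    return {"verdicts": verdicts, "reply": reply,
            "forwarded_to_server": len(pfd.p2_tx), "forwarded_to_client": len(pfd.p1_tx),
            "shielded": len(pfd.shielded), "exceptions": len(srp.exceptions)}


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the failure path: a frame the PFD cannot parse never reaches the rule check, so the device must decide on its own what to do with it. The example drops it and reports it over P0, matching the claim's statement that exceptions go straight to the SRP for the administrator; a PFD that forwarded unparseable frames instead would let exactly the traffic the rules cannot see through.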
CN202111242594.3A 2021-10-25 2021-10-25 Method for realizing safety network service based on rule Withdrawn CN113783894A (en)
Publications (1)

Publication Number Publication Date
CN113783894A true CN113783894A (en) 2021-12-10

Family

ID=78956755
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211210