CN113783894A - Method for realizing safety network service based on rule - Google Patents
Method for realizing safety network service based on rule
- Publication number: CN113783894A (application CN202111242594.3A)
- Authority
- CN
- China
- Prior art keywords
- interface
- port
- srp
- platform
- pfd
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention discloses a method for realizing a rule-based secure network service, comprising the following steps. S1: before use, the P0 interface of the protocol filter device PFD is connected directly to the management monitoring platform; the P0 interface uses a predefined management IP address and port, and the monitoring platform issues real-time configuration commands to that port. The method provides service according to self-defined rules: any request sent by a client, or sent to a server, that does not satisfy the rules is treated as an attack, shielded directly, and recorded in an alarm log for disposal. Most general network service actions are classified as general security-requirement actions, while key network service actions are classified as key security actions, and a single set of targeted rules is designed only for the key security actions, so that the security of the network for key tasks is effectively guaranteed.
Description
Technical Field
The invention relates to the technical field of embedded equipment and communication, in particular to a method for realizing a rule-based secure network service.
Background
As the market evolves and technology advances, the concepts of client and server become ever more general, and the mechanism of requesting and responding to services is used in many situations. As data becomes more valuable, request-and-response mechanisms attract more and more attention, and with it more and more attacks.
The most important attacks are: 1) identity-forgery attacks, such as forging the identity of a particular mobile phone or account, logging in to the system and then stealing money from or defrauding users; 2) illegal-access attacks, for example using special equipment to introduce an illegal device onto a leased-line link, attacking a large enterprise, implanting trojans and then demanding ransom; 3) credential-stuffing attacks with stolen passwords, logging in to the system from a remote illegal address to steal and monopolise commercial secrets.
Such illegal attacks are very difficult to avoid in complex systems. Our focus, however, is not on these attacks in general but on critical applications or data: we try to rule out illegal intrusion and data tampering by designing rules.
For example, the daily transaction data of an exchange must be backed up from the online node to several remote nodes once collection is complete. The following data transmission rule can then be designed:
1. data is transmitted over TCP as one very large file;
2. before transmission, the initiator (the client) derives its port from an internally agreed random number (date & time) and sends the TCP request from that port;
3. before transmission, the receiver (the server) derives its port from the same internally agreed random number (date & time) and accepts the TCP request on that port;
4. data is transmitted at Gbit/s rates;
5. the transaction data is expected to hold 10M transactions of 100 bytes each, i.e. 1GB = 10Gbit, and is expected to be transmitted within 10 seconds (10Gbit/1Gbit = 10 seconds), which leaves 10 seconds of redundancy;
6. once reception is complete, the client stops sending and the server stops receiving, and from that moment any request from the IP addresses of the client cluster to the IP addresses of the server cluster is rejected;
7. once the backup is complete, the client holding the original transaction data and the server holding the divided data are stopped, so that malicious access cannot cause data loss.
This means that the rules for the bilateral CLT-to-SRV ports can be constrained and enforced by a Security Rules Platform (SRP).
This ensures that, on the one hand, no client can transmit critical data to the external network outside the agreed rule, since tampering with firewalls or routers does not help; on the other hand, no server can transmit the key data to the external network, for the same reason; and any attack on this critical task, whether from the intranet or the extranet, is infeasible from the network: either the agreed time has not yet come, or by the time the attack is launched the target has already finished its work (or suspended the service).
At present, field personnel lack training and experience in this technical field; even when the various intelligent systems suffer from viruses/trojans, malicious access, malicious logins, malicious data tampering and the like, the field personnel are entirely unaware. A method is therefore urgently needed that is independent of the traditional operating system, router, firewall, application platform and so on, abandons the complex system, and uses self-agreed rules to shield attacks and back up key data.
Disclosure of Invention
The invention aims to provide a method for realizing a rule-based secure network service.
In order to achieve this purpose, the technical method adopted by the invention is as follows. The method for realizing a rule-based secure network service comprises the following steps:
S1: before the protocol filtering device PFD is put into use, its P0 interface is connected directly to the management monitoring platform; the P0 interface uses a predefined management IP address and port, the monitoring platform issues real-time configuration commands to that port, and the PFD receives the monitoring platform's configuration message and configures itself accordingly;
S2: the network in which the client machine group is located is defined as network C and connected to Ethernet port P1 of the PFD; the network in which the server machine group is located is defined as network S and connected to Ethernet port P2 of the PFD;
S3: messages sent by any client are grouped at the P1 interface, on RX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the Security Rule Platform (SRP), namely a CLT-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST;
messages received by any server end are grouped at the P2 interface, on TX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the Security Rule Platform (SRP), namely an SRV-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST;
S4: when the SRP receives a CLT-MSG it checks its admission against the agreed rule, and when the CLT-MSG matches the rule the SRP issues an instruction in real time to shield the request sent by that client; when the SRP receives an SRV-MSG it checks its admission against the agreed rule, and when the rule matches the SRP issues an instruction in real time to shield the request to the server;
S5: when an exception occurs, the PFD sends a message directly out of the management/power-supply interface, i.e. the Ethernet P0 interface, to the default SRP, where the administrator handles it.
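The following is an added example, not code from the patent, that models the PFD/SRP split of steps S3 and S4 together with the backup-transfer rule of the Background section. The PFD reads the 4-tuple (IP-SRC, PORT-SRC, IP-DST, PORT-DST) straight out of the Ethernet/IPv4/TCP headers of a raw frame without touching the payload, forms a CLT-MSG, and the SRP checks it against an agreed rule: the transfer is allowed only inside an agreed time window, only between network C and network S, and only on ports both sides derive from the agreed date & time seed (rules 2, 3 and 6). Every report that fails the rule is shielded and written to an alarm log, as the abstract describes. The frame layout, the port-derivation scheme (SHA-256 over a shared seed), the rule fields and all addresses are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

ETH_HDR = 14            # dst MAC(6) + src MAC(6) + EtherType(2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass(frozen=True)
class FourTuple:          # the CLT-MSG / SRV-MSG payload: IP-SRC, PORT-SRC, IP-DST, PORT-DST
    ip_src: str
    port_src: int
    ip_dst: str
    port_dst: int


def parse_four_tuple(frame: bytes) -> Optional[FourTuple]:
    """PFD side: read the 4-tuple from fixed header offsets of a raw frame.
    Only Ethernet/IPv4/TCP headers are touched; the payload is never inspected."""
    if len(frame) < ETH_HDR + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:   # need protocol=TCP and both TCP ports
        return None
    port_src, port_dst = struct.unpack_from("!HH", ip, ihl)
    return FourTuple(str(ipaddress.IPv4Address(ip[12:16])), port_src,
                     str(ipaddress.IPv4Address(ip[16:20])), port_dst)


def agreed_port(secret: bytes, when: datetime, role: str) -> int:
    """Assumed scheme for rules 2 and 3: both sides derive their port from the
    agreed secret plus the agreed date and hour, so no port is ever negotiated on the wire."""
    seed = secret + when.strftime("%Y%m%d%H").encode() + role.encode()
    return 10000 + int.from_bytes(hashlib.sha256(seed).digest()[:2], "big") % 50000


@dataclass
class TransferRule:
    client_net: ipaddress.IPv4Network     # network C
    server_net: ipaddress.IPv4Network     # network S
    window_start: datetime
    window_end: datetime
    secret: bytes
    completed: bool = False   # rule 6: once the backup is received, reject all C -> S traffic


@dataclass
class SRP:
    rule: TransferRule
    alarm_log: List[str] = field(default_factory=list)

    def check(self, msg_kind: str, t: FourTuple, now: datetime) -> str:
        """SRP side: 'pass' if the report satisfies the agreed rule, otherwise
        'shield' (the real-time instruction back to the PFD) plus an alarm entry."""
        r = self.rule
        ok = (not r.completed
              and r.window_start <= now < r.window_end
              and ipaddress.IPv4Address(t.ip_src) in r.client_net
              and ipaddress.IPv4Address(t.ip_dst) in r.server_net
              and t.port_src == agreed_port(r.secret, r.window_start, "CLT")
              and t.port_dst == agreed_port(r.secret, r.window_start, "SRV"))
        if ok:
            return "pass"
        self.alarm_log.append(f"{now.isoformat()} {msg_kind} shield {t}")
        return "shield"


def build_frame(ip_src: str, port_src: int, ip_dst: str, port_dst: int) -> bytes:
    """Constructed sample frame: zeroed MACs, minimal IPv4 header, TCP SYN, no payload."""
    tcp = struct.pack("!HHIIBBHHH", port_src, port_dst, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(ip_src).packed, ipaddress.IPv4Address(ip_dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def demo() -> List[str]:
    """Constructed scenario: a one-minute backup window for 10.1.0.0/24 -> 10.2.0.0/24."""
    start = datetime(2021, 10, 25, 2, 0, tzinfo=timezone.utc)
    rule = TransferRule(ipaddress.IPv4Network("10.1.0.0/24"), ipaddress.IPv4Network("10.2.0.0/24"),
                        start, start.replace(minute=1), b"constructed-shared-seed")
    srp = SRP(rule)
    pc, ps = agreed_port(rule.secret, start, "CLT"), agreed_port(rule.secret, start, "SRV")
    reports = [
        (build_frame("10.1.0.5", pc, "10.2.0.9", ps), start),                  # the agreed transfer
        (build_frame("10.1.0.5", 44444, "10.2.0.9", ps), start),               # wrong client port
        (build_frame("192.0.2.7", pc, "10.2.0.9", ps), start),                 # source outside network C
        (build_frame("10.1.0.5", pc, "10.2.0.9", ps), start.replace(hour=3)),  # outside the window
    ]
    results = [srp.check("CLT-MSG", parse_four_tuple(f), now) for f, now in reports]
    rule.completed = True                                                        # rule 6 takes effect
    results.append(srp.check("CLT-MSG", parse_four_tuple(reports[0][0]), start))
    return results                      # ['pass', 'shield', 'shield', 'shield', 'shield']
```

The same check, with a different window and port pair, covers the daily data-reporting scenario in the application example later on the page: only the agreed client port to the agreed server port, only at the agreed time node, and nothing else. The point a defender should take from the parser is that the PFD never needs TCP state or payload decoding; four fixed header fields are enough to form the report, which is why the description can claim line-speed processing.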
Preferably, the hardware of the protocol filtering device PFD is any one of an FPGA, an ASIC, a CPLD, a DSP, a single chip microcomputer, an ARM chip, a RISC-V chip, a custom chip, a PC system, and a mobile phone system.
Preferably, the P0 interface, the P1 interface and the P2 interface are Ethernet interfaces; the Ethernet interfaces of the P1 interface and the P2 interface are any one of a gigabit network port and a 100-megabit network port, and the Ethernet interface of the P0 interface is a 100-megabit network port.
Preferably, when the client cluster is connected to the P1 interface, the PFD submits each request to the security rule platform SRP for rule verification, and the SRP performs real-time shielding;
when the PFD sends traffic from the P2 interface to the server, each request sent is submitted to the SRP for rule verification and is shielded in real time by the SRP.
Preferably, the protocol filtering device PFD is connected to the egress router of the client cluster through its P1 interface and to the remote external network through its P2 interface;
a second protocol filtering device PFD is connected to the remote external network through its P1 interface and to the server group through its P2 interface; the P0 interfaces of the two PFDs are used for configuration, power supply, reporting to the SRP, and receiving the SRP's real-time shielding instructions that shield a specific IP and port, where the shield covers a source IP, a destination IP, a source port and a destination port.
Preferably, in step S1, the P0 interface uses the predefined management IP address and port admIP/9000, and the monitoring platform uses srvIP/9000.
Preferably, the IP address and port admIP of the PFD are configured when a configuration message in the agreed format is received from the monitoring platform's srvIP.
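As an added example (not the patent's own code), the following models the out-of-band P0 management channel of steps S1 and S5 and of the admIP/srvIP clauses above: the PFD accepts a configuration command only when it arrives on P0 from srvIP:9000 to admIP:9000, applies it to its shielding table, and reports any exception straight back to the default SRP over the same interface. The JSON message layout, the sequence number used as a replay guard, the action names and all addresses are assumptions made for this example; the patent only states that a predefined IP/port pair and an agreed format are used.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ADM_IP, SRV_IP, MGMT_PORT = "10.0.0.2", "10.0.0.1", 9000   # constructed admIP / srvIP, agreed port 9000
Tuple4 = Tuple[str, int, str, int]                          # (IP-SRC, PORT-SRC, IP-DST, PORT-DST)


@dataclass
class PFD:
    adm_ip: str = ADM_IP
    srv_ip: str = SRV_IP
    shield_table: Set[Tuple4] = field(default_factory=set)   # tuples currently shielded on P1/P2
    last_seq: int = 0                                         # highest accepted sequence number
    reports: List[Dict[str, str]] = field(default_factory=list)

    def on_p0_message(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                      payload: bytes) -> str:
        """S1: handle one datagram that arrived on the P0 (management) interface."""
        # Only srvIP:9000 -> admIP:9000 is an acceptable configuration source; nothing
        # that arrives on P1 or P2, or from any other address, can change the rules.
        if (src_ip, src_port, dst_ip, dst_port) != (self.srv_ip, MGMT_PORT, self.adm_ip, MGMT_PORT):
            return self.report("config from unexpected endpoint", src_ip, src_port)
        try:
            msg = json.loads(payload)
            seq, action = int(msg["seq"]), str(msg["action"])
            t = msg["tuple"]
            if not (isinstance(t, list) and len(t) == 4):
                raise ValueError("tuple must have four fields")
            t4: Tuple4 = (str(t[0]), int(t[1]), str(t[2]), int(t[3]))
        except (ValueError, KeyError, TypeError):
            return self.report("malformed config message", src_ip, src_port)
        if seq <= self.last_seq:                      # assumed replay guard on the config channel
            return self.report("stale or replayed config", src_ip, src_port)
        if action == "shield":
            self.shield_table.add(t4)
        elif action == "unshield":
            self.shield_table.discard(t4)
        else:
            return self.report(f"unknown action {action!r}", src_ip, src_port)
        self.last_seq = seq
        return "applied"

    def report(self, reason: str, src_ip: str, src_port: int) -> str:
        """S5: on any exception, send a message straight out of P0 to the default SRP."""
        self.reports.append({"to": f"{self.srv_ip}:{MGMT_PORT}", "reason": reason,
                             "from": f"{src_ip}:{src_port}"})
        return "rejected"

    def forward_allowed(self, t4: Tuple4) -> bool:
        """Data plane: a 4-tuple present in the shield table is dropped on P1/P2."""
        return t4 not in self.shield_table


def config_msg(seq: int, action: str, t4: Tuple4) -> bytes:
    """Assumed wire format of the SRP's real-time configuration command."""
    return json.dumps({"seq": seq, "action": action, "tuple": list(t4)}).encode()


def demo():
    """Constructed exchange between the SRP (srvIP) and the PFD (admIP) over P0."""
    pfd = PFD()
    target: Tuple4 = ("10.1.0.5", 44444, "10.2.0.9", 9100)
    results = [
        pfd.on_p0_message(SRV_IP, MGMT_PORT, ADM_IP, MGMT_PORT, config_msg(1, "shield", target)),      # genuine
        pfd.on_p0_message("192.0.2.1", MGMT_PORT, ADM_IP, MGMT_PORT, config_msg(2, "unshield", target)),  # not srvIP
        pfd.on_p0_message(SRV_IP, MGMT_PORT, ADM_IP, MGMT_PORT, config_msg(1, "unshield", target)),    # replayed seq
        pfd.on_p0_message(SRV_IP, MGMT_PORT, ADM_IP, MGMT_PORT, b"{not json"),                         # malformed
    ]
    # -> (['applied', 'rejected', 'rejected', 'rejected'], 3, False)
    return results, len(pfd.reports), pfd.forward_allowed(target)
```

Two design points worth noting: the endpoint check is on the full (src, sport, dst, dport) tuple rather than the source IP alone, so a command that happens to reach the PFD through P1 or P2 with a forged source is still rejected; and every rejection produces an S5-style report to the SRP, which is the only place an operator would otherwise learn that someone is probing the management plane.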
Preferably, in step S2, the transmission flow of a network message is as follows:
when traffic from the client cluster enters the P1 interface of the PFD, passes from P1 to the P2 interface and leaves P2 towards the remote end, RX is analysed in real time on the P1 interface and reported in real time to the Security Rule Platform (SRP) connected through the P0 interface, which handles it;
when traffic from the remote end enters the P1 interface of the PFD, passes from P1 to the P2 interface and leaves P2 towards the server cluster, TX is analysed in real time on the P2 interface and reported in real time to the Security Rule Platform (SRP) connected through the P0 interface, which handles it.
Preferably, the protocol filter device PFD obtains CLT-MSG from P1 and submits the CLT-MSG to the security rules platform SRP from ethernet port P0, and the protocol filter device PFD obtains SRV-MSG from P2 and submits the SRV-MSG to the security rules platform SRP from ethernet port P0.
Compared with the prior art, the invention has the following beneficial effects:
1. The method is based on a protocol filter device PFD and, in its simplest form, is realized with three network ports, marked as the P1 interface, the P2 interface and the P0 interface (P1, P2 and P0 for short), with the traffic paths → P1 → P2 → and → P2 → P1 →. Hardware applying the invention is independent of any specific client, server, operating system, protocol, firewall or router; the security configuration is made over the independent P0 network port, so it is unaffected by network attacks, the configuration method is simple, and the user is not allowed to modify it, which greatly improves the security of the system. Because the Ethernet message processing device works at layer 2 of the ISO/OSI model and does not need to unpack TCP packets, Ethernet messages can be processed and analysed at line speed; the processing capacity depends only on the transmit/receive capacity of the network port, and reaches 1G-10G or even 40G bits per second;
2. The method of the invention avoids the huge cost of hardware upgrades, the huge workload of the various software/hardware configurations and the management cost of raising the security level, and effectively solves the problems of reliability, credibility and security in the network execution of key task work. The method is simple and effective: only for the key task, the time node at which it may execute and the source and destination ports of that execution are agreed;
The method for realizing a rule-based secure network service provides service according to self-defined rules: any request sent by a client, or sent to a server, that does not satisfy the rules is treated as an attack, shielded directly, and recorded in an alarm log for disposal. Most general network service actions are classified as general security-requirement actions, while key network service actions are classified as key security actions, and a single set of targeted rules is designed only for the key security actions, so that the security of the network for key tasks is effectively guaranteed.
Drawings
FIG. 1 is a system framework diagram of the present invention;
FIG. 2 is a flow chart of the rule processing of the client of the present invention;
FIG. 3 is a flow chart of the rule processing of the server according to the present invention;
FIG. 4 is a flow chart of upstream analysis and handling of the present invention;
FIG. 5 is a flow chart of downstream analysis and handling of the present invention.
Detailed Description
In order to make the objects, technical methods and advantages of the embodiments of the present invention more apparent, the technical methods in the embodiments of the present invention will be described in detail and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is to be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the internal logic of the processes, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It should be understood that in the present application, "comprising" and "having" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical method in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments; details of the same or similar concepts or processes may not be repeated in some embodiments.
Example 1:
A method for implementing a rule-based secure network service, comprising the steps of:
S1: before the protocol filtering device PFD is put into use, its P0 interface is connected directly to the management monitoring platform; the P0 interface uses a predefined management IP address and port, the monitoring platform issues real-time configuration commands to that port, and the PFD receives the monitoring platform's configuration message and configures itself accordingly;
S2: the network in which the client machine group is located is defined as network C and connected to Ethernet port P1 of the PFD; the network in which the server machine group is located is defined as network S and connected to Ethernet port P2 of the PFD;
S3: messages sent by any client are grouped at the P1 interface, on RX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the Security Rule Platform (SRP), namely a CLT-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST;
messages received by any server end are grouped at the P2 interface, on TX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the Security Rule Platform (SRP), namely an SRV-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST;
S4: when the SRP receives a CLT-MSG it checks its admission against the agreed rule, and when the CLT-MSG matches the rule the SRP issues an instruction in real time to shield the request sent by that client; when the SRP receives an SRV-MSG it checks its admission against the agreed rule, and when the rule matches the SRP issues an instruction in real time to shield the request to the server;
S5: when an exception occurs, the PFD sends a message directly out of the management/power-supply interface, i.e. the Ethernet P0 interface, to the default SRP, where the administrator handles it.
The method is based on a protocol filter device PFD and, in its simplest form, is realized with three network ports, marked as the P1 interface, the P2 interface and the P0 interface (P1, P2 and P0 for short), with the traffic paths → P1 → P2 → and → P2 → P1 →. Hardware applying the invention is independent of any specific client, server, operating system, protocol, firewall or router; the security configuration is made over the independent P0 network port, so it is unaffected by network attacks, the configuration method is simple, and the user is not allowed to modify it, which greatly improves the security of the system. Because the Ethernet message processing device works at layer 2 of the ISO/OSI model and does not need to unpack TCP packets, Ethernet messages can be processed and analysed at wire speed; the processing capacity depends only on the transmit/receive capacity of the network interface, and reaches 1G-10G or even 40G bits per second.
Example 2:
The hardware of the protocol filtering device PFD of this embodiment is any one of an FPGA, an ASIC, a CPLD, a DSP, a single-chip microcomputer, an ARM chip, a RISC-V chip, a custom chip, a PC system and a mobile phone system.
The P0 interface, the P1 interface and the P2 interface of this embodiment are Ethernet interfaces; the Ethernet interfaces of the P1 interface and the P2 interface are any one of a gigabit network port and a 100-megabit network port, and the Ethernet interface of the P0 interface is a 100-megabit network port.
When the client cluster is connected to the P1 interface, the PFD of this embodiment submits each request to the security rule platform SRP for rule verification, and the SRP performs real-time shielding;
when the PFD sends traffic from the P2 interface to the server, each request sent is submitted to the SRP for rule verification and is shielded in real time by the SRP.
The protocol filtering device PFD of this embodiment is connected to the egress router of the client cluster through its P1 interface and to the remote external network through its P2 interface;
a second protocol filtering device PFD is connected to the remote external network through its P1 interface and to the server group through its P2 interface; the P0 interfaces of the two PFDs are used for configuration, power supply, reporting to the SRP, and receiving the SRP's real-time shielding instructions that shield a specific IP and port, where the shield covers a source IP, a destination IP, a source port and a destination port.
In step S1 of this embodiment, the P0 interface uses the predefined management IP address and port admIP/9000, and the monitoring platform uses srvIP/9000.
The IP address and port admIP of the PFD of this embodiment are configured when a configuration message in the agreed format is received from the monitoring platform's srvIP.
In step S2 of this embodiment, the transmission flow of a network message is as follows:
when traffic from the client cluster enters the P1 interface of the PFD, passes from P1 to the P2 interface and leaves P2 towards the remote end, RX is analysed in real time on the P1 interface and reported in real time to the Security Rule Platform (SRP) connected through the P0 interface, which handles it;
when traffic from the remote end enters the P1 interface of the PFD, passes from P1 to the P2 interface and leaves P2 towards the server cluster, TX is analysed in real time on the P2 interface and reported in real time to the Security Rule Platform (SRP) connected through the P0 interface, which handles it.
The protocol filter device PFD of this embodiment obtains the CLT-MSG from P1 and submits it to the security rules platform SRP through Ethernet port P0, and obtains the SRV-MSG from P2 and submits it to the SRP through Ethernet port P0.
Referring to figs. 1-5, the protocol filter PFD is configured on the assumption that it has three interfaces, which we call the P1 interface, the P2 interface and the P0 interface. P0 is generally the interface for configuration, power supply, reporting and real-time shielding. We assume the path client → P1-RX → P2-TX → far end, where the RX side of P1 performs the upstream analysis and handling, and the path far end → P1-RX → P2-TX → server, where the TX side of P2 performs the downstream analysis and handling.
The protocol filtering device PFD may support an unlimited number of clients and servers; it may operate in client mode only, in server mode only, or in both working modes at the same time.
Application examples of the method of the invention:
application scenarios and environments are constructed according to fig. 1-5:
1. reporting of business data of enterprise units
In a large enterprise group such as the China Aluminum Industry head company, branch companies in various locations must report their summarised production data daily; the enterprise's data is ultimately concentrated in the private cloud of the headquarters, and specific clients in specific offices of the various subsidiaries must report the data to the headquarters daily as files.
A reporting rule for this key data can then be designed: for example, a time node for reporting and a server-side port are agreed, and at that specific time node the client uses the agreed port to access the agreed server port and upload the data file to the server; at any other time and in any other context, neither the client port nor the server port is available. For the data reporting of this critical service, the reporting process is therefore reliable, trusted and secure.
In summary, based on the PFD, the security of network transmission of critical data can be raised to a new level. The method is simple and effective, and requires neither changes to the current business process nor significant upgrades of the servers, software and so on.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (10)
1. A method for implementing a rule-based secure network service, comprising the steps of: S1: before the protocol filtering device PFD is put into use, its P0 interface is connected directly to the management monitoring platform; the P0 interface uses a predefined management IP address and port, the monitoring platform issues real-time configuration commands to that port, and the PFD receives the monitoring platform's configuration message and configures itself accordingly; S2: the network in which the client machine group is located is defined as network C and connected to Ethernet port P1 of the PFD; the network in which the server machine group is located is defined as network S and connected to Ethernet port P2 of the PFD; S3: messages sent by any client are grouped at the P1 interface, on RX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the Security Rule Platform (SRP), the CLT-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST; messages received by any server end are grouped at the P2 interface, on TX, by source IP, source PORT, destination IP and destination PORT into a uniform request format and reported to the security rule platform SRP, the SRV-MSG consisting of IP-SRC, PORT-SRC, IP-DST and PORT-DST; S4: when the SRP receives a CLT-MSG it checks its admission against the agreed rule, and when the CLT-MSG matches the rule the SRP issues an instruction in real time to shield the request sent by that client; when the SRP receives an SRV-MSG it checks its admission against the agreed rule, and when the rule matches the SRP issues an instruction in real time to shield the request to the server; S5: when an exception occurs, the PFD sends a message directly out of the management/power-supply interface, i.e. the Ethernet P0 interface, to the default SRP, where the administrator handles it.
2. The method of claim 1, wherein the hardware of the PFD is any one of FPGA, ASIC, CPLD, DSP, single chip, ARM chip, RISC-V chip, custom chip, PC system, and mobile phone system.
3. The method of claim 1, wherein the P0, P1 and P2 interfaces are Ethernet interfaces; the P1 and P2 interfaces are any one of ten-gigabit, gigabit and hundred-gigabit Ethernet, and the P0 interface is hundred-gigabit Ethernet.
4. The method for implementing a rule-based secure network service according to claim 1, wherein, when the client cluster is connected to the P1 interface, the protocol filtering device PFD submits the requests it receives to the security rule platform SRP for rule verification, and the security rule platform SRP shields them in real time; when traffic is sent from the P2 interface of the protocol filtering device PFD to the server, the requests sent are likewise submitted to the security rule platform SRP for rule verification and shielded by the security rule platform SRP in real time.
5. The method of claim 1, wherein said protocol filtering device PFD is connected to the egress routers of the client cluster by its P1 interface and to the remote extranet by its P2 interface; another protocol filtering device PFD is connected to the remote extranet by its P1 interface and to the server group by its P2 interface; the P0 interfaces of the two PFDs are used for configuration, power supply, reporting to the security rule platform SRP, receiving the real-time shielding indication of the security rule platform SRP, and shielding specific IPs and ports, where the shield consists of a source IP, a destination IP, a source port and a destination port.
6. The method for managing an implementation of a rule-based secure network service according to claim 1, wherein in step S1 the P0 interface uses a predefined management IP address and port admIP/9000, and the monitoring platform uses srvIP/9000.
7. The method for managing an implementation of a rule-based secure network service according to claim 1, wherein the IP address and port admIP of the protocol filtering device PFD are configured upon receiving a configuration message in the agreed format from the monitoring platform srvIP.
8. The method for managing an implementation of a rule-based secure network service according to claim 1, wherein in step S2 the network message is transmitted along the following flow: from the client cluster to the P1 interface of the PFD, from the P1 interface to the P2 interface, and from the P2 interface to the remote end, with RX analysed in real time on the P1 interface and reported to, and handled in real time by, the security rule platform SRP attached via the P0 interface; and from the remote end to the P1 interface of the PFD, from the P1 interface to the P2 interface, and from the P2 interface to the server cluster, with TX analysed in real time on the P2 interface and reported to, and handled in real time by, the security rule platform SRP attached via the P0 interface.
9. The method for managing an implementation of a rule-based secure network service according to claim 1, characterized in that said protocol filtering device PFD obtains the CLT-MSG from P1 and submits it through the Ethernet port P0 to the security rule platform SRP.
10. The method for managing an implementation of a rule-based secure network service according to claim 1, characterized in that said protocol filtering device PFD obtains the SRV-MSG from P2 and submits it through the Ethernet port P0 to the security rule platform SRP.
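The P1-to-P2 forwarding path, the P0 report to the SRP and the four-tuple shield of claims 4 to 10, as an added simulation that is not part of the patent. The IP addresses, the use of `None` as a wildcard in a shield, and the report message layout are constructed assumptions.

```python
# Added simulation of the PFD / SRP exchange (not the patent's own code).
# admIP/srvIP values, wildcard semantics and report layout are assumptions.
from dataclasses import dataclass
from typing import Optional

ADM_IP, SRV_IP, MGMT_PORT = "10.0.0.2", "10.0.0.1", 9000  # admIP/9000, srvIP/9000 (constructed)

@dataclass(frozen=True)
class Shield:
    """Real-time shielding indication: source IP, destination IP, source port,
    destination port (claim 5). None matches any value (assumption)."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, msg: dict) -> bool:
        return all(v is None or v == msg[k] for k, v in (
            ("src_ip", self.src_ip), ("dst_ip", self.dst_ip),
            ("src_port", self.src_port), ("dst_port", self.dst_port)))

class SRP:
    """Security rule platform reachable at srvIP/9000 (claim 6)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []          # every report received over P0

    def verify(self, report: dict) -> Optional[Shield]:
        self.log.append(report)
        return next((r for r in self.rules if r.matches(report["msg"])), None)

class PFD:
    """Protocol filtering device: traffic enters on P1 and leaves on P2; the
    client-side PFD analyses RX on P1, the server-side PFD TX on P2 (claim 8)."""
    def __init__(self, name: str, srp: SRP, analyse_on: str):
        self.name, self.srp, self.analyse_on = name, srp, analyse_on
        self.shields: set = set()   # indications already received from the SRP

    def forward(self, msg: dict) -> str:
        """Return 'forwarded' (P1 -> P2) or 'shielded'."""
        if any(s.matches(msg) for s in self.shields):
            return "shielded"       # already shielded locally, no new report
        report = {"from": f"{ADM_IP}:{MGMT_PORT}", "to": f"{SRV_IP}:{MGMT_PORT}",
                  "pfd": self.name, "iface": self.analyse_on, "msg": msg}
        indication = self.srp.verify(report)   # submitted via P0
        if indication is not None:
            self.shields.add(indication)       # apply the SRP's indication in real time
            return "shielded"
        return "forwarded"

def run_chain(msg: dict, pfds) -> str:
    """Pass a message through the client-side then server-side PFD."""
    for pfd in pfds:
        if pfd.forward(msg) == "shielded":
            return pfd.name
    return "delivered"
```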
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111242594.3A CN113783894A (en) | 2021-10-25 | 2021-10-25 | Method for realizing safety network service based on rule |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111242594.3A CN113783894A (en) | 2021-10-25 | 2021-10-25 | Method for realizing safety network service based on rule |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113783894A true CN113783894A (en) | 2021-12-10 |
Family
ID=78956755
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111242594.3A Withdrawn CN113783894A (en) | 2021-10-25 | 2021-10-25 | Method for realizing safety network service based on rule |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113783894A (en) |
- 2021-10-25 CN CN202111242594.3A patent/CN113783894A/en not_active Withdrawn
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20211210 |