CN113872956A - Method and system for inspecting IPSEC VPN transmission content - Google Patents
- Publication number
- CN113872956A (application CN202111118853.1A)
- Authority
- CN
- China
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention provides a method and a system for inspecting IPSEC VPN transmission content. The method comprises: acquiring a transmitted data packet and identifying whether it is an IPSEC VPN data packet; when it is, parsing the transmitted data packet and, if parsing succeeds, performing security detection on its content; if parsing fails, identifying the SA negotiation response message in the transmitted data packet to obtain an identification result, the identification result being either successful or unsuccessful; when the identification result is successful, performing security detection according to the SA negotiation response message; and if the security detection passes, releasing the transmitted data packet, otherwise intercepting it. The invention can better supervise the use of VPNs, prevent attacks using forged VPN messages, and improve supervision efficiency and network security.
Description
Technical Field
The invention relates to the technical field of IPSEC VPN inspection, in particular to a method and a system for inspecting IPSEC VPN transmission content.
Background
VPN is a mature technology widely used to interconnect a headquarters with its branch organizations: it virtualizes a 'private line' over the organization's existing Internet access and joins the branches and the headquarters into one large local area network. A VPN user accessing intranet resources must also be assigned a virtual private IP when dialling into UTM25, so that an SSL VPN client user can access resources on the LAN just as a LAN user can.
IPsec VPN refers to a VPN technology that uses the IPsec protocol to implement remote access. IPsec (Internet Protocol Security) is a security standard framework defined by the Internet Engineering Task Force (IETF). It provides a secure communication channel for two private networks across a public network: the security of the connection is ensured by an encrypted channel, and private packet service is provided between two public gateways. IPsec is a relatively complete and systematic set of VPN technology and defines a series of protocol standards.
The IPSEC protocol was introduced for two reasons. First, the original TCP/IP design included no security, so anyone who could tap a line could read all communication data; IPSEC introduces a complete set of security mechanisms, including encryption, authentication and protection against data tampering. Second, as the Internet developed rapidly and access became ever more convenient, many customers wanted to use Internet bandwidth to interconnect different networks.
However, a VPN is double-edged: on one hand it improves the security of data transmission, and on the other it offers lawbreakers a safer way to transfer information. Inspection of IPSEC VPN transfer content is therefore an essential part of combating criminal offences.
Disclosure of Invention
The invention aims to provide a method and a system for inspecting IPSEC VPN transmission content, which solve the technical problems of insufficient network supervision and low efficiency caused by the fact that existing methods cannot effectively inspect the transmission content of an IPSEC VPN.
In one aspect, a method of auditing IPSEC VPN transfer content is provided, comprising:
acquiring a transmitted data packet and identifying whether the transmitted data packet is an IPSEC VPN data packet;
when the transmitted data packet is an IPSEC VPN data packet, parsing the transmitted data packet and, if parsing succeeds, performing security detection on its content; if parsing fails, identifying the SA negotiation response message in the transmitted data packet to obtain an identification result, the identification result being successful or unsuccessful; and when the identification result is successful, performing security detection according to the SA negotiation response message;
and if the security detection passes, releasing the transmitted data packet, and if the security detection does not pass, not releasing the transmitted data packet.
Preferably, parsing the transmitted data packet specifically comprises:
parsing the transmitted data packet according to a preset IPSEC VPN data packet standard format;
if the data of the corresponding items can be parsed according to the preset IPSEC VPN data packet standard format, judging that the transmitted data packet is parsed successfully;
and if the data of the corresponding items cannot be parsed according to the preset IPSEC VPN data packet standard format, judging that parsing of the transmitted data packet is unsuccessful.
Preferably, performing security detection on the content of the transmitted data packet specifically comprises:
identifying the encapsulation information contained in the extension packet header of the transmitted data packet, and judging from the encapsulation information whether the transmitted data packet is AH encapsulated or ESP encapsulated;
if the transmitted data packet is AH encapsulated, decapsulating it and performing security detection;
and if the transmitted data packet is ESP (Encapsulating Security Payload) encapsulated, decapsulating it, decrypting its data with a preset key to obtain the key fields of the transmitted data packet, and performing security detection on those key fields.
Preferably, the identifying the SA negotiation response packet in the transmission data packet specifically includes:
identifying SA context information characteristics of the transmission data packet; and according to the SA context information characteristics, an SA negotiation response message is extracted:
if the SA negotiation response message cannot be extracted, judging that the data packet is illegal, preventing the data packet from passing through, and generating an identification result as unsuccessful;
if the SA negotiation response message is extracted, judging that the data packet is legal, and generating an identification result as success.
Preferably, the performing security detection according to the SA negotiation response packet specifically includes:
analyzing an SA negotiation request message and an SA negotiation response message included in the SA context information characteristics, and judging the encryption positions of the SA negotiation request message and the SA negotiation response message;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, judging that the security detection is not passed;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a standard format, judging that the security detection is passed;
the standard format at least comprises an SA negotiation request message arranged at the front end and an SA negotiation response message arranged at the back end.
In another aspect, a system for inspecting IPSEC VPN transferred content is further provided, so as to implement the method for inspecting IPSEC VPN transferred content, including:
an acquisition module, configured to acquire a transmitted data packet and identify whether the transmitted data packet is an IPSEC VPN data packet;
an analysis module, configured to parse the transmitted data packet when it is an IPSEC VPN data packet and, if parsing succeeds, perform security detection on its content; if parsing fails, identify the SA negotiation response message in the transmitted data packet to obtain an identification result, the identification result being successful or unsuccessful; and when the identification result is successful, perform security detection according to the SA negotiation response message;
and an examination module, configured to release the transmitted data packet if the security detection passes and not to release it if the security detection does not pass.
Preferably, the analysis module is further configured to parse the transmitted data packet according to a preset IPSEC VPN data packet standard format;
if the data of the corresponding items can be parsed according to the preset IPSEC VPN data packet standard format, judge that the transmitted data packet is parsed successfully;
if the data of the corresponding items cannot be parsed according to the preset IPSEC VPN data packet standard format, judge that parsing of the transmitted data packet is unsuccessful;
and to identify the SA context information characteristics of the transmitted data packet and extract an SA negotiation response message from them:
if the SA negotiation response message cannot be extracted, judge that the data packet is illegal, prevent it from passing, and generate an unsuccessful identification result;
if the SA negotiation response message is extracted, judge that the data packet is legal and generate a successful identification result.
Preferably, the examination module is further configured to identify the encapsulation information contained in the extension packet header of the transmitted data packet and determine from it whether the transmitted data packet is AH encapsulated or ESP encapsulated;
if the transmitted data packet is AH encapsulated, decapsulate it and perform security detection;
if the transmitted data packet is ESP (Encapsulating Security Payload) encapsulated, decapsulate it, decrypt its data with a preset key to obtain the key fields of the transmitted data packet, and perform security detection on those key fields;
and preferably, to analyze the SA negotiation request message and the SA negotiation response message included in the SA context information characteristics and determine the encryption positions of the SA negotiation request message and the SA negotiation response message;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, judge that the security detection is not passed;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a standard format, judge that the security detection is passed;
the standard format at least comprises an SA negotiation request message arranged at the front and an SA negotiation response message arranged at the back.
In summary, the embodiment of the invention has the following beneficial effects:
the method and system for inspecting IPSEC VPN transmission content acquire a data packet and identify whether it is an IPSEC VPN data packet; if so, the IPSEC VPN data packet is parsed; if parsing passes, the content of the IPSEC VPN data packet is extracted and subjected to security detection; if not, the SA context information characteristics of the IPSEC VPN data packet are analysed, an SA negotiation response message is extracted, and key fields are extracted from the SA negotiation response message for security detection; if the security detection passes, the IPSEC VPN data packet is released. In this way the use of VPNs can be better supervised, attacks using forged VPN messages can be prevented, and supervision efficiency and network security are improved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a main flow diagram of a method for inspecting IPSEC VPN transfer content according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a system for auditing IPSEC VPN transfer contents according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an embodiment of the method for auditing IPSEC VPN transfer content according to the present invention. In this embodiment, the method comprises the following steps:
acquiring a transmitted data packet and identifying whether the transmitted data packet is an IPSEC VPN data packet.
In a specific embodiment, during IPSEC VPN transmission one end of the tunnel is a terminal device (e.g. a terminal computer) that connects to the IPSEC VPN through its UDP port 500 or UDP port 4500; when a transmitted data packet needs to be acquired, the packets sent and received on the corresponding port (e.g. UDP 500 or UDP 4500) can be retrieved directly. The other end of the IPSEC VPN transmission is connected to the operator's access equipment, and when a transmitted data packet needs to be acquired it can also be obtained directly from that access equipment. A packet that the access equipment exchanges with the terminal device is the transmitted data packet; it is checked against a preset IPSEC VPN data packet standard, and if it conforms it is judged to be an IPSEC VPN data packet, otherwise it is judged not to be one.
When the transmitted data packet is an IPSEC VPN data packet, it is parsed; if parsing succeeds, security detection is performed on its content; if parsing fails, the SA negotiation response message in the transmitted data packet is identified to obtain an identification result (successful or unsuccessful); when the identification result is successful, security detection is performed according to the SA negotiation response message. Parsing is performed according to the standard IPSEC VPN data packet format. If parsing fails, the SA context information characteristics of the IPSEC VPN data packet are analysed and an SA negotiation response message is extracted. If no SA negotiation response message can be extracted from the SA context information characteristics, the IPSEC VPN data packet is judged illegal and is prevented from passing: the absence of a response message shows that the receiving VPN did not reply after receiving the SA negotiation request message, i.e. no uniquely approved transmission scheme was sent using the IKE protocol, so the packet is not part of an IKE-approved transmission scheme and may be a forged VPN packet attack or some other illegal packet. Such forged or illegal IPSEC VPN packets must be blocked, that is, their transmission is restricted, for example by adding them to a blacklist or restricted list.
In a specific embodiment, the parsing process specifically comprises parsing the transmitted data packet according to a preset IPSEC VPN data packet standard format; if the data of the corresponding items can be parsed according to that format, the transmitted data packet is judged to be parsed successfully. After parsing succeeds, the encapsulation information contained in the extension packet header of the transmitted data packet is identified, and it is determined whether the packet is AH encapsulated or ESP encapsulated: if it is AH encapsulated, it is decapsulated and security detection is performed; if it is ESP (Encapsulating Security Payload) encapsulated, it is decapsulated, its data is decrypted with a preset key to obtain the key fields of the packet, and security detection is performed on those key fields. That is, whether the IPSEC VPN packet is AH or ESP encapsulated is identified from the extension header of the packet. If the IPSEC VPN data packet is AH encapsulated, security detection is performed after it is decapsulated; if it is ESP encapsulated, after decapsulation the data in the packet is decrypted with the key negotiated with the client during tunnel establishment, and security detection is performed on the decrypted content data; the security check includes reviewing key words in the data.
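The acquisition step above (packets on UDP 500/4500) and the AH-versus-ESP identification from the packet header can be shown together in code. The following is an added example written for this page, not code from the patent or any product it describes: it takes raw IPv4 packets, classifies them as AH, ESP, IKE, NAT-traversal IKE or UDP-encapsulated ESP, and pulls out the SPI and sequence number that a later decapsulation step would need. The NAT-T handling assumes the RFC 3948 convention (a four-byte zero "non-ESP marker" in front of IKE on port 4500, ESP otherwise); the sample packets at the bottom are constructed, not captured traffic, and the IPv4 header checksum is neither computed nor verified.

```python
"""Classify raw IPv4 packets as IPsec traffic and extract the AH/ESP header fields."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50          # Encapsulating Security Payload (RFC 4303)
IPPROTO_AH = 51           # Authentication Header (RFC 4302)
IKE_PORTS = {500, 4500}   # IKE, and IKE/ESP behind NAT (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class IpsecInfo:
    kind: str                 # "ESP", "AH", "IKE", "UDP-ESP", "NAT-keepalive" or "other"
    src: str
    dst: str
    spi: Optional[int] = None
    seq: Optional[int] = None
    payload: bytes = b""      # bytes that follow the recognised header


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _parse_esp(body: bytes, src: str, dst: str, kind: str) -> IpsecInfo:
    # ESP header: SPI (4 bytes) + sequence number (4 bytes); the rest is ciphertext + ICV
    if len(body) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", body[:8])
    return IpsecInfo(kind, src, dst, spi, seq, body[8:])


def _parse_ah(body: bytes, src: str, dst: str) -> IpsecInfo:
    # AH header: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV
    if len(body) < 12:
        raise ValueError("truncated AH header")
    ah_len = (body[1] + 2) * 4
    if len(body) < ah_len:
        raise ValueError("AH length exceeds packet")
    spi, seq = struct.unpack("!II", body[4:12])
    return IpsecInfo("AH", src, dst, spi, seq, body[ah_len:])


def classify_ipv4(pkt: bytes) -> IpsecInfo:
    """Decide whether an IPv4 packet is IPsec (AH/ESP/IKE) and extract its outer IPsec fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src, dst = _ip(pkt[12:16]), _ip(pkt[16:20])
    body = pkt[ihl:total_len]
    if proto == IPPROTO_ESP:
        return _parse_esp(body, src, dst, "ESP")
    if proto == IPPROTO_AH:
        return _parse_ah(body, src, dst)
    if proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", body[:6])
        data = body[8:ulen]
        if sport in IKE_PORTS or dport in IKE_PORTS:
            if 4500 not in (sport, dport):
                return IpsecInfo("IKE", src, dst, payload=data)
            # UDP 4500 carries both IKE (behind a 4-byte zero marker) and UDP-encapsulated
            # ESP (SPI first, never zero); a lone 0xFF byte is a NAT keepalive
            if data == b"\xff":
                return IpsecInfo("NAT-keepalive", src, dst)
            if data[:4] == NON_ESP_MARKER:
                return IpsecInfo("IKE", src, dst, payload=data[4:])
            return _parse_esp(data, src, dst, "UDP-ESP")
    return IpsecInfo("other", src, dst)


# --- constructed sample packets (not captured traffic) ---
def build_ipv4(proto: int, payload: bytes, src: str = "10.0.0.2", dst: str = "203.0.113.1") -> bytes:
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload  # header checksum left zero; classify_ipv4 does not verify it


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_ESP = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16)
SAMPLE_AH = build_ipv4(IPPROTO_AH, bytes([IPPROTO_UDP, 4, 0, 0]) + struct.pack("!II", 0xDEADBEEF, 3)
                       + b"\x00" * 12 + b"inner")
SAMPLE_IKE = build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x11" * 28))
SAMPLE_NATT_IKE = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28))
SAMPLE_UDP_ESP = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0x55, 1) + b"x" * 8))
SAMPLE_TCP = build_ipv4(6, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("ESP", SAMPLE_ESP), ("AH", SAMPLE_AH), ("IKE", SAMPLE_IKE),
                      ("NAT-T IKE", SAMPLE_NATT_IKE), ("UDP-ESP", SAMPLE_UDP_ESP), ("TCP", SAMPLE_TCP)]:
        print(name, classify_ipv4(pkt))
```

The classifier deliberately stops at the outer IPsec header: for ESP everything after the sequence number is ciphertext, so the content inspection the patent describes is only possible once the packet has been decapsulated and decrypted with the SA's key, which this example does not have.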
Further, if the data of the corresponding items cannot be parsed according to the preset IPSEC VPN data packet standard format, the transmitted data packet is judged to be parsed unsuccessfully. Specifically, when parsing fails the packet must be identified instead: the SA context information characteristics of the transmitted data packet are identified and an SA negotiation response message is extracted from them; if the SA negotiation response message cannot be extracted, the data packet is judged illegal, is prevented from passing, and an unsuccessful identification result is generated; if the SA negotiation response message is extracted, the data packet is judged legal and a successful identification result is generated.
Specifically, the SA negotiation request message and the SA negotiation response message included in the SA context information characteristics are analysed and their encryption positions determined; if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, the security detection is judged not passed; if they are in a standard format, the security detection is judged passed; the standard format at least comprises an SA negotiation request message arranged at the front and an SA negotiation response message arranged at the back. That is, before the key fields are extracted from the SA negotiation response message for security detection, the following step is performed: the encryption format produced by the encryption algorithm used for the IPSEC VPN data packet is analysed from the SA negotiation response message, and if the encryption format corresponds to a non-standard algorithm, the IPSEC VPN data packet is prevented from passing. When the IPSEC VPN data packet is in the standard format, the SA negotiation response message is extracted directly, without deriving it from the SA context information characteristics.
The SA negotiation request message and the SA negotiation response message are defined as follows. An IPSec VPN uses the IKE protocol to complete key negotiation: the initiator VPN first sends the responder VPN a request to start ISAKMP SA negotiation, i.e. it uses IKE to send a transmission scheme containing several combinations of different encryption algorithms and hash algorithms; this network message is called the SA negotiation request message. After receiving it, the responder VPN replies to the initiator, i.e. it uses IKE to send back the single approved transmission scheme; this message is called the SA negotiation response message.
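The two preceding paragraphs describe the request/response pairing rule: a flow passes only when an SA negotiation request is seen first and a matching response from the responder follows it, and a packet for which no response can be found is treated as forged or illegal. The following is an added example written for this page, not the patent's own implementation: it parses the fixed IKE header (the RFC 7296 IKEv2 layout is assumed; the patent's text uses the older ISAKMP terminology, and the "encryption position" check is not modelled), and pairs IKE_SA_INIT requests with responses by initiator SPI in capture order, so that an orphan response, an unanswered request and a truncated header each produce a distinct verdict. The messages at the bottom are constructed, not captured traffic.

```python
"""Pair IKEv2 IKE_SA_INIT requests with their responses, in capture order."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# IKE header (RFC 7296 section 3.1): initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08   # I bit
FLAG_RESPONSE = 0x20    # R bit
ZERO_SPI = bytes(8)


@dataclass
class IkeHeader:
    ispi: bytes
    rspi: bytes
    exchange: int
    is_initiator: bool
    is_response: bool
    msg_id: int


def parse_ike_header(msg: bytes) -> IkeHeader:
    if len(msg) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(msg):
        raise ValueError("length field does not match message size")
    return IkeHeader(ispi, rspi, exch, bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), msg_id)


def audit_sa_negotiation(messages: List[bytes]) -> Dict[str, str]:
    """Return a verdict per initiator SPI (hex). 'pass' only when an IKE_SA_INIT request
    was seen first and a response carrying a non-zero responder SPI followed it."""
    verdict: Dict[str, str] = {}
    for i, raw in enumerate(messages):
        try:
            h = parse_ike_header(raw)
        except ValueError as err:
            verdict[f"msg#{i}"] = f"fail: {err}"   # cannot be parsed, so no response can be matched
            continue
        if h.exchange != IKE_SA_INIT:
            continue
        key = h.ispi.hex()
        seen = verdict.get(key)
        if not h.is_response:
            if h.rspi != ZERO_SPI:
                verdict[key] = "fail: request carries responder SPI"
            elif seen is None:
                verdict[key] = "pending"           # request seen, awaiting response
        else:
            if seen is None:
                verdict[key] = "fail: response before request"
            elif seen == "pending":
                verdict[key] = "pass" if h.rspi != ZERO_SPI else "fail: response without responder SPI"
    # anything still pending at the end of the capture never received a reply
    return {k: ("fail: no response" if v == "pending" else v) for k, v in verdict.items()}


# --- constructed sample exchange (not captured traffic) ---
def build_ike(ispi: bytes, rspi: bytes, flags: int, exch: int = IKE_SA_INIT,
              msg_id: int = 0, body: bytes = b"") -> bytes:
    # next payload 33 = SA payload; version byte 0x20 = IKEv2
    return IKE_HDR.pack(ispi, rspi, 33, 0x20, exch, flags, msg_id, IKE_HDR.size + len(body)) + body


SPI_A, SPI_B, SPI_C = b"\x01" * 8, b"\x03" * 8, b"\x05" * 8
SAMPLE_MESSAGES = [
    build_ike(SPI_A, ZERO_SPI, FLAG_INITIATOR, body=b"\xaa" * 16),    # proper request
    build_ike(SPI_A, b"\x02" * 8, FLAG_RESPONSE, body=b"\xbb" * 16),   # matching response
    build_ike(SPI_B, b"\x04" * 8, FLAG_RESPONSE),                       # response with no request seen
    build_ike(SPI_C, ZERO_SPI, FLAG_INITIATOR),                         # request never answered
    build_ike(SPI_A, ZERO_SPI, FLAG_INITIATOR)[:20],                    # truncated header
]

if __name__ == "__main__":
    for spi, result in audit_sa_negotiation(SAMPLE_MESSAGES).items():
        print(spi, result)
```

Keying the state on the initiator SPI is what makes the "request at the front, response at the back" rule checkable on a passive tap: a response whose initiator SPI was never seen in a request, or a request whose SPI is still pending when the capture ends, are exactly the two cases the patent treats as not passing.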
And if the security detection passes, releasing the transmitted data packet, and if the security detection does not pass, not releasing the transmitted data packet.
Fig. 2 is a schematic diagram of an embodiment of the system for auditing IPSEC VPN transfer content according to the present invention. In this embodiment, the system for auditing IPSEC VPN transfer content comprises:
the acquisition module is used for acquiring the transmitted data packet and identifying whether the transmitted data packet is an IPSEC VPN data packet.
The analysis module is configured to parse the transmitted data packet when it is an IPSEC VPN data packet and, if parsing succeeds, perform security detection on its content; if parsing fails, identify the SA negotiation response message in the transmitted data packet to obtain an identification result, the identification result being successful or unsuccessful; and when the identification result is successful, perform security detection according to the SA negotiation response message.
Specifically, the analysis module is further configured to parse the transmitted data packet according to a preset IPSEC VPN data packet standard format; if the data of the corresponding items can be parsed according to that format, judge that the transmitted data packet is parsed successfully; if the data of the corresponding items cannot be parsed according to that format, judge that parsing of the transmitted data packet is unsuccessful;
and to identify the SA context information characteristics of the transmitted data packet and extract an SA negotiation response message from them: if the SA negotiation response message cannot be extracted, judge that the data packet is illegal, prevent it from passing, and generate an unsuccessful identification result; if the SA negotiation response message is extracted, judge that the data packet is legal and generate a successful identification result.
And the examination module is used for releasing the transmitted data packet if the security detection passes, and not releasing the transmitted data packet if the security detection does not pass.
Specifically, the examination module is further configured to identify the encapsulation information contained in the extension packet header of the transmitted data packet and determine whether the transmitted data packet is AH encapsulated or ESP encapsulated; if the transmitted data packet is AH encapsulated, decapsulate it and perform security detection; if the transmitted data packet is ESP (Encapsulating Security Payload) encapsulated, decapsulate it, decrypt its data with a preset key to obtain the key fields of the transmitted data packet, and perform security detection on those key fields;
and to analyse the SA negotiation request message and the SA negotiation response message included in the SA context information characteristics and judge their encryption positions; if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, judge that the security detection is not passed; if they are in a standard format, judge that the security detection is passed; the standard format at least comprises an SA negotiation request message arranged at the front and an SA negotiation response message arranged at the back.
For a specific implementation process of the system for inspecting IPSEC VPN transmission content, reference may be made to the specific implementation process of the method for inspecting IPSEC VPN transmission content, which is not described herein again.
The above disclosure describes only preferred embodiments of the present invention and is not intended to limit the scope of the invention, which is defined by the appended claims.
Claims (10)
1. A method of auditing IPSEC VPN transfer content, comprising:
acquiring a transmitted data packet and identifying whether the transmitted data packet is an IPSEC VPN data packet;
when the transmitted data packet is an IPSEC VPN data packet, parsing the transmitted data packet and, if parsing succeeds, performing security detection on its content; if parsing fails, identifying the SA negotiation response message in the transmitted data packet to obtain an identification result, the identification result being successful or unsuccessful; and when the identification result is successful, performing security detection according to the SA negotiation response message;
and if the security detection passes, releasing the transmitted data packet, and if the security detection does not pass, intercepting the transmitted data packet.
2. The method of claim 1, wherein parsing the transmission packet specifically comprises:
analyzing the transmission data packet according to a preset IPSEC VPN data packet standard format;
if the data of the corresponding item can be analyzed according to a preset IPSEC VPN data packet standard format, judging that the transmission data packet is successfully analyzed;
and if the data of the corresponding item cannot be analyzed according to the preset IPSEC VPN data packet standard format, judging that the analysis of the transmission data packet is unsuccessful.
3. The method of claim 2, wherein the performing security detection on the content of the transmission data packet specifically comprises:
identifying encapsulation information contained in an extension packet header in the transmitted data packet, and judging whether the transmitted data packet is AH encapsulated or ESP encapsulated according to the encapsulation information;
if the transmitted data packet is packaged by AH, decapsulating the transmitted data packet and performing security detection;
and if the transmitted data packet is ESP encapsulated, decapsulating the transmitted data packet, decrypting data in the transmitted data packet by using a preset secret key to obtain a key field of the transmitted data packet, and performing security detection on the key field.
4. The method according to claim 3, wherein the identifying the SA negotiation response packet in the transmission data packet specifically comprises:
identifying SA context information characteristics of the transmission data packet; and according to the SA context information characteristics, an SA negotiation response message is extracted:
if the SA negotiation response message cannot be extracted, judging that the data packet is illegal, preventing the data packet from passing through, and generating an identification result as unsuccessful;
if the SA negotiation response message is extracted, judging that the data packet is legal, and generating an identification result as success.
5. The method according to claim 4, wherein the performing security detection according to the SA negotiation response packet specifically includes:
analyzing an SA negotiation request message and an SA negotiation response message included in the SA context information characteristics, and judging the encryption positions of the SA negotiation request message and the SA negotiation response message;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, judging that the security detection is not passed;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a standard format, judging that the security detection is passed;
the standard format at least comprises an SA negotiation request message arranged at the front end and an SA negotiation response message arranged at the back end.
6. A system for auditing IPSEC VPN transfer content to implement the method of any of claims 1-5, comprising:
an acquisition module, configured to acquire a transmitted data packet and identify whether the transmitted data packet is an IPSEC VPN data packet;
the analysis module is used for analyzing the transmission data packet when the transmission data packet is an IPSEC VPN data packet, and if the analysis is successful, the security detection is carried out on the content of the transmission data packet; if the analysis is unsuccessful, identifying the SA negotiation response message in the transmission data packet to obtain an identification result; wherein the identification result comprises successful or unsuccessful identification; when the identification result is successful, performing security detection according to the SA negotiation response message;
and the examination module is used for releasing the transmitted data packet if the security detection passes, and not releasing the transmitted data packet if the security detection does not pass.
7. The system of claim 6, wherein the parsing module is further configured to parse the transmission data packet according to a preset IPSEC VPN data packet standard format;
if the data of the corresponding item can be analyzed according to a preset IPSEC VPN data packet standard format, judging that the transmission data packet is successfully analyzed;
if the data of the corresponding item cannot be analyzed according to a preset IPSEC VPN data packet standard format, determining that the transmission data packet is unsuccessfully analyzed.
8. The system of claim 7, wherein the parsing module is further configured to identify SA context information characteristics of the transmission packet; and according to the SA context information characteristics, an SA negotiation response message is extracted:
if the SA negotiation response message cannot be extracted, judging that the data packet is illegal, preventing the data packet from passing through, and generating an identification result as unsuccessful;
if the SA negotiation response message is extracted, judging that the data packet is legal, and generating an identification result as success.
9. The system of claim 8, wherein the examination module is further configured to identify encapsulation information included in an extension header of the transmitted packet, and determine whether the transmitted packet is AH encapsulated or ESP encapsulated according to the encapsulation information;
if the transmitted data packet is AH encapsulated, decapsulating the transmitted data packet and performing security detection;
and if the transmitted data packet is ESP encapsulated, decapsulating the transmitted data packet, decrypting data in the transmitted data packet by using a preset secret key to obtain a key field of the transmitted data packet, and performing security detection on the key field.
10. The system according to claim 9, wherein the examination module is further configured to parse an SA negotiation request packet and an SA negotiation response packet included in the SA context information feature, and determine encryption positions of the SA negotiation request packet and the SA negotiation response packet;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a non-standard format, judging that the security detection is not passed;
if the encryption positions of the SA negotiation request message and the SA negotiation response message are in a standard format, judging that the security detection is passed;
the standard format at least comprises an SA negotiation request message arranged at the front end and an SA negotiation response message arranged at the back end.
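The following is an added example, not code from the patent or its applicant, that models the inspection flow of claims 1-5 (and the equivalent modules of claims 6-10) as a defender-side packet filter in Python. It assumes IPv4, where AH and ESP are identified by the protocol number (51 and 50) rather than an IPv6 extension-header chain, and IKE on UDP port 500/4500 as the SA negotiation protocol. The "preset secret key", the "security detection" policy (a constructed byte-pattern blocklist), and the "SA context" (a per-SPI record of request/response messages) are all assumptions; the ESP cipher is an HMAC-SHA256 counter-mode stand-in rather than the SA's real algorithm, so the ESP packets it handles are ones it constructs itself. The claims say only that a packet from which no SA negotiation response can be extracted is illegal; this model additionally records and admits IKE requests so that the request-before-response ordering check of claim 5 has something to compare against.

```python
import hashlib
import hmac
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51   # IANA protocol numbers
IKE_PORTS = {500, 4500}                              # IKE, and IKE over NAT-T
IKE_FLAG_RESPONSE = 0x20                             # IKEv2 header flag "R"

PRESET_KEY = b"constructed-preset-key"   # assumption: the claims' preset key, provisioned out of band
BLOCKLIST = (b"EXFIL-MARKER",)           # assumption: placeholder for the deployment's content policy
SA_CONTEXT = {}                          # assumption: "SA context" = IKE SPI_i -> message kinds seen

def parse_ipv4(pkt):
    """Return (protocol, payload) or None when pkt is not an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]

def is_ipsec(proto, payload):
    """Claim 1: AH/ESP by protocol number, SA negotiation (IKE) by UDP destination port."""
    if proto in (IPPROTO_AH, IPPROTO_ESP):
        return True
    return proto == IPPROTO_UDP and len(payload) >= 8 and struct.unpack(">H", payload[2:4])[0] in IKE_PORTS

def keystream(key, spi, seq, n):
    """Stand-in for the SA's negotiated cipher (HMAC-SHA256 counter mode); not real ESP crypto."""
    blocks = [hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_seal(spi, seq, next_header, inner, key=PRESET_KEY):
    """Constructed ESP packet: SPI | seq | cipher(inner | pad 1..n | pad_len | next_header)."""
    pad_len = (-(len(inner) + 2)) % 4
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack(">II", spi, seq) + bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))

def decapsulate_ah(payload):
    """AH (RFC 4302): next header, payload length in 32-bit words minus 2, reserved, SPI, seq, ICV."""
    if len(payload) < 12:
        return None
    ah_len = (payload[1] + 2) * 4
    return (payload[0], payload[ah_len:]) if len(payload) >= ah_len else None

def decapsulate_esp(payload, key=PRESET_KEY):
    """ESP (RFC 4303 layout): decrypt with the preset key and validate the trailer."""
    if len(payload) < 10:
        return None
    spi, seq = struct.unpack(">II", payload[:8])
    body = bytes(a ^ b for a, b in zip(payload[8:], keystream(key, spi, seq, len(payload) - 8)))
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body) or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None                      # trailer does not verify: parse unsuccessful
    return next_header, body[:-2 - pad_len]

def security_detection(key_field):
    """Claim 3: inspect the decapsulated key field; the policy itself is a placeholder."""
    return not any(marker in key_field for marker in BLOCKLIST)

def check_sa_negotiation(udp_payload):
    """Claims 4-5: extract the SA negotiation response and require request-first ordering."""
    ike = udp_payload[8:]                # skip the UDP header
    if len(ike) < 28:                    # ISAKMP/IKEv2 header is 28 bytes
        return "intercept"               # no response message could be extracted
    spi_i, flags = ike[:8], ike[19]
    history = SA_CONTEXT.setdefault(spi_i, [])
    if not flags & IKE_FLAG_RESPONSE:    # assumption: requests are recorded into the context and admitted
        history.append("request")
        return "release"
    history.append("response")
    standard = history[0] == "request" and history[-1] == "response"
    return "release" if standard else "intercept"

def inspect(pkt):
    """Claim 1 end to end: returns 'release', 'intercept' or 'not-ipsec'."""
    parsed = parse_ipv4(pkt)
    if parsed is None or not is_ipsec(*parsed):
        return "not-ipsec"
    proto, payload = parsed
    inner = (decapsulate_ah(payload) if proto == IPPROTO_AH else
             decapsulate_esp(payload) if proto == IPPROTO_ESP else None)
    if inner is not None:                # parse succeeded: security detection on the content
        return "release" if security_detection(inner[1]) else "intercept"
    if proto == IPPROTO_UDP:             # parse failed: fall back to the SA negotiation check
        return check_sa_negotiation(payload)
    return "intercept"

def make_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed minimal IPv4 header (checksum left zero) for offline testing."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def make_ike(spi_i, flags, msg_id, sport=500, dport=500):
    """Constructed UDP datagram carrying a bare IKEv2 header (IKE_SA_INIT) with the given flags."""
    hdr = spi_i + bytes(8) + bytes([33, 0x20, 34, flags]) + struct.pack(">II", msg_id, 28)
    return struct.pack(">HHHH", sport, dport, 8 + len(hdr), 0) + hdr

if __name__ == "__main__":
    esp = make_ipv4(IPPROTO_ESP, esp_seal(0x200, 7, IPPROTO_UDP, b"GET / HTTP/1.0"))
    print(inspect(esp))                                                       # release
    print(inspect(make_ipv4(IPPROTO_UDP, make_ike(b"\x01" * 8, 0x20, 0))))   # intercept: response with no prior request
```

The ordering check is where the forged-message defence of the description lives: a response whose initiator SPI has no recorded request is intercepted, and an ESP packet whose trailer does not verify under the preset key falls through to the same negotiation check, where it fails because it carries no IKE header. A production filter would replace the stand-in cipher with the SA's negotiated algorithm and ICV check, and the blocklist with its own content rules.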
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111118853.1A CN113872956A (en) | 2021-09-24 | 2021-09-24 | Method and system for inspecting IPSEC VPN transmission content |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111118853.1A CN113872956A (en) | 2021-09-24 | 2021-09-24 | Method and system for inspecting IPSEC VPN transmission content |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113872956A (en) | 2021-12-31 |
Family
ID=78993723
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111118853.1A Pending CN113872956A (en) | 2021-09-24 | 2021-09-24 | Method and system for inspecting IPSEC VPN transmission content |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113872956A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114285571A (en) * | 2022-03-03 | 2022-04-05 | 成都量安区块链科技有限公司 | Method, gateway device and system for using quantum key in IPSec protocol |
CN114826640A (en) * | 2021-12-15 | 2022-07-29 | 广西电网有限责任公司电力科学研究院 | Method and system for inspecting IPSec VPN transmission content |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101286896A (en) * | 2008-06-05 | 2008-10-15 | 上海交通大学 | IPSec VPN protocol drastic detecting method based on flows |
CN103188351A (en) * | 2011-12-27 | 2013-07-03 | 中国电信股份有限公司 | IPSec VPN communication service processing method and system under IPv6 environment |
WO2017173806A1 (en) * | 2016-04-07 | 2017-10-12 | 烽火通信科技股份有限公司 | Method and system using cooperation of switch chip or np and cpu to perform ipsec encryption on packet |
Similar Documents
Publication | Title |
---|---|
CN108429730B (en) | Non-feedback safety authentication and access control method |
US8095789B2 (en) | Unauthorized communication detection method |
CN101296227B (en) | IPSec VPN protocol depth detection method based on packet offset matching |
US20130312054A1 (en) | Transport Layer Security Traffic Control Using Service Name Identification |
CN111245862A (en) | System for safely receiving and sending terminal data of Internet of things |
CN111935212B (en) | Security router and Internet of things security networking method based on security router |
CN111988289B (en) | EPA industrial control network security test system and method |
CN113872956A (en) | Method and system for inspecting IPSEC VPN transmission content |
US8671451B1 (en) | Method and apparatus for preventing misuse of a group key in a wireless network |
CN111797431B (en) | Encrypted data anomaly detection method and system based on symmetric key system |
CN107124385B (en) | Mirror flow-based SSL/TLS protocol plaintext data acquisition method |
CN107453861B (en) | A kind of collecting method based on SSH2 protocol |
US8010787B2 (en) | Communication device, communication log transmitting method suitable for communication device, and communication system |
CN106789524A (en) | The high speed parsing of VPN encrypted tunnels and restoring method |
CN113315678A (en) | Encrypted TCP (Transmission control protocol) traffic acquisition method and device |
CN106685896B (en) | Clear data acquisition method and system in a kind of SSH protocol multilevel access |
CN210839642U (en) | Device for safely receiving and sending terminal data of Internet of things |
CN114553414A (en) | Intranet penetration method and system based on HTTPS service |
CN111885083A (en) | Malicious encrypted flow detection method and device |
Koshy et al. | Privacy Leaks Via SNI and Certificate Parsing |
Wangl et al. | A Framework for TLS Implementation |
CN117319088B (en) | Method, device, equipment and medium for blocking illegal external connection equipment |
CN116389169B (en) | Method for avoiding disorder and fragmentation of data packets of national security IPSecVPN gateway |
CN108494731A (en) | A kind of anti-network scanning method based on bidirectional identity authentication |
CN112532702B (en) | Cloud service platform, secure communication method of user and cloud isolation security system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211231 |