CN114024752A - Network security defense method, equipment and system based on whole network linkage - Google Patents

Info

Publication number
CN114024752A
Authority
CN
China
Prior art keywords
firewall
message
network
linkage
blacklist
Legal status (as assumed by Google Patents; not a legal conclusion)
Pending
Application number
CN202111316105.4A
Other languages
Chinese (zh)
Inventor
顾荣松
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111316105.4A
Publication of CN114024752A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention relates to a network security defense method, device and system based on whole-network linkage. A server receives attack source information sent by any firewall, queries a data table to obtain the location information of the target firewalls, and sends the attack source information to those firewalls according to their location information. Each target firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, decides whether to block or release the message according to that blacklist. The network is thereby protected as a whole without increasing installation cost or the working pressure on the equipment, and resisting network attacks becomes more convenient.

Description

Network security defense method, equipment and system based on whole network linkage
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network security defense method, device, and system based on full network linkage.
Background
With the spread and growth of the internet, networks face a wide range of security problems.
In the related art, detection and defense rely mainly on functional modules such as virus filtering and intrusion detection deployed in a firewall or anti-virus gateway. All-round protection of a network, however, requires several security modules to be installed at the same time: installing them is costly, and enabling them all greatly increases the working pressure on the firewall or anti-virus gateway.
Disclosure of Invention
In order to solve, or at least partly solve, these technical problems, the disclosure provides a network security defense method, device and system based on whole-network linkage.
In a first aspect, an embodiment of the present disclosure provides a network security defense method based on whole-network linkage, applied to a server, which includes:
receiving attack source information sent by any firewall;
querying a data table to obtain the location information of the target firewall; and
sending the attack source information to the target firewall according to its location information, so that the target firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, decides whether to block or release the message according to that blacklist.
In a second aspect, an embodiment of the present disclosure further provides a network security defense method based on whole-network linkage, applied to a firewall, which includes:
establishing a preset protocol connection with a server and receiving attack source information sent by the server;
generating a whole-network linkage blacklist from the attack source information; and
when receiving a message, deciding whether to block or release it according to the whole-network linkage blacklist.
In a third aspect, an embodiment of the present disclosure further provides a server, which includes:
a receiving module for receiving attack source information sent by any firewall;
a query module for querying the data table and obtaining the location information of the target firewall; and
a sending module for sending the attack source information to the target firewall according to its location information, so that the target firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, decides whether to block or release the message according to that blacklist.
In a fourth aspect, an embodiment of the present disclosure further provides a firewall, which includes:
a connection module for establishing a preset protocol connection with the server and receiving attack source information sent by the server;
a generation module for generating a whole-network linkage blacklist from the attack source information; and
a processing module for deciding, when a message is received, whether to block or release it according to the whole-network linkage blacklist.
In a fifth aspect, an embodiment of the present disclosure further provides a network security defense system based on whole-network linkage, comprising the server and the firewall of the foregoing embodiments.
Compared with the prior art, the technical scheme of the embodiments has the following advantages:
the server receives attack source information sent by any firewall, obtains the firewalls' locations by querying the data table, and sends the attack source information to those firewalls according to their location information so that they generate a whole-network linkage blacklist; when a firewall receives a message, it decides whether to release or block it according to that blacklist. The network is thus protected as a whole without increasing installation cost or the working pressure on the equipment, and resisting network attacks becomes more convenient.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
To illustrate the embodiments and the prior art more clearly, the drawings used in their description are briefly introduced below; those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a network security defense system based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 4 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 5 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 6 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 7 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 8 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 9 is a flowchart of another network security defense method based on whole-network linkage according to an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present disclosure;
Fig. 11 is a schematic structural diagram of a firewall according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth to provide a thorough understanding of the present disclosure; the disclosure may, however, be practiced in other ways than those described here, and the embodiments disclosed in the specification are only some of the possible embodiments, not all of them.
The network security defense method based on whole-network linkage can be applied in the environment shown in Fig. 1, within a network security defense system based on whole-network linkage. The system comprises a server 100 and firewalls 200, which communicate over a TCP connection. When a message received by any firewall 200 is identified as coming from an attack source, that firewall sends the attack source information to the server 100; the server 100 forwards it to all firewalls 200 that have authenticated to the server, so that every firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, blocks or releases it according to that blacklist.
The network is thereby protected as a whole without increasing installation cost or the working pressure on the equipment, and resisting network attacks becomes more convenient.
Firewall technology combines software and hardware devices for security management and screening in order to build a relatively isolated protective barrier between an internal network and an external network, protecting the security of user data and information.
In one embodiment, as shown in fig. 2, a network security defense method based on full network linkage is provided. The present embodiment is mainly illustrated by applying the method to the server 100 in fig. 1.
Fig. 2 is a network security defense method based on full network linkage according to an embodiment of the present disclosure, including:
step 201, receiving attack source information sent by any firewall.
Attack source information consists mainly of the IP address, protocol (TCP, UDP, etc.) and port of the attacking device. IP (Internet Protocol) is the protocol designed for the interconnection and communication of computer networks: it is the set of rules that every network connected to the internet must follow in order to communicate, and an IP address uniquely identifies a host. The port is the TCP or UDP port used to establish the connection.
"Any firewall" here means one or more of the firewalls that have established a connection with the server. In one embodiment the server is connected to firewalls A, B and C and receives attack source information from firewall A; in another it is connected to firewalls A, B and C and receives attack source information from firewalls B and C separately. These are examples only; the disclosure does not restrict which connected firewall the server receives attack source information from.
Step 202, querying a data table to obtain the location information of the target firewall.
The data table is a table in which the location information of the firewalls is stored in advance; the location information comprises each firewall's IP, protocol and port. A target firewall is any firewall whose location information is stored in the data table; there may be one or more.
After receiving attack source information the server has to send it to the target firewalls, so it queries the data table for their location information. In one embodiment the data table holds location information a1, b1 and c1 for firewalls A, B and C, and those three entries are the result of the query.
Step 203, sending the attack source information to the target firewall according to its location information, so that the target firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, decides whether to block or release the message according to that blacklist.
The server sends the attack source information to every firewall whose location it knows. Each firewall generates a whole-network linkage blacklist from the received attack source information and then judges every incoming message against it. The blacklist records, but is not limited to, the IP, protocol, port, adding time and match count of each entry. If a traffic message matches the blacklist the firewall blocks it; otherwise it releases it.
Note that the attack source information is sent to all firewalls in the data table, including the one that reported it: if firewall A reports an attack source to the server, the server sends it to firewalls A, B, C and D. Firewall A receives its own report because at that point the attack source is not yet in A's whole-network linkage blacklist.
The whole-network linkage defense scheme of this embodiment receives attack source information from any firewall, queries the data table for the location information of the target firewalls, and sends the attack source information to them so that they generate a whole-network linkage blacklist and decide whether to block or release each received message according to it. With this scheme, a firewall that has security modules such as virus filtering and intrusion detection enabled dynamically generates attack source information for the attack sources it sees, and the server distributes that information to every firewall registered with it. A firewall can therefore defend against a variety of attacks without purchasing several security modules, which solves the problem that a firewall without those modules enabled loses the ability to resist attacks.
To prevent a rogue firewall from attacking the server by sending large amounts of fabricated attack source information, and to further improve network security, the server authenticates each firewall before any information is exchanged between them.
As shown in Fig. 3, authentication runs over TCP (Transmission Control Protocol): a TCP connection is established with the three-way handshake, the firewall sends an authentication request to the server, the server returns an authentication-success message, and the firewall then reports its own location information to the server.
Optionally, as shown in Fig. 4, if three consecutive authentication attempts fail, the firewall generates the error message "Please check the network configuration or re-authenticate!". After successful authentication the firewall actively reports its location information (its IP, protocol and port) to the server, which records it in the data table.
Optionally, as shown in Fig. 5, after receiving the reported location information the server returns a report-success acknowledgement to the firewall. If, for whatever reason, the firewall receives no acknowledgement after reporting, it re-reports its location information every 3 seconds; after three consecutive attempts without an acknowledgement it indicates that the report failed and that re-authentication is needed.
In this part of the scheme, the server receives an authentication request from any firewall, establishes the preset protocol connection with that firewall once the request has been authenticated, receives the location information the firewall reports, and builds the data table from that information.
In addition, the firewall periodically sends a keep-alive message to the server to signal that it is still online; otherwise the server would treat the firewall as offline and the firewall would miss the attack source information the server distributes. Specifically, Fig. 6 shows a further network security defense method based on whole-network linkage, which includes:
Step 601, setting an offline time for any firewall.
The offline time may be set to, for example, 2 or 3 days; this embodiment does not limit it.
Step 602, updating the offline time when a keep-alive message from that firewall is received within the offline time.
In one embodiment the offline time is 3 days and an authenticated firewall sends a keep-alive message to the server every 12 or 24 hours; on receiving it, the server resets the timeout attached to that firewall's location information. In another embodiment the server receives a keep-alive message on 15 October 2021 with an offline time of 3 days, so the firewall's offline time becomes 18 October 2021; in other words, sending keep-alive messages at intervals keeps pushing the offline time forward.
Step 603, deleting the location information of that firewall from the data table when no keep-alive message from it is received within the offline time.
In one embodiment the offline time is 3 days: if the server receives no keep-alive message from a firewall within those 3 days, it considers the firewall offline and deletes its location information from the data table. If a firewall goes offline and later comes back, the user can manually restart the whole-network linkage function to report its state to the server immediately, or simply wait for the firewall's next scheduled report.
Note that for a firewall that has reported attack source information, that report also resets the timeout of its location information on the server; that is, sending attack source information counts as sending a keep-alive message.
This part of the scheme sets an offline time for each firewall, extends it whenever a keep-alive message arrives within the offline time, and deletes the firewall's location information from the data table when none arrives. This prevents the server from treating a live firewall as offline and the firewall from missing attack source information that the server distributes.
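The server-side procedure of steps 201 to 203 together with the keep-alive handling of steps 601 to 603, as an added Python illustration that is not code from the patent or from the Topsec product: the `LinkageServer` class, its method names, the shared-secret authentication check, the injectable `FakeClock` and the sample firewalls and attack source in `run_demo` are assumptions; the 3-day offline time is the text's own example value. Only a registered (authenticated) firewall may report, a report resets the reporter's timeout, and the fan-out includes the reporting firewall itself, as the text notes.

```python
"""Server side of the whole-network linkage scheme (added illustration).

Assumptions: class/method names, the shared-secret authentication, the
FakeClock, and all sample addresses are constructed for demonstration.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

OFFLINE_TIME = timedelta(days=3)        # the text's own example offline time

AttackSource = Tuple[str, str, int]     # (ip, protocol, port), as the text lists it


@dataclass
class FirewallRecord:
    """One row of the server's data table: a firewall's location plus its timeout."""
    ip: str
    protocol: str
    port: int
    expires_at: datetime


class LinkageServer:
    def __init__(self, clock: Callable[[], datetime], credentials: Dict[str, str]):
        self._clock = clock                       # injectable so the timeout can be tested
        self._credentials = credentials           # firewall id -> shared secret (assumption)
        self.table: Dict[str, FirewallRecord] = {}        # the "data table" of locations
        self.sent: List[Tuple[str, AttackSource]] = []    # what would go out on each TCP connection

    def authenticate(self, fw_id: str, secret: str) -> bool:
        expected = self._credentials.get(fw_id)
        # constant-time compare so the secret does not leak through timing
        return expected is not None and hmac.compare_digest(expected, secret)

    def register(self, fw_id: str, secret: str, ip: str, protocol: str, port: int) -> bool:
        """Location report after authentication; unauthenticated peers get no table row."""
        if not self.authenticate(fw_id, secret):
            return False
        self.table[fw_id] = FirewallRecord(ip, protocol, port, self._clock() + OFFLINE_TIME)
        return True

    def keepalive(self, fw_id: str) -> bool:
        rec = self.table.get(fw_id)
        if rec is None:
            return False        # unknown or already expired: the firewall must re-authenticate
        rec.expires_at = self._clock() + OFFLINE_TIME
        return True

    def expire_offline(self) -> List[str]:
        """Drop every firewall whose offline time has passed without a keep-alive."""
        now = self._clock()
        gone = [fid for fid, rec in self.table.items() if rec.expires_at <= now]
        for fid in gone:
            del self.table[fid]
        return gone

    def report_attack(self, sender_id: str, src: AttackSource) -> List[str]:
        """Fan a reported attack source out to every firewall still in the table."""
        if sender_id not in self.table:
            return []           # only registered (authenticated) firewalls may report
        self.keepalive(sender_id)      # a report also counts as a keep-alive
        self.expire_offline()
        targets = list(self.table)     # the sender is included: its blacklist lacks the entry
        for fid in targets:
            self.sent.append((fid, src))
        return targets


class FakeClock:
    """Stand-in clock for the demonstration (assumption, not part of the scheme)."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_demo() -> dict:
    """Walk the server through registration, one fan-out and an offline expiry."""
    clock = FakeClock(datetime(2021, 10, 15))
    creds = {"fwA": "secret-a", "fwB": "secret-b", "fwC": "secret-c"}   # constructed
    srv = LinkageServer(clock, creds)
    out = {}
    out["bad_secret"] = srv.register("fwB", "wrong", "10.0.1.1", "tcp", 9000)
    for n, (fid, secret) in enumerate(creds.items()):
        srv.register(fid, secret, f"10.0.{n}.1", "tcp", 9000)
    src = ("203.0.113.5", "tcp", 4444)                     # constructed attack source
    out["unregistered"] = srv.report_attack("fwX", src)    # never authenticated: dropped
    out["targets"] = sorted(srv.report_attack("fwA", src))
    out["sent"] = len(srv.sent)
    clock.advance(timedelta(days=2))
    srv.keepalive("fwB")                                   # B stays fresh, A and C do not
    clock.advance(timedelta(days=1, seconds=1))
    out["expired"] = sorted(srv.expire_offline())
    out["remaining"] = list(srv.table)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The authentication step is what gives the rest its value: without it the server cannot tell a genuine report from the flood of fabricated attack sources the text warns about, and every registered firewall would blacklist whatever the flooder chose.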
In one embodiment, the disclosure provides yet another network security defense method based on whole-network linkage, illustrated here as applied to the firewall 200 in Fig. 1. As shown in Fig. 7, it includes:
Step 701, receiving attack source information sent by the server and generating a whole-network linkage blacklist from it.
Step 702, when receiving a message, deciding whether to block or release it according to the whole-network linkage blacklist.
A message is a data unit exchanged and transmitted in the network: it carries the complete data to be sent and is the unit of network transmission. When a message passes through the firewall, the firewall checks it against the generated whole-network linkage blacklist; if the message's information is on the blacklist the message is treated as a threat and blocked, otherwise it is allowed through.
In a specific embodiment, the firewall receives a message and obtains its IP address, protocol and port. If the IP, protocol and port are in the whole-network linkage blacklist, the message is blocked, and if its IP is an intranet IP a receipt is also returned in uniform resource locator form. If the IP, protocol and port are not in the blacklist, the message is inspected by the security modules; when it is identified as an attack, the firewall checks whether its IP is an external network IP: for an external IP it collects the message's attack source information and sends it to the server, for an intranet IP it does not report it.
Applied to the firewall side, the whole-network linkage defense scheme of this embodiment receives attack source information from the server, generates a whole-network linkage blacklist from it and, when receiving a message, decides whether to block or release the message according to that blacklist. With this scheme, a firewall that has security modules such as virus filtering and intrusion detection enabled dynamically generates attack source information for the attack sources it sees, and the server distributes that information to every firewall registered with it, so that a firewall can defend against a variety of attacks without purchasing several security modules; this solves the problem that a firewall without those modules enabled loses the ability to resist attacks. The method also makes the firewall more competitive: in the firewall's processing pipeline, traffic that matches the whole-network linkage blacklist does not enter the other security engine modules, which saves part of the firewall's capacity and reduces the pressure on it.
In this embodiment the method further includes sending keep-alive messages to the server at a preset interval.
The preset interval may be set to 12 hours, 24 hours or the like; the keep-alive message sent at that interval proves to the server that the firewall is not offline. Because the server's database capacity is limited, this prevents the location information of firewalls that have gone offline from occupying server capacity and so helps keep the server stable.
Fig. 8 shows a further network security defense method based on whole-network linkage according to an embodiment of the present disclosure.
The firewall receives a message and obtains its IP address, protocol and port; if these are in the whole-network linkage blacklist, the message is blocked. If the IP of the message is an intranet IP, a receipt is also sent in uniform resource locator form.
A uniform resource locator (URL) is a compact representation of the location and access method of a resource on the internet, i.e. the address of a standard internet resource. The firewall obtains the IP, protocol and port of the received message; if they are in the whole-network linkage blacklist, the message is not allowed through. If the message's IP is detected to be an intranet address, i.e. a connected intranet user made the access, the firewall also returns feedback to that user in URL form, and the user sees a notice such as "This resource may contain a virus threat and has been blocked by the firewall!".
When the IP, protocol and port of the message are not in the whole-network linkage blacklist, the firewall determines whether the message's IP is an external network IP. That is, a message not matched by the blacklist still has to pass through the security modules, such as virus filtering, intrusion detection and DDoS (Distributed Denial of Service) protection, which perform security detection on it.
If the message's IP is an external network IP, the firewall collects the message's attack source information and sends it to the server; if it is an intranet IP, the attack source information is not reported. Concretely, when a security module detects an attack and the message's IP is external, the firewall records the message's IP, protocol and port and reports them to the server.
If the source IP of the attack message is an intranet IP, it is not reported, for two reasons. First, in the normal case the other security modules on the firewall block the traffic once they detect a threat, so because of the firewall the attack source cannot reach the external network anyway. Second, if an intranet IP were reported to the server as an attack source, the other firewalls would receive it and might block legitimate traffic inside their own local area networks as an attack.
In this part of the scheme the firewall receives a message, obtains its IP address, protocol and port, and blocks the message if these are in the whole-network linkage blacklist, additionally returning a receipt in uniform resource locator form when the message's IP is an intranet IP. When the IP, protocol and port are not in the blacklist, the firewall determines whether the message's IP is an external network IP: if so, it collects the message's attack source information and sends it to the server; if the IP is an intranet IP, it does not report the attack source information. In this way the network is protected as a whole without increasing installation cost or the working pressure on the equipment, and resisting network attacks becomes more convenient.
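The firewall-side decision described in the preceding paragraphs (blacklist hit, URL-form receipt for intranet users, engine detection, report only external sources), as an added Python illustration that is not code from the patent or from any Topsec firewall: `Packet`, `Verdict`, `LinkageFirewall`, the receipt URL, the stand-in `demo_engine` (which flags a fixed marker string) and the reading of "intranet IP" as RFC 1918 space are all assumptions. The addresses and payloads used below are constructed from documentation ranges.

```python
"""Firewall side of the whole-network linkage scheme (added illustration).

Assumptions: all names, the receipt URL, the stand-in security engine and the
reading of "intranet IP" as RFC 1918 space are constructed for demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Set, Tuple

# "Intranet IP" is read here as RFC 1918 space; the text does not define it.
INTRANET_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

Key = Tuple[str, str, int]      # (ip, protocol, port), the blacklist key used in the text


def is_intranet(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str           # "tcp" or "udp"
    src_port: int
    payload: bytes = b""


@dataclass
class Verdict:
    action: str                     # "block" or "release"
    receipt_url: Optional[str]      # URL-form receipt for an intranet user, on a blacklist hit
    report: Optional[Key]           # attack source to send to the server, if any


class LinkageFirewall:
    def __init__(self, security_engine: Callable[[Packet], bool],
                 receipt_url: str = "http://firewall.example/blocked"):
        self.blacklist: Set[Key] = set()        # whole-network linkage blacklist
        self._engine = security_engine          # stand-in for virus filtering / IPS / anti-DDoS
        self._receipt_url = receipt_url         # assumed address of the block-notice page

    def receive_from_server(self, entry: Key) -> None:
        """An attack source pushed by the server becomes a blacklist entry."""
        self.blacklist.add(entry)

    def inspect(self, pkt: Packet) -> Verdict:
        key = (pkt.src_ip, pkt.protocol, pkt.src_port)
        if key in self.blacklist:
            # Blacklist hit: block at once; the heavier engines are not consulted.
            url = self._receipt_url if is_intranet(pkt.src_ip) else None
            return Verdict("block", url, None)
        if not self._engine(pkt):
            return Verdict("release", None, None)      # clean: allow through
        # An engine flagged an attack. Report only external sources: an intranet
        # source pushed network-wide would make other firewalls block LAN traffic.
        report = None if is_intranet(pkt.src_ip) else key
        return Verdict("block", None, report)


def demo_engine(pkt: Packet) -> bool:
    """Constructed stand-in detector: flags a fixed marker in the payload."""
    return b"EVIL-MARKER" in pkt.payload


if __name__ == "__main__":
    fw = LinkageFirewall(demo_engine)
    fw.receive_from_server(("203.0.113.5", "tcp", 4444))          # pushed by the server
    for pkt in (Packet("203.0.113.5", "tcp", 4444),                # blacklist hit
                Packet("198.51.100.7", "tcp", 80, b"GET / EVIL-MARKER"),   # engine hit, external
                Packet("172.16.5.5", "tcp", 80, b"EVIL-MARKER"),   # engine hit, intranet
                Packet("198.51.100.8", "tcp", 80, b"hello")):      # clean
        print(pkt.src_ip, fw.inspect(pkt))
```

The order of the two checks is the performance point the text makes: a blacklist lookup is a set membership test, so traffic already known network-wide never reaches the signature engines, and only engine-confirmed, non-RFC 1918 sources are ever handed to the server.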
In this embodiment of the disclosure, when the number of entries in the whole-network linkage blacklist equals the preset threshold, entries are deleted in order of their adding time until the blacklist is reduced to the preset value, and the deletion is recorded in the firewall's log.
In some embodiments, the preset threshold is controlled by the firewall's license: when the blacklist reaches the size specified in the license, the 50% of entries that were added first are deleted. For example, if the license allows a blacklist of 20000 entries, then when the blacklist reaches 20000 entries the 10000 entries added first are deleted. The deletion is recorded in the firewall's local log.
According to the whole-network linkage security defense scheme provided by this embodiment of the disclosure, when the number of entries in the whole-network linkage blacklist equals the preset threshold, entries are deleted in order of their adding time until the blacklist is reduced to the preset value, and the deletion is recorded in the local log of the firewall concerned. This takes the complexity of real network environments into account and guarantees that the firewall's whole-network linkage blacklist never exceeds its limit, which makes the firewall convenient for users.
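The firewall-side processing described above (blacklist match on IP, protocol and port; intranet versus external source; reporting only external sources; license-bounded eviction of the oldest entries with a local log record), as an added example that is not code from the patent or its assignee. It assumes an "intranet IP" is one in the RFC 1918 private ranges, models the resource-locator receipt as a URL-like string, and defaults the license threshold to the 20000-entry figure used in the text.

```python
"""Firewall-side handling of the whole-network linkage blacklist.

Added illustration, not code from the patent or its assignee. Assumptions:
a message is identified by (source IP, protocol, port); an "intranet IP"
is one in the RFC 1918 private ranges; the "resource locator mode" receipt
is modelled as a URL-like string returned to the caller; the license
threshold defaults to the 20000-entry figure used in the text and the
oldest 50% of entries are deleted when it is reached.
"""
from collections import OrderedDict
from ipaddress import ip_address, ip_network

INTRANET_RANGES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET_RANGES)


class LinkageFirewall:
    def __init__(self, license_limit=20000, purge_fraction=0.5):
        self.blacklist = OrderedDict()   # insertion order = list adding time
        self.license_limit = license_limit
        self.purge_fraction = purge_fraction
        self.local_log = []              # deletion records go here
        self.reports = []                # attack source info handed to server

    def add_attack_source(self, ip, proto, port):
        """Record attack source info issued by the server."""
        key = (ip, proto, port)
        if key in self.blacklist:
            return
        self.blacklist[key] = True
        if len(self.blacklist) >= self.license_limit:
            self._purge_oldest()

    def _purge_oldest(self):
        """Delete the entries added first and log the operation locally."""
        count = int(len(self.blacklist) * self.purge_fraction)
        for _ in range(count):
            self.blacklist.popitem(last=False)
        self.local_log.append(
            f"linkage blacklist reached {self.license_limit}: deleted {count} "
            f"oldest entries, {len(self.blacklist)} remain")

    def handle_message(self, ip, proto, port, local_engine_alert=False):
        """Return (verdict, receipt) for one message.

        local_engine_alert is True when the firewall's own engines (virus
        filtering, intrusion detection, DDoS) have flagged the message.
        """
        key = (ip, proto, port)
        intranet = is_intranet(ip)
        if key in self.blacklist:
            # Blocked by the linkage blacklist; an intranet source also gets
            # a receipt in resource-locator form.
            receipt = (f"fw://receipt?ip={ip}&proto={proto}&port={port}"
                       if intranet else None)
            return "block", receipt
        if local_engine_alert:
            if not intranet:
                # External attack source not yet in the blacklist: report it
                # so the server can issue it to every firewall.
                self.reports.append(key)
            # Intranet sources are never reported: the local engines already
            # block them, and a reported LAN address would make other
            # firewalls block legitimate traffic in their own networks.
            return "block", None
        return "release", None
```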
As an example scenario, as shown in fig. 9:
1. An attack message from the network (Internet) reaches the firewall of local area network 1; the firewall intercepts the attack and records the attack source information.
2. The firewall in local area network 1 reports the recorded attack source information to the external network server.
3. The server issues the attack source information to all firewalls.
4. Each firewall that receives the attack source information issued by the server records the attack source in its own whole-network linkage blacklist.
5. When the attack message from the network reaches the firewalls of other local area networks, the firewall detects that the message matches the whole-network linkage blacklist and blocks it.
More specifically, each firewall reports its own location information to the server and authenticates. A firewall with the virus filtering, intrusion detection and DDoS attack modules enabled reports an attack source to the server after detecting it. The server sends the attack source information to all firewalls that have reported their location information, and each firewall dynamically generates its whole-network linkage blacklist from the attack source information received from the server; a message that matches the whole-network linkage blacklist is blocked. In addition, each firewall periodically sends a keep-alive message to the server to inform it that the firewall is online.
Thus, in this embodiment of the disclosure, the firewalls in the individual local area networks form a unified whole through linkage with the external network server: the server issues the attack source information to the firewall in each local area network, which dynamically generates the whole-network linkage blacklist, so that even a firewall on which security engines such as virus filtering and intrusion detection are not enabled obtains a certain degree of defense capability.
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present disclosure. The server comprises a receiving module 1001, a query obtaining module 1002 and a sending module 1003, which are implemented as follows:
the receiving module 1001 is configured to receive attack source information sent by any firewall;
the query obtaining module 1002 is configured to query a data table to obtain the location information of the target firewall;
the sending module 1003 is configured to send the attack source information to the target firewall according to its location information, so that the target firewall generates a whole-network linkage blacklist from the attack source information and, when it receives a message, determines whether to block or release the message according to that blacklist.
Optionally, the apparatus further comprises:
the receiving request module is used for receiving an authentication operation request sent by any firewall;
and the connection generation module is used for establishing a preset protocol connection with any firewall after the authentication operation request is authenticated, receiving the position information reported by any firewall and generating a data table according to the position information.
Optionally, the apparatus further comprises:
the setting module is used for setting the offline time of any firewall;
the receiving and updating module is used for updating the offline time when a keep-alive message from any firewall is received within the offline time;
and the deleting module is used for deleting the location information of any firewall from the data table when no keep-alive message from that firewall is received within the offline time.
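The server side described in the scenario and in the modules above (authentication, data table of firewall locations, keep-alive with an offline timer, fan-out of attack source information to every firewall still in the table), as an added example that is not code from the patent or its assignee. It assumes a pre-shared token per firewall for the authentication step, a (host, port) pair as location information, and an injectable clock so the offline timer can be exercised deterministically.

```python
"""Server-side firewall registry and attack-source fan-out.

Added illustration, not code from the patent or its assignee. Assumptions:
each firewall authenticates with a pre-shared token (the text only says the
request "is authenticated"); location information is a (host, port) pair;
the "preset protocol connection" is represented by the firewall's entry in
the data table; time is read from an injectable clock so the offline timer
can be exercised deterministically.
"""
import hmac
import time


class LinkageServer:
    def __init__(self, offline_seconds=60, clock=time.monotonic):
        self.offline_seconds = offline_seconds
        self.clock = clock
        self.tokens = {}    # firewall_id -> pre-shared token (assumption)
        self.table = {}     # data table: firewall_id -> {"location", "deadline"}
        self.received = []  # (reporter_id, attack_source) as reported
        self.outbox = []    # (firewall_id, location, attack_source) issued

    def enrol(self, fw_id, token):
        """Provision a firewall's token out of band (assumption)."""
        self.tokens[fw_id] = token

    def authenticate(self, fw_id, token, location):
        """Receiving-request and connection-generation modules."""
        expected = self.tokens.get(fw_id)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        # Connection established: record location and start the offline timer.
        self.table[fw_id] = {"location": location,
                             "deadline": self.clock() + self.offline_seconds}
        return True

    def keep_alive(self, fw_id):
        """Receiving-and-updating module: refresh the offline time."""
        entry = self.table.get(fw_id)
        if entry is None or self.clock() > entry["deadline"]:
            return False   # unknown or already offline: must re-authenticate
        entry["deadline"] = self.clock() + self.offline_seconds
        return True

    def sweep_offline(self):
        """Deleting module: drop firewalls whose keep-alive did not arrive."""
        now = self.clock()
        gone = [fw for fw, e in self.table.items() if now > e["deadline"]]
        for fw in gone:
            del self.table[fw]
        return gone

    def report_attack_source(self, reporter_id, attack_source):
        """Receiving, query-obtaining and sending modules in sequence."""
        self.received.append((reporter_id, attack_source))
        self.sweep_offline()
        targets = []
        # Every firewall that has reported its location (the reporter
        # included) is a target, so each can grow its linkage blacklist.
        for fw_id, entry in self.table.items():
            self.outbox.append((fw_id, entry["location"], attack_source))
            targets.append(fw_id)
        return targets
```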
Fig. 11 is a schematic structural diagram of a firewall device according to an embodiment of the present disclosure. The firewall device comprises a connection sending module 1101, a generating module 1102 and a processing module 1103, which are implemented as follows:
the connection sending module 1101 is configured to receive attack source information sent by the server;
the generating module 1102 is configured to generate a whole-network linkage blacklist from the attack source information;
the processing module 1103 is configured to determine whether to block or release a message according to the whole-network linkage blacklist when the message is received.
Optionally, the apparatus further comprises:
and the message sending module is used for sending keep-alive messages to the server at a preset time interval.
Optionally, the processing module 1103 is specifically configured to:
receiving a message, and acquiring an Internet Protocol (IP) address, a protocol and a port of the message;
blocking the message when the IP, the protocol and the port of the message are in the full-network linkage blacklist; wherein, under the condition that the IP of the message is an intranet IP, the receipt information is sent in a resource locator mode;
judging whether the IP of the message is an external network IP or not when the IP, the protocol and the port of the attacker are not in the whole network linkage blacklist;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to a server;
and under the condition that the IP of the attacker is the intranet IP, the attack source information of the message is not reported.
Optionally, the apparatus further comprises:
and the record deleting module is used for deleting entries from the whole-network linkage blacklist in order of their adding time, down to a preset value, when the number of entries in the blacklist equals a preset threshold, and for recording the deletion in the local log of the firewall.
The embodiment of the disclosure also provides a whole-network linkage network security defense system, which comprises a server and a firewall.
The server and the firewall provided in this embodiment can execute the whole-network linkage network security defense method provided in the method embodiment above; the implementation principle and technical effect are similar and are not described again here.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network security defense method based on whole network linkage is characterized in that the method is applied to a server and comprises the following steps:
receiving attack source information sent by any firewall;
inquiring a data table to obtain the position information of the target firewall;
and sending the attack source information to the target firewall according to the position information of the target firewall so that the target firewall generates a full-network linkage blacklist according to the attack source information, and determining to block or release the message according to the full-network linkage blacklist when receiving the message.
2. The network security defense method based on the network wide linkage according to claim 1, further comprising:
receiving an authentication operation request sent by any firewall;
after the authentication operation request is authenticated, a preset protocol connection is established with any firewall, the position information reported by any firewall is received, and the data table is generated according to the position information.
3. The network security defense method based on the network wide linkage according to claim 1, further comprising:
setting the offline time of any firewall;
updating the offline time when the keep-alive messages of any firewall are received in the offline time;
and if no keep-alive message from any firewall is received within the offline time, deleting the position information of that firewall from the data table.
4. A network security defense method based on whole network linkage is characterized in that the method is applied to any firewall and comprises the following steps:
receiving attack source information sent by the server;
generating a whole network linkage blacklist according to the attack source information;
and when a message is received, determining whether to block or release the message according to the whole network linkage blacklist.
5. The network security defense method based on the full-network linkage according to claim 4, characterized by further comprising:
and sending the keep-alive messages to the server according to a preset time interval.
6. The network security defense method based on the network-wide linkage according to claim 4, wherein when the firewall receives the message, determining whether to block or release the message according to the network-wide linkage blacklist includes:
receiving a message, and acquiring an Internet Protocol (IP) address, a protocol and a port of the message;
blocking the message when the IP, the protocol and the port of the message are in the full-network linkage blacklist; sending receipt information in a resource locator mode under the condition that the IP of the message is an intranet IP;
judging whether the IP of the message is an external network IP or not when the IP, the protocol and the port of the attacker are not in the whole network linkage blacklist;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to the server;
and under the condition that the IP of the attacker is the intranet IP, not reporting the attack source information of the message.
7. The network security defense method based on the full-network linkage according to claim 4, characterized by further comprising:
and when the list value in the whole network linkage blacklist is equal to a preset threshold value, deleting the list in the whole network linkage blacklist to a preset value according to the list adding time sequence, and recording the operation of deleting the list in a local log of any firewall.
8. A server, comprising:
the receiving module is used for receiving attack source information sent by any firewall;
the query acquisition module is used for querying the data table and acquiring the position information of the target firewall;
and the sending module is used for sending the attack source information to the target firewall according to the position information of the target firewall so that the target firewall generates a full-network linkage blacklist according to the attack source information, and when a message is received, the message is determined to be blocked or released according to the full-network linkage blacklist.
9. A firewall, comprising:
the connection sending module is used for establishing a preset protocol connection with a server and receiving attack source information sent by the server;
the generating module is used for generating a whole network linkage blacklist according to the attack source information;
and the processing module is used for determining whether to block or release the message according to the whole network linkage blacklist when receiving the message.
10. A network security defense system based on whole network linkage, characterized in that it comprises: a plurality of servers as claimed in claim 8 and a firewall as claimed in claim 9.
CN202111316105.4A 2021-11-08 2021-11-08 Network security defense method, equipment and system based on whole network linkage Pending CN114024752A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111316105.4A CN114024752A (en) 2021-11-08 2021-11-08 Network security defense method, equipment and system based on whole network linkage

Publications (1)

Publication Number Publication Date
CN114024752A true CN114024752A (en) 2022-02-08

Family

ID=80062625

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296893A (en) * 2022-08-02 2022-11-04 北京天融信网络安全技术有限公司 Method, device, system and medium for detecting address information abnormity

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184088A (en) * 2007-12-14 2008-05-21 浙江工业大学 Multi-point interlinked LAN firewall cooperating method
CN102594834A (en) * 2012-03-09 2012-07-18 北京星网锐捷网络技术有限公司 Method and device for defending network attack and network equipment
CN103973573A (en) * 2014-05-16 2014-08-06 杭州华三通信技术有限公司 Session backup method and device and message forwarding method and device
CN104137641A (en) * 2013-01-31 2014-11-05 华为技术有限公司 Method, permanent online controller and device for keeping application online
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN105553958A (en) * 2015-12-10 2016-05-04 国网四川省电力公司信息通信公司 Novel network security linkage system and method
CN108040039A (en) * 2017-11-28 2018-05-15 深信服科技股份有限公司 A kind of method, apparatus, equipment and system for identifying attack source information
CN113497798A (en) * 2020-04-08 2021-10-12 北京中科网威信息技术有限公司 FPGA-based data forwarding method for firewall

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination