CN114024752B - Network security defense method, device and system based on whole network linkage - Google Patents

Info

Publication number
CN114024752B
Authority
CN
China
Prior art keywords
firewall
message
attack source
blacklist
source information
Prior art date
Legal status
Active
Application number
CN202111316105.4A
Other languages
Chinese (zh)
Other versions
CN114024752A (en)
Inventor
顾荣松
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111316105.4A
Publication of CN114024752A
Application granted
Publication of CN114024752B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a network security defense method, device and system based on whole-network linkage. A server receives attack source information sent by any firewall, queries a data table to obtain the position information of the target firewalls, and sends the attack source information to the target firewalls according to that position information, so that each target firewall generates a whole-network linkage blacklist from the attack source information and, when receiving a message, blocks or releases it according to that blacklist. Comprehensive protection of the operator's own network is thus achieved without increasing the installation cost or the working pressure of the equipment, which further improves the convenience of resisting network attacks.

Description

Network security defense method, device and system based on whole network linkage
Technical Field
The disclosure relates to the technical field of network security, in particular to a network security defense method, device and system based on whole network linkage.
Background
With the popularization and development of the internet, the network environment faces various network security problems.
In the related art, detection and defense are mainly performed by function modules such as virus filtering and intrusion detection deployed on a firewall or anti-virus gateway. However, to comprehensively protect the network behind the firewall or anti-virus gateway, several security modules must be installed at the same time; installing them is relatively costly, and once they are started the working pressure on the firewall, anti-virus gateway and other equipment increases greatly.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, the present disclosure provides a network security defense method, device and system based on whole network linkage.
In a first aspect, an embodiment of the present disclosure provides a network security defense method based on whole network linkage, which is applied to a server, and includes:
receiving attack source information sent by any firewall;
querying a data table to obtain the position information of the target firewall;
and sending the attack source information to the target firewall according to the position information of the target firewall, so that the target firewall generates a whole-network linked blacklist according to the attack source information and, when receiving a message, determines whether to block or release the message according to the whole-network linked blacklist.
In a second aspect, an embodiment of the present disclosure further provides a network security defense method based on whole network linkage, which is applied to a firewall, and includes:
Establishing a preset protocol connection with a server and receiving attack source information sent by the server;
generating a whole-network linkage blacklist according to attack source information;
and when receiving the message, determining whether to block or release the message according to the whole-network linked blacklist.
In a third aspect, embodiments of the present disclosure further provide a server, including:
the receiving module is used for receiving attack source information sent by any firewall;
the query acquisition module is used for querying the data table and acquiring the position information of the target firewall;
and the sending module is used for sending the attack source information to the target firewall according to the position information of the target firewall so that the target firewall generates a whole-network linked blacklist according to the attack source information, and when receiving the message, the target firewall determines to block or release the message according to the whole-network linked blacklist.
In a fourth aspect, embodiments of the present disclosure further provide a firewall, including:
The connection transmitting module is used for establishing a preset protocol connection with the server and receiving attack source information transmitted by the server;
the generation module is used for generating a whole-network linkage blacklist according to the attack source information;
and the processing module is used for determining whether to block or release the message according to the whole network linked blacklist when receiving the message.
In a fifth aspect, an embodiment of the present disclosure further provides a network security defense system based on whole network linkage, including: the server and firewall of the foregoing embodiments.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
In the embodiment of the disclosure, the server receives attack source information sent by any firewall, obtains the position of each firewall by querying the data table, and sends the attack source information to the firewalls according to that position information so that they generate the whole-network linked blacklist; when a firewall receives a message, it determines whether to release or block it according to the whole-network linked blacklist. The network is thus comprehensively guarded without increasing installation cost or equipment working pressure, and the convenience of resisting network attacks is further improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic diagram of a network security defense system based on whole network linkage according to an embodiment of the disclosure;
fig. 2 is a flowchart of a network security defense method based on whole network linkage according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of another network security defense method based on whole network linkage provided by an embodiment of the present disclosure;
FIG. 4 is a flowchart of yet another network security defense method based on whole network linkage provided by an embodiment of the present disclosure;
FIG. 5 is a flowchart of yet another network security defense method based on whole network linkage provided by an embodiment of the present disclosure;
FIG. 6 is a flowchart of yet another network security defense method based on whole network linkage provided by an embodiment of the present disclosure;
fig. 7 is a flowchart of yet another network security defense method based on whole network linkage provided in an embodiment of the present disclosure;
FIG. 8 is a flowchart of yet another network security defense method based on whole network linkage provided by an embodiment of the present disclosure;
fig. 9 is a flowchart of yet another network security defense method based on whole network linkage provided in an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the disclosure;
fig. 11 is a schematic structural view of a firewall according to an embodiment of the disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
The network security defense method based on whole-network linkage can be applied to the application environment shown in fig. 1, i.e. to a network security defense system based on whole-network linkage. The system comprises a server 100 and firewalls 200, which communicate over a TCP connection. When any firewall 200 identifies a received message as coming from an attack source, it sends the attack source information to the server 100, and the server 100 sends the attack source information to all firewalls 200 authenticated on it, so that every firewall 200 generates a whole-network linked blacklist from the attack source information and, when receiving a message, blocks or releases it according to that blacklist.
All-round protection of the operator's own network is thus achieved without increasing installation cost or equipment working pressure, and the convenience of resisting network attacks is further improved.
The firewall technology is a technology for helping a computer network to construct a relatively isolated protection barrier between an internal network and an external network by organically combining various software and hardware devices for safety management and screening so as to protect user data and information safety.
In one embodiment, as shown in fig. 2, a network security defense method based on whole network linkage is provided. The present embodiment is mainly illustrated by the application of the method to the server 100 in fig. 1.
Fig. 2 is a network security defense method based on whole network linkage according to an embodiment of the present disclosure, including:
step 201, receiving attack source information sent by any firewall.
The attack source information mainly comprises the IP address, the protocol (for example TCP or UDP) and the port of the attacking device. IP (Internet Protocol) is the interconnection protocol between networks, i.e. the protocol designed so that interconnected computer networks can communicate; it is a set of rules that allows every computer network connected to the Internet to communicate with the others and prescribes the rules computers must observe when communicating on the Internet, and each IP address is unique. The port is the TCP or UDP port used to establish the connection.
In embodiments of the present disclosure, "any firewall" refers to one or more of the firewalls that have established a connection with the server. In some embodiments the server establishes connections with firewalls A, B and C and receives attack source information sent by firewall A; in another embodiment the server establishes connections with firewalls A, B and C and receives attack source information sent by firewalls B and C respectively. These are merely examples, and the embodiments of the present disclosure do not specifically limit from which firewall the server receives attack source information.
Step 202, inquiring a data table to obtain the position information of the target firewall.
The data table refers to a table in which firewall location information is stored in advance. The location information includes IP, protocol and port of the firewall. The target firewall refers to a firewall storing the position information in the data table, and can be one or more.
In the embodiment of the disclosure, after the attack source information is received, the attack source information needs to be sent to the target firewall, so that the data table needs to be queried to obtain the position information of the target firewall. In some embodiments, the data table stores the location information of the firewalls A, B and C as A1, B1, and C1, respectively, and the acquired location information is A1, B1, and C1, respectively.
Step 203, according to the position information of the target firewall, the attack source information is sent to the target firewall, so that the target firewall generates a whole-network linked blacklist according to the attack source information, and when receiving the message, the target firewall determines to block or release the message according to the whole-network linked blacklist.
The server sends the attack source information to all firewalls whose position information is known, and each firewall generates a whole-network linked blacklist from the received attack source information, so that when a message is received it can judge from the blacklist whether to block or release it. The whole-network linked blacklist includes, but is not limited to, the IP, protocol and port, the addition time, and the number of times the entry has matched a message. If a traffic message matches the whole-network linked blacklist, the blocking action is executed; otherwise the message is released.
It should be noted that the attack source information is sent to all the firewalls in the data table. For example, firewall A sends the attack source information to the server, and the server sends it to firewalls A, B, C and D, that is, also back to firewall A, because at this time the whole-network linked blacklist of firewall A does not yet contain the attack source information.
According to the network security defense scheme of whole network linkage, which is provided by the embodiment of the disclosure, attack source information sent by any firewall is received, a data table is queried, the position information of a target firewall is obtained, the attack source information is sent to the target firewall according to the position information of the target firewall, so that the target firewall generates a whole network linkage blacklist according to the attack source information, and when a message is received, the message is blocked or released according to the whole network linkage blacklist. By adopting the technical scheme, the firewall which starts the security modules such as virus filtering and intrusion detection dynamically generates the attack source information aiming at the attack source in the network environment, and the attack source information is issued to all the firewalls registered on the server through the server, so that the firewall realizes the defense of various attacks under the condition that a plurality of security modules are not purchased, and the problem that the firewall loses the capability of resisting the attacks due to the fact that the security modules are not started is solved.
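The server-side procedure of steps 201 to 203 and the firewall-side blacklist of steps 701 and 702, written out as a small runnable model. This is an added example, not code from the patent or its assignee; the class names (LinkageServer, Firewall, AttackSource), the in-memory "data table" and the direct method call standing in for the TCP connection are assumptions.

```python
# Added example (not the patent's code): server fan-out of attack source
# information to every authenticated firewall, including the reporter, and the
# firewall-side blacklist that blocks or releases messages by (IP, protocol, port).
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AttackSource:
    """Attack source information as the page defines it: IP, protocol and port."""
    ip: str
    protocol: str   # "TCP" or "UDP"
    port: int


@dataclass
class BlacklistEntry:
    source: AttackSource
    added_at: datetime      # addition time, kept per the page
    match_count: int = 0    # number of messages matched so far


class Firewall:
    """Firewall side: keeps the whole-network linkage blacklist, blocks or releases."""

    def __init__(self, name, location):
        self.name = name
        self.location = location        # (ip, protocol, port) of the firewall itself
        self.blacklist = {}             # AttackSource -> BlacklistEntry

    def receive_attack_source(self, src, now):
        # Step 701: extend the whole-network linkage blacklist (idempotent)
        if src not in self.blacklist:
            self.blacklist[src] = BlacklistEntry(src, now)

    def handle_message(self, ip, protocol, port):
        # Step 702: a message matching IP + protocol + port is blocked, else released
        entry = self.blacklist.get(AttackSource(ip, protocol, port))
        if entry is None:
            return "release"
        entry.match_count += 1
        return "block"


class LinkageServer:
    """Server side: data table of authenticated firewalls plus fan-out."""

    def __init__(self):
        self.data_table = {}   # firewall name -> location, filled after authentication
        self.channels = {}     # firewall name -> Firewall object (stands in for the TCP connection)

    def register(self, fw):
        self.data_table[fw.name] = fw.location
        self.channels[fw.name] = fw

    def receive_attack_source(self, reporter, src, now=None):
        # Step 201: accept a report only from a firewall present in the data table,
        # so an unauthenticated peer cannot push entries into everyone's blacklist
        if reporter not in self.data_table:
            raise PermissionError(f"{reporter} is not authenticated")
        now = now or datetime.now(timezone.utc)
        # Step 202: query the data table for the target firewalls' locations
        targets = list(self.data_table)
        # Step 203: send to every target, the reporter included, whose own
        # blacklist does not yet contain the entry
        for name in targets:
            self.channels[name].receive_attack_source(src, now)
        return targets


def demo():
    """Firewall A reports one source; A, B and C all end up blocking it."""
    server = LinkageServer()
    fws = {n: Firewall(n, (f"10.0.{i}.1", "TCP", 443)) for i, n in enumerate("ABC")}
    for fw in fws.values():
        server.register(fw)
    src = AttackSource("203.0.113.7", "TCP", 22)   # constructed sample value
    targets = server.receive_attack_source("A", src)
    verdicts = {n: fws[n].handle_message("203.0.113.7", "TCP", 22) for n in fws}
    other = fws["B"].handle_message("203.0.113.8", "TCP", 22)
    return targets, verdicts, other, fws["B"].blacklist[src].match_count
```

The check in `receive_attack_source` is the practical reason the page requires authentication before any firewall may report: without it, one peer could flood every firewall's blacklist with constructed entries.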
In the embodiment of the disclosure, to prevent other firewalls from attacking the server by sending large amounts of constructed attack source information, and to further improve the security of the network, the firewall must complete an authentication operation before the server and the firewall exchange information. In some embodiments, the server receives an authentication operation request sent by any firewall, establishes a preset-protocol connection with that firewall, receives the position information reported by it, and generates the data table from the position information.
The authentication operation can be completed through a preset protocol. As shown in fig. 3, the authentication operation can be completed over TCP (Transmission Control Protocol): a TCP connection is established through the three-way handshake; after the connection is established, the firewall sends an authentication operation request to the server, the server sends authentication success information to the firewall, and the firewall reports its own position information to the server.
Alternatively, as shown in fig. 4, if the firewall has not authenticated successfully after 3 consecutive authentication attempts, the firewall should generate the error message "Please check the network configuration or re-authenticate!". After successful authentication, the firewall actively reports its own position information, consisting of the IP, protocol and port of the firewall, to the server, and the server records the position information in the data table after receiving it.
Optionally, as shown in fig. 5, after receiving the position information reported by the firewall, the server sends a receipt confirming successful reporting to the firewall. If, for whatever reason, the firewall does not receive the server's receipt after reporting its position, it should report its own position information again every 3 seconds, and after failing to receive the receipt three times in succession it should prompt that reporting failed and that re-authentication is needed.
According to the network security defense scheme of the whole network linkage, which is provided by the embodiment of the disclosure, after an authentication operation request sent by any firewall is received, a preset protocol connection is established with any firewall and position information reported by any firewall is received after the authentication operation request is authenticated, and a data table is generated according to the position information.
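The registration sequence of figs. 3 to 5 (authenticate with up to three attempts, report the position, re-report every 3 seconds without a receipt, give up after three misses) as a firewall-side state machine. This is an added example, not the patent's or Topsec's code; the two transport callables, the ServerStub and the shared-secret check are assumptions standing in for the real TCP exchange.

```python
# Added example (not from the patent): firewall-side authentication and
# position reporting with the retry rules the page describes.
import time

AUTH_ERROR = "Please check the network configuration or re-authenticate!"
REPORT_ERROR = "Reporting position information failed; re-authentication required"


class RegistrationClient:
    def __init__(self, location, send_auth, send_location,
                 sleep=time.sleep, report_interval=3.0):
        self.location = location            # (ip, protocol, port) of this firewall
        self.send_auth = send_auth          # () -> True when the server answers "authentication success"
        self.send_location = send_location  # (location) -> True when the server's receipt arrives
        self.sleep = sleep                  # injectable so a test need not really wait
        self.report_interval = report_interval
        self.events = []                    # what the operator would see

    def authenticate(self, max_attempts=3):
        # Three consecutive failures produce the error message from the page
        for attempt in range(1, max_attempts + 1):
            if self.send_auth():
                self.events.append(f"authenticated on attempt {attempt}")
                return True
            self.events.append(f"authentication attempt {attempt} failed")
        self.events.append(AUTH_ERROR)
        return False

    def report_location(self, max_attempts=3):
        # Without a receipt, re-report every report_interval seconds; after
        # three consecutive misses give up and require re-authentication
        for attempt in range(1, max_attempts + 1):
            if self.send_location(self.location):
                self.events.append("position reported, receipt received")
                return True
            self.events.append(f"no receipt for report {attempt}")
            if attempt < max_attempts:
                self.sleep(self.report_interval)
        self.events.append(REPORT_ERROR)
        return False

    def register(self):
        if not self.authenticate():
            return "auth_failed"
        if not self.report_location():
            return "report_failed"
        return "registered"


class ServerStub:
    """Constructed stand-in for the server: records a position only after auth."""

    def __init__(self, shared_secret, drop_receipts=0):
        self.shared_secret = shared_secret
        self.drop_receipts = drop_receipts   # simulate receipts lost on the way back
        self.authenticated = False
        self.data_table = []

    def auth(self, secret):
        self.authenticated = secret == self.shared_secret
        return self.authenticated

    def report(self, location):
        if not self.authenticated:
            return False
        if location not in self.data_table:   # a re-report must not duplicate the row
            self.data_table.append(location)
        if self.drop_receipts > 0:
            self.drop_receipts -= 1
            return False                      # stored, but the receipt never arrives
        return True


def run(secret_ok=True, lost_receipts=0):
    """Drive one registration; returns (outcome, events, sleeps, server data table)."""
    server = ServerStub("s3cret", drop_receipts=lost_receipts)   # constructed secret
    sleeps = []
    client = RegistrationClient(
        ("192.0.2.10", "TCP", 8443),
        send_auth=lambda: server.auth("s3cret" if secret_ok else "wrong"),
        send_location=server.report,
        sleep=sleeps.append)
    return client.register(), client.events, sleeps, server.data_table
```

Making `report` idempotent on the server side matters because the page's retry rule re-sends the same position after a lost receipt; without it every lost receipt would add a duplicate row to the data table.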
In addition, the firewall needs to send corresponding keep-alive messages to the server at regular time to inform the server of the online state, so that the server can be prevented from considering that the firewall is offline and missing attack source information sent by the server. Specifically, fig. 6 is a further network security defense method of full network linkage according to an embodiment of the present disclosure, including:
step 601, setting the offline time of any firewall.
The offline time may be set to 2 days or 3 days, and the embodiment is not limited herein.
Step 602, updating the offline time when receiving the keep-alive message of any firewall in the offline time.
In some embodiments the offline time of the firewall is set to 3 days, so an authenticated firewall can send a keep-alive message to the server every 12 hours or 24 hours, and the server resets the timeout corresponding to that firewall's position information after receiving the keep-alive message. In another embodiment, the server receives a keep-alive message on October 15, 2021; since the set offline time is 3 days, the offline time of the firewall becomes October 18, 2021, i.e. the offline time is extended by sending a keep-alive message to the server at regular intervals.
Step 603, deleting the position information of any firewall from the data table when no keep-alive message from that firewall is received within the offline time.
In some embodiments, the offline time of the firewall is set to be 3 days, if the server does not receive the keep-alive message from any firewall within 3 days, the firewall is considered to be offline, and the location information of the firewall is deleted from the data table; in another embodiment, when the firewall is offline and re-online for some reason, the user may manually restart the whole network linkage function to immediately report its own status to the server, or may wait for the firewall to send itself at regular time.
It should be noted that, for a firewall with reported attack source information, the attack source information sent by the firewall may also reset the timeout time of its location information on the server, i.e. sending the attack source information may be regarded as sending a keep-alive message.
According to the network security defense scheme of the whole-network linkage, the offline time of any firewall is set; the offline time is updated when a keep-alive message from that firewall is received within the offline time, and when no keep-alive message from that firewall is received within the offline time, its position information is deleted from the data table. By adopting this technical scheme, the server is prevented from considering the firewall offline, so that the firewall does not miss attack source information sent by the server.
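Steps 601 to 603 on the server side, using the page's own figures: a 3-day offline time, daily keep-alives, a keep-alive on October 15, 2021 pushing the deadline to October 18, 2021, and an attack source report counting as a keep-alive. This is an added example, not the patent's code; the OnlineTable class and its method names are assumptions.

```python
# Added example (not from the patent): per-firewall offline deadline that
# keep-alives (and attack source reports) extend and whose expiry deletes the
# firewall's position information from the data table.
from datetime import datetime, timedelta


class OnlineTable:
    """The server's data table with an offline deadline per firewall."""

    def __init__(self, offline_after=timedelta(days=3)):
        self.offline_after = offline_after
        self.entries = {}    # firewall name -> (location, offline_time)
        self.removed = []    # names deleted by expiry, in order

    def add(self, name, location, now):
        # Step 601: set the offline time when the firewall registers
        self.entries[name] = (location, now + self.offline_after)

    def expire(self, now):
        # Step 603: delete every firewall whose offline time has been reached
        gone = [n for n, (_, deadline) in self.entries.items() if now >= deadline]
        for n in gone:
            del self.entries[n]
        self.removed.extend(gone)
        return gone

    def keep_alive(self, name, now):
        # Step 602: a keep-alive received before the deadline resets it. A firewall
        # that is already past its deadline has been deleted and must re-authenticate.
        self.expire(now)
        if name not in self.entries:
            return False
        location, _ = self.entries[name]
        self.entries[name] = (location, now + self.offline_after)
        return True

    def attack_source_report(self, name, now):
        # The page treats a report of attack source information as a keep-alive too
        return self.keep_alive(name, now)

    def offline_time(self, name):
        return self.entries[name][1]


def demo():
    """A sends daily keep-alives, B goes silent; returns the resulting deadlines."""
    table = OnlineTable()
    t0 = datetime(2021, 10, 12, 9, 0)                  # constructed registration time
    table.add("A", ("192.0.2.10", "TCP", 8443), t0)
    table.add("B", ("192.0.2.11", "TCP", 8443), t0)
    for day in (1, 2, 3):                               # last keep-alive on 2021-10-15
        table.keep_alive("A", t0 + timedelta(days=day))
    a_deadline = table.offline_time("A")                # 2021-10-18 09:00
    late = table.keep_alive("B", t0 + timedelta(days=3, hours=1))   # B already deleted
    table.attack_source_report("A", t0 + timedelta(days=5))       # report resets A again
    return a_deadline, late, list(table.removed), table.offline_time("A")
```

Expiry is evaluated inside `keep_alive` rather than only by a periodic sweep, so a firewall whose keep-alive arrives after the deadline is treated as offline exactly as the page describes, and has to go through authentication and position reporting again.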
In one embodiment, the present disclosure provides yet another network security defense method based on whole-network linkage. The present embodiment is mainly illustrated by applying the method to the firewall 200 in fig. 1. As shown in fig. 7, the method includes:
Step 701, receiving attack source information sent by a server, and generating a whole-network linkage blacklist according to the attack source information.
Step 702, when receiving a message, determining whether to block or release the message according to the whole network linked blacklist.
The message refers to a data unit (a packet) exchanged and transmitted in the network; it contains the complete data information to be sent and is also the unit of network transmission. When a message passes through the firewall, the firewall judges it against the generated whole-network linked blacklist: if the message information is in the blacklist, the message is judged harmful and blocked; otherwise the message is allowed to pass.
In a specific embodiment, a message is received and its Internet Protocol address (IP), protocol and port are obtained. If the IP, protocol and port of the message are in the whole-network linkage blacklist, the message is blocked, and if the IP of the message is an intranet IP, receipt information is additionally sent in uniform resource locator mode. If the IP, protocol and port of the message are not in the whole-network linkage blacklist, it is judged whether the IP of the message is an external-network IP: if so, the attack source information of the message is acquired and sent to the server; if it is an internal-network IP, the attack source information of the message is not reported.
The network security defense scheme of whole network linkage provided by the embodiment of the disclosure is applied to a firewall side and comprises the following steps: and receiving attack source information sent by a server, generating a whole-network linked blacklist according to the attack source information, and determining whether to block or release the message according to the whole-network linked blacklist when receiving the message. By adopting the technical scheme, the firewall which starts the security modules such as virus filtering and intrusion detection dynamically generates the attack source information aiming at the attack source in the network environment, and the attack source information is issued to all the firewalls registered on the server through the server, so that the firewall realizes the defense of various attacks under the condition that a plurality of security modules are not purchased, and the problem that the firewall loses the capability of resisting the attacks due to the fact that the security modules are not started is solved. In addition, for the firewall itself, the method of the embodiment of the disclosure not only can improve the self competitiveness, but also can save a part of the performance of the firewall and lighten the pressure of the firewall because the flow matched with the whole network linked blacklist in the firewall processing flow does not enter other security engine modules.
In an embodiment of the present disclosure, further includes: and sending the keep-alive message to the server according to a preset time interval.
The preset interval can be set to 12 hours, 24 hours or similar; sending the keep-alive message to the server at regular times proves that the firewall is still online. Because the capacity of the server's database is limited, this technical scheme prevents the position information of a disconnected firewall from remaining on the server and occupying its capacity, and thus further ensures the stability of the server.
Fig. 8 is a diagram illustrating a network security defense method of a further network-wide linkage in an embodiment of the present disclosure.
The firewall receives the message, acquires the Internet Protocol address (IP), protocol and port of the message, and blocks the message if its IP, protocol and port are in the whole-network linkage blacklist. If the IP of the message is an intranet IP, receipt information is also sent in uniform resource locator mode.
A uniform resource locator is a concise representation of the location and access method of a resource obtained from the Internet, i.e. the address of a standard resource on the Internet. The firewall receives the message and obtains its IP, protocol and port; if this IP, protocol and port are in the whole-network linkage blacklist, the message is prevented from passing. If the message is additionally detected to come from the intranet, receipt information must also be sent in uniform resource locator mode: when the access connection belongs to an intranet user, the firewall needs to send a feedback receipt message to that user, which can be returned in uniform resource locator mode so that the user sees a notice such as "The resource may contain a virus threat and has been blocked by the firewall!".
If the IP, protocol and port of the message are not in the whole-network linkage blacklist, it is judged whether the IP of the message is an external-network IP. That is, if the message information does not match the whole-network linked blacklist, the message must enter security modules such as virus filtering, intrusion detection and DDoS (Distributed Denial of Service) attack defense for security detection.
And under the condition that the IP of the message is the IP of the external network, acquiring attack source information of the message, and sending the attack source information to the server, and under the condition that the IP of the message is the IP of the internal network, not reporting the attack source information of the message. If the IP of the message detected by the security module is the external network, the firewall records the IP, the protocol and the port information of the message and reports the recorded IP, the protocol and the port information to the server.
If the source IP of the attack message is an intranet IP, no report is needed, for two reasons. First, the other security modules on the firewall generally block the traffic once they detect a security threat, so the attack source cannot reach the external network because the firewall is in the way. Second, if an internal-network IP were reported to the server as an attack source, the other firewalls would receive that attack source information and might block legitimate traffic in their own local area networks as an attack.
According to the network security defense scheme of the whole-network linkage, a message is received and its Internet Protocol address (IP), protocol and port are obtained; if the IP, protocol and port of the message are in the whole-network linkage blacklist, the message is blocked, and receipt information is sent in uniform resource locator mode if the IP of the message is an intranet IP. If the IP, protocol and port are not in the whole-network linkage blacklist, it is judged whether the IP of the message is an external-network IP; if it is, the attack source information of the message is acquired and sent to the server, and if it is an internal-network IP, the attack source information of the message is not reported. By adopting this technical scheme, comprehensive protection of the operator's own network is achieved without increasing installation cost or equipment working pressure, and the convenience of resisting network attacks is further improved.
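The firewall-side decision flow of fig. 8 in one function: blacklist match blocks without entering the other engines, an intranet match additionally gets a URL-mode receipt, and a threat found by the local engines is reported to the server only when the source is an external-network IP. This is an added example, not code from the patent; the configured intranet ranges, the receipt URL and the stand-in security module (a constructed signature match) are assumptions, as the page does not define how intranet IPs are recognised or how the engines detect.

```python
# Added example (not from the patent): fig. 8 as a single processing pipeline.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    src_ip: str
    protocol: str
    port: int
    payload: bytes = b""


class LinkageFirewall:
    def __init__(self, intranet_nets, report_to_server, receipt_url):
        self.blacklist = set()   # (ip, protocol, port) entries pushed by the server
        self.intranet = [ipaddress.ip_network(n) for n in intranet_nets]  # assumption: configured ranges
        self.report_to_server = report_to_server   # callable carrying attack source info to the server
        self.receipt_url = receipt_url             # assumption: URL shown to a blocked intranet user
        self.log = []

    def is_intranet(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.intranet)

    def security_modules(self, msg):
        # Stand-in for the virus-filtering / intrusion-detection / DDoS engines:
        # a constructed signature match, not a real detection engine
        return b"MALWARE-SIGNATURE" in msg.payload

    @staticmethod
    def _verdict(action, by, receipt=None, reported=False):
        return {"action": action, "by": by, "receipt": receipt, "reported": reported}

    def process(self, msg):
        key = (msg.src_ip, msg.protocol, msg.port)
        if key in self.blacklist:
            # Matched the linkage blacklist: block here, skipping the other engines,
            # which is where the page's performance saving comes from
            receipt = self.receipt_url if self.is_intranet(msg.src_ip) else None
            verdict = self._verdict("block", "linkage_blacklist", receipt=receipt)
        elif not self.security_modules(msg):
            verdict = self._verdict("release", None)
        else:
            # Threat found by the local engines: block, and report the source only
            # if it is an external-network IP (intranet sources are never reported)
            reported = not self.is_intranet(msg.src_ip)
            if reported:
                self.report_to_server(key)
            verdict = self._verdict("block", "security_module", reported=reported)
        self.log.append(verdict)
        return verdict


def demo():
    """Run five constructed messages through the pipeline; returns (outcomes, reports)."""
    reports = []
    fw = LinkageFirewall(["10.0.0.0/8", "192.168.0.0/16"], reports.append,
                         "http://fw.example.invalid/blocked?reason=linkage")
    fw.blacklist.add(("203.0.113.7", "TCP", 22))   # pushed by the server
    fw.blacklist.add(("10.0.5.4", "TCP", 445))     # constructed, to exercise the receipt branch
    msgs = [
        Message("203.0.113.7", "TCP", 22),                                  # extranet, on blacklist
        Message("10.0.5.4", "TCP", 445),                                    # intranet, on blacklist
        Message("198.51.100.9", "UDP", 53, b"query MALWARE-SIGNATURE"),    # extranet, engine hit
        Message("192.168.1.20", "TCP", 80, b"MALWARE-SIGNATURE"),          # intranet, engine hit
        Message("198.51.100.9", "TCP", 443, b"GET / HTTP/1.1"),            # clean
    ]
    outcomes = [(v["action"], v["by"], v["reported"], v["receipt"] is not None)
                for v in (fw.process(m) for m in msgs)]
    return outcomes, reports
```

The fourth message shows the second reason the page gives for not reporting intranet sources: the engine blocks it locally, and nothing is pushed to the server, so no other firewall will start blocking that LAN address.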
In the embodiment of the disclosure, when the value of the list in the whole-network linked blacklist is equal to a preset threshold, deleting the list in the whole-network linked blacklist to the preset value according to the list adding time sequence, and recording the operation of deleting the list in a log of the firewall.
In some embodiments, the preset threshold is controlled by a license (license) of the firewall, and when the specification specified in the license (preset threshold) is reached, the 50% blacklist added first is deleted, for example, the blacklist specification in the license is 20000, and when the blacklist reaches 20000, 10000 that is added first is deleted. And recording the operation of deleting the blacklist in a local log of the firewall.
According to the network security defense scheme of the whole network linkage, when the list value in the whole network linkage blacklist is equal to the preset threshold, deleting the list in the whole network linkage blacklist to the preset value according to the list adding time sequence, and recording the operation of deleting the list in a local log of any firewall. By adopting the technical scheme, the complexity of the real network environment is considered, and the full-network linkage blacklist of the firewall is ensured to be in a state of never exceeding time, so that the firewall is convenient for users to use.
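The firewall-side behaviour described above (blacklist match, receipt only for intranet sources, reporting only external sources, and license-bounded eviction of the oldest 50%), as an added illustration that is not the patent's code. It assumes a blacklist entry is the exact (IP, protocol, port) triple, that "intranet IP" means an RFC 1918 private address, and that a caller-supplied hypothetical hook stands in for the firewall's own virus filtering, intrusion detection or DDOS module; receipts and reports are returned rather than transmitted.

```python
"""Whole-network linked blacklist, firewall side (added example, not the patent's code)."""
import ipaddress
from collections import OrderedDict

# Assumption: "intranet IP" == RFC 1918 private address.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class LinkedFirewall:
    def __init__(self, license_limit, local_detection=None):
        # Blacklist capacity taken from the firewall license (L178 of the text).
        self.license_limit = license_limit
        # Insertion-ordered so the entries added first can be deleted first.
        self.blacklist = OrderedDict()
        self.log = []
        # Hypothetical hook: callable(ip, proto, port) -> True when the firewall's
        # own security module (virus filtering / IDS / DDOS) flags the message.
        self.local_detection = local_detection or (lambda ip, proto, port: False)

    def add_attack_source(self, ip, proto, port):
        """Record an attack source issued by the server; evict when the license limit is hit."""
        key = (ip, proto, port)
        self.blacklist.pop(key, None)      # re-adding refreshes the entry's age
        self.blacklist[key] = True
        if len(self.blacklist) >= self.license_limit:
            self._evict_oldest_half()

    def _evict_oldest_half(self):
        """Delete the 50% of entries added first and record the operation locally."""
        n_drop = self.license_limit // 2
        for _ in range(n_drop):
            self.blacklist.popitem(last=False)
        self.log.append("blacklist reached %d entries, deleted %d oldest"
                        % (self.license_limit, n_drop))

    def process(self, ip, proto, port):
        """Decide one received message.

        Returns {"action": "block"|"release",
                 "report": (ip, proto, port) to send to the server, or None,
                 "receipt": True when a blocked intranet source gets a URL receipt}.
        """
        key = (ip, proto, port)
        if key in self.blacklist:
            # Matched the linked blacklist: block; receipt only for intranet sources.
            return {"action": "block", "report": None, "receipt": is_intranet(ip)}
        if not self.local_detection(ip, proto, port):
            # Not in the blacklist and not flagged locally: release.
            return {"action": "release", "report": None, "receipt": False}
        if is_intranet(ip):
            # Internal attack sources are blocked locally but never reported,
            # so other firewalls do not start blocking their own LAN traffic.
            return {"action": "block", "report": None, "receipt": False}
        # External attack source: block and report the (ip, proto, port) triple.
        return {"action": "block", "report": key, "receipt": False}
```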
As an example scenario, as shown in fig. 9: (1) an attack packet from the Internet arrives at the firewall of local area network 1, which intercepts the attack and records the attack source information; (2) the firewall in local area network 1 reports the recorded attack source information to the external network server; (3) the server issues the attack source information to all the firewalls; (4) each firewall that receives the attack source information issued by the server records the attack source in its whole-network linked blacklist; (5) when an attack packet from the Internet arrives at the firewall of another local area network, that firewall detects that the packet matches its whole-network linked blacklist and blocks the packet.
More specifically, each firewall reports its own position information to the server and authenticates. After a firewall's virus filtering, intrusion detection or DDOS attack module detects an attack source, the firewall reports the attack source to the server, and the server sends the attack source information to all firewalls that have reported position information. A firewall dynamically generates a whole-network linked blacklist after receiving attack source information from the server, and any message that matches the whole-network linked blacklist is blocked. In addition, each firewall periodically sends keep-alive messages to the server to indicate that it is online.
Therefore, in the embodiment of the disclosure, the firewalls in the individual local area networks form a unified whole through linkage with the external network server: the server transmits attack source information to the firewall in each local area network, which dynamically generates a whole-network linked blacklist, so that even a firewall that has not enabled security engines such as virus filtering and intrusion detection obtains a certain degree of defensive capability.
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present disclosure. The server includes a receiving module 1001, a query acquisition module 1002 and a sending module 1003, which are implemented as follows:
a receiving module 1001, configured to receive attack source information sent by any firewall,
a query acquisition module 1002, configured to query the data table and obtain the position information of the target firewall,
And the sending module 1003 is configured to send the attack source information to the target firewall according to the location information of the target firewall, so that the target firewall generates a whole-network linked blacklist according to the attack source information, and when receiving the message, it determines to block or release the message according to the whole-network linked blacklist.
Optionally, the apparatus further comprises:
the receiving request module is used for receiving an authentication operation request sent by any firewall;
And the connection generating module is used for establishing a preset protocol connection with any firewall after the authentication operation request is authenticated, receiving the position information reported by any firewall, and generating a data table according to the position information.
Optionally, the apparatus further comprises:
The setting module is used for setting the offline time of any firewall;
The receiving and updating module is used for updating the offline time when receiving the keep-alive message of any firewall in the offline time;
and the deleting module is used for deleting the position information of any firewall from the data table when the keep-alive message of any firewall is not received in the offline time.
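The server side of the scenario above and of the modules just listed (data table of firewall position information, offline time refreshed by keep-alives, deletion on expiry, and fan-out of attack source information to every firewall still in the table), as an added illustration that is not the patent's code. Time is passed in as plain seconds so the logic is deterministic; authentication and the preset protocol connection are assumed to have already succeeded and are not modelled, and "sending" is recorded rather than transmitted.

```python
"""Whole-network linkage, server side (added example, not the patent's code)."""


class LinkageServer:
    def __init__(self, offline_seconds):
        # Setting module: the offline time applied to every firewall.
        self.offline_seconds = offline_seconds
        # Data table: firewall id -> {"location": (ip, proto, port), "expires": t}.
        self.table = {}
        # Record of (firewall id, attack source) pairs that were "sent".
        self.sent = []

    def register(self, fw_id, ip, proto, port, now):
        """Connection generating module: store the position information the
        firewall reported after authentication and start its offline timer."""
        self.table[fw_id] = {"location": (ip, proto, port),
                             "expires": now + self.offline_seconds}

    def expire(self, now):
        """Deleting module: drop every firewall whose offline time has elapsed.
        Returns the ids that were removed."""
        dead = [fid for fid, entry in self.table.items() if entry["expires"] <= now]
        for fid in dead:
            del self.table[fid]
        return dead

    def keep_alive(self, fw_id, now):
        """Receiving and updating module: a keep-alive received within the offline
        time pushes the timer forward; one arriving after expiry is rejected,
        because the position information is already gone from the table."""
        self.expire(now)
        if fw_id not in self.table:
            return False
        self.table[fw_id]["expires"] = now + self.offline_seconds
        return True

    def report_attack_source(self, attack_source, now):
        """Receiving module + query acquisition module + sending module: look up
        the position information of every online firewall and send the
        (ip, proto, port) attack source to each of them (the reporter included).
        Returns the list of (firewall id, location) targets."""
        self.expire(now)
        targets = []
        for fid, entry in self.table.items():
            targets.append((fid, entry["location"]))
            self.sent.append((fid, attack_source))
        return targets
```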
Fig. 11 is a schematic structural diagram of a firewall device according to an embodiment of the disclosure. The device includes a connection sending module 1101, a generation module 1102 and a processing module 1103, which are implemented as follows:
a connection sending module 1101, configured to receive attack source information sent by a server,
A generation module 1102, configured to generate a whole-network linked blacklist according to attack source information,
And a processing module 1103, configured to determine whether to block or release the message according to the whole network linked blacklist when receiving the message.
Optionally, the apparatus further comprises:
and the message sending module is used for sending the keep-alive message to the server according to the preset time interval.
Optionally, the processing module 1103 is specifically configured to:
Receiving a message, and acquiring an internet protocol address IP, a protocol and a port of the message;
Blocking the message when the IP, protocol and port of the message are in the whole network linkage blacklist; wherein, if the IP of the message is an intranet IP, the receipt information is sent by way of a resource locator (URL);
Judging, when the IP, protocol and port of the message are not in the whole network linkage blacklist, whether the IP of the message is an external network IP;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to a server;
And under the condition that the IP of the message is an intranet IP, not reporting the attack source information of the message.
Optionally, the apparatus further comprises:
And the deletion recording module is used for deleting entries in the whole network linked blacklist, in order of their adding time, down to a preset value when the number of entries in the whole network linked blacklist equals a preset threshold, and recording the deletion operation in the local log of the firewall.
The embodiment of the disclosure also provides a network security defense system of whole network linkage, wherein the system part comprises a server and a firewall.
The server and the firewall provided in this embodiment may execute the network security defense method of the whole network linkage provided in the above method embodiment, and the implementation principle and the technical effect are similar, and are not repeated here.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The network security defense method based on the whole network linkage is characterized by being applied to a server and comprising the following steps:
Receiving attack source information sent by any firewall; the attack source information is dynamically generated, for an attack source in the network environment, by a firewall on which a security module is enabled, and the security module comprises at least one of a virus filtering, intrusion detection and distributed denial of service (DDOS) attack module;
setting the offline time of any firewall;
Updating the offline time when receiving the keep-alive messages of any firewall in the offline time; the keep-alive message comprises attack source information sent by a corresponding firewall;
When the keep-alive message of any firewall is not received within the offline time, deleting the position information of that firewall from a data table;
Inquiring the data table to obtain the position information of the target firewall; the data table is a table for storing the position information of the firewall in advance, the position information comprises the IP, the protocol and the port of the firewall, and the target firewall is the firewall for storing the position information in the data table;
According to the position information of the target firewall, the attack source information is sent to the target firewall, so that the target firewall generates a whole network linked blacklist according to the attack source information, and when a message is received, the message is blocked or released according to the whole network linked blacklist;
When receiving a message, determining to block or release the message according to the whole network linked blacklist, including: receiving a message, and acquiring an internet protocol address (IP), a protocol and a port of the message;
Blocking the message when the IP, protocol and port of the message are in the whole network linkage blacklist; wherein, if the IP of the message is an intranet IP, the receipt information is sent by way of a resource locator (URL);
If the IP, protocol and port of the message are not in the whole network linkage blacklist, judging whether the IP of the message is an external network IP;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to the server;
And under the condition that the IP of the message is intranet IP, the attack source information of the message is not reported.
2. The network security defense method based on whole network linkage according to claim 1, further comprising:
receiving an authentication operation request sent by any firewall;
after the authentication operation request is authenticated, a preset protocol connection is established with any firewall, the position information reported by any firewall is received, and the data table is generated according to the position information.
3. The network security defense method based on whole network linkage is characterized by being applied to any firewall and comprising the following steps:
Receiving attack source information sent by a server; the attack source information is sent by the server based on the position information of the corresponding firewall, the position information of the firewall is obtained by querying a data table, the position information of any firewall is deleted from the data table when the keep-alive message of that firewall is not received within the offline time, the offline time is set for that firewall and is updated when its keep-alive message is received within the offline time, the keep-alive message comprises attack source information sent by the corresponding firewall, the attack source information is dynamically generated, for an attack source in the network environment, by a firewall on which a security module is enabled, the security module comprises at least one of a virus filtering, intrusion detection and distributed denial of service (DDOS) attack module, the data table is a table that pre-stores the position information of the firewalls, and the position information comprises the IP, protocol and port of the firewall;
Generating a whole-network linkage blacklist according to the attack source information;
receiving a message, and acquiring an internet protocol address (IP), a protocol and a port of the message;
Blocking the message when the IP, protocol and port of the message are in the whole network linkage blacklist; wherein, if the IP of the message is an intranet IP, the receipt information is sent by way of a resource locator (URL);
If the IP, protocol and port of the message are not in the whole network linkage blacklist, judging whether the IP of the message is an external network IP;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to the server;
And under the condition that the IP of the message is intranet IP, the attack source information of the message is not reported.
4. The network security defense method based on the whole network linkage according to claim 3, further comprising:
and sending a keep-alive message to the server according to a preset time interval.
5. The network security defense method based on the whole network linkage according to claim 3, further comprising:
And deleting entries in the whole-network linked blacklist, in order of their adding time, down to a preset value when the number of entries in the whole-network linked blacklist equals a preset threshold, and recording the deletion operation in the local log of the firewall.
6. A server, comprising:
The receiving module is used for receiving attack source information sent by any firewall; the attack source information is dynamically generated, for an attack source in the network environment, by a firewall on which a security module is enabled, and the security module comprises at least one of a virus filtering, intrusion detection and distributed denial of service (DDOS) attack module;
The setting module is used for setting the offline time of any firewall;
the receiving and updating module is used for updating the offline time when the keep-alive message of any firewall is received in the offline time; the keep-alive message comprises attack source information sent by a corresponding firewall;
the deleting module is used for deleting the position information of any firewall from the data table when the keep-alive message of any firewall is not received in the offline time;
the query acquisition module is used for querying the data table and acquiring the position information of the target firewall; the data table is a table for storing the position information of the firewall in advance, the position information comprises the IP, the protocol and the port of the firewall, and the target firewall is the firewall for storing the position information in the data table;
The sending module is used for sending the attack source information to the target firewall according to the position information of the target firewall so that the target firewall generates a whole-network linked blacklist according to the attack source information, and when receiving a message, the target firewall determines to block or release the message according to the whole-network linked blacklist;
When receiving a message, determining to block or release the message according to the whole network linked blacklist, including: receiving a message, and acquiring an internet protocol address (IP), a protocol and a port of the message;
Blocking the message when the IP, protocol and port of the message are in the whole network linkage blacklist; wherein, if the IP of the message is an intranet IP, the receipt information is sent by way of a resource locator (URL);
If the IP, protocol and port of the message are not in the whole network linkage blacklist, judging whether the IP of the message is an external network IP;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to the server;
And under the condition that the IP of the message is intranet IP, the attack source information of the message is not reported.
7. A firewall, comprising:
The connection sending module is used for establishing a preset protocol connection with the server and receiving attack source information sent by the server; the attack source information is sent by the server based on the position information of the corresponding firewall, the position information of the firewall is obtained by querying a data table, the position information of any firewall is deleted from the data table when the keep-alive message of that firewall is not received within the offline time, the offline time is set for that firewall and is updated when its keep-alive message is received within the offline time, the keep-alive message comprises attack source information sent by the corresponding firewall, the attack source information is dynamically generated, for an attack source in the network environment, by a firewall on which a security module is enabled, the security module comprises at least one of a virus filtering, intrusion detection and distributed denial of service (DDOS) attack module, the data table is a table that pre-stores the position information of the firewalls, and the position information comprises the IP, protocol and port of the firewall;
the generation module is used for generating a whole-network linkage blacklist according to the attack source information;
The processing module is used for determining whether to block or release the message according to the whole network linked blacklist when receiving the message;
The processing module is specifically configured to: receiving a message, and acquiring an internet protocol address (IP), a protocol and a port of the message;
Blocking the message when the IP, protocol and port of the message are in the whole network linkage blacklist; wherein, if the IP of the message is an intranet IP, the receipt information is sent by way of a resource locator (URL);
If the IP, protocol and port of the message are not in the whole network linkage blacklist, judging whether the IP of the message is an external network IP;
under the condition that the IP of the message is an external network IP, acquiring attack source information of the message and sending the attack source information to the server;
And under the condition that the IP of the message is intranet IP, the attack source information of the message is not reported.
8. A network security defense system based on whole network linkage, comprising: a plurality of servers as claimed in claim 6 and a firewall as claimed in claim 7.
CN202111316105.4A 2021-11-08 2021-11-08 Network security defense method, device and system based on whole network linkage Active CN114024752B (en)

Publications (2)

Publication Number Publication Date
CN114024752A CN114024752A (en) 2022-02-08
CN114024752B true CN114024752B (en) 2024-07-19

Family

ID=80062625

Country Status (1)

Country Link
CN (1) CN114024752B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant