CN114024767A - Password-defined network security system construction method, system architecture and data forwarding method - Google Patents

Publication number: CN114024767A (granted as CN114024767B)
Application number: CN202111411810.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 周伟, 荆晓亮, 袁喜凤
Original assignee: Zhengzhou Xinda Information Technology Research Institute Co ltd
Current assignee: Beijing Xinda Cloud Valley Technology Co.,Ltd.
Legal status: granted, active

Classifications

All codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication); H04L63/00 is network architectures or network communication protocols for network security.

    • H04L63/105 Multiple levels of security (under H04L63/10, controlling access to devices or network resources)
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes (under H04L63/02, separating internal from external traffic)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks where the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04)
    • H04L63/06 Supporting key management in a packet data network
    • H04L63/0823 Authentication of entities using certificates (under H04L63/08)
    • H04L63/123 Verification of received data contents, e.g. message integrity (under H04L63/12, applying verification of the received information)
    • H04L63/20 Managing network security; network security policies in general
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (under H04L67/00 network arrangements or protocols for supporting network services or applications, H04L67/01 protocols)
    • H04L2209/34 Encoding or coding, e.g. Huffman coding or error correction (under H04L2209/00, additional information relating to cryptographic mechanisms or arrangements for secret or secure communication, H04L9/00)


Abstract

The invention belongs to the technical field of network security and in particular relates to a password-defined network security system construction method, a system architecture and a data forwarding method. A plurality of entities describing network facilities and/or network resources are established, and entity attributes corresponding to each entity are generated from its characteristics; an entity identifier representing identity (ID) data is allocated to each entity; according to the service data flows, different cipher suites are used to group the entities in the network and divide them into corresponding control subdomains, the entities in the same key-grouping control subdomain establish trusted network links based on entity identifiers and a security policy, and a network boundary is defined for each key-grouping control subdomain. The invention relies on cryptographic technology and, based on entity identifiers, manages network equipment resources globally and uniformly; it adopts scenario-matched and diversified security policies for different service flows and data flows, ensures the confidentiality and integrity of communication data, and meets the security requirements of dynamically changing network applications.

Description

Password-defined network security system construction method, system architecture and data forwarding method
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a password-defined network security system construction method, a system architecture and a data forwarding method.
Background
Enterprise information security is an important but increasingly difficult problem, owing to the complexity of IT infrastructure and application architectures, the breadth and speed of user access, and the adversarial nature inherent in information security. Traditional security methods rely on boundary-based defense technology, such as deploying firewalls, intrusion detection systems and network access control at the network boundary. These are usually based on the five-tuple of the network flow (source IP, destination IP, source port, destination port and protocol); their security rules are insufficient, cannot adapt dynamically to the network context, and carry the risk of lagging behind events. Over time intrusion detection systems have become less efficient while the deployment of cloud-based resources and the use of encryption protocols have increased, mainly because of growth in network size and complexity. Traditional security methods provide only coarse-grained network access control: they can separate users, networks and applications only coarsely, the authority of an accessor is fuzzy and is often granted more permissions than actually required, and the risk of lateral attack inside the network is greatly increased. With dynamic or transient workloads running in local containerized or virtualized environments, and with the growth of remote user access, traditional security tools designed to protect a more static and deterministic IT infrastructure become less effective overall.
Disclosure of Invention
Therefore, the invention provides a password-defined network security system construction method, a system architecture and a data forwarding method, which rely on cryptographic technology, manage network equipment globally and uniformly based on entity identifiers, and can adopt scenario-matched and diversified security policies for different service flows and data flows, thereby ensuring the confidentiality and integrity of communication data and meeting communication security requirements.
According to the design scheme provided by the invention, the method for constructing the password-defined network security system comprises the following steps:
establishing a plurality of entities describing network facilities and/or network resources, generating entity attributes corresponding to each entity from its characteristics, and allocating to each entity an entity identifier representing identity (ID) data;
according to the service data flows, grouping the entities in the network with different cipher suites and dividing them into corresponding control subdomains, where the entities in the same key-grouping control subdomain establish trusted network links based on entity identifiers and a security policy, and a network boundary is defined for each key-grouping control subdomain.
As the method for constructing the password-defined network security system, further, the entities at least comprise the following types: user equipment through which a user accesses the network to access resources; a repeater acting as a security gateway that executes the security policy; a controller acting as the policy decision point that distributes tunnel policies to the repeaters; a domain manager that registers and manages the repeaters and controllers in the same control domain; a runtime log management system that continuously analyzes and manages the runtime logs of the controllers and repeaters; a continuous trusted management system that continuously monitors and maintains the state of the controller and repeater devices; a key management system for certificate and key management; a security management system that monitors the running of the system and formulates and adjusts tunnel policies; and an identity management system for access control management.
As the method for constructing the password-defined network security system, further, the entity attributes comprise: the entity type; logical attributes describing the entity's name, IP address and certificate; physical attributes describing the entity's hardware configuration and geographic location; and domain attributes describing the control subdomain to which the entity belongs.
As the method for constructing the password-defined network security system, further, the entity identifier is byte-encoded, and the encoding comprises: a tunnel type field, a network packet identification field, an entity type field, an entity number field, an affiliated domain manager field, an affiliated controller field, an intra-entity soft device number field, and reserved bytes.
The invention further provides a password-defined network security system architecture, realized based on the above method, in which the devices and resources in the network are sliced, the network is divided with cipher suites into a plurality of control subdomains that correspond to the service data flows and are cryptographically isolated from each other, the related entities in each control subdomain are associated through entity identifiers, and a data forwarding path is selected based on a channel identifier to forward the flow's data packets.
As the password-defined network security architecture of the present invention, further, the devices in the network include but are not limited to: user equipment through which a user accesses the network to access resources; a repeater acting as a security gateway that executes the security policy; a controller acting as the policy decision point that distributes tunnel policies to the repeaters; and a domain manager that registers and manages the repeaters and controllers in the same control domain.
As the password-defined network security architecture of the present invention, further, the resources in the network include but are not limited to: a runtime log management system that continuously analyzes and manages the runtime logs of the controllers and repeaters; a continuous trusted management system that continuously monitors and maintains the state of the controller and repeater devices; a key management system for certificate and key management; a security management system that monitors the running of the system and formulates and adjusts tunnel policies; and an identity management system for access control management.
Further, the present invention also provides a data forwarding method for the password-defined network security system, implemented based on the above architecture, which associates the physical entities and the logical entities in the network through entity identifiers. The physical entities comprise: user equipment through which a user accesses the network to access resources; repeaters acting as security gateways that execute the security policy; controllers acting as policy decision points that distribute tunnel policies to the repeaters; and domain managers that register and manage the repeaters and controllers in the same control domain. The logical entities comprise: a runtime log management system that continuously analyzes and manages the runtime logs of the controllers and repeaters; a continuous trusted management system that continuously monitors and maintains the state of the controller and repeater devices; a key management system for certificate and key management; a security management system that monitors the running of the system and formulates and adjusts tunnel policies; and an identity management system for access control management. The forwarding process comprises the following:
the repeater, on a request from the user equipment, applies to the controller for a security policy for forwarding the data;
the controller, according to the forwarding request information sent by the repeater, obtains an authentication and authorization decision from the identity management system to determine whether the repeater may establish a tunnel connection, and obtains from the security management system the security policy for creating the password-defined network between the repeaters; the forwarding request information comprises the five-tuple of the data to be forwarded, the entity identifiers of the repeater and the user equipment, and the access time;
the repeater establishes a secure channel based on the channel identifier according to the security policy, and encrypts and forwards the data packets based on that channel identifier.
As the data forwarding method of the password-defined network security system, the controller accesses the identity management system with the forwarding request information, looks up the entity attributes by entity identifier, obtains the security level corresponding to those attributes, judges whether the forwarding behavior described by the request is legitimate and whether it meets the security level requirement, and, where the forwarding behavior is legitimate, authorizes it according to the security level; the controller then accesses the security management system with the forwarding request information and the security level, looks up the communication connection information and the channel identifier by entity identifier, and generates a security policy according to the security level. The security policy includes but is not limited to: communication connection information, the channel identifier, the cipher suite, the key exchange algorithm and the key update period.
Data packets flowing through the secure channel carry the channel identifier to distinguish the password-defined network of the control subdomain, and feedback is performed according to the security policy to maintain the life cycle of the password-defined network.
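The controller's side of the forwarding process described above, as an added example that is not the patent's own code: the identity management and security management systems are in-memory stand-ins, and the security-level scale, subdomain names, cipher-suite labels and the rule that the request's source address must match the user equipment's IP attribute are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # src IP, dst IP, src port, dst port, protocol


@dataclass
class EntityAttributes:
    """Identity-store record: entity type plus logical and domain attributes."""
    entity_id: str
    entity_type: str        # "user_equipment", "repeater", ...
    ip: str                 # logical attribute (name and certificate omitted here)
    control_subdomain: str  # domain attribute
    security_level: int     # level identity management assigns; a 1..3 scale is assumed
    trusted: bool = True    # latest state from continuous trusted management (assumed)


@dataclass(frozen=True)
class ForwardRequest:
    five_tuple: FiveTuple
    repeater_id: str
    user_equipment_id: str
    access_time: datetime   # carried for logging; not part of the decision here


@dataclass(frozen=True)
class SecurityPolicy:
    connection: FiveTuple
    channel_id: str
    cipher_suite: str
    key_exchange: str
    key_update_period_s: int


class IdentityManagement:
    """Stand-in for the identity management system: attribute lookup plus the
    authentication/authorization decision the controller asks it for."""

    def __init__(self, entities: List[EntityAttributes], required_level: Dict[str, int]):
        self._entities = {e.entity_id: e for e in entities}
        self._required_level = required_level  # minimum level per control subdomain

    def authorize(self, req: ForwardRequest) -> Tuple[Optional[int], str, str]:
        """Return (granted level, subdomain, reason); level is None when denied."""
        ue = self._entities.get(req.user_equipment_id)
        rp = self._entities.get(req.repeater_id)
        if ue is None or rp is None:
            return None, "", "unknown entity identifier"
        if ue.entity_type != "user_equipment" or rp.entity_type != "repeater":
            return None, "", "entity type does not match its role in the request"
        if not (ue.trusted and rp.trusted):
            return None, "", "an endpoint is not in a trusted state"
        if ue.control_subdomain != rp.control_subdomain:
            return None, "", "endpoints belong to different control subdomains"
        if req.five_tuple[0] != ue.ip:
            return None, "", "source address does not belong to the user equipment"
        level = min(ue.security_level, rp.security_level)
        if level < self._required_level.get(ue.control_subdomain, 3):
            return None, "", "security level below the subdomain requirement"
        return level, ue.control_subdomain, "authorized"


class SecurityManagement:
    """Stand-in for the security management system: issues the tunnel policy.
    Suite labels are placeholders; the text only contrasts a national
    cryptographic suite (high level) with an international one (lower level)."""
    SUITES = {
        3: ("national-cryptographic-suite", "national-key-exchange", 3600),
        2: ("international-suite", "international-key-exchange", 86400),
        1: ("international-suite", "international-key-exchange", 86400),
    }

    def __init__(self):
        self._issued = 0

    def policy_for(self, req: ForwardRequest, level: int, subdomain: str) -> SecurityPolicy:
        self._issued += 1  # fresh channel identifier: one exclusive channel per request
        suite, kex, period = self.SUITES[level]
        return SecurityPolicy(req.five_tuple, f"{subdomain}-ch{self._issued:04x}", suite, kex, period)


class Controller:
    """Policy decision point: identity management first, then security management."""

    def __init__(self, idm: IdentityManagement, sm: SecurityManagement):
        self.idm, self.sm = idm, sm

    def decide(self, req: ForwardRequest) -> Tuple[Optional[SecurityPolicy], str]:
        level, subdomain, reason = self.idm.authorize(req)
        if level is None:
            return None, reason
        return self.sm.policy_for(req, level, subdomain), reason


def make_request(five_tuple: FiveTuple, repeater_id: str, ue_id: str) -> ForwardRequest:
    """Build a forwarding request stamped with the current access time."""
    return ForwardRequest(five_tuple, repeater_id, ue_id, datetime.now(timezone.utc))


def build_demo() -> Controller:
    """Constructed sample deployment: two control subdomains, as in fig. 3."""
    entities = [
        EntityAttributes("ue-1", "user_equipment", "10.1.0.10", "cdn-1", 3),
        EntityAttributes("rp-1", "repeater", "10.1.0.1", "cdn-1", 3),
        EntityAttributes("ue-2", "user_equipment", "10.2.0.20", "cdn-2", 2),
        EntityAttributes("rp-2", "repeater", "10.2.0.1", "cdn-2", 2),
    ]
    return Controller(IdentityManagement(entities, {"cdn-1": 3, "cdn-2": 1}), SecurityManagement())
```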
The beneficial effects of the invention are as follows:
the invention realizes a password-defined boundary by combining entity identifiers, security policies and similar means, establishes trusted network links, and lets the devices in the same key group form a network; network access is protected by an encryption protocol, guaranteeing the confidentiality and integrity of communication content; channel separation is realized, with each access request using an exclusive encrypted channel, so that the needs of users for remote, multi-device-type, multi-scenario and mobile access to resources can be met; identity authentication is performed before the network accesses resources, so that application resources can be reached over the network only after authorization, which makes attacks more difficult; the security of devices is tracked continuously and trustably, strengthening the overall security of the system and guaranteeing the security of the channel as well as of both of its endpoints; and by dividing the network into physical and logical entities and binding entity identifiers, the whole security system is systematized and easy to manage uniformly, static and dynamic security policies meet the needs of dynamic network change, and the method has good application prospects.
Description of the drawings:
FIG. 1 is a flow chart of a method for constructing a password-defined network security architecture in an embodiment;
FIG. 2 is a schematic representation of entity identifier encoding in an embodiment;
FIG. 3 is a schematic diagram of a password-defined network in an embodiment;
FIG. 4 is a schematic diagram of the deployment of the password-defined network security architecture in the embodiment.
The specific implementation is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer, the invention is further described in detail below with reference to the accompanying drawings and technical solutions.
An embodiment of the present invention, as shown in fig. 1, provides a method for establishing a password-defined network security architecture, including:
S101, establishing a plurality of entities describing network facilities and/or network resources, generating entity attributes corresponding to each entity from its characteristics, and allocating to each entity an entity identifier representing identity (ID) data;
S102, according to the service data flows, grouping the entities in the network with different cipher suites and dividing them into corresponding control subdomains, where the entities in the same key-grouping control subdomain establish trusted network links based on entity identifiers and a security policy, and at the same time a network boundary is defined for each key-grouping control subdomain.
In this embodiment, in order to address the complexity of the network architecture, the breadth and speed of user access, and similar problems, a dynamic and flexible password-defined network security system is constructed based on entity identifiers and security policies: control subdomains corresponding to service requirements are divided, and trusted network connections between the entities in a control subdomain are established based on entity identifiers and the security policy using different cipher suites. This overcomes the security weaknesses of static network boundary defense in the prior art; with resource services as the orientation, multiple channels are separated and protected with ciphertext, the enterprise's information security is noticeably strengthened, and higher service agility can be supported.
As the method for constructing the password-defined network security architecture in the embodiment of the present invention, further, the entities at least comprise the following types: user equipment through which a user accesses the network to access resources; a repeater acting as a security gateway that executes the security policy; a controller acting as the policy decision point that distributes tunnel policies to the repeaters; a domain manager that registers and manages the repeaters and controllers in the same control domain; a runtime log management system that continuously analyzes and manages the runtime logs of the controllers and repeaters; a continuous trusted management system that continuously monitors and maintains the state of the controller and repeater devices; a key management system for certificate and key management; a security management system that monitors the running of the system and formulates and adjusts tunnel policies; and an identity management system for access control management. Further, the entity attributes comprise: the entity type; logical attributes describing the entity's name, IP address and certificate; physical attributes describing the entity's hardware configuration and geographic location; and domain attributes describing the control subdomain to which the entity belongs.
Network infrastructure, users, accessed resources and so on are defined as entities, each described by a set of entity attributes. Entity attributes are a set of characteristics of an entity; these characteristics may be used alone or in combination to form a unique identity that distinguishes the entity from other entities. The entity attributes comprise: entity type, logical attributes, physical attributes and domain attributes. The logical attributes of an entity are its name, IP address and certificate; its physical attributes are its hardware configuration and geographic location; its domain attribute is the control subdomain to which it belongs. In general, a password-defined network divides the network into one or more control subdomains to reduce the attack surface.
The entities of the password-defined network security architecture are as follows. User equipment is the equipment a user uses to access the network and its resources. Repeaters act as security gateways that execute the security policy; encrypted channels are established between repeaters to cryptographically protect network traffic and ensure the confidentiality, integrity and authentication of data. The controller is the policy decision point: when two repeaters want to establish a security tunnel, the controller distributes the tunnel policy to them. The domain manager accepts the registration of the repeater and controller devices in the same control domain, generates the entity identifier, certificate and credentials of each registered device, and issues them to that device. The runtime log management system continuously receives and manages the runtime logs from the controllers and repeaters; analysis of these logs can produce effect graphs of policy execution, and the runtime log management system forwards the logs to the security management system. The continuous trusted management system monitors and maintains the device trustworthiness of the controllers and repeaters, continuously monitors their device security state information, and provides security state reports on the controllers and repeaters to the security management system. The key management system generates and manages certificates and keys. The security management system monitors the running of the whole security system and formulates or revises tunnel policies. The identity management system provides the techniques and business processes for controlling access.
It mainly comprises an identity store, which holds the information related to each entity and describes the attributes of the entity's meaningful data, these attributes being used to verify a user's access rights and being the basis on which identity is verified; identity life-cycle management; and access control, which uses multi-factor authentication, typically with a certificate (and its supporting systems) to authenticate user and device identities.
As the method for constructing the password-defined network security system in the embodiment of the present invention, further, the entity identifier is byte-encoded, and the encoding comprises: a tunnel type field, a network packet identification field, an entity type field, an entity number field, an affiliated domain manager field, an affiliated controller field, an intra-entity soft device number field, and reserved bytes.
The password-defined network brings entities such as the network infrastructure, users and accessed resources under unified management based on entity identifiers. The entity identifier uniquely identifies an entity. Referring to fig. 2, the entity identifier may be a 16-byte encoded data field comprising a 1-byte tunnel type, a 2-byte network packet identifier, a 1-byte entity type, a 4-byte entity number, a 1-byte affiliated domain manager, a 2-byte affiliated controller, a 1-byte intra-entity soft device number, and 2 bytes of reserved data. In fig. 2, the identifier encoding of a platform system entity ignores the domain manager, controller and intra-entity soft device number fields; in the encoded representation of an entity, the identifier field is obtained by adding or deleting the encoding bytes of unrelated entities, or by changing the length of the encoding field, according to the actual application.
Entities such as repeaters and controllers register with the domain manager. The domain manager calls the service interface of the identity management system, which authenticates the registering device; once authentication passes, the registering device is assigned a number of different attributes, the corresponding resource permissions are looked up in the access control table according to the attribute-based access control policy, the registering device is authorized, and its entity identifier, certificate and credentials are generated. The domain manager issues the entity identifier, certificate and credentials to the registered device, binding the entity identifier to it, so that the entity is brought into the whole security system for unified management.
According to the service category, the devices in the network are divided into different network groups based on different cipher suites. Within a group the devices trust each other based on identifiers and trusted certificates and can establish trusted network links with each other, so that the devices in the same key group form a network, trusted links are established based on identifiers (and on keys, trusted certificates and the like), and the network boundary is defined.
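An encoder and decoder for the entity identifier layout of fig. 2 as described above, added here as an example (not the patent's own code). It follows the listed field widths exactly; note that those widths sum to 14 bytes, and which two bytes make up the 16 mentioned in the text is not stated. Big-endian byte order, the numeric codes for the nine entity types, and reading the network packet identification field as the key-group number are assumptions.

```python
import struct
from dataclasses import dataclass

# Numeric codes for the nine entity types the text lists. The text names the
# types but gives no code values, so these are constructed for this example.
ENTITY_TYPES = {
    1: "user_equipment", 2: "repeater", 3: "controller", 4: "domain_manager",
    5: "runtime_log_management", 6: "continuous_trusted_management",
    7: "key_management", 8: "security_management", 9: "identity_management",
}
# Platform (logical) systems: per the description of fig. 2 their identifier
# ignores the domain manager, controller and intra-entity soft device fields.
PLATFORM_TYPES = frozenset({5, 6, 7, 8, 9})

# Field widths exactly as listed: tunnel type (1), network packet identifier (2),
# entity type (1), entity number (4), domain manager (1), controller (2),
# soft device number (1), reserved (2). Big-endian is assumed.
LAYOUT = struct.Struct(">BHBIBHBH")
ENTITY_ID_LEN = LAYOUT.size  # 14 bytes


@dataclass(frozen=True)
class EntityId:
    tunnel_type: int
    network_group: int       # "network packet identification" field; assumed to
                             # carry the key-grouping control subdomain number
    entity_type: int
    entity_number: int
    domain_manager: int = 0  # 0 for platform entities
    controller: int = 0      # 0 for platform entities
    soft_device: int = 0     # 0 for platform entities
    reserved: int = 0

    def _check(self) -> None:
        if self.entity_type not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type {self.entity_type}")
        if self.entity_type in PLATFORM_TYPES and (
            self.domain_manager or self.controller or self.soft_device
        ):
            raise ValueError("platform entity identifiers carry no domain "
                             "manager, controller or soft device fields")

    def encode(self) -> bytes:
        """Serialize to the byte encoding; rejects out-of-range fields."""
        self._check()
        try:
            return LAYOUT.pack(self.tunnel_type, self.network_group,
                               self.entity_type, self.entity_number,
                               self.domain_manager, self.controller,
                               self.soft_device, self.reserved)
        except struct.error as exc:
            raise ValueError(f"field out of range: {exc}") from exc

    @classmethod
    def decode(cls, raw: bytes) -> "EntityId":
        """Parse an encoded identifier, validating length and field rules."""
        if len(raw) != ENTITY_ID_LEN:
            raise ValueError(f"expected {ENTITY_ID_LEN} bytes, got {len(raw)}")
        eid = cls(*LAYOUT.unpack(raw))
        eid._check()
        return eid

    @property
    def type_name(self) -> str:
        return ENTITY_TYPES[self.entity_type]

    @property
    def is_platform(self) -> bool:
        return self.entity_type in PLATFORM_TYPES

    def same_key_group(self, other: "EntityId") -> bool:
        """Trusted links are only established between entities of one key group."""
        return self.network_group == other.network_group
```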
Further, based on the implementation of the above method, an embodiment of the present invention further provides a password-defined network security architecture, where devices and resources in a network are sliced, a password suite is adopted to divide the network into a plurality of control sub-domains corresponding to a service data stream and isolated by a password, entity identifiers are used to associate related entities in each control sub-domain, and a data forwarding path is selected based on a channel identifier to forward a stream data packet.
Passwords define that the network's forwarding of data is performed according to a security policy, which is a set of access rules based on other factors, such as the allocation to users (devices), networks, resources, and environmental threats. The security policy is dynamic, and is strictly enforced when forwarding data. The strategy realizes that trust link is established based on security strategy in network grouping on the basis of password definition network division, and service communication is limited in password definition network boundary. As shown in fig. 3, 2 password-defined networks, in order to satisfy the requirements of high security level, strict key usage period management, protocol type filtering, and the like for transmitting internal files between devices in the password-defined network 1, a national-secret encryption password suite may be used to implement the file transmission encryption function between devices; the equipment in the password definition network 2 is in communication encryption communication for meeting daily work, the security level is low, and an international encryption algorithm suite can be used to realize encryption communication of daily work communication contents. There may be an intersection between the devices of the two networks, such as device 1 and device 2 in the figure; inside the password-defined network, channel separation is implemented, such as A, B and C in password-defined network 1, a, b and C in password-defined network 2; the boundary definition division is beneficial to the realization of the security policy based on the identification, the grouping management of the policy and the channel separation management based on the policy can be realized, and the device in the figure can be a security gateway or a host for installing a security agent program. 
Beyond the two password-defined networks shown in the diagram, in practice a password-defined network can also be divided using other cipher suites to meet the functional requirements of different service types.
Security policies are generated from many factors, including identity authentication, resource auditing, resource access, network connectivity, and the evaluation of threats and security events. A security policy is made or revised by an administrator through the security management system, or is generated automatically. For example, the runtime log management system analyses runtime program exception reports, network traffic logs, tunnel policy execution logs, abnormal network behaviour or network security events, detects an abnormal event and reports it to the security management system, which generates a security policy according to a preset algorithm. As another example, the continuous trusted management system monitors the security configuration state and security monitoring logs of the entities in the password-defined network security system, for instance whether an entity is running the correct operating system and application programs and whether it is running under the correct configuration, and provides an entity security configuration state report to the security management system, which generates a security policy according to a preset algorithm.
Further, based on the above architecture, an embodiment of the present invention also provides a data forwarding method for the password-defined network security system, in which the physical entities and logical entities in the network are associated through entity identifiers. The physical entities comprise: user equipment used by a user to access the network and perform resource access; a forwarder serving as a security gateway that executes the security policy; a controller serving as a policy decision point that distributes tunnel policies to the forwarder; and a domain manager that registers and manages the forwarders and controllers in the same control domain. The logical entities comprise: a runtime log management system that continuously analyses and manages the runtime logs of the controller and forwarder; a continuous trusted management system that continuously monitors and maintains the state of the controller and forwarder devices; a key management system for certificate and key management; a security management system that monitors the system's operation and makes and adjusts tunnel policies; and an identity management system for access control management. The forwarding process comprises the following:
the forwarder applies to the controller for a security policy for data forwarding according to the request of the user equipment;
the controller, according to the forwarding request information sent by the forwarder, obtains an authentication and authorization decision from the identity management system to determine whether the forwarder may establish a tunnel connection, and obtains from the security management system a security policy for creating a password-defined network between the forwarders, wherein the forwarding request information comprises: the five-tuple of the forwarded data, the entity identifiers of the forwarder and the user equipment, and the access time;
the forwarder establishes a secure channel based on the channel identifier according to the security policy, and encrypts and forwards the data packets based on the channel identifier.
When the forwarder forwards data, it applies to the controller for a security policy for that data. The controller takes as input the five-tuple of the forwarded data, the entity identifier of the forwarder, the entity identifier of the user equipment and other information; its decision bases come from the security management system and the identity management system respectively. According to the authentication and authorization decision of the identity management system, the controller determines whether a tunnel connection may be established between the forwarders; according to the security policy issued by the security management system, the controller manages the establishment of the password-defined network between the forwarders. The controller is always online and maintains service connections with these systems through specific interfaces.
Further, in the data forwarding method of the embodiment, the controller accesses the identity management system with the forwarding request information, looks up the entity attributes by entity identifier, obtains the security level corresponding to those attributes, determines whether the forwarding behaviour described by the request is legal and meets the security level requirement, and, if it is legal, authorizes the forwarding according to the security level. The controller then accesses the security management system with the forwarding request information and the security level, looks up the communication connection information and the channel identifier by entity identifier, and obtains a security policy generated according to the security level; the security policy includes, but is not limited to: communication connection information, channel identifier, cipher suite, key exchange algorithm and key update period. Further, the data packets in the secure channel's traffic carry the channel identifier to distinguish the password-defined network of the control sub-domain, and feedback is returned so that the life cycle of the password-defined network is maintained according to the security policy.
The controller accesses the identity management system with the five-tuple of the forwarded data, the access time, the forwarder entity identifier, the user equipment entity identifier and other information. Based on the identifiers it looks up the identity information stored in the system, such as deployed geographic location and role, assigns each attribute its corresponding security level, takes the intersection of all the attribute security levels as the final security level, and judges the legality and security level requirement of the data access behaviour according to a preset access control algorithm. If the behaviour is illegal, a forwarding-prohibited policy is issued; if it is legal, issuance of the security policy is authorized according to the security level. The controller then accesses the security management system with the five-tuple, the forwarder entity identifier, the user equipment entity identifier, the access security level and the like; the security management system searches its stored security policy information for these inputs to obtain the network communication connection information and the encrypted channel identifier, generates parameters such as the corresponding cipher suite, key exchange algorithm and key update period according to the security level, assembles them into the security policy to be issued, and issues it to the controller.
The controller issues the received security policies to each forwarder that needs to establish communication. The forwarders parse the policy content and establish a secure network channel based on the channel identifier; data packets in the channel's traffic carry the channel identifier, which distinguishes the different password-defined networks; encrypted forwarding of data packets is performed based on the channel identifier, and the life cycle of the network is maintained based on the channel identifier.
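The controller's two-step decision described above (identity lookup and security level intersection, then policy generation), as an added illustration in Python. This is not code from the patent: the identity store, the attribute-to-level table, the access-control rule, the policy parameters and the channel identifier derivation are constructed sample data, and the "intersection" of attribute security levels is interpreted as taking the minimum level.

```python
"""Controller decision flow for a forwarding request (added illustration).

Not the patent's own code.  The identity store, attribute-to-level table,
access-control rule and policy parameters are constructed sample data; the
"intersection" of the attribute security levels is taken as the minimum.
"""
import hashlib
from dataclasses import dataclass

# Constructed security-level scale: higher value = stricter requirement.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed identity store keyed by entity identifier (identity management system).
IDENTITY_STORE = {
    "ue-0001": {"role": "engineer", "location": "hq-campus"},
    "ue-0002": {"role": "contractor", "location": "remote"},
    "fw-0007": {"role": "gateway", "location": "hq-campus"},
}

# Constructed mapping from an attribute value to its security level.
ATTRIBUTE_LEVELS = {
    ("role", "engineer"): "confidential",
    ("role", "contractor"): "internal",
    ("role", "gateway"): "secret",
    ("location", "hq-campus"): "secret",
    ("location", "remote"): "internal",
}

# Constructed access-control rule: only TCP flows to these resource ports are
# legal, and the destination port dictates the level the requester must reach.
RESOURCE_PORT_LEVELS = {443: "internal", 8443: "confidential", 9443: "secret"}

# Constructed policy parameters per security level:
# (cipher suite, key exchange algorithm, key update period in seconds).
PARAMS_BY_LEVEL = {
    0: ("TLS_AES_128_GCM_SHA256", "x25519", 86400),
    1: ("TLS_AES_128_GCM_SHA256", "x25519", 3600),
    2: ("TLS_AES_256_GCM_SHA384", "x25519", 900),
    3: ("TLS_AES_256_GCM_SHA384", "x25519", 300),
}


@dataclass(frozen=True)
class ForwardRequest:
    """Forwarding request information sent by the forwarder to the controller."""
    five_tuple: tuple      # (src_ip, dst_ip, src_port, dst_port, proto)
    forwarder_id: str
    device_id: str
    access_time: int       # seconds since the epoch


def entity_level(entity_id):
    """Look up an entity's attributes and reduce them to one security level."""
    attrs = IDENTITY_STORE.get(entity_id)
    if attrs is None:
        return None                      # unknown identifier: no level at all
    levels = [LEVELS[ATTRIBUTE_LEVELS[item]]
              for item in attrs.items() if item in ATTRIBUTE_LEVELS]
    return min(levels) if levels else None


def authorize(req):
    """Identity-management step: (legal?, granted security level)."""
    device, forwarder = entity_level(req.device_id), entity_level(req.forwarder_id)
    if device is None or forwarder is None:
        return False, None
    granted = min(device, forwarder)     # both endpoints bound the level
    _src, _dst, _sport, dport, proto = req.five_tuple
    required = RESOURCE_PORT_LEVELS.get(dport)
    if proto != "tcp" or required is None or granted < LEVELS[required]:
        return False, None
    return True, granted


def make_policy(req, level):
    """Security-management step: connection info, channel id and parameters."""
    src, dst, sport, dport, proto = req.five_tuple
    suite, kex, period = PARAMS_BY_LEVEL[level]
    # Constructed channel identifier: stable for the same endpoints and flow.
    digest = hashlib.sha256(
        f"{req.forwarder_id}|{req.device_id}|{dst}|{dport}".encode()).digest()
    return {
        "action": "allow",
        "connection": {"src": src, "dst": dst, "sport": sport,
                       "dport": dport, "proto": proto},
        "channel_id": int.from_bytes(digest[:4], "big"),
        "cipher_suite": suite,
        "key_exchange": kex,
        "key_update_period_s": period,
    }


def decide(req):
    """Full controller decision: a forwarding-prohibited policy or a flow policy."""
    legal, level = authorize(req)
    if not legal:
        return {"action": "deny", "channel_id": None}
    return make_policy(req, level)
```

A denied request yields only a prohibition; an allowed one yields the channel identifier and cipher parameters the forwarders later use, and because the identifier is derived from the endpoints and destination, repeated requests for the same flow map to the same channel.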
The password-defined network security architecture is a closed-loop system that connects every physical entity and logical entity through entity identifiers. The security policy is executed between the forwarder physical entities; once a data transmission channel (a logical entity) meeting the various service requirements has been established based on the channel identifier, successful execution of the policy is fed back, so that the controller physical entity and the security management system physical entity can perform life cycle management of the defined network.
Deployment of the security system of this scheme is explained further with reference to fig. 4, in which dotted lines are registration signalling links, thick lines are control signalling links and thin lines are data links; different links use different identifiers, and the scheme is an embodiment of channel separation based on different services and different cipher suites. The security system comprises: a security agent on the user device, application resources, a forwarder placed in front of the application resources in the network, a controller, an identity management system, a key management system, a security management system and a security system continuous monitoring platform. The workflow of the deployed security architecture may be described as follows:
The administrator applies to the identity management system for a user name for the security agent and a serial number for the security agent software, and assigns them to the security agent software. The user installs the security agent on the user device and configures it. The security agent and the domain manager perform a TLS handshake; since no certificate exists yet, authentication relies on a custom extension field in TLS. The user name and security agent serial number are carried in the custom extension field, and the domain manager presents them to the authentication interface of the identity management system for two-factor identity authentication, thereby achieving authentication and key exchange and generating the session key and session channel identifier used during registration. This is equivalent to establishing a ciphertext registration channel between the security agent and the domain manager, ensuring the confidentiality and integrity of registration signalling; by distinguishing on identifiers and using different cipher suites, the registration channel is separated from the control channel and data channel described below.
The user enters the pre-assigned user name and a self-chosen password, and the user device registers with the domain manager through the security agent, providing device system information, device network information, the user name, the password and the like in order to obtain an entity identifier, a certificate and a credential. The domain manager calls an interface of the identity management system to upload the device's registration information; after the identity management system authenticates it, the registration information is stored and an entity identifier for the user device is issued. The domain manager then requests the certificate and credential by calling the key management system service, obtains the certificate and credential issued to the registering device, and finally replies to the device's registration request, delivering the entity identifier, certificate and credential. After this, the controller and the forwarder also register with the domain manager to obtain their entity identifiers; the process is similar and is not repeated here.
The security management system arranges the policy and sends a policy rule set to the controller. The policy set contains a cipher suite, which the security management system generates by calling a service interface of the key management system. The controller issues one or more security policies to the forwarder, allowing the user device to access one application resource or one group of application resources but not the other application resources behind the forwarder. Different security policies carry different channel identifiers; the channel identifier identifies the policy, and the system performs life cycle management of security policies, established channels and the like by channel identifier. This is the core embodiment of the password-defined network.
The user device logs in to the controller through the security agent; the login information includes the user name, the entity identifier and the like, and is cryptographically protected with a pre-shared key contained in the credential. The controller calls an interface of the security management system to upload the user's access request information; the security management system calls the identity management system service interface, and after authentication passes it authorizes the controller to issue a secure connection policy to the user device.
After the user device receives the secure connection policy, a TLS handshake is executed between the device's security agent and the forwarder. The handshake is initiated by the security agent; the forwarder establishes as many TLS sessions as the number of security policies it received, mutual certificate authentication is performed within each session, and a session key is finally derived. One or more encrypted channels are thereby established between the security agent and the forwarder, each marked by a different channel identifier, which separates the encrypted channels by service flow and establishes a trust link between the accessor and the resource. The list of application resources the user may access is sent as TLS extension information after the handshake phase; because it is ciphertext, leakage of the list is prevented. The security agent creates a virtual network interface on the user device, adds routing table entries according to the application resource list obtained when the TLS session was established, and routes the user's traffic to those application resources into the virtual interface. The security agent thus captures network packets from the virtual interface, selects the encryption path according to the destination network address, adds the encrypted channel identifier to the packet, and encrypts and transmits it. On receiving the encrypted traffic, the forwarder selects the key and algorithm for decryption according to the encrypted channel identifier in the packet, and then delivers the traffic to the application resource behind it.
Packet processing from the application resource back to the security agent is similar. The security agent also monitors device state: when it detects a device abnormality it reports to the security management system, which reports the event to the security system monitoring platform. That platform consists of the continuous trusted management system and the runtime log management system; it collects device trust reports and runtime log records during operation and makes a decision according to the event and the log records. Based on the decision, the security management system dynamically issues an emergency policy to the forwarder, which looks up its channel records and closes the encrypted channel to the security agent identified by the channel identifier in the policy. The forwarder also traverses its local security policy life cycle records by channel identifier; when it finds that a policy has expired, it actively disconnects the encrypted channel corresponding to that policy without affecting the normal operation of the other channels, which demonstrates the advantage of channel separation.
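The agent-side routing into per-channel encryption and the forwarder-side selection, expiry and emergency closure of channels by channel identifier, as an added Python illustration that is not the patent's own code. The frame layout (clear channel identifier and counter, protected payload, authentication tag), the HMAC-SHA256 counter-mode keystream standing in for the real cipher suite, and the policies, keys and resource lists are all constructed for the example.

```python
"""Channel separation on the security agent / forwarder path (added illustration).

Not the patent's own code.  Frame layout, the HMAC-based keystream that
stands in for the cipher suite, and all policies and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

HEADER = struct.Struct(">IQ")   # channel identifier (4 bytes) | frame counter (8 bytes)
TAG_LEN = 32                    # HMAC-SHA256 tag appended to every frame


def _keystream(key, counter, length):
    """Constructed stand-in keystream: HMAC-SHA256 in counter mode."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + struct.pack(">QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, channel_id, counter, plaintext):
    """Encrypt-then-MAC one packet; the channel id travels in the clear header."""
    header = HEADER.pack(channel_id, counter)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, counter, len(plaintext))))
    tag = hmac.new(key, b"mac" + header + body, hashlib.sha256).digest()
    return header + body + tag


def open_frame(key, frame):
    """Verify the tag and decrypt; None on any failure (never partial output)."""
    if len(frame) < HEADER.size + TAG_LEN:
        return None
    header, body, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(key, b"mac" + header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    _cid, counter = HEADER.unpack(header)
    return bytes(a ^ b for a, b in zip(body, _keystream(key, counter, len(body))))


def peek_channel(frame):
    """Read the channel identifier without touching the protected payload."""
    return HEADER.unpack(frame[:HEADER.size])[0] if len(frame) >= HEADER.size else None


class SecurityAgent:
    """Routes traffic to the channel whose policy covers the destination address."""
    def __init__(self):
        self.routes = []       # (ip_network, channel_id), from the resource list
        self.keys = {}         # channel_id -> session key
        self.counters = {}     # channel_id -> next frame counter

    def install(self, policy):
        for net in policy["resources"]:
            self.routes.append((ipaddress.ip_network(net), policy["channel_id"]))
        self.keys[policy["channel_id"]] = policy["key"]
        self.counters[policy["channel_id"]] = 0

    def route(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return next((cid for net, cid in self.routes if addr in net), None)

    def send(self, dst_ip, payload):
        cid = self.route(dst_ip)
        if cid is None:
            return None        # not a protected resource: no channel, nothing sent
        ctr = self.counters[cid]
        self.counters[cid] = ctr + 1
        return seal(self.keys[cid], cid, ctr, payload)


class Forwarder:
    """Selects key and algorithm per channel identifier; closes channels by id."""
    def __init__(self):
        self.channels = {}     # channel_id -> {"key", "suite", "expires_at"}

    def install(self, policy, now):
        self.channels[policy["channel_id"]] = {
            "key": policy["key"], "suite": policy["cipher_suite"],
            "expires_at": now + policy["lifetime_s"]}

    def receive(self, frame, now):
        ch = self.channels.get(peek_channel(frame))
        if ch is None or now >= ch["expires_at"]:
            return None        # unknown or expired channel: drop
        return open_frame(ch["key"], frame)

    def close(self, channel_id):
        """Emergency policy: close one channel, leaving the others untouched."""
        return self.channels.pop(channel_id, None) is not None

    def sweep(self, now):
        """Life-cycle check: disconnect only channels whose policy has expired."""
        expired = [cid for cid, ch in self.channels.items() if now >= ch["expires_at"]]
        for cid in expired:
            del self.channels[cid]
        return expired
```

Because every frame names its channel in the clear header, the forwarder can pick the right key before any decryption and can retire one channel (by expiry or by emergency policy) while frames on the other channels keep flowing.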
The forwarder also senses the access context behaviour of the user device; when the behaviour is abnormal it reports to the security management system, which dynamically adjusts the security policy.
Compared with traditional applications that keep their own internal identity and credential stores, the scheme reduces the exploitable software security vulnerabilities, integrates with the enterprise's centralized identity management and life cycle processes, avoids identity silos, and avoids the missed life cycle events for transferred or departed staff that would otherwise leave accounts active. Deployment is based on identifiers and security policy: network access to an application can be protected by an encryption protocol, the confidentiality and integrity of communication content are guaranteed, channel separation is achieved, and different access requests use dedicated encrypted channels with cryptographically defined isolation boundaries, which is the embodiment of the password-defined network. Before accessing an application resource, a user must pass identity authentication, and only after authorization can the resource be reached over the network, which makes it harder for an attacker while still meeting users' needs for remote access to application resources, mobile access, and dynamically changing networks.
Unless specifically stated otherwise, the relative arrangement, numerical expressions and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method and/or system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method and/or system, the embodiment of the invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for constructing a password-defined network security system, characterized by comprising the following:
establishing a plurality of entities describing network facilities and/or network resources, generating entity attributes for each entity according to its characteristics, and allocating to each entity an entity identifier representing its identity (ID) data;
according to the service data flow, grouping the entities in the network into corresponding control sub-domains using different cipher suites, wherein the entities in the same key-grouped control sub-domain establish a trusted network link based on entity identifiers and a security policy, and a network boundary is defined for each key-grouped control sub-domain.
2. The method of claim 1, wherein the entities comprise at least the following types: user equipment that accesses the network to perform resource access; a forwarder serving as a security gateway that executes the security policy; a controller serving as a policy decision point that distributes tunnel policies to the forwarder; a domain manager that registers and manages the forwarders and controllers in the same control domain; a runtime log management system that continuously analyses and manages the runtime logs of the controller and forwarder; a continuous trusted management system that continuously monitors and maintains the state of the controller and forwarder devices; a key management system for certificate and key management; a security management system that monitors the system's operation and makes and adjusts tunnel policies; and an identity management system for access control management.
3. The method of claim 1 or 2, wherein the entity attributes comprise: an entity type; logical attributes describing the entity's name, IP address and certificate; physical attributes describing the entity's hardware configuration and geographic location; and domain attributes describing the control sub-domain to which the entity belongs.
4. The method of claim 3, wherein the entity identifier is byte-encoded, and the encoding comprises: a tunnel type field, a network packet identification field, an entity type field, an entity number field, an affiliated domain manager field, an affiliated controller field, an intra-entity soft device number field, and reserved bytes.
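An encoder and decoder for the entity identifier fields named in claim 4, as an added Python illustration that is not the patent's own layout. Claim 4 lists the fields but not their widths, so the 16-byte big-endian layout, the entity type codes and the notion of "same control domain" (same network group and same affiliated domain manager) used here are assumptions.

```python
"""Byte encoding of an entity identifier (added illustration).

Not the patent's own layout: claim 4 names the fields, but the widths,
entity type codes and control-domain comparison below are assumptions.
"""
import struct

# Assumed layout, big-endian, 16 bytes: tunnel type (1) | network group (2) |
# entity type (1) | entity number (4) | affiliated domain manager (2) |
# affiliated controller (2) | intra-entity soft device number (1) | reserved (3).
LAYOUT = struct.Struct(">BHBIHHB3s")
ID_LEN = LAYOUT.size
FIELDS = ("tunnel_type", "network_group", "entity_type", "entity_number",
          "domain_manager", "controller", "soft_device", "reserved")

# Assumed type codes for the entity types named in claim 2.
ENTITY_TYPES = {
    "user_device": 1, "forwarder": 2, "controller": 3, "domain_manager": 4,
    "runtime_log_mgmt": 5, "continuous_trust_mgmt": 6, "key_mgmt": 7,
    "security_mgmt": 8, "identity_mgmt": 9,
}
TYPE_NAMES = {code: name for name, code in ENTITY_TYPES.items()}


def encode_entity_id(tunnel_type, network_group, entity_type, entity_number,
                     domain_manager, controller, soft_device=0):
    """Pack the fields into the assumed layout, rejecting out-of-range values."""
    widths = {"tunnel_type": (tunnel_type, 8), "network_group": (network_group, 16),
              "entity_number": (entity_number, 32), "domain_manager": (domain_manager, 16),
              "controller": (controller, 16), "soft_device": (soft_device, 8)}
    for name, (value, bits) in widths.items():
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"unknown entity type {entity_type!r}")
    return LAYOUT.pack(tunnel_type, network_group, ENTITY_TYPES[entity_type],
                       entity_number, domain_manager, controller, soft_device, b"\x00" * 3)


def decode_entity_id(raw):
    """Unpack an identifier; reject wrong length, unknown type or dirty reserved bytes."""
    if len(raw) != ID_LEN:
        raise ValueError(f"entity identifier must be {ID_LEN} bytes")
    fields = dict(zip(FIELDS, LAYOUT.unpack(raw)))
    if fields.pop("reserved") != b"\x00" * 3:
        raise ValueError("reserved bytes must be zero")
    if fields["entity_type"] not in TYPE_NAMES:
        raise ValueError("unknown entity type code")
    fields["entity_type"] = TYPE_NAMES[fields["entity_type"]]
    return fields


def same_control_domain(raw_a, raw_b):
    """Assumed rule: same network group and same affiliated domain manager."""
    a, b = decode_entity_id(raw_a), decode_entity_id(raw_b)
    return (a["network_group"], a["domain_manager"]) == (b["network_group"], b["domain_manager"])
```

Validating the reserved bytes and the type code on decode means a registration service can reject malformed or forged identifiers before looking anything up by them.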
5. A password-defined network security architecture, implemented based on the method of claim 1, characterized in that the devices and resources in the network are sliced: cipher suites divide the network into a plurality of control sub-domains, each corresponding to a service data stream and cryptographically isolated; entity identifiers associate the related entities in each control sub-domain; and the data forwarding path for the stream's packets is selected based on a channel identifier.
6. The password-defined network security architecture of claim 5, wherein the devices in the network include, but are not limited to: user equipment used by a user to access the network and perform resource access, a forwarder serving as a security gateway that executes the security policy, a controller serving as a policy decision point that distributes tunnel policies to the forwarder, and a domain manager that registers and manages the forwarders and controllers in the same control domain.
7. The password-defined network security architecture of claim 5, wherein the resources in the network include, but are not limited to: a runtime log management system that continuously analyses and manages the runtime logs of the controller and forwarder, a continuous trusted management system that continuously monitors and maintains the state of the controller and forwarder devices, a key management system for certificate and key management, a security management system that monitors the system's operation and makes and adjusts tunnel policies, and an identity management system for access control management.
8. A data forwarding method for the password-defined network security architecture of claim 5, wherein the physical entities and logical entities in the network are associated through entity identifiers; the physical entities comprise: user equipment used by a user to access the network and perform resource access, a forwarder serving as a security gateway that executes the security policy, a controller serving as a policy decision point that distributes tunnel policies to the forwarder, and a domain manager that registers and manages the forwarders and controllers in the same control domain; the logical entities comprise: a runtime log management system that continuously analyses and manages the runtime logs of the controller and forwarder, a continuous trusted management system that continuously monitors and maintains the state of the controller and forwarder devices, a key management system for certificate and key management, a security management system that monitors the system's operation and makes and adjusts tunnel policies, and an identity management system for access control management; and the forwarding process comprises the following:
the forwarder applies to the controller for a security policy for data forwarding according to the request of the user equipment;
the controller, according to the forwarding request information sent by the forwarder, obtains an authentication and authorization decision from the identity management system to determine whether the forwarder may establish a tunnel connection, and obtains from the security management system a security policy for creating a password-defined network between the forwarders, wherein the forwarding request information comprises: the five-tuple of the forwarded data, the entity identifiers of the forwarder and the user equipment, and the access time;
the forwarder establishes a secure channel based on the channel identifier according to the security policy, and encrypts and forwards the data packets based on the channel identifier.
9. The method of claim 8, wherein the controller accesses the identity management system with the forwarding request information, looks up the entity attributes by entity identifier, obtains the security level corresponding to those attributes, determines whether the forwarding behaviour described by the request is legal and meets the security level requirement, and, if it is legal, authorizes the forwarding according to the security level; and the controller accesses the security management system with the forwarding request information and the security level, looks up the communication connection information and the channel identifier by entity identifier, and generates a security policy according to the security level, wherein the security policy includes, but is not limited to: communication connection information, channel identifier, cipher suite, key exchange algorithm and key update period.
10. The data forwarding method of claim 8, wherein the data packets in the secure channel's traffic carry a channel identifier to distinguish the password-defined network of the control sub-domain, and feedback is returned so that the life cycle of the password-defined network is maintained according to the security policy.
CN202111411810.2A 2021-11-25 2021-11-25 Method for constructing password definition network security system, system architecture and data forwarding method Active CN114024767B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111411810.2A CN114024767B (en) 2021-11-25 2021-11-25 Method for constructing password definition network security system, system architecture and data forwarding method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111411810.2A CN114024767B (en) 2021-11-25 2021-11-25 Method for constructing password definition network security system, system architecture and data forwarding method

Publications (2)

Publication Number Publication Date
CN114024767A true CN114024767A (en) 2022-02-08
CN114024767B CN114024767B (en) 2023-06-02

Family

ID=80066550

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111411810.2A Active CN114024767B (en) 2021-11-25 2021-11-25 Method for constructing password definition network security system, system architecture and data forwarding method

Country Status (1)

Country Link
CN (1) CN114024767B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631113A (en) * 2009-08-19 2010-01-20 西安西电捷通无线网络通信有限公司 Security access control method of wired LAN and system thereof
CN102006291A (en) * 2010-11-10 2011-04-06 西安西电捷通无线网络通信股份有限公司 Network transmission method and system suitable for trusted connection framework
US20140165169A1 (en) * 2012-12-10 2014-06-12 Lookout, Inc. Method and system for managing user login behavior on an electronic device for enhanced security
US20140208095A1 (en) * 2014-03-24 2014-07-24 SkySocket, LLC Managed real-time communications between user devices
CN104798355A (en) * 2012-09-18 2015-07-22 思杰系统有限公司 Mobile device management and security
US20150215339A1 (en) * 2014-01-27 2015-07-30 Honeywell International Inc. Policy-based secure communication with automatic key management for industrial control and automation systems
CN107196967A (en) * 2017-07-10 2017-09-22 南京邮电大学 A kind of logistics big data information security access control system
CN111416807A (en) * 2020-03-13 2020-07-14 苏州科达科技股份有限公司 Data acquisition method, device and storage medium
CN111464563A (en) * 2020-05-08 2020-07-28 武汉思普崚技术有限公司 Protection method of industrial control network and corresponding device
CN112235235A (en) * 2020-08-28 2021-01-15 中国大唐集团科学技术研究院有限公司 SDP authentication protocol implementation method based on state cryptographic algorithm
CN112866197A (en) * 2020-12-31 2021-05-28 北京安御道合科技有限公司 Password edge calculation method and system for realizing security of terminal of Internet of things and terminal
CN113572738A (en) * 2021-06-29 2021-10-29 中孚安全技术有限公司 Zero trust network architecture and construction method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116015875A (en) * 2022-12-26 2023-04-25 北京火山引擎科技有限公司 Container environment safety protection method, device, equipment and storage medium
CN116488811A (en) * 2023-06-21 2023-07-25 豪符密码检测技术(成都)有限责任公司 Method for delimiting a cryptographic boundary
CN116488811B (en) * 2023-06-21 2023-09-05 豪符密码检测技术(成都)有限责任公司 Method for delimiting a cryptographic boundary

Also Published As

Publication number Publication date
CN114024767B (en) 2023-06-02

Similar Documents

Publication Publication Date Title
US11218446B2 (en) Secure on-premise to cloud communication
Attkan et al. Cyber-physical security for IoT networks: a comprehensive review on traditional, blockchain and artificial intelligence based key-security
Huang et al. Secure data processing framework for mobile cloud computing
US9357331B2 (en) Systems and apparatuses for a secure mobile cloud framework for mobile computing and communication
JP2020516202A (en) Core network access provider
US8443416B2 (en) Techniques for secure channel messaging
US20220103361A1 (en) Enforcing a Segmentation Policy Using Cryptographic Proof of Identity
Uzunov A survey of security solutions for distributed publish/subscribe systems
US11784819B2 (en) Dynamic segmentation of network traffic by use of pre-shared keys
CN110417739B (en) Safe network in-band measurement method based on block chain technology
CN114024767B (en) Password-defined network security system construction method, system architecture and data forwarding method
Jabraeil Jamali et al. IoT security
Moussaid et al. Enhance the security properties and information flow control
Zhang et al. Secure ABE scheme for access management in blockchain-based IoT
Jamal et al. Reliable access control for mobile cloud computing (MCC) with cache-aware scheduling
Gupta et al. Fog computing and its security challenges
US9172711B2 (en) Originator publishing an attestation of a statement
KR102413497B1 (en) Systems and methods for secure electronic data transmission
Adelin et al. Facing emerging challenges in connected vehicles: a formally proven, legislation compliant, and post-quantum ready security protocol
Yan et al. Heterogeneous data access control based on trust and reputation in mobile cloud computing
Tupakula et al. Implementation of techniques for enhancing security of southbound infrastructure in SDN
Kwon et al. Mondrian: Comprehensive Inter-domain Network Zoning Architecture.
Sujatha et al. Efficient Mutual User Authentication Protocol to Share Files Using ID in Cloud Storage
Karmakar Techniques for securing software defined networks and services
Raza et al. A review on security issues and their impact on hybrid cloud computing environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 20240606
  Patentee before: Zhengzhou Xinda Information Technology Research Institute Co.,Ltd., 450000 floors 1-5 and 5 of Building 2, building 1, block D, No. 55, Lianhua street, high tech Industrial Development Zone, Zhengzhou, Henan Province, China
  Patentee after: Beijing Xinda Cloud Valley Technology Co.,Ltd., Room 0706, 6th Floor, No. 113 Zhichun Road, Haidian District, Beijing, 100080, China