CN114039750A - Method for protecting SDP controller - Google Patents
- Publication number: CN114039750A (application CN202111247584.9A)
- Authority: CN (China)
- Prior art keywords: controller, client, access, sdp, spa
- Legal status: Granted
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses a method for protecting an SDP controller, comprising the following steps: S01, the SDP client generates the IP and port information of the target controller to be accessed; S02, the SDP client initiates SPA single-packet authentication to the target controller; S03, the network admission control system presets a plurality of IP POOL address pools, and the controller schedules the temporary activation or release of an IP for client access within a certain time period; S04, the controller calculates the IP and access port that need to be opened at a given moment, and the controller and the network admission control system open the IP and port access policy; S05, once the client can normally send the SPA authentication message to the controller system, the controller checks the information in the SPA message; and S06, after receiving the target gateway information, the client initiates resource access to the SDP gateway system. The invention better realizes the network stealth characteristic of the SDP system and greatly enhances the architectural security and robustness of the SDP system.
Description
Technical Field
The invention relates to a realization method for protecting an SDP controller, belonging to the technical field of network security.
Background
SDP (Software Defined Perimeter), also rendered as software-defined boundary, is a completely new concept of network boundary defined by the CSA (Cloud Security Alliance). Its core idea is that core network assets and facilities can be hidden behind an SDP framework so that they are not exposed to the Internet, preventing attack behaviours and security threats to the greatest extent. SDP makes up for the defects of the TCP/IP framework: it keeps important network assets from being directly exposed to the Internet, allows applications deployed directly on the Internet to be accessed as efficiently and safely as intranet applications, realizes hiding and zero trust for key assets, avoids network security risks and achieves thorough security protection at the architectural level.
SDP mainly contains three parts: SDP Controller (Controller), SDP Gateway (Gateway), and SDP Client (Client).
All types of network attacks, including DDoS, man-in-the-middle attacks, server queries (the OWASP top ten threats) and advanced persistent threats (APT), are thwarted by the new SDP security model, which incorporates security components such as device authentication, identity-based access and dynamically configured connections.
At present, the conventional SDP security architecture has the following problems:
(1) In the traditional SDP architecture, the SPA single-packet authentication scheme of authenticating first and connecting second means that even if an illegal connection or an attacker scans the SDP controller over the network and sniffs its ports, no exposed network surface can be perceived, which realizes the network stealth function. However, the client still needs to know the IP address and port of the controller it connects to, otherwise data communication cannot take place, so an attacker or hacker can still launch subsequent network attacks on the IP address and port of the controller;
(2) Although a hacker or attacker cannot scan the IP and port of the SDP controller, one who is familiar with the SDP principle or protocol can launch a DDoS attack on the IP address and port of the SDP controller; the communication channel is then blocked, the controller suffers a denial of service and can no longer provide its service capability, and the SDP system stops working.
Disclosure of Invention
To overcome and avoid these technical defects, the invention provides an implementation method for protecting the SDP controller, which strengthens the security of the SDP controller by dynamically loading a random IP and port generation algorithm on both the controller and the client, greatly increases the attack and traffic cost for hackers or attackers, reduces the possibility of being attacked, and greatly improves the service continuity and security of the SDP system.
The technical scheme adopted by the invention is as follows: an implementation method for protecting an SDP controller comprises the following steps:
S01, the SDP client dynamically generates the IP and port information of the target controller to be accessed based on a time algorithm;
S02, the SDP client automatically initiates SPA single-packet authentication to the target controller, the SPA authentication message containing MFA user identification information;
S03, the network admission control system presets a plurality of IP POOL address pools, and the controller schedules the temporary activation or release of an IP for client access within a certain time period;
S04, the controller calculates, independently and without contact with the client, the IP and access port that need to be opened at a given moment, relying on the consistency of the time algorithm with the client's generation algorithm, and the controller and the network admission control system open the IP and port access policy;
S05, once the client can normally send an SPA authentication message to the controller system, the controller checks the information in the SPA message; if the check fails, the message is discarded directly, and if it succeeds, the SDP client is dynamically informed which gateway system to access and the gateway is informed to release the client's resource access authority;
and S06, after receiving the target gateway information, the client initiates resource access to the SDP gateway system.
Further, in step S02, the client initiates SPA single packet authentication to the controller based on the calculated controller target IP and port and carrying the static or MFA multi-factor authentication information filled by the user.
Further, the controller schedules and manages the temporary enabling or activation of a certain IP and port for the SDP client to access, and the generated IP address is consistent with the IP address generated by the client based on the time algorithm, so that network communication is guaranteed to be reachable.
Furthermore, an SPA authentication packet initiated by the client can normally reach the controller through the network admission control equipment; the controller checks the user's SPA authentication information, which comprises the device fingerprint, static password, OTP and scan-code multi-factor authentication information of the user, and any error in the authentication information directly causes the data packet to be dropped (DROP).
Further, after verifying that the user's SPA authentication information is accurate, the controller simultaneously returns the related authentication and access policy information to the client and the gateway, informs the client of the access relationship between the target resource to be accessed and the corresponding gateway, and informs the gateway of the security access policy for the client.
The beneficial effects of the invention are as follows: the IP and port information to be accessed is dynamically generated at the client and the controller through a time-based random algorithm, and the network access control policy is generated dynamically at the same time, so that a hacker or attacker can hardly discover the IP and port information of the controller by guessing or packet capture; combined with the SPA single-packet authentication characteristic of the controller, the network hiding protection capability is better realized, it becomes much harder for hackers and attackers to obtain controller information, the cost of an attack rises sharply, and the security of the SDP controller and the whole SDP framework is better protected.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic diagram of the data and signal flow of the modules of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
As shown in fig. 1 and 2, this embodiment discloses an implementation method for protecting an SDP controller, which includes the following specific steps:
(1) first, the client calculates the target controller IP and port that need to be accessed at a certain time based on a time-based dynamic generation algorithm;
(2) the client initiates SPA single-packet authentication to the controller based on the calculated controller target IP and port, carrying the static or MFA multi-factor authentication information filled in by the user;
(3) the network admission control system can preset several IP POOL segments, routing and other information, and under the controller's scheduling management temporarily enables or activates a certain IP and port for SDP client access, so that the generated IP address is consistent with the IP address generated by the client based on the time algorithm and network communication is guaranteed to be reachable; at this time, other illegal accessors or hacker attackers cannot perceive the dynamically generated IP address, so they cannot launch a network attack on the controller, and the controller is protected from external attack;
(4) the controller likewise generates or opens an IP and port for the client's access based on the time algorithm, and at the same time informs the network admission control system to ensure that the policies are consistent;
(5) an SPA authentication packet initiated by the client can normally reach the controller through the network admission control equipment; the controller checks the user's SPA authentication information, which comprises multi-factor authentication information such as the user's device fingerprint, static password, OTP (one-time password) and scan code, and any error in the authentication information directly causes the data packet to be dropped (DROP);
(6) after verifying that the user's SPA authentication information is accurate, the controller simultaneously returns the related authentication and access policy information to the client and the gateway, informs the client of the access relationship between the target resource to be accessed and the corresponding gateway, and informs the gateway of the security access policy for the client;
(7) the client can then normally initiate a data connection request to the gateway and, after being checked and verified by the gateway security policy, access the target application resource.
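The following is an added example, not code from the patent, showing one way the client and controller can agree on a controller endpoint from a shared secret and a time step, and how the controller checks the SPA packet and drops anything that fails (steps (1) to (6) above and S01 to S05 of the disclosure). The 60-second time step, the HMAC-based selection from the IP POOL, the port range, the one-step clock-skew tolerance and the OTP lookup table are all assumptions; the patent does not specify the generation algorithm.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed parameters (not from the patent): a 60 s time step, a pre-shared
# secret per client, and a port range to draw the dynamic access port from.
WINDOW = 60
PORT_RANGE = (40000, 50000)


def time_step(now, window=WINDOW):
    """Map wall-clock seconds to the time step shared by client and controller."""
    return int(now // window)


def derive_endpoint(secret, step, ip_pool, port_range=PORT_RANGE):
    """Client and controller both run this: HMAC(secret, step) selects the
    controller IP from the admission system's IP POOL and the access port."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    ip = ip_pool[int.from_bytes(digest[:4], "big") % len(ip_pool)]
    lo, hi = port_range
    port = lo + int.from_bytes(digest[4:8], "big") % (hi - lo)
    return ip, port


def build_spa(secret, client_id, otp, now, nonce=None):
    """Client side: one authenticated SPA packet carrying the MFA factor."""
    body = {"id": client_id, "otp": otp, "ts": int(now),
            "nonce": nonce or secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class Controller:
    """Controller side: computes the policy to open and checks SPA packets."""

    def __init__(self, secret, ip_pool, otp_by_client):
        self.secret = secret
        self.ip_pool = ip_pool
        self.otp_by_client = otp_by_client  # constructed stand-in for real MFA
        self.seen = set()                   # replay cache of (id, nonce)

    def open_policy(self, now):
        """(ip, port) pairs the admission system should open right now.
        Adjacent steps are included to tolerate small clock skew (assumption)."""
        step = time_step(now)
        return {derive_endpoint(self.secret, s, self.ip_pool)
                for s in (step - 1, step, step + 1)}

    def check_spa(self, dst, packet, now):
        """Return "ACCEPT" or "DROP"; any failed check drops the packet."""
        if dst not in self.open_policy(now):
            return "DROP"                   # not a currently opened endpoint
        payload, sep, tag = packet.rpartition(b".")
        if not sep:
            return "DROP"                   # malformed packet
        expect = hmac.new(self.secret, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expect, tag):
            return "DROP"                   # bad MAC: tampered or unknown key
        body = json.loads(payload)
        if abs(body["ts"] - now) > WINDOW:
            return "DROP"                   # stale or future-dated packet
        if (body["id"], body["nonce"]) in self.seen:
            return "DROP"                   # replayed packet
        if self.otp_by_client.get(body["id"]) != body["otp"]:
            return "DROP"                   # MFA factor does not verify
        self.seen.add((body["id"], body["nonce"]))
        return "ACCEPT"
```

Because the endpoint is derived from the time step, the admission system's open set changes every window, and a packet aimed at a stale or never-opened address is dropped before any authentication work is done.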
In summary, the implementation method for protecting the SDP controller disclosed in this embodiment remedies the defect of the traditional SDP architecture, in which the IP address and access port of the controller never change and, once known to a hacker, can be subjected to continuous DoS attack; it reduces the risk of the SDP system controller being captured or guessed, increases the attack cost for hackers or attackers through randomization of the IP and port, better implements the network stealth feature of the SDP system, greatly enhances the architectural security and robustness of the SDP system, further optimizes its security architecture capability, and avoids some design defects of the system.
The foregoing illustrates and describes the principles, general features, and advantages of the present invention. It should be understood by those skilled in the art that the above embodiments do not limit the scope of the present invention in any way, and all technical solutions obtained by using equivalent substitution methods fall within the scope of the present invention.
The parts not involved in the present invention are the same as or can be implemented using the prior art.
Claims (5)
1. An implementation method for protecting an SDP controller is characterized by comprising the following steps:
S01, the SDP client dynamically generates the IP and port information of the target controller to be accessed based on a time algorithm;
S02, the SDP client automatically initiates SPA single-packet authentication to the target controller, the SPA authentication message containing MFA user identification information;
S03, the network admission control system presets a plurality of IP POOL address pools, and the controller schedules the temporary activation or release of an IP for client access within a certain time period;
S04, the controller calculates, independently and without contact with the client, the IP and access port that need to be opened at a given moment, relying on the consistency of the time algorithm with the client's generation algorithm, and the controller and the network admission control system open the IP and port access policy;
S05, once the client can normally send an SPA authentication message to the controller system, the controller checks the information in the SPA message; if the check fails, the message is discarded directly, and if it succeeds, the SDP client is dynamically informed which gateway system to access and the gateway is informed to release the client's resource access authority;
and S06, after receiving the target gateway information, the client initiates resource access to the SDP gateway system.
2. The method as claimed in claim 1, wherein in step S02, the client initiates SPA single packet authentication to the controller based on the calculated target IP and port of the controller and carrying the static or MFA multi-factor authentication information filled by the user.
3. The method as claimed in claim 1, wherein in step S03, the controller schedules and manages to temporarily enable or activate an IP and a port for the SDP client to access, and the generated IP address is consistent with the IP address generated by the client based on the time algorithm, so as to ensure that network communication is accessible.
4. The method of claim 1, wherein in step S05, the SPA authentication packet initiated by the client normally reaches the controller through the network admission control device, and the controller checks the SPA authentication information of the user, where the check information includes the device fingerprint, static password, OTP, and scan code multi-factor authentication information of the user, and any authentication information error will directly DROP the data packet.
5. The method as claimed in claim 4, wherein the controller returns the authentication and access policy information to the client and the gateway after verifying that the user SPA authentication information is accurate, informs the client of the access relationship between the target resource to be accessed and the gateway, and informs the gateway of the security access policy for the client.
Priority Application (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111247584.9A CN114039750B (en) | 2021-10-26 | 2021-10-26 | Implementation method for protecting SDP controller |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114039750A true CN114039750A (en) | 2022-02-11 |
CN114039750B CN114039750B (en) | 2023-11-10 |
Family ID: 80141938 (one family application, CN202111247584.9A, status Active; country status: CN, CN114039750B)
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |