CN114143076B - Electric power thing networking safety protection system based on virtual switch frame - Google Patents


Info

Publication number
CN114143076B
Authority
CN
China
Prior art keywords
virtual
security
things
component
internet
Prior art date
Legal status
Active
Application number
CN202111435812.5A
Other languages
Chinese (zh)
Other versions
CN114143076A (en)
Inventor
陈璐
邵志鹏
马媛媛
陈牧
戴造建
Current Assignee
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Original Assignee
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Global Energy Interconnection Research Institute
Priority to CN202111435812.5A
Publication of CN114143076A
Application granted
Publication of CN114143076B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L12/00 Data switching networks
    • H04L12/28 ... characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L49/00 Packet switching elements
    • H04L49/20 Support for services
    • H04L49/208 Port mirroring
    • H04L49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security protection system for the electric power Internet of Things (IoT), applied to an edge IoT agent, comprising a virtual switch and a plurality of security components; each security component is encapsulated in its own virtual container and connected to the virtual switch. The virtual switch has a plurality of virtual ports and is connected to the security components through them; it pairs the virtual ports through flow table entries, thereby controlling the order in which data messages pass through the security components and realizing the orchestration of the security components. By applying the virtual switch framework to the edge IoT agent, virtual port pairing is achieved under flow-table-entry control and the forwarding path of Layer 2 frames is steered, so that the security components can be orchestrated dynamically on demand, meeting the requirement for precise, moderate, lightweight and flexible security protection in electric power IoT service scenarios.

Description

Electric power thing networking safety protection system based on virtual switch frame
Technical Field
The invention relates to the technical field of electric power IoT security, in particular to a security protection system for the electric power IoT.
Background
With the wide application of IoT technology, the number of IoT terminals is growing exponentially; they are connected to the network through sensing, communication and computer technologies, which places higher demands on network security protection. As the network structure becomes more complex and heterogeneous terminals are connected on a massive scale, the hierarchical architecture of the electric power IoT introduces an edge IoT agent to realize local processing and security protection on the edge side, providing a first line of defense at the edge of the IoT. To protect the terminals of the electric power IoT, various security devices are typically deployed at the edge IoT agent, or various security services are provided, such as web application firewalls (WAF), intrusion detection systems (IDS), intrusion prevention systems (IPS) and the like. This deployment mode, which relies on stacking hardware, results in overlapping edge functions, a lack of integration and extremely high deployment cost. At the same time, security protection needs change dynamically with different environments and business requirements, whereas hardware-based security measures are relatively rigid; because their control interfaces differ, linkage and unified scheduling are difficult to achieve, the measures lack elasticity, and the requirements of precise and moderate protection of the electric power IoT are not met. At present, security protection on the edge side of the electric power IoT has the following problems to be solved:
(1) The security protection measures of the edge IoT agent depend on a hardware deployment mode, and protection requirements are difficult to implement effectively. The IoT security system contains security functions such as secure access (to terminals and to the management platform) and security monitoring; these edge functions overlap and lack integration, they rely on hardware deployment, the geographic location where the edge IoT agent is deployed is uncontrollable, and constraints of cost and technology make traditional security measures difficult to implement effectively.
(2) The security protection capability of the edge IoT agent is fixed once deployed and is not suited to scenarios in which the security requirements of the electric power IoT change dynamically. Security requirements differ across the transmission, transformation, distribution, consumption and dispatch scenarios of the electric power IoT, and they also change dynamically with the actual environment and business requirements; the existing security measures of the edge IoT agent are fixed once deployed, so the security capability of the edge side lacks elasticity.
(3) The internal traffic of the edge IoT agent lacks security orchestration and analysis and cannot be controlled according to the actual security situation on site. At present, edge-side security protection is of the "shell" type: protection is achieved by externally deploying dedicated hardware, the internal traffic of the edge IoT agent lacks dynamic orchestration, monitoring and analysis, the control granularity of the edge IoT agent is relatively coarse, and fine-grained internal control according to the actual security situation of the agent cannot be carried out.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the defects of the prior-art security deployment mode that relies on hardware stacking, namely overlapping functions, lack of integration, extremely high deployment cost and the inability to change flexibly according to requirements, and thus to provide a security protection system for the electric power IoT.
The invention provides a security protection system for the electric power IoT, applied to an edge IoT agent, comprising a virtual switch and a plurality of security components; each security component is encapsulated in its own virtual container and connected to the virtual switch. The virtual switch has a plurality of virtual ports and is connected to the security components through them; it pairs the virtual ports through flow table entries, thereby controlling the order in which data messages pass through the security components and realizing the orchestration of the security components.
Optionally, the system further comprises a service application, which is encapsulated in a virtual container, connected to the virtual switch through one of its virtual ports, runs attached to the virtual switch, and sends and/or receives data packets to and from a designated destination address and port through the security components.
Optionally, the system further comprises a forwarding component and a virtual bridge. The forwarding component is encapsulated in a virtual container and has two virtual network ports, through which it is connected to the virtual switch and to the virtual bridge respectively; it receives data messages from the security components and sends them to the destination host through the virtual bridge, or receives data packets through the virtual bridge and sends them to the security components. The virtual bridge is connected to the forwarding component and to the operating system of the edge IoT agent; it receives data messages and passes them to the operating system, which forwards them and sends them to the destination host through the physical network port of the edge IoT agent.
Optionally, the virtual switch and the virtual bridge work in different network segments; the virtual network port of the forwarding component that is connected to the virtual switch works in the same segment as the virtual switch, and the virtual network port connected to the virtual bridge works in the same segment as the virtual bridge.
Optionally, after a security component receives a data message through its virtual port, the original destination IP of the message is rewritten to the component's own IP according to a destination address translation (DNAT) rule in the firewall; the application layer of the security component then processes the message, re-encapsulates it and sends it on.
Optionally, the security components comprise a secure access component for secure interaction with the IoT sensing terminals; it uses the software and hardware fingerprint information of the sensing terminals and is deployed agentless in bypass mode.
Optionally, the security components comprise a secure access component for secure interaction with the IoT management platform, deployed on the edge IoT agent as a security protocol processing process.
Optionally, this secure access component supports the SSAL/SSL protocols.
Optionally, the security components comprise a security monitoring component, which monitors the data transmitted in the virtual switch, sends the monitoring result to the secure access component, and through it to the IoT management platform.
Optionally, the virtual ports include a mirror port, through which the security monitoring component is connected to the virtual switch; the mirror port obtains a copy of the traffic of a designated virtual port and feeds it to the security monitoring component, which monitors the mirrored data to obtain the monitoring result.
The technical solution of the invention has the following advantages:
By applying the virtual switch framework to the edge IoT agent, virtual port pairing is achieved under flow-table-entry control and the forwarding path of Layer 2 frames is steered, so that the security components can be orchestrated dynamically on demand, meeting the requirement for precise, moderate, lightweight and flexible security protection in electric power IoT service scenarios.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings needed in the description are briefly introduced below; obviously, they show only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic block diagram of a specific example of the electric power IoT security protection system in an embodiment of the invention;
FIG. 2 is a schematic diagram of the edge IoT agent security architecture in an embodiment of the invention;
FIG. 3 shows the result of running telnet inside the apps container in an embodiment of the invention;
FIG. 4(a) shows the result of the program running in SDK1 in an embodiment of the invention;
FIG. 4(b) shows the result of the program running in SDK2 in an embodiment of the invention;
FIG. 5(a) shows the result of running tcpdump in SDK1 in an embodiment of the invention;
FIG. 5(b) shows the result of running tcpdump in SDK2 in an embodiment of the invention;
FIG. 6 shows the result of tcpdump in SDK3 capturing the mirrored data in an embodiment of the invention;
FIG. 7(a) shows the result of running tcpdump in SDK1 in an embodiment of the invention;
FIG. 7(b) shows the result of running tcpdump in SDK2 in an embodiment of the invention;
FIG. 8 shows the result of tcpdump in SDK3 capturing the mirrored data in an embodiment of the invention.
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings; the embodiments described are some, but not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
In the description of the invention it should be noted that the technical features of the different embodiments described below may be combined with each other as long as they do not conflict.
The embodiment of the invention provides a security protection system for the electric power IoT, applied to an edge IoT agent, which, as shown in FIG. 1, comprises a virtual switch and a plurality of security components;
each security component is encapsulated in a virtual container and connected to the virtual switch.
In an alternative embodiment, a virtual container is connected to the virtual switch by binding a virtual network interface to it.
In the embodiment of the invention, the edge IoT agent security protection prototype is deployed as integrated software; as shown in FIG. 2, the edge IoT agent is located in the terminal layer of the IoT.
In the embodiment of the invention, the security functions of the edge IoT agent are packaged into different security components. The functions of the edge IoT agent include communication protocol adaptation, data storage and processing, management and control strategies, edge computing, data model adaptation, security strategies, access to the communication network, secure interaction with the IoT sensing terminals and the like. In an alternative embodiment, these security functions are classified by type, functions of the same type are packaged in the same security component, and different security components are packaged in different virtual containers.
In an alternative embodiment, each security component exposes the programmable and customizable capabilities of the security component prototype as an application programming interface (API), i.e. the security functions of a component can be configured through the API according to actual requirements.
The virtual switch has a plurality of virtual ports and is connected to the security components through them; the virtual switch pairs the virtual ports through flow table entries, controls the order in which data messages pass through the security components, and thereby orchestrates the security components.
In an alternative embodiment, each security component is connected to two virtual ports: it receives data messages through one and sends them through the other.
In an alternative embodiment, pairing the virtual ports means defining an input-output correspondence between them, i.e. their connection relationship; when the connection relationship between the virtual ports changes, the order in which data packets pass through the security components changes as well.
For example, as shown in FIG. 1, if the correspondence between the virtual ports is such that a data message leaving virtual port 1 enters the first security component (SDK1) through virtual port 2, SDK1 emits it through virtual port 3, it enters the second security component (SDK2) through virtual port 4, and SDK2 emits it through virtual port 5, then the orchestration order of the security components in this embodiment is SDK1 -> SDK2.
If instead the correspondence is such that a data message leaving virtual port 1 enters SDK2 through virtual port 4, SDK2 emits it through virtual port 5, it enters SDK1 through virtual port 2, and SDK1 emits it through virtual port 3, then the orchestration order in this embodiment is SDK2 -> SDK1.
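The port pairing described above, as an added example that is not part of the patent text: a shell function that emits the OpenFlow entries (one per hop, in ovs-ofctl syntax) for a chosen component order, and a second function that walks the emitted entries to report which components a frame from the application port visits. The port numbers follow FIG. 1 as described (application out = 1, SDK1 in/out = 2/3, SDK2 in/out = 4/5); the bridge name ovs-br, the sink port 6 for the forwarding component and the flow priority are assumptions. Only the direction from the application outward is shown, as in the description; a return path needs its own entries.

```shell
#!/bin/sh
# Added example, not from the patent. Emits ovs-ofctl flow entries that pair
# virtual ports so a frame traverses the security components in a given order,
# and walks those entries to verify the resulting order.
# Port numbers follow FIG. 1; bridge name "ovs-br" and sink port 6 are assumed.

# chain_flows BRIDGE SRC_PORT SINK_PORT NAME:IN:OUT...
# A frame leaving SRC_PORT is sent to the first component's IN port; whatever
# that component emits on its OUT port goes to the next IN port, and the last
# OUT port is paired with SINK_PORT. No NORMAL (learning-switch) entry is
# emitted, so only these pairings move frames.
chain_flows() {
  bridge=$1; prev=$2; sink=$3; shift 3
  for comp in "$@"; do
    pin=${comp#*:}; pin=${pin%%:*}     # IN port of this component
    pout=${comp##*:}                   # OUT port of this component
    printf 'ovs-ofctl add-flow %s "priority=100,in_port=%s,actions=output:%s"\n' "$bridge" "$prev" "$pin"
    prev=$pout
  done
  printf 'ovs-ofctl add-flow %s "priority=100,in_port=%s,actions=output:%s"\n' "$bridge" "$prev" "$sink"
}

# trace_chain SRC_PORT SINK_PORT NAME:IN:OUT...  (flow entries on stdin)
# Follows in_port -> output pairs from SRC_PORT to SINK_PORT and prints the
# component names in the order visited, e.g. "SDK1->SDK2".
trace_chain() {
  src=$1; sink=$2; shift 2
  flows=$(cat)
  cur=$src; order=""
  while [ "$cur" != "$sink" ]; do
    next=$(printf '%s\n' "$flows" | sed -n "s/.*in_port=$cur,actions=output:\([0-9]*\).*/\1/p")
    if [ -z "$next" ]; then echo "no flow entry for in_port=$cur" >&2; return 1; fi
    if [ "$next" = "$sink" ]; then cur=$sink; continue; fi
    cur=""
    for comp in "$@"; do
      name=${comp%%:*}; rest=${comp#*:}; pin=${rest%%:*}; pout=${rest#*:}
      if [ "$pin" = "$next" ]; then order="${order:+$order->}$name"; cur=$pout; fi
    done
    if [ -z "$cur" ]; then echo "port $next is not a component input" >&2; return 1; fi
  done
  printf '%s\n' "$order"
}

# Order of FIG. 1 as described: 1 -> [2 SDK1 3] -> [4 SDK2 5] -> 6
chain_flows ovs-br 1 6 SDK1:2:3 SDK2:4:5
chain_flows ovs-br 1 6 SDK1:2:3 SDK2:4:5 | trace_chain 1 6 SDK1:2:3 SDK2:4:5
# Reversed order: only the flow entries change, the containers stay untouched
chain_flows ovs-br 1 6 SDK2:4:5 SDK1:2:3 | trace_chain 1 6 SDK1:2:3 SDK2:4:5
```

Re-ordering the chain therefore means deleting the three entries and emitting three new ones; the containers, their interfaces and their addresses are not touched. Because no NORMAL entry is installed, a port that is not part of the chain is isolated, which is the behaviour a practitioner wants from a security chain.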
According to the electric power IoT security protection system provided by the embodiment of the invention, the virtual switch framework is applied to the edge IoT agent, virtual port pairing is achieved under flow-table-entry control, and the forwarding path of Layer 2 frames is steered, so that the security components can be orchestrated dynamically on demand, meeting the requirement for precise, moderate, lightweight and flexible security protection in electric power IoT service scenarios.
In an optional embodiment, the system further comprises a service application (APP), which is encapsulated in a virtual container, connected to the virtual switch through one of its virtual ports, runs attached to the virtual switch, and sends and/or receives data packets to and from a designated destination address and port through a security component. In the embodiment of the invention, the service application is able to send data packets outward, and the security component has port-forwarding capability.
In an alternative embodiment, when there are several different service applications, each is encapsulated in its own container and transmits a different type of data packet; the service applications attached to the virtual switch include, for example, a marketing application and a device-management application.
In an alternative embodiment, the service application is connected to the virtual switch through a virtual port; when the virtual switch pairs virtual ports through flow table entries, it pairs the port of the service application with one of the ports of a security component, so that the packets sent by the service application are received by that security component and forwarded through it.
In an alternative embodiment, the security components, service applications and virtual switch work in the same network segment; in the embodiment shown in FIG. 1, that segment is 192.168.121.0/24.
In an alternative embodiment, the system further comprises a forwarding component and a virtual bridge.
The forwarding component is encapsulated in a virtual container and has two virtual network ports, through which it is connected to the virtual switch and to the virtual bridge respectively; it receives data messages from the security components and sends them to the destination host through the virtual bridge, or receives data packets through the virtual bridge and sends them to the security components.
In an alternative embodiment, the forwarding component listens on a designated port and, after receiving a data packet, routes it to the destination host.
In an alternative embodiment, the virtual switch and the virtual bridge work in different network segments; the virtual network port of the forwarding component that is connected to the virtual switch works in the same segment as the virtual switch, and the virtual network port connected to the virtual bridge works in the same segment as the virtual bridge.
In the embodiment shown in FIG. 1, the virtual switch works in 192.168.121.0/24, the virtual bridge in 192.168.122.0/24, the port of the forwarding component connected to the virtual switch in 192.168.121.0/24, and the port connected to the virtual bridge in 192.168.122.0/24.
In the embodiment of the invention, the two virtual network ports of the forwarding component work in different segments, so the forwarding component provides network isolation between them.
The virtual bridge is connected to the forwarding component and to the operating system of the edge IoT agent; it receives data messages and passes them to the operating system, which forwards them and sends them to the destination host through the physical network port of the edge IoT agent.
In the embodiment of the invention, the virtual bridge serves as the egress for the traffic of the virtual switch and also as a network isolation component, ensuring that none of the virtual containers is exposed directly on the public network.
In an optional embodiment, after a security component receives a data message through its virtual port, the original destination IP of the message is rewritten to the component's own IP according to a destination address translation (DNAT) rule in the firewall; the application layer of the security component then processes the message, re-encapsulates it and sends it on.
In an alternative embodiment, a host firewall is configured when the system is built; once the DNAT rule has rewritten the original destination IP to the component's own IP, the message can be received by the application layer of the security component, which processes it and then re-encapsulates and sends it. Since DNAT overwrites the destination, the component has to recover the original destination (on Linux via the SO_ORIGINAL_DST socket option) before it can send the processed message on to the correct host.
In an optional embodiment, the security components comprise a secure access component for secure interaction with the IoT sensing terminals: an identifier is generated for each sensing terminal from its software and hardware fingerprint information, the identifier of each terminal is unique, and the terminal is authenticated by this identifier.
In an alternative embodiment, this secure access component provides terminal identity authentication, access right control, abnormal behaviour discovery and blocking. It addresses the security problems caused by the current lack of strict control over IoT terminal access, such as access by illegitimate terminals, illegitimate control of terminals and privilege-exceeding access by legitimate terminals; it avoids the drawbacks of traditional solutions, which depend on modifying the terminals or the network and do not cover all terminals; and it suits the complex, heterogeneous terminals and uncontrollable environments of the IoT.
In an optional embodiment, the security components comprise a secure access component for secure interaction with the IoT management platform.
In an alternative embodiment, this secure access component supports the SSAL/SSL protocols, is deployed on the edge IoT agent as a security protocol processing process, and is responsible for SSAL/SSL protocol encapsulation and de-encapsulation, packet segmentation and reassembly, basic cryptographic operations, and session key negotiation with the access gateway.
In an optional embodiment, the virtual ports of the virtual switch include a mirror port, and the security components comprise a security monitoring component.
The security monitoring component is connected to the virtual switch through the mirror port. In the embodiment shown in FIG. 1, virtual port 7 of the virtual switch is the mirror port, SDK3 is the security monitoring component, and SDK3 is connected to the virtual switch through virtual port 7.
The mirror port obtains a copy of the traffic of a designated virtual port and feeds it to the security monitoring component; the security monitoring component passes the monitoring result of the mirrored data to the secure access component, which sends it to the IoT management platform. In the embodiment of the invention, the designated virtual port is any one or more virtual ports of the virtual switch, and the mirror port receives all data passing through the designated ports.
In an alternative embodiment, the monitoring result is uploaded to the IoT management platform through the secure transmission channel established between the secure access component and the secure access gateway, and the management platform displays and analyses it.
In an alternative embodiment, the electric power IoT security protection system is built as follows:
1) Load the base image:
Load the image: docker load -i sds-image
Tag it: docker tag {image id} sds-image:1.0
List the images: docker images
Here sds-image is the provided base image; it contains a ubuntu-armhf system with net-tools, iptables, telnet, ping, portfwd (a port forwarding program) and tcpdump.
2) Start the virtual containers for the business application (apps) and the security components (sdk1, sdk2, sdk3) from the base image:
docker run -idt --name [apps] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk1] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk2] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk3] --net=none --privileged --init sds-image:1.0 /bin/bash
Here --net=none starts the docker container in "none" network mode, so network interfaces, IP configuration, etc. must be added to the container separately; --privileged means that root inside a container started this way has real root privileges; --init runs an init process inside the container that forwards signals and reaps child processes, which solves the problems of containerized processes not terminating normally and zombie processes not being reclaimed.
Command to enter a container: docker exec -it apps /bin/bash
3) Start the virtual bridge mynet and the forwarding component (fwd) container attached to the mynet bridge:
docker network create -d bridge --subnet=[192.168.122.0/24] --gateway=[192.168.122.1] [mynet]
([mynet] is a customizable bridge name; the subnet and gateway can be chosen freely, and -d specifies the driver type as bridge)
docker run -idt --name [fwd] --net=mynet --privileged --init sds-image:1.0 /bin/bash
(the [fwd] container has one network port connected to ovs and one connected to mynet, which acts like a firewall)
4) Configure the host iptables:
iptables -t nat -nvL
(view the nat table of iptables)
ifconfig [br-31ee69976f88] promisc
(enable promiscuous mode on the newly created bridge; br-31ee69976f88 is the id of the newly created bridge)
iptables -t filter -P FORWARD ACCEPT
(change the default policy of the FORWARD chain in the filter table to ACCEPT)
5) Install the ovs environment and create the virtual switch:
the ovs environment is installed offline through an installation script and requires 12 deb packages;
check whether the ovs environment was installed successfully with the ovs-vsctl --version command;
ovs-vsctl add-br [br0]
([br0] is a customizable virtual switch name);
command to delete the virtual switch: ovs-vsctl del-br br0
6) Add virtual network cards for apps, sdk1, sdk2, sdk3 and fwd:
ovs-docker add-port [br0] [eth1] [1921] --ipaddress=[192.168.121.1] --macaddress=[11:00:00:00:00:01]
([1921] is the apps container id; 1 virtual network card is added for apps, with its mac address and ip address specified at the same time)
ovs-docker add-port [br0] [eth2] [4be1] --ipaddress=[192.168.121.2] --macaddress=[11:00:00:00:00:02]
ovs-docker add-port [br0] [eth3] [4be1] --ipaddress=[192.168.121.3] --macaddress=[11:00:00:00:00:03]
([4be1] is the sdk1 container id; 2 virtual network cards are added for sdk1 with mac and ip addresses specified, one communicating with apps and one with sdk2)
ovs-docker add-port [br0] [eth4] [8879] --ipaddress=[192.168.121.4] --macaddress=[11:00:00:00:00:04]
ovs-docker add-port [br0] [eth5] [8879] --ipaddress=[192.168.121.5] --macaddress=[11:00:00:00:00:05]
([8879] is the sdk2 container id; 2 virtual network cards are added for sdk2 with mac and ip addresses specified, one communicating with sdk1 and one with fwd)
ovs-docker add-port [br0] [eth6] [106b] --ipaddress=[192.168.121.6] --macaddress=[11:00:00:00:00:06]
([106b] is the fwd container id; 1 virtual network card bound to ovs is added for fwd with mac and ip address specified; its other card was generated automatically by bridging to mynet)
ovs-docker add-port [br0] [eth7] [1e47] --ipaddress=[192.168.121.7] --macaddress=[11:00:00:00:00:07]
([1e47] is the sdk3 container id; 1 virtual network card is added for sdk3 with mac and ip address specified; sdk3 is the mirror container)
Command to view the ip and mac addresses of the virtual network cards: ifconfig
7) Configure the routing tables and arp tables:
a) Enter the apps container (docker exec -it apps /bin/bash):
route add -net [192.168.121.0/24] dev [eth1]
route add -net [192.168.122.0/24] dev [eth1]
route add -net [192.168.123.0/24] dev [eth1]
arp -s [192.168.121.2] [11:00:00:00:00:02]
arp -s [192.168.123.235] [11:00:00:00:00:02]
(the mac addresses for all ip addresses in the apps arp table are the mac address of the next hop, eth2)
b) Enter the sdk1 container (docker exec -it sdk1 /bin/bash):
route add -host [192.168.121.1] dev [eth2]
route add -host [192.168.121.4] dev [eth3]
arp -s [192.168.121.1] [11:00:00:00:00:01]
arp -s [192.168.121.4] [11:00:00:00:00:04]
c) Enter the sdk2 container (docker exec -it sdk2 /bin/bash):
route add -host [192.168.121.3] dev [eth4]
route add -host [192.168.121.6] dev [eth5]
arp -s [192.168.121.3] [11:00:00:00:00:03]
arp -s [192.168.121.6] [11:00:00:00:00:06]
d) Enter the fwd container (docker exec -it fwd /bin/bash):
route add -net [192.168.121.0/24] dev [eth6]
route add -net [192.168.122.0/24] dev [eth0]
route add -net [192.168.123.0/24] gw [192.168.122.1] dev [eth0]
arp -s [192.168.121.5] [11:00:00:00:00:05]
e) On the host machine:
route add -net [192.168.121.0/24] gw [192.168.122.1] dev [br-31ee69976f88]
8) Configure the flow table:
ovs-ofctl add-flow [br0] in_port=1,actions=output:2
ovs-ofctl add-flow [br0] in_port=2,actions=output:1
ovs-ofctl add-flow [br0] in_port=3,actions=output:4
ovs-ofctl add-flow [br0] in_port=4,actions=output:3
ovs-ofctl add-flow [br0] in_port=5,actions=output:6
ovs-ofctl add-flow [br0] in_port=6,actions=output:5
Command to view the flow table: ovs-ofctl dump-flows [br0]
Command to delete a flow entry: ovs-ofctl del-flows [br0] in_port=1 (when a new flow entry is added for in_port=1, the old entry is automatically overwritten)
9) Configure the iptables of sdk1 and sdk2:
sdk1:
iptables -t nat -I PREROUTING -d [192.168.123.235] -j DNAT --to [192.168.121.2]
sdk2:
iptables -t nat -I PREROUTING -d [192.168.123.235] -j DNAT --to [192.168.121.4]
(-d is the destination ip address of the packet, and --to is the sdk component's own ip address)
10) Configure the mirror interface:
View port names: ovs-ofctl show br0
View port uuids by name: ovs-vsctl list port
ovs-vsctl -- --id=@m create mirror name=m0 select_dst_port=[uuid] output_port=[uuid] -- set bridge br0 mirrors=@m
(uuid is the uuid of the virtual switch interface obtained with the ovs-vsctl list port command; select_dst_port means mirror copies of the data sent to the interface, select_all means all data passing through the interface, select_src_port means the data sent from the interface, and output_port is the interface from which the mirrored copies are sent out)
(Each mirror can have two data sources, one select_src_port and one select_dst_port. If more than two mirror sources are needed, or two destination sources are to be intercepted, or two source sources are needed in one destination container, add a virtual network card to the ovs virtual switch and then add a new mirror.)
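Step 10 requires pasting port uuids into the mirror command by hand. The shell script below is an added example, not the patent's own tooling: it parses constructed `ovs-vsctl list port` records (the uuids and the trimmed column set are made up for the example), looks up a port's uuid by name and composes the same ovs-vsctl mirror command as step 10. It assumes the step 6 port names (eth3 for sdk1's fwd-side card, eth7 for the sdk3 mirror card) and the mirror name m0.

```shell
#!/bin/bash
# Added example (not part of the patent): look up virtual-switch port uuids
# by name from `ovs-vsctl list port` output and compose the step 10 mirror
# command. SAMPLE_PORTS below is constructed sample output with made-up uuids.

# port_uuid NAME: read `ovs-vsctl list port` records on stdin and print the
# _uuid of the record whose name column equals NAME. Records are blank-line
# separated "column : value" lines; names may be printed with or without quotes.
port_uuid() {
    awk -v want="$1" '
        /^_uuid/ { uuid = $3 }
        /^name/  { n = $3; gsub(/"/, "", n); if (n == want) { print uuid; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# mirror_cmd BRIDGE MIRROR SRC_PORT DST_PORT: print the ovs-vsctl command that
# creates mirror MIRROR on BRIDGE, copying packets sent to SRC_PORT (by uuid)
# out of DST_PORT. Port records are read from stdin; unknown names fail loudly
# instead of producing a command with an empty uuid.
mirror_cmd() {
    local bridge=$1 name=$2 src=$3 dst=$4 records src_uuid dst_uuid
    records=$(cat)
    src_uuid=$(printf '%s\n' "$records" | port_uuid "$src") || { echo "no port named $src" >&2; return 1; }
    dst_uuid=$(printf '%s\n' "$records" | port_uuid "$dst") || { echo "no port named $dst" >&2; return 1; }
    printf 'ovs-vsctl -- --id=@m create mirror name=%s select_dst_port=%s output_port=%s -- set bridge %s mirrors=@m\n' \
        "$name" "$src_uuid" "$dst_uuid" "$bridge"
}

# Constructed sample of `ovs-vsctl list port` output: two records trimmed to the
# columns used here (real output lists every column of the Port table).
SAMPLE_PORTS='_uuid               : 11111111-2222-3333-4444-555555555555
name                : "eth3"
tag                 : []

_uuid               : 66666666-7777-8888-9999-000000000000
name                : eth7
tag                 : []'

# Usage: mirror the traffic the switch sends to sdk1 port eth3 onto the sdk3
# mirror port eth7, the arrangement exercised in the test section.
printf '%s\n' "$SAMPLE_PORTS" | mirror_cmd br0 m0 eth3 eth7
```

On a real proxy, replace the constructed records with `ovs-vsctl list port | mirror_cmd br0 m0 eth3 eth7`; the lookup by name avoids copying the wrong uuid, which would silently mirror a different port.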
11) Start portfwd:
sdk1:
portfwd-arm32 [23] [192.168.121.4:23] [-v]
sdk2:
portfwd-arm32 [23] [192.168.121.6:23] [-v]
fwd:
portfwd-arm32 [23] [192.168.123.235:23] [-v]
(portfwd performs tcp port forwarding, here forwarding of telnet data; the [23] parameter is the listening port, i.e. the data source port; the [192.168.121.4:23] parameter forwards to port 23 of destination ip address 192.168.121.4; [-v] shows execution details)
12) Start telnet:
apps: telnet 192.168.123.235
13) Traffic orchestration:
for example, the order apps -> sdk1 -> sdk2 -> fwd is changed to apps -> sdk2 -> sdk1 -> fwd.
Port matching and traffic orchestration are achieved by running the following script file.
#!/bin/bash
ovs-ofctl add-flow br0 in_port=1,actions=output:4
ovs-ofctl add-flow br0 in_port=4,actions=output:1
ovs-ofctl add-flow br0 in_port=5,actions=output:2
ovs-ofctl add-flow br0 in_port=2,actions=output:5
ovs-ofctl add-flow br0 in_port=3,actions=output:6
ovs-ofctl add-flow br0 in_port=6,actions=output:3
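The script above hard-codes one re-ordering. The shell functions below are an added example, not the patent's code: they generate the paired flow entries for any ordered chain of security components, check the result before it is applied (every in_port matched once, every pairing symmetric, the mirror port never wired into the chain) and walk the flows from the apps port to the fwd port to print the component order they implement. The port numbers are assumed from the add-port order of step 6 (apps eth1 = 1, sdk1 eth2/eth3 = 2/3, sdk2 eth4/eth5 = 4/5, fwd eth6 = 6, sdk3 mirror eth7 = 7); the functions only print commands and never touch the switch.

```shell
#!/bin/bash
# Added example (not from the patent): generate, verify and read back the
# flow-table pairings for an ordered security-component chain on br0.
# Port numbers are assumed from the step 6 add-port order.
APPS_PORT=1
FWD_PORT=6
MIRROR_PORT=7

# Each security component has an apps-side in-port and a fwd-side out-port.
port_in()    { case "$1" in sdk1) echo 2 ;; sdk2) echo 4 ;; *) return 1 ;; esac; }
port_out()   { case "$1" in sdk1) echo 3 ;; sdk2) echo 5 ;; *) return 1 ;; esac; }
comp_by_in() { case "$1" in 2) echo sdk1 ;; 4) echo sdk2 ;; *) return 1 ;; esac; }

# chain_flows COMP...: print the ovs-ofctl commands that wire apps -> COMP... -> fwd,
# one forward and one return entry per hop, as the step 13 script does by hand.
chain_flows() {
    local prev=$APPS_PORT comp inp outp
    for comp in "$@"; do
        inp=$(port_in "$comp") || { echo "unknown component: $comp" >&2; return 1; }
        outp=$(port_out "$comp")
        echo "ovs-ofctl add-flow br0 in_port=$prev,actions=output:$inp"
        echo "ovs-ofctl add-flow br0 in_port=$inp,actions=output:$prev"
        prev=$outp
    done
    echo "ovs-ofctl add-flow br0 in_port=$prev,actions=output:$FWD_PORT"
    echo "ovs-ofctl add-flow br0 in_port=$FWD_PORT,actions=output:$prev"
}

# check_flows: read add-flow commands on stdin; fail if a port is matched twice,
# a pairing is not symmetric, or the mirror port is wired into the chain
# (mirroring must stay independent of the orchestration, as fig. 8 requires).
check_flows() {
    awk -v mirror="$MIRROR_PORT" -F'[=,:]' '
        /^ovs-ofctl add-flow/ {
            src = $2; dst = $5
            if (src == mirror || dst == mirror) { print "mirror port wired into chain" > "/dev/stderr"; bad = 1 }
            if (seen[src]++) { print "in_port " src " matched twice" > "/dev/stderr"; bad = 1 }
            nxt[src] = dst
        }
        END {
            for (p in nxt)
                if (!(nxt[p] in nxt) || nxt[nxt[p]] != p) { print "asymmetric pair from port " p > "/dev/stderr"; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# chain_path: read add-flow commands on stdin and print the component order they
# implement by walking from the apps port to the fwd port; use it to confirm
# that a re-orchestration produces the intended path before applying it.
chain_path() {
    local flows cur=$APPS_PORT nxt comp path=""
    flows=$(cat)
    while :; do
        nxt=$(printf '%s\n' "$flows" | awk -F'[=,:]' -v p="$cur" '$2 == p { print $5; exit }')
        [ -n "$nxt" ] || { echo "no flow from port $cur" >&2; return 1; }
        [ "$nxt" = "$FWD_PORT" ] && break
        comp=$(comp_by_in "$nxt") || { echo "port $nxt is not a component in-port" >&2; return 1; }
        path="${path:+$path->}$comp"
        cur=$(port_out "$comp")
    done
    echo "apps->$path->fwd"
}

# Usage: produce the apps -> sdk2 -> sdk1 -> fwd pairing of the step 13 script,
# verify it, then print the path it implements.
chain_flows sdk2 sdk1 | check_flows && chain_flows sdk2 sdk1 | chain_path
```

`chain_flows sdk2 sdk1` prints exactly the six entries of the step 13 script; piping its output through `sh` applies them. Because add-flow overwrites an existing entry with the same match, running the generated commands replaces the old pairings in place, so `check_flows` is worth running first: a chain that accidentally includes port 7 would turn the mirror into a forwarding hop.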
After the power Internet of Things security protection system is constructed by the method of this embodiment, it is tested: telnet is run in the APPs container as shown in fig. 3.
The program running conditions in SDK1 and SDK2 are shown in fig. 4(a) and 4(b). The tcpdump running conditions in SDK1 and SDK2, shown in fig. 5(a) and 5(b), indicate that the APPs traffic goes from sdk1 to sdk2 and then to the destination host.
As shown in fig. 6, the tcpdump in SDK3 captures the mirrored data; fig. 6 shows that SDK3 has mirrored the traffic data of SDK1, which passes through virtual port No. 3 of the virtual switch.
After running the traffic orchestration script, the tcpdump running conditions in SDK1 and SDK2 are shown in fig. 7(a) and 7(b). They show that the APPs traffic now passes through SDK2 and then SDK1 before reaching the destination host, so dynamic arrangement of the security components is achieved.
As shown in fig. 8, the tcpdump in SDK3 still captures the mirrored data; the SDK1 traffic mirrored by SDK3 is unchanged and is not affected by the dynamic arrangement.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to exhaust all embodiments here, and variations or modifications that are apparent to those skilled in the art remain within the scope of the invention.

Claims (9)

1. A power Internet of Things security protection system based on a virtual switch framework, applied to an edge Internet of Things proxy, characterized in that the power Internet of Things security protection system comprises: a virtual switch and a plurality of security components,
the security components are respectively packaged in a virtual container and connected with the virtual switch;
the virtual switch is provided with a plurality of virtual ports, and is connected with the safety component through the virtual ports; the virtual switch performs pairwise matching on the virtual ports through the flow table items, controls the transmission sequence of the data messages among the safety components, and realizes the arrangement of the safety components;
the system further comprises a forwarding component and a virtual bridge,
the forwarding component is packaged in a virtual container and comprises two virtual network ports, and is respectively connected with the virtual switch and the virtual network bridge through the two virtual network ports, and is used for receiving a data message sent by the safety component and sending the data message to a target host through the virtual network bridge, or receiving a data packet through the virtual network bridge and sending the data packet to the safety component;
the virtual network bridge is respectively connected with the forwarding component and the operating system in the edge internet of things proxy, receives the data message, and sends the data message to the operating system, wherein the data message is forwarded by the operating system and is sent to a target host through a physical network port in the edge internet of things proxy.
2. The virtual switch frame based power internet of things security protection system of claim 1, further comprising:
the service application is packaged in a virtual container, is connected with the virtual switch through a virtual port on the virtual switch, runs in the virtual switch, and is used for sending and/or receiving data packets to an appointed destination address and port through the security component.
3. The electrical power internet of things safety protection system of claim 1,
the virtual switch and the virtual bridge work in different network segments, and a virtual network port connected with the virtual switch in the forwarding component and the virtual switch work in the same network segment;
and a virtual network port connected with the virtual network bridge in the forwarding component and the virtual network bridge work in the same network segment.
4. The electrical power internet of things safety protection system of claim 1,
after the security component receives the data message through the virtual port, the original destination IP in the data message is changed into the self IP of the security component according to the destination address conversion rule in the firewall, and the application layer of the security component processes the data message and packages and sends the data message.
5. The power internet of things security system of claim 1 or 4, wherein the security component comprises a security access component,
the safety access component is used for carrying out safety interaction with the Internet of things sensing terminal, and generating the identifier of the Internet of things sensing terminal by utilizing the software and hardware fingerprint information of the Internet of things sensing terminal.
6. The power internet of things security system of claim 1, 4 or 5, wherein the security component comprises a security access component,
the security access component is used for performing security interaction with the Internet of things management platform.
7. The electrical power internet of things safety protection system of claim 6,
the secure access component supports SSAL/SSL protocols.
8. The power internet of things security system of claim 6 or 7, wherein the security component comprises a security monitoring component,
the security monitoring component is used for performing security monitoring on data transmitted in the virtual switch, sending a monitoring result to the security access component, and sending the monitoring result to the Internet of things management platform through the security access component.
9. The power internet of things security system of claim 8, wherein the virtual port comprises a mirrored port,
the safety monitoring component is connected with the virtual switch through the mirror image port;
the mirror image port is used for acquiring mirror image data of the appointed virtual port, the mirror image data is input into the safety monitoring component, and the safety monitoring component monitors the safety of the mirror image data to obtain a monitoring result.
CN202111435812.5A 2021-11-29 2021-11-29 Electric power thing networking safety protection system based on virtual switch frame Active CN114143076B (en)

Publications (2)

Publication Number Publication Date
CN114143076A CN114143076A (en) 2022-03-04
CN114143076B true CN114143076B (en) 2024-01-19

Family

ID=80389161


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant