CN114363902A - Method, device, equipment and storage medium for guaranteeing 5G private network service safety - Google Patents

Method, device, equipment and storage medium for guaranteeing 5G private network service safety

Info

Publication number
CN114363902A
Authority
CN
China
Prior art keywords
server
address
terminal
service access
access request
Legal status
Pending
Application number
CN202210007749.3A
Other languages
Chinese (zh)
Inventor
张勍
秦小飞
曹亢
冯毅
丁雨明
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202210007749.3A
Publication of CN114363902A

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a method, a device, equipment and a storage medium for guaranteeing 5G private network service security, and belongs to the field of network security. The method comprises the following steps: receiving a service access request of a terminal, and parsing it to obtain the server address carried in the service access request; querying the address records of the servers according to that server address, and determining the current address of a first server to be accessed by the terminal, where an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address; and forwarding the service access request to the current address of the first server, so that the first server performs service processing according to the service access request. Because the service access request is forwarded to the server's address on the terminal's behalf, the server's address does not have to be fed back to the terminal for the terminal to initiate service access itself; the terminal is thus prevented from learning the server's address and using it to launch an attack, and the security guarantee capability of high-security-level services is improved.

Description

Method, device, equipment and storage medium for guaranteeing 5G private network service safety
Technical Field
The present application relates to network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for guaranteeing security of a 5G private network service.
Background
The 5G private network has the characteristics of large bandwidth, low latency and wide connectivity, and provides enterprise users and industrial internet terminals with a data transmission channel that is separate from the public network and oriented to the requirements of new digital services. Since the 5G private network often serves the core production and management business of an enterprise, 5G private network users usually place higher requirements on network security than public network users do.
Currently, a server with a high security level is configured with a random, time-varying Internet Protocol (IP) address. The traditional solution for accessing a server with a time-varying IP address is to configure a Domain Name Server (DNS): when a terminal has a service demand, it initiates a service access to a domain name; the access is first sent to the DNS, which performs domain name resolution to identify the latest IP address corresponding to the domain name; the DNS returns that IP address to the terminal, and the terminal then initiates the service access to it.
However, this solution still exposes the IP address of the server to the terminal, and the terminal may launch an attack against that IP address, so the protection of the high-security-level service is insufficient.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for guaranteeing the safety of a 5G private network service, which are used for improving the safety guarantee capability of a high-safety-level service.
In a first aspect, the present application provides a method for guaranteeing security of a 5G private network service, including: receiving a service access request of a terminal, and parsing it to obtain the server address carried in the service access request; querying the address records of the servers according to that server address, and determining the current address of a first server to be accessed by the terminal, where an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address; and forwarding the service access request to the current address of the first server, so that the first server performs service processing according to the service access request.
In this way, the address records of the servers are queried using the server address carried in the service access request. When that address exists in an address record, the corresponding server is the server the terminal intends to access, namely the first server, and its current address can be determined; thus the current address of a server configured with a time-varying IP address is obtained. By forwarding the service access request to that current address, the terminal's service access is completed without feeding the server's address back to the terminal, and the security guarantee capability of the high-security-level service is improved.
Further, after receiving the service access request of the terminal, the method further includes: parsing the request to obtain a terminal identifier of the terminal; and if the terminal identifier is not in a preset white list, rejecting the service access of the terminal.
Access by terminals not on the white list to the server is restricted, which further improves the security guarantee capability of high-security-level services.
Further, receiving the service access request of the terminal includes: receiving the service access request of the terminal as forwarded by the 5G user plane function module. Forwarding the service access request to the current address of the first server includes: if the terminal identifier is in the preset white list, sending the current address of the first server to the 5G user plane function module, so that the 5G user plane function module forwards the terminal's service access request to the current address of the first server.
This makes clear that, under the 5G network architecture, the terminal is isolated from the latest address of the server by means of the 5G user plane function module, so that an attack launched by a terminal that has learned the server's latest address is avoided.
Further, rejecting the service access of the terminal if the terminal identifier is not in the preset white list includes: if the terminal identifier is not in the preset white list, sending a blocking service identifier to the 5G user plane function module, so that the 5G user plane function module does not forward the service access request.
This makes clear that, under the 5G network architecture, access by non-white-list terminals to the server is restricted by sending the blocking service identifier to the 5G user plane function module, which improves the security guarantee capability of the high-security-level service.
Further, the method for guaranteeing the security of the 5G private network service further comprises: if the address records of the servers do not include the server address, forwarding the service access request to the server address.
In this case, when the server address parsed from the service access request does not exist in any address record, the current address of the server to be accessed by the terminal is the parsed server address itself, and the service access request is forwarded to that address so that the terminal's service access can be completed.
Further, forwarding the service access request to the server address includes: if the address records of the servers do not include the server address, sending the server address to the 5G user plane function module, so that the 5G user plane function module forwards the terminal's service access request to the server address.
This makes clear that, under the 5G network architecture, the 5G user plane function module also provides the terminal with access to a server that is not configured with a time-varying IP address.
Further, the method for guaranteeing the security of the 5G private network service further comprises: synchronously updating the address records of the servers according to the latest addresses of the servers.
This makes clear that after a server changes its IP address according to a preset rule, its latest address and its historical addresses are updated and recorded.
The apparatus, electronic device, and computer storage medium provided by the present application are described below, and the contents and effects thereof can be referred to in the method section.
In a second aspect, the present application provides a 5G private network service security guarantee device, including: an analysis and identification module, configured to receive a service access request of the terminal and parse it to obtain the server address carried in the service access request; a synchronization module, configured to query the address records of the servers according to the server address and determine the current address of a first server to be accessed by the terminal, where an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address; and a forwarding module, configured to forward the service access request to the current address of the first server so that the first server performs service processing according to the service access request.
Further, the analysis and identification module is also configured to parse the request to obtain the terminal identifier of the terminal, and to reject the service access of the terminal if the terminal identifier is not in the preset white list.
Further, the analysis and identification module is specifically configured to receive a service access request of the terminal forwarded by the 5G user plane function module, and analyze and obtain a server address in the service access request; and the forwarding module is specifically configured to send the current address of the first server to the 5G user plane function module if the terminal identifier is in the preset white list, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server.
Further, the forwarding module is further configured to send a service blocking identifier to the 5G user plane function module if the terminal identifier is not in the preset white list, so that the 5G user plane function module does not perform forwarding of the service access request.
Further, the forwarding module is further configured to forward the service access request to the server address if the address record of each server does not include the server address.
Further, the forwarding module is specifically configured to send the server address to the 5G user plane function module if the address record of each server does not include the server address, so that the 5G user plane function module forwards the service access request of the terminal to the server address.
Further, the synchronization module is further configured to update the address records of the servers synchronously according to the latest addresses of the servers.
In a third aspect, the present application provides an electronic device, comprising: a processor, and a memory communicatively coupled to the processor; the memory stores computer-executable instructions; the processor executes computer-executable instructions stored by the memory to implement the method of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions for performing the method of the first aspect when executed by a processor.
The method, device, equipment and storage medium for guaranteeing the service security of the 5G private network provided by the present application comprise the following steps: receiving a service access request of a terminal, and parsing it to obtain the server address carried in the service access request; querying the address records of the servers according to that server address, and determining the current address of a first server to be accessed by the terminal, where an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address; and forwarding the service access request to the current address of the first server, so that the first server performs service processing according to the service access request. By querying the address records of the servers, the latest address of a high-security-level server configured with a time-varying IP address is obtained; by forwarding the service access request to that latest address, the terminal's service access is completed without feeding the server's address back to the terminal, thereby improving the security guarantee capability of the high-security-level service.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is an application scenario of a 5G private network service security guarantee method exemplarily provided in the present application;
Fig. 2 is a flowchart of a method for guaranteeing security of a 5G private network service according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for restricting service access of a non-white-list terminal according to an embodiment of the present application;
Fig. 4 is a flowchart of a 5G private network service security guarantee method based on a 5G user plane function module according to an embodiment of the present application;
Fig. 5 is a flowchart of another 5G private network service security guarantee method based on a 5G user plane function module according to an embodiment of the present application;
Fig. 6 is a flowchart of another 5G private network service security guarantee method according to an embodiment of the present application;
Fig. 7 is a flowchart of a further 5G private network service security guarantee method based on a 5G user plane function module according to an embodiment of the present application;
Fig. 8 is a flowchart of a further 5G private network service security guarantee method based on a 5G user plane function module according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a 5G private network service security guarantee device according to a second embodiment of the present application;
Fig. 10 is a schematic structural diagram of another 5G private network service security guarantee device according to the second embodiment of the present application;
Fig. 11 is a schematic structural diagram of another 5G private network service security guarantee device according to the second embodiment of the present application;
Fig. 12 is a schematic structural diagram of a further 5G private network service security guarantee device according to the second embodiment of the present application;
Fig. 13 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of the present application.
The terms to which this application relates will first be introduced:
A 5G private network, also called a local 5G network or private 5G network, refers to a mobile communication network dedicated to a particular industry or enterprise. In contrast to a private network, the 2G/3G/4G/5G mobile communication network that smartphones connect to is called a public network. A public network is a "public place": hundreds of millions of mobile users share the same network, resources and network devices in the same frequency band. The concept of a private network is not new; private networks have existed since 2G/3G/4G, for example railway private networks, public safety private networks and military private networks.
The 5G private network provides a new mode of data production and transmission for the new data requirements that arise in the digital transformation of enterprises. It makes full use of its large bandwidth, low latency and wide connectivity to provide enterprise users and industrial internet terminals with a data transmission channel that is separate from the public network and oriented to the requirements of new digital services. Since the 5G private network often serves the core production and management business of an enterprise, 5G private network users usually place higher requirements on network security than public network users do. For example, a random, time-varying IP address needs to be configured for a server with a high security level, to prevent a terminal from learning the server's IP address and launching an attack.
To meet this security requirement, the conventional scheme for accessing a server with a time-varying IP address is to configure a Domain Name Server (DNS): when a terminal has a service requirement, it initiates a service access to a domain name; the access is first sent to the DNS, which performs domain name resolution, that is, identifies the latest IP address corresponding to the domain name; the DNS then sends that IP address to the terminal, and the terminal initiates the service access to it.
Although this scheme does allow access to a service with a time-varying IP address, domain name resolution must complete first and the terminal must then initiate access a second time, so the domain name server still has to send the server's latest IP address to the terminal; that is, the server's IP address is exposed and the protection of the high-security-level server is insufficient. In addition, because the 5G private network often carries delay-sensitive services such as remote control, the extra round trip in this access procedure adds delay.
The application provides a method, a device, equipment and a storage medium for guaranteeing 5G private network service safety, and aims to solve the technical problems in the prior art.
The present application can be applied to the application scenario shown in fig. 1. The terminal shown in fig. 1 is a device that can initiate a service request to a server, for example a smartphone, tablet computer or desktop computer with web access capability. Under the communication architecture of the 5G private network, when a terminal initiates a service access to a server through a 5G base station, for example an access request to the domain name or IP address of a website, the terminal identifier, the server address to be accessed and the service request are packaged and sent to the 5G private network service security guarantee device, and the service request is sent on to the server after the device has parsed and screened it.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Example one
Fig. 2 is a flowchart of a 5G private network service security guaranteeing method provided in an embodiment of the present application, including the following steps:
S100, receiving a service access request of a terminal, and parsing it to obtain the server address carried in the service access request.
The terminal may be a mobile terminal that accesses the internet through wireless communication: a mobile phone or tablet computer, or a wireless terminal in industrial control, autonomous driving, telemedicine, a smart grid, a smart city or a smart home, or a vehicle-mounted terminal, and the like. The terminal may also be a fixed terminal, such as a conventional desktop computer connected to a router or portal via a network connection to access the internet.
S200, querying the address records of the servers according to the server address, and determining the current address of a first server to be accessed by the terminal; an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address.
Specifically, when the server address parsed from the service access request exists in an address record, the server corresponding to that record is the first server, and the valid address at which the first server can currently be accessed is determined from the correspondence between the current address and the historical addresses in the record.
The server corresponding to the address record is configured with a time-varying IP address, and can randomly and dynamically change its own IP address to improve its own security.
S300, the service access request is forwarded to the current address of the first server, so that the first server executes service processing according to the service access request.
The server address parsed from the service access request may be any location identifier of a computer, such as a domain name or an IP address; accordingly, the address records of the servers also hold domain names and IP addresses. It should be noted that an IP address is a logical address that uniquely identifies a computer on the internet so that computers can communicate with each other; every networked computer is distinguished from, and associated with, the others by its IP address. Because an IP address is a numeric label that is hard to remember and to write, a symbolic addressing scheme was built on top of IP addresses to replace the numeric form. Each symbolic address corresponds to a particular IP address, which facilitates access to resources on the network. This character-type address, which corresponds to a numeric IP address on the network, is called a domain name.
When the server address parsed from the service access request exists in the address records, it may hit either a historical address or the current address in a record. For example, if the server's IP address has been updated by the time the terminal initiates the service access, the server address in the request matches one of the historical addresses in the address records, and the corresponding current address is obtained through the correspondence in the record, so that the server is reached effectively.
Correspondingly, if the server's IP address has not been updated when the terminal initiates the service access, the server address in the request matches one of the current addresses in the address records, and the parsed server address is accessed directly, which again reaches the server effectively.
Further, the method for guaranteeing security of the 5G private network service provided in the embodiment of the present application further includes: synchronously updating the address records of the servers according to the latest addresses of the servers. Specifically, to ensure that the IP address used for service access remains valid, after a server configured with a time-varying IP address changes its IP address according to a preset rule, its address record must be updated.
The current address of the first server to be accessed by the terminal is determined by querying the address records of the servers, so the latest address of a high-security-level server with a time-varying IP address is obtained; the service access request is forwarded to that latest address, which satisfies the terminal's service access requirement without the obtained latest address being fed back to the terminal. The security guarantee capability of the high-security-level service is thereby improved and, at the same time, service access delay is reduced.
In practical application, the executing entity of the 5G private network service security guarantee method may be a service security guarantee device that depends on the 5G private network. The device may be a base station or other network equipment that terminals can access and that provides 5G private network communication service. The device may be implemented by a computer program, e.g., application software; alternatively, the device may be implemented as a medium storing the related computer program, for example a USB disk or a cloud disk; still alternatively, the device may be implemented by a physical device, e.g., a chip, into which the related computer program is integrated or installed.
Further, after receiving the service access request of the terminal in step S100, the method further includes: parsing the request to obtain a terminal identifier of the terminal; and if the terminal identifier is not in the preset white list, rejecting the service access of the terminal. Fig. 3 is a flowchart for restricting service access of a non-white-list terminal according to an embodiment of the present application. The method comprises the following specific steps:
S110, receiving a service access request of a terminal;
S120, parsing the service access request to obtain the server address, and parsing it to obtain the terminal identifier of the terminal;
S130, judging whether the terminal identifier is in a preset white list;
if the terminal identifier is not in the preset white list, executing S140, rejecting the service access of the terminal;
if the terminal identifier is in the preset white list, executing S200, querying the address records of the servers according to the server address, and determining the current address of a first server to be accessed by the terminal, where an address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address;
S300, forwarding the service access request to the current address of the first server, so that the first server performs service processing according to the service access request.
In S120, the order in which the server address and the terminal identifier are parsed from the service access request is not limited in this embodiment; they may be parsed simultaneously or one after the other. Since the white list is set according to preset rules, and the terminal identifiers in the white lists of different servers may differ, the determination must be made in combination with the specific server.
Restricting access by non-white-list terminals to the server further improves the security guarantee capability of the high-security-level service.
It should be noted that the User Plane Function (UPF) is an important component of the 3rd Generation Partnership Project (3GPP) 5G core network system architecture, and mainly supports routing and forwarding of User Equipment (UE) service data, data and service identification, action and policy enforcement, and the like.
Based on the 5G industry network architecture, receiving the service access request of the terminal in S110 specifically includes: receiving the service access request of the terminal as forwarded by the 5G user plane function module. Forwarding the service access request to the current address of the first server in S300 specifically includes: if the terminal identifier is in the preset white list, sending the current address of the first server to the 5G user plane function module, so that the 5G user plane function module forwards the terminal's service access request to the current address of the first server.
Specifically, fig. 4 is a flowchart of a 5G private network service security guaranteeing method based on a 5G user plane function module according to an embodiment of the present application. The method comprises the following steps:
S111, receiving the service access request of the terminal forwarded by the 5G user plane function module;
S120, parsing the service access request to obtain the server address and the terminal identifier of the terminal;
S130, judging whether the terminal identifier is in the preset white list;
if the terminal identifier is not in the preset white list, executing S140, refusing the service access of the terminal;
if the terminal identifier is in the preset white list, executing S200, querying the address records of all servers according to the server address and determining the current address of the first server to be accessed by the terminal, where each address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address;
S301, sending the current address of the first server to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server.
Based on the network architecture of the 5G industry, the terminal is isolated from the latest address of the server by the 5G user plane function module, so that a terminal cannot obtain the latest address of the server and use it to launch an attack.
On the basis of the above example, refusing the service access of the terminal when the terminal identifier is not in the preset white list includes: if the terminal identifier is not in the preset white list, sending a blocking service identifier to the 5G user plane function module, so that the 5G user plane function module does not forward the service access request.
Specifically, fig. 5 is a flowchart of another 5G private network service security guaranteeing method based on a 5G user plane function module according to an embodiment of the present application. Compared with fig. 4, S140 is replaced by S141. S141 is: sending a blocking service identifier to the 5G user plane function module so that the 5G user plane function module does not forward the service access request. Based on the network architecture of the 5G industry, access by non-white-list terminals to the server is restricted by sending a blocking service identifier to the 5G user plane function module, which improves the security guarantee capability of high-security-level services.
The method for guaranteeing the service security of the 5G private network provided by the embodiment of the application further comprises the following step: if the address records of the servers do not include the server address, forwarding the service access request to the server address.
Specifically, when the server to be accessed by the terminal is not configured with a time-varying IP address, the address records of the servers do not include the server address parsed from the service access request; that server address is then already the current address of the server to be accessed, and the service access request is forwarded directly to the parsed server address, so that the corresponding server can perform service processing according to the service access request.
Exemplarily, fig. 6 is a flowchart of another 5G private network service security guaranteeing method provided in an embodiment of the present application. The execution steps are as follows:
S100, receiving a service access request of a terminal, and parsing it to obtain the server address in the service access request;
S210, querying the address records of all servers according to the server address;
S400, judging whether the address records of the servers include the server address;
if not, executing S500, forwarding the service access request to the server address, so that the corresponding server performs service processing according to the service access request;
if yes, executing S220, determining the current address of the first server to be accessed by the terminal, and then S300, forwarding the service access request to the current address of the first server, so that the first server performs service processing according to the service access request.
Further, based on the network architecture of the 5G industry, forwarding the service access request to the server address specifically includes: if the address records of the servers do not include the server address, sending the server address to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the server address.
Specifically, fig. 7 is a flowchart of a further 5G private network service security guaranteeing method based on a 5G user plane function module according to an embodiment of the present application. Compared with fig. 6, S500 is replaced by S501. S501 is: sending the server address to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the server address.
Based on the network architecture of the 5G industry, fig. 8 is a flowchart of a further 5G private network service security guaranteeing method based on a 5G user plane function module according to an embodiment of the present application. The execution steps are as follows:
S111, receiving the service access request of the terminal forwarded by the 5G user plane function module;
S120, parsing the service access request to obtain the server address and the terminal identifier of the terminal;
S130, judging whether the terminal identifier is in the preset white list;
if the terminal identifier is not in the preset white list, executing S141, sending a blocking service identifier to the 5G user plane function module, so that the 5G user plane function module does not forward the service access request;
if the terminal identifier is in the preset white list, executing S210, querying the address records of all servers according to the server address;
S400, judging whether the address records of the servers include the server address;
if not, executing S501, sending the server address to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the server address;
if yes, executing S220, determining the current address of the first server to be accessed by the terminal;
S301, sending the current address of the first server to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server.
The method for guaranteeing the service security of the 5G private network provided by the embodiment of the application comprises the following steps: receiving a service access request of a terminal, and analyzing to obtain a server address in the service access request; inquiring address records of all servers according to the server addresses, and determining the current address of a first server to be accessed by the terminal; the address record comprises the current address and the historical address of the server, and the address record of the first server comprises the address of the server; and forwarding the service access request to the current address of the first server so that the first server executes service processing according to the service access request. The latest address of the high-security-level server configured with the time-varying IP address is acquired by inquiring the address record of each server; the service access of the terminal is realized by forwarding the service access request to the latest address without feeding back the address of the server to the terminal, thereby improving the safety guarantee capability of the high-safety-level service.
Example two
Fig. 9 is a schematic structural diagram of a 5G private network service security device according to an embodiment of the present application, including: a parsing and identification module 10, a synchronization module 20 and a forwarding module 30. The parsing and identification module 10 is configured to receive a service access request of a terminal and parse it to obtain the server address in the service access request; the synchronization module 20 is configured to query the address records of each server according to the server address and determine the current address of a first server to be accessed by the terminal, where each address record comprises the current address and the historical addresses of a server, and the address record of the first server comprises the parsed server address; and the forwarding module 30 is configured to forward the service access request to the current address of the first server, so that the first server performs service processing according to the service access request.
The server address parsed from the service access request may be any location identifier of a host, such as a domain name or an IP address, and the address record of each server likewise contains a domain name and IP addresses. When the parsed server address exists in an address record, it may match either a historical address or the current address in that record.
Specifically, if the server's IP address has already been updated by the time the terminal initiates service access, the server address in the service access request equals one of the historical addresses in the address records, and the corresponding current address is obtained through the mapping in the address record, so that the server is still reached.
Alternatively, if the server's IP address has not yet been updated when the terminal initiates service access, the server address in the service access request equals one of the current addresses in the address records, and the parsed server address is accessed directly, which again reaches the server.
Further, the synchronization module 20 is further configured to synchronously update the address records of the servers according to the latest addresses of the servers. Typically, high security level servers are configured with time-varying IP addresses.
Fig. 10 is a schematic structural diagram of another 5G private network service security device according to the second embodiment of the present disclosure, which includes a parsing and identification module 10, a synchronization module 20, a forwarding module 30, and a high security level server module 40. As shown in fig. 10, the high security level server module 40 is connected to the forwarding module 30. Specifically, to ensure that the IP address used for service access remains valid, after a server configured with a time-varying IP address changes its own IP address according to a preset rule, the address record of that server must be updated.
Further, the parsing and identifying module 10 is further configured to parse and obtain a terminal identifier of the terminal; and if the terminal identification is not in the preset white list, rejecting the service access of the terminal. The safety guarantee capability of the high-safety-level service is further improved by limiting the access of the non-white list terminal to the server.
Fig. 11 is a schematic structural diagram of another 5G private network service security device according to the second embodiment of the present application, including an analysis and identification module 10, a synchronization module 20, a forwarding module 30, a high security level server module 40, and a 5G user plane function module 50.
Under the network architecture of the 5G private network, the parsing and identification module 10 is specifically configured to receive the service access request of the terminal forwarded by the 5G user plane function module 50. The forwarding module 30 is specifically configured to send the current address of the first server to the 5G user plane function module if the terminal identifier is in the preset white list, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server. In the embodiment of the application, the terminal is isolated from the latest address of the server by the 5G user plane function module 50, so that a terminal cannot obtain the latest address of the server and use it to launch an attack.
Further, the forwarding module 30 is further configured to send a service blocking identifier to the 5G user plane function module 50 if the terminal identifier is not in the preset white list, so that the 5G user plane function module 50 does not perform forwarding of the service access request.
For a high-security-level server whose IP address changes randomly in a 5G private network, the 5G private network service security guarantee device provided in the embodiment of the present application needs no DNS server: IP address information is synchronized between the synchronization module 20 and the high security level server module 40, and the 5G user plane function module 50 forwards the terminal's service access request directly to the correct address of the high-security-level server. The terminal can therefore access the server with low latency, and access by non-white-list terminals is restricted, which improves the security guarantee capability of high-security-level services and reduces service access latency.
Further, the forwarding module 30 is further configured to forward the service access request to the server address if the address record of each server does not include the server address.
Specifically, when the server to be accessed by the terminal is not configured with a time-varying IP address, the address records of the servers do not include the server address parsed from the service access request; that server address is then already the current address of the server to be accessed, and the service access request is forwarded directly to the parsed server address, so that the corresponding server can perform service processing according to the service access request.
Further, the forwarding module 30 is specifically configured to send the server address to the 5G user plane function module if the address records of the servers do not include the server address, so that the 5G user plane function module forwards the service access request of the terminal to the server address. Based on the network architecture of the 5G industry, the embodiment of the present application thus also supports access to servers that are not configured with a time-varying IP address through the 5G user plane function module 50.
In one example, the aforementioned parsing and identification module 10 and forwarding module 30 may be combined into a data processing module 60 as shown in fig. 12. Fig. 12 is a schematic structural diagram of another 5G private network service security device according to the second embodiment of the present application. With reference to fig. 12, an example of the information exchange and operation flow between the modules of the 5G private network service security guarantee device provided in the embodiment of the present application is described below.
The 5G user plane function module 50 is configured to receive a service access request sent by the terminal through the base station and pass it to the data processing module 60. The 5G user plane function module 50 then acts on the information fed back by the data processing module 60: if it receives the blocking service identifier, it does not forward the service access request; otherwise it forwards the service access request to the destination address received from the data processing module 60.
The data processing module 60 is configured to identify the first server address and the terminal identifier in the service access request and, if the terminal identifier belongs to a non-white-list terminal according to the preset rule, to send a blocking service identifier to the 5G user plane function module 50; otherwise it sends the first server address to the synchronization module 20. If the synchronization module 20 feeds back a latest address, that latest address is sent to the 5G user plane function module 50; if no latest address is fed back, the first server address itself is sent to the 5G user plane function module 50. The first server address may be a domain name, an IP address, or the like.
The synchronization module 20 is used to synchronize address update information with the high security level server module 40. The synchronization module 20 receives the latest address information sent by the high security level server module 40, and records the historical address information and domain name information of the server. When the received first server address sent by the data processing module 60 hits the historical address or domain name of a server with a high security level, the latest address of the server is sent to the data processing module 60. If there is no hit, no information is sent to the data processing module 60.
The high security level server module 40 is configured to process a service access request of a user, change an IP address of the high security level server according to a preset rule, and send the changed IP address information to the synchronization module 20.
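A constructed Python model of the module interaction just described (and of the fig. 8 steps S111 to S301 above), added here as an illustration; it is not code from the patent. The module names, the IMSI-style terminal identifiers, the domain mes.plant.internal and the 10.20.0.0/16 addresses are assumptions.

```python
"""Model of fig. 12: synchronization module (address records with current and
historical addresses), data processing module (white list + lookup), high
security level server module (IP rotation) and a UPF that forwards without
ever handing the server's current address back to the terminal."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK = "block"  # stands in for the "blocking service identifier"


@dataclass
class AddressRecord:
    """Address record of one high-security-level server (assumed shape)."""
    domain: str
    current: str
    history: List[str] = field(default_factory=list)


class SynchronizationModule:
    """Synchronization module 20: keeps every server's address record."""

    def __init__(self) -> None:
        self._records: Dict[str, AddressRecord] = {}

    def register(self, domain: str, ip: str) -> None:
        self._records[domain] = AddressRecord(domain=domain, current=ip)

    def update(self, domain: str, new_ip: str) -> None:
        """Called by the high security level server module after it changes
        its IP: the previous current address becomes a historical address."""
        rec = self._records[domain]
        if new_ip != rec.current:
            rec.history.append(rec.current)
            rec.current = new_ip

    def lookup(self, server_address: str) -> Optional[str]:
        """Latest address if server_address hits a domain, a current address
        or a historical address of a record; None when nothing hits."""
        for rec in self._records.values():
            if server_address in (rec.domain, rec.current) or server_address in rec.history:
                return rec.current
        return None


class HighSecurityServerModule:
    """High security level server module 40: rotates its IP and reports it."""

    def __init__(self, domain: str, ip: str, sync: SynchronizationModule) -> None:
        self.domain, self.ip, self._sync = domain, ip, sync
        sync.register(domain, ip)

    def rotate(self, new_ip: str) -> None:
        self.ip = new_ip
        self._sync.update(self.domain, new_ip)


class DataProcessingModule:
    """Data processing module 60: white-list check, then address lookup."""

    def __init__(self, sync: SynchronizationModule, whitelist) -> None:
        self._sync = sync
        self._whitelist = set(whitelist)

    def decide(self, terminal_id: str, server_address: str) -> str:
        """BLOCK (S141), the latest address (S301) or the parsed address
        itself when no record contains it (S501)."""
        if terminal_id not in self._whitelist:
            return BLOCK
        latest = self._sync.lookup(server_address)
        return latest if latest is not None else server_address


class UserPlaneFunction:
    """UPF module 50: forwards or drops; the terminal only learns the outcome,
    never the address the request was actually sent to."""

    def __init__(self, dpm: DataProcessingModule) -> None:
        self._dpm = dpm
        self.forward_log: List[Tuple[str, str, str]] = []  # (terminal, requested, actual)

    def handle(self, terminal_id: str, server_address: str) -> str:
        dest = self._dpm.decide(terminal_id, server_address)
        if dest == BLOCK:
            return "blocked"
        self.forward_log.append((terminal_id, server_address, dest))
        return "forwarded"


def demo() -> Dict[str, str]:
    """Constructed scenario: one rotating server, one white-listed terminal."""
    sync = SynchronizationModule()
    server = HighSecurityServerModule("mes.plant.internal", "10.20.0.5", sync)
    upf = UserPlaneFunction(DataProcessingModule(sync, ["imsi-460011234567890"]))
    server.rotate("10.20.0.71")  # terminal still only knows 10.20.0.5
    results = {
        "stale_ip": upf.handle("imsi-460011234567890", "10.20.0.5"),
        "not_whitelisted": upf.handle("imsi-460019999999999", "10.20.0.5"),
        "static_server": upf.handle("imsi-460011234567890", "10.20.9.9"),
    }
    results["actual_destination"] = upf.forward_log[0][2]  # "10.20.0.71"
    return results


if __name__ == "__main__":
    print(demo())
```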
The 5G private network service security guarantee device provided by the embodiment of the application comprises: the analysis and identification module 10 is used for receiving a service access request of a terminal and analyzing to obtain a server address in the service access request; a synchronization module 20, configured to query address records of each server according to the server address, and determine a current address of a first server to be accessed by the terminal; the address record comprises the current address and the historical address of the server, and the address record of the first server comprises the address of the server; and a forwarding module 30, configured to forward the service access request to the current address of the first server, so that the first server performs service processing according to the service access request. According to the method and the device, the latest address of the high-security-level server configured with the time-varying IP address is acquired by inquiring the address record of each server; the service access of the terminal is realized by forwarding the service access request to the latest address without feeding back the address of the server to the terminal, thereby improving the safety guarantee capability of the high-safety-level service.
Example three
Fig. 13 is a schematic structural diagram of an electronic device according to a third embodiment of the present application, and as shown in fig. 13, the electronic device includes:
a processor 291 and a memory 292; a communication interface 293 and a bus 294 may also be included. The processor 291, the memory 292 and the communication interface 293 may communicate with each other via the bus 294. The communication interface 293 may be used for the transmission of information. The processor 291 may invoke logic instructions in the memory 292 to perform the methods of the embodiments described above.
Further, the logic instructions in the memory 292 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product.
The memory 292 is a computer-readable storage medium for storing software programs, computer-executable programs, such as program instructions/modules corresponding to the methods in the embodiments of the present application. The processor 291 executes the functional application and data processing by executing the software program, instructions and modules stored in the memory 292, so as to implement the method in the above method embodiments.
The memory 292 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal device, and the like. Further, the memory 292 may include a high speed random access memory and may also include a non-volatile memory.
The embodiment of the application provides a computer-readable storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are executed by a processor to implement the method provided by the first embodiment.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (16)

1. A 5G private network service security guarantee method, characterized by comprising the following steps:
receiving a service access request of a terminal, and analyzing to obtain a server address in the service access request;
inquiring address records of all servers according to the server addresses, and determining the current address of a first server to be accessed by the terminal; the address record comprises a current address and a historical address of a server, and the address record of the first server comprises the address of the server;
and forwarding the service access request to the current address of the first server so that the first server executes service processing according to the service access request.
2. The method of claim 1, wherein after receiving the service access request of the terminal, further comprising:
analyzing to obtain a terminal identifier of the terminal;
and if the terminal identification is not in a preset white list, rejecting the service access of the terminal.
3. The method of claim 2, wherein receiving the service access request of the terminal comprises:
receiving a service access request of the terminal forwarded by the 5G user plane function module;
the forwarding the service access request to the current address of the first server includes:
and if the terminal identifier is in a preset white list, sending the current address of the first server to the 5G user plane function module, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server.
4. The method of claim 3, wherein the denying the service access of the terminal if the terminal identifier is not in a predefined white list comprises:
and if the terminal identifier is not in a preset white list, sending a blocking service identifier to the 5G user plane function module, so that the 5G user plane function module does not execute forwarding of the service access request.
5. The method of claim 3, further comprising:
and if the address records of the servers do not comprise the server addresses, forwarding the service access requests to the server addresses.
6. The method of claim 5, wherein forwarding the service access request to the server address comprises:
and if the address records of the servers do not comprise the server addresses, sending the server addresses to the 5G user plane function module, so that the 5G user plane function module forwards the service access requests of the terminals to the server addresses.
7. The method according to any one of claims 1-6, further comprising:
and synchronously updating the address records of the servers according to the latest addresses of the servers.
8. A 5G private network service security guarantee device, characterized by comprising:
the analysis and identification module is used for receiving a service access request of a terminal and analyzing to obtain a server address in the service access request;
the synchronization module is used for inquiring the address records of the servers according to the server addresses and determining the current address of a first server to be accessed by the terminal; the address record comprises a current address and a historical address of a server, and the address record of the first server comprises the address of the server;
and the forwarding module is used for forwarding the service access request to the current address of the first server so that the first server executes service processing according to the service access request.
9. The apparatus of claim 8, wherein the parsing and identifying module is further configured to, after receiving a service access request of a terminal, parse and obtain a terminal identifier of the terminal;
and if the terminal identification is not in a preset white list, rejecting the service access of the terminal.
10. The apparatus of claim 9,
the analysis and identification module is specifically used for receiving the service access request of the terminal forwarded by the 5G user plane function module, and analyzing to obtain a server address in the service access request;
the forwarding module is specifically configured to send the current address of the first server to the 5G user plane function module if the terminal identifier is in a preset white list, so that the 5G user plane function module forwards the service access request of the terminal to the current address of the first server.
11. The apparatus of claim 10, wherein the parsing and identifying module is further configured to send a service blocking identifier to the 5G user plane function module if the terminal identifier is not in a predefined white list, so that the 5G user plane function module does not perform forwarding of the service access request.
12. The apparatus of claim 10, wherein the forwarding module is further configured to forward the service access request to the server address if the address record of each server does not include the server address.
13. The apparatus of claim 12,
the forwarding module is specifically configured to send the server address to the 5G user plane function module if the address record of each server does not include the server address, so that the 5G user plane function module forwards the service access request of the terminal to the server address.
14. The apparatus according to any one of claims 8-13, wherein the synchronization module is further configured to update the address records of the servers synchronously according to the latest addresses of the servers.
15. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory to implement the method of any of claims 1-7.
16. A computer-readable storage medium having computer-executable instructions stored therein, which when executed by a processor, are configured to implement the method of any one of claims 1-7.
CN202210007749.3A 2022-01-05 2022-01-05 Method, device, equipment and storage medium for guaranteeing 5G private network service safety Pending CN114363902A (en)


Publications (1)

Publication Number Publication Date
CN114363902A true CN114363902A (en) 2022-04-15


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114938508A (en) * 2022-05-31 2022-08-23 中国联合网络通信集团有限公司 5G private network control method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6944167B1 (en) * 2000-10-24 2005-09-13 Sprint Communications Company L.P. Method and apparatus for dynamic allocation of private address space based upon domain name service queries
US20100023611A1 (en) * 2007-04-04 2010-01-28 Huawei Technologies Co., Ltd. Method and device for storing domain name system records, method and device for parsing domain name
CN103888358A (en) * 2012-12-20 2014-06-25 中国移动通信集团公司 Routing method, device, system and gateway equipment
CN111314472A (en) * 2020-02-21 2020-06-19 聚好看科技股份有限公司 Domain name resolution method, domain name resolution server and terminal equipment


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王霖; 冉会中; 刘丽萍; 杨彦: "Design of a dynamic domain name resolution system based on functional service port information", Journal of Xichang College (Natural Science Edition), no. 02, 20 June 2008 (2008-06-20) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination