CN115664789B - Industrial firewall security assessment system and method - Google Patents


Publication number: CN115664789B
Application number: CN202211299876.1A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115664789A
Inventors: 张向华, 王孟斯, 黄建伟
Current assignee: Beijing Luoan Technology Co Ltd
Original assignee: Beijing Luoan Technology Co Ltd
Prior art keywords: data, firewall, network, address, security
Events: application filed by Beijing Luoan Technology Co Ltd; priority to CN202211299876.1A; publication of CN115664789A; application granted; publication of CN115664789B; legal status active

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02P: Climate change mitigation technologies in the production or processing of goods
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of firewall evaluation and discloses an industrial firewall security assessment system. Its data processing module looks up, for each accessed network IP address in the feedback information, the security level value assigned to that address; screens the feedback entries whose return-packet state is "data" (a reply was received) to produce first screening data; screens from the first screening data the entries in which the accessed address's security level value is greater than that of the device running the test module, producing second screening data; and outputs a firewall security assessment report from the second screening data. Using the report, the enterprise's firewall operation and maintenance staff can accurately locate risk items, promptly cut off the access paths from intelligent devices with a low security level value to intelligent devices with a high security level value, and improve the protective capability of the firewall.

Description

Industrial firewall security assessment system and method
Technical Field
The invention relates to the technical field of firewall evaluation, in particular to an industrial firewall security evaluation system and method.
Background
In recent years, with the rapid advance of industrial informatization, industrial control systems have gradually lost the isolation that their physical environment once provided and have begun to face conventional network security attacks, while also carrying zero-day vulnerabilities. Industrial firewalls, as an effective protective measure, are widely deployed at industrial control sites.
Existing security assessment of industrial firewalls is carried out mainly during the firewall's development or delivery stage; the firewall is then deployed at an industrial manufacturing enterprise, where it is expected to deliver its value.
Whether an industrial firewall provides effective protection once deployed depends heavily on the skill of the firewall operation and maintenance staff at the manufacturing enterprise. Less skilled staff may configure the firewall's security zones and related security settings incorrectly during later maintenance, leaving the firewall with weaknesses that attackers can exploit and causing the loss of important enterprise assets.
Disclosure of Invention
The invention provides an industrial firewall security assessment system and method aiming at the defects of the prior art.
The invention solves the technical problems by the following technical means: an industrial firewall security assessment system, comprising:
n test modules, where n is an integer greater than 1, each running on an intelligent device connected to a connection port of the industrial firewall;
a security level setting module, which assigns a security level value to each intelligent device running a test module, where a higher value denotes a higher security level;
an association module, which associates each test module with the intelligent device running it, with that device's network IP address, and with the device's security level value;
an acquisition module, which acquires the network IP addresses of the n intelligent devices running test modules and sends the list of n addresses to all n test modules;
each test module, which removes its own device's network IP address from the n addresses to generate an access request list (so that each intelligent device sends test access request packets only to the other intelligent devices), generates access requests from that list, sends a test access request packet to each network IP address in the list, monitors the return-packet state of each accessed network IP address, and generates feedback information from the return packets; the feedback information comprises the test module's own network IP address, the accessed network IP address and the return-packet state of the accessed address, where the return-packet state is either "data" (a reply was received) or "no data" (no reply was received);
a data processing module, which looks up the security level value of each accessed network IP address in the feedback information and marks the accessed address with that value, screens the feedback entries whose return-packet state is "data" to form first screening data, screens from the first screening data the entries in which the accessed address's security level value is greater than the security level value of the test module's own device to form second screening data, and outputs a firewall security assessment report from the second screening data. Each entry of the second screening data thus records a flow that the firewall actually forwarded from a lower-value device to a higher-value device.
Preferably, the data processing module comprises:
a receiving unit, which receives the feedback information;
a lookup unit, which looks up the security level value of each accessed network IP address in the feedback information;
a marking unit, which marks the accessed network IP address with the retrieved security level value;
a screening unit, which screens the feedback entries whose return-packet state is "data" to generate first screening data, and then screens from the first screening data the entries in which the accessed address's security level value is greater than that of the test module's own network IP address to generate second screening data;
a generating unit, which outputs a firewall security assessment report from the second screening data.
Preferably, the test module comprises:
a list generation unit, which removes the test module's own network IP address from the n intelligent device network IP addresses to generate an access request list;
a sending unit, which generates access requests from the access request list and sends a test access request packet to each intelligent device network IP address in the list;
a monitoring unit, which monitors the return-packet state of each accessed network IP address and generates feedback information from the return packets; the feedback information comprises the test module's own network IP address, the accessed network IP address and the return-packet state of the accessed address, where the return-packet state is either "data" or "no data".
Preferably, the data processing module further retrieves, from the second screening data, the IP address of the firewall connection port to which the low-value intelligent device is attached and the IP address of the firewall connection port to which the high-value intelligent device is attached.
Preferably, the acquisition module is further configured to obtain the time K_in at which the first frame of a test access request packet enters the firewall port and the time K_out at which the last frame of that packet leaves the firewall port, and to calculate:
K = K_out − K_in
where K is the firewall delay time; K comprises K_1, K_2, K_3, ..., K_Y, which are the delay times of the test access request packets processed by the firewall whose accessed network IP address returned the "data" state; and Y equals the number of feedback entries screened as having the "data" state;
taking [expression not reproduced on this page] as the firewall delay time of the firewall under evaluation;
in the prior art, firewall delay-time samples are obtained by repeatedly testing a single test access request packet; in this embodiment the n test modules send test access request packets to the firewall simultaneously, so the valid samples (the delay times of test access request packets that the firewall processed and whose return-packet state is "data") are obtained while the firewall is handling multiple tasks or is at its limit, and the firewall delay time calculated from these valid samples is more representative of the firewall's data-processing delay under actual operating conditions.
An industrial firewall security assessment method, the method comprising:
running test modules on intelligent devices connected to the connection ports of the industrial firewall, the number of test modules being n, where n is an integer greater than 1;
assigning a security level value to each intelligent device running a test module, where a higher value denotes a higher security level;
associating each test module with the intelligent device running it, with that device's network IP address, and with the device's security level value;
acquiring the network IP addresses of the n intelligent devices running test modules and sending those n addresses to the n test modules;
each test module removing its own device's network IP address from the n addresses to generate an access request list, so that each intelligent device sends test access request packets only to the other intelligent devices; generating access requests from the list, sending a test access request packet to each network IP address in the list, monitoring the return-packet state of each accessed address, and generating feedback information from the return packets, the feedback information comprising the test module's own network IP address, the accessed network IP address and the return-packet state of the accessed address, where the state is either "data" or "no data";
looking up, for each accessed network IP address in the feedback information, its security level value and marking the address with it; screening the entries whose return-packet state is "data" to generate first screening data; screening from the first screening data the entries in which the accessed address's security level value is greater than that of the test module's own device to generate second screening data; and the data processing module outputting a firewall security assessment report from the second screening data.
Preferably, the IP address of the firewall connection port to which the low-value intelligent device is attached and the IP address of the firewall connection port to which the high-value intelligent device is attached are also retrieved from the second screening data.
Preferably, the time K_in at which the first frame of a test access request packet enters the firewall port and the time K_out at which the last frame of that packet leaves the firewall port are obtained, and the following is calculated:
K = K_out − K_in
where K is the firewall delay time; K comprises K_1, K_2, K_3, ..., K_Y, which are the delay times of the test access request packets processed by the firewall whose accessed network IP address returned the "data" state; and Y equals the number of feedback entries screened as having the "data" state;
taking [expression not reproduced on this page] as the firewall delay time of the firewall under evaluation;
in the prior art, firewall delay-time samples are obtained by repeatedly testing a single test access request packet; in this embodiment the n test modules send test access request packets to the firewall simultaneously, so the valid samples (the delay times of test access request packets that the firewall processed and whose return-packet state is "data") are obtained while the firewall is handling multiple tasks or is at its limit, and the firewall delay time calculated from these valid samples is more representative of the firewall's data-processing delay under actual operating conditions.
Compared with the prior art, the technical scheme has the following beneficial effects:
(1) Using the output firewall security assessment report, the enterprise's firewall operation and maintenance staff can accurately locate risk items, promptly cut off the access paths from intelligent devices in the low security level range to intelligent devices in the high security level range (that is, paths from low-value devices to high-value devices), reconfigure the connection ports between those devices and the firewall, and improve the firewall's protective capability; errors in the firewall configuration are found in time during the later maintenance of the industrial firewall, avoiding the loss of important enterprise assets.
(2) Where an enterprise uses many firewall connection ports, the firewall operation and maintenance staff can quickly locate the mis-set connection port from the firewall security assessment report and correct the setting promptly so that the error does not recur.
(3) In this embodiment the n test modules 1 send test access request packets to the firewall simultaneously, so the valid samples (the delay times of the test access request packets that the firewall processed and whose return-packet state is "data") are obtained while the firewall is handling multiple tasks or is at its limit.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only embodiments of the present invention; a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram showing the connection between a test module and an intelligent device according to the present invention;
FIG. 2 is a schematic diagram of the industrial firewall security assessment system according to the present invention;
FIG. 3 is a schematic diagram of the data processing module of the present invention;
FIG. 4 is a schematic diagram showing the components of the test module according to the present invention.
In the figures: 1, test module; 2, security level setting module; 3, association module; 4, acquisition module; 5, data processing module;
101, list generation unit; 102, sending unit; 103, monitoring unit;
501, receiving unit; 502, lookup unit; 503, marking unit; 504, screening unit; 505, generating unit.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the invention.
Example 1
Referring to FIG. 2, this embodiment discloses an industrial firewall security assessment system comprising a test module 1, a security level setting module 2, an association module 3, an acquisition module 4 and a data processing module 5. There are n test modules 1, n being an integer greater than 1, and each test module 1 runs on an intelligent device connected to a connection port of the industrial firewall, as shown in FIG. 1.
The security level setting module 2 assigns a security level value to each intelligent device running a test module 1. A higher value denotes a higher security level, that is, the data associated with that device matters more to the enterprise. The value can be determined from the value of the intelligent device itself, the importance of the operator who uses it, the value of the data it stores, and the value generated by the processing equipment it controls.
The value of the intelligent device is its purchase price. The importance of the operator reflects how much sensitive material the operator handles: for example, a research and development engineer who holds more R&D data requires a higher degree of security, so the intelligent device that person uses (such as a computer) is assigned a correspondingly higher security level. The value of stored data covers, for example, financial data. The value generated by controlled processing equipment applies, for example, where the intelligent device is a PLC and the processing equipment is a centrifuge: the PLC's security level value is set according to how important the centrifuge is to industrial production.
The security level values are agreed between the tester and the responsible person at the manufacturer, and each intelligent device is then assigned its corresponding value.
The association module 3 associates each test module 1 with the intelligent device running it, with that device's network IP address, and with the device's security level value.
The acquisition module 4 acquires the network IP addresses of the n intelligent devices running test modules 1 and sends them to the n test modules 1; the number of intelligent device addresses equals the number of test modules 1 in use, namely n.
Each test module 1 removes its own device's network IP address from the n addresses to generate an access request list, so the list contains n-1 addresses (the one subtracted being the address of the device running that test module 1); in other words, each intelligent device sends test access request packets only to the other intelligent devices. The test module 1 generates access requests from the list, sends a test access request packet to each network IP address in the list, monitors the return-packet state of each accessed address, generates feedback information from the return packets and sends it to the data processing module 5. The feedback information comprises the test module 1's own network IP address, the accessed network IP address and the return-packet state of the accessed address.
The data processing module 5 looks up, for each accessed network IP address in the feedback information, the security level value of that address and marks the address with it; screens the entries whose return-packet state is "data" to generate first screening data; screens from the first screening data the entries in which the accessed address's security level value is greater than that of the device running the test module 1 to generate second screening data; and outputs a firewall security assessment report from the second screening data. Each entry of the second screening data therefore records a flow that the firewall actually forwarded from a lower-value device to a higher-value device.
Using the output firewall security assessment report, the enterprise's firewall operation and maintenance staff can accurately locate risk items, promptly cut off the access paths from intelligent devices in the low security level range to intelligent devices in the high security level range (that is, paths from low-value devices to high-value devices), and reconfigure the firewall, specifically the connection ports between those devices and the firewall, so that the firewall's protective capability is improved; faults in the firewall configuration are found in time during the later maintenance of the industrial firewall, and the loss of important enterprise assets is avoided.
Referring to FIG. 3, the data processing module 5 comprises a receiving unit 501, a lookup unit 502, a marking unit 503, a screening unit 504 and a generating unit 505. The receiving unit 501 receives the feedback information; the lookup unit 502 looks up the security level value of each accessed network IP address in the feedback information; the marking unit 503 marks the accessed address with the retrieved value; the screening unit 504 screens the entries whose return-packet state is "data" to generate first screening data and then screens from it the entries in which the accessed address's security level value is greater than that of the device running the test module 1 to generate second screening data; and the generating unit 505 outputs a firewall security assessment report from the second screening data.
Referring to FIG. 4, the test module 1 comprises a list generation unit 101, a sending unit 102 and a monitoring unit 103. The list generation unit 101 removes the test module 1's own network IP address from the n intelligent device network IP addresses to generate an access request list; the sending unit 102 generates access requests from the list and sends a test access request packet to each intelligent device network IP address in it; the monitoring unit 103 monitors the return-packet state of each accessed address, generates feedback information from the return packets and sends it to the data processing module 5, the feedback information comprising the test module 1's own network IP address, the accessed network IP address and the return-packet state of the accessed address, where the state is either "data" or "no data".
Example 2
To help the operation and maintenance staff quickly locate the faulty firewall connection port, this embodiment further improves on Example 1: from the second screening data the data processing module 5 also retrieves the IP address of the firewall connection port to which the low-value intelligent device is attached and the IP address of the firewall connection port to which the high-value intelligent device is attached.
Where an enterprise uses many firewall connection ports, the firewall operation and maintenance staff can quickly locate the mis-set connection port from the firewall security assessment report and correct the setting promptly so that the error does not recur.
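The assessment flow of Example 1 and the connection-port lookup of Example 2, as an added worked example in Python that is not part of the patent and is not the patentee's code. The patent specifies modules and data items, not an API, so every name below (Device, Feedback, POLICY, build_access_request_list, assess and the rest) is an assumption made for illustration. The firewall is simulated by a constructed allow-list of (source port, destination port) pairs standing in for the real device's zone configuration, and the device inventory is constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    ip: str        # network IP address of the intelligent device
    level: int     # security level value: higher = more critical to the enterprise
    fw_port: str   # firewall connection port the device is attached to (assumed naming)


@dataclass(frozen=True)
class Feedback:
    tester_ip: str    # device running the test module that sent the probe
    accessed_ip: str  # device that was probed
    state: str        # "data" (reply received) or "no data" (no reply)


# Constructed inventory of n = 4 intelligent devices behind one industrial firewall.
DEVICES: List[Device] = [
    Device("10.0.1.10", level=1, fw_port="ge0/1"),  # maintenance laptop
    Device("10.0.1.20", level=2, fw_port="ge0/2"),  # HMI
    Device("10.0.2.30", level=4, fw_port="ge0/3"),  # PLC driving a centrifuge
    Device("10.0.2.40", level=3, fw_port="ge0/4"),  # historian
]

# Constructed stand-in for the firewall's zone policy: (src port, dst port) pairs it forwards.
# The ge0/1 -> ge0/3 rule is the deliberate misconfiguration the assessment should surface.
POLICY: FrozenSet[Tuple[str, str]] = frozenset({
    ("ge0/2", "ge0/3"), ("ge0/3", "ge0/2"),
    ("ge0/3", "ge0/4"), ("ge0/4", "ge0/3"),
    ("ge0/4", "ge0/2"),
    ("ge0/1", "ge0/3"),
})


def build_access_request_list(own_ip: str, all_ips: List[str]) -> List[str]:
    """List generation unit: the n addresses minus the test module's own address."""
    return [ip for ip in all_ips if ip != own_ip]


def probe(src: Device, dst: Device, policy: FrozenSet[Tuple[str, str]]) -> str:
    """Sending and monitoring units, simulated: a reply comes back only if the firewall
    forwards src's port to dst's port. A real test module would send a packet to dst.ip
    and record "no data" when the reply times out."""
    return "data" if (src.fw_port, dst.fw_port) in policy else "no data"


def run_test_module(own: Device, devices: List[Device],
                    policy: FrozenSet[Tuple[str, str]]) -> List[Feedback]:
    """One test module: probe every address on its access request list."""
    by_ip = {d.ip: d for d in devices}
    targets = build_access_request_list(own.ip, [d.ip for d in devices])
    return [Feedback(own.ip, ip, probe(own, by_ip[ip], policy)) for ip in targets]


def collect_feedback(devices: List[Device],
                     policy: FrozenSet[Tuple[str, str]]) -> List[Feedback]:
    """Acquisition module: every module receives the full address list and runs."""
    out: List[Feedback] = []
    for d in devices:
        out.extend(run_test_module(d, devices, policy))
    return out


def assess(devices: List[Device], policy: FrozenSet[Tuple[str, str]]) -> List[dict]:
    """Data processing module: level lookup, first and second screening, report rows
    carrying the firewall connection ports that Example 2 adds."""
    by_ip: Dict[str, Device] = {d.ip: d for d in devices}
    feedback = collect_feedback(devices, policy)
    # First screening: keep only entries whose return-packet state is "data".
    first = [f for f in feedback if f.state == "data"]
    # Second screening: accessed device's level value is greater than the tester's.
    second = [f for f in first
              if by_ip[f.accessed_ip].level > by_ip[f.tester_ip].level]
    return [
        {
            "tester_ip": f.tester_ip,
            "tester_level": by_ip[f.tester_ip].level,
            "tester_port": by_ip[f.tester_ip].fw_port,
            "accessed_ip": f.accessed_ip,
            "accessed_level": by_ip[f.accessed_ip].level,
            "accessed_port": by_ip[f.accessed_ip].fw_port,
        }
        for f in second
    ]


if __name__ == "__main__":
    for row in assess(DEVICES, POLICY):
        print(f"risk: {row['tester_ip']} (level {row['tester_level']}, {row['tester_port']}) "
              f"-> {row['accessed_ip']} (level {row['accessed_level']}, {row['accessed_port']})")
```

Every reachable low-to-high pair lands in the report, including the HMI-to-PLC and historian-to-PLC rows that may well be intended flows: the patent's criterion is reachability relative to level value, not intent, so the operation and maintenance reviewer still has to separate expected paths from the laptop-to-PLC rule before cutting ports. The simulated probe also hides the practical question of what counts as a reply; a test module that treats an ICMP unreachable generated by the firewall itself as "data" would report the firewall as forwarding when it is rejecting, so the monitoring unit should match replies against the probed address, not against any packet that arrives.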
Example 3
In this embodiment the acquisition module 4 is further configured to obtain the time K_in at which the first frame of a test access request packet enters the firewall port and the time K_out at which the last frame of that packet leaves the firewall port, and to calculate:
K = K_out − K_in
where K is the firewall delay time; K comprises K_1, K_2, K_3, ..., K_Y, which are the delay times of the test access request packets processed by the firewall whose accessed network IP address returned the "data" state. Y equals the number of feedback entries screened as having the "data" state, that is, the test access request packets that passed through the firewall and were not intercepted. A packet whose return-packet state is "no data" was intercepted by the firewall; its last frame never leaves the firewall port, so there is no K_out for it and it is excluded.
Taking [expression not reproduced on this page] as the firewall delay time of the firewall under evaluation.
In the prior art, firewall delay-time samples are obtained by repeatedly testing a single test access request packet. In this embodiment the n test modules 1 send test access request packets to the firewall simultaneously, so the valid samples are obtained while the firewall is handling multiple tasks or is at its limit, and the firewall delay time calculated from these valid samples is more representative of the firewall's data-processing delay under actual operating conditions.
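The delay calculation of Example 3, as an added worked example in Python that is not part of the patent and is not the patentee's code. The frame captures are constructed sample input (one tuple per frame seen at the firewall's ingress or egress port, timestamps in microseconds) and the function names are this example's own. Because the patent's aggregating expression over K_1, ..., K_Y is not reproduced on the page, the summary reports mean and maximum as an assumption, not as the patent's formula.

```python
from typing import Dict, List, Optional, Tuple

# Constructed frame captures: (packet id, side, timestamp in microseconds).
# "in" = frame entered the firewall port, "out" = frame left it.
# p2 never leaves (intercepted, "no data"); p5 leaves before it enters (bad clock).
FRAMES: List[Tuple[str, str, int]] = [
    ("p1", "in", 100), ("p1", "in", 130), ("p1", "out", 300), ("p1", "out", 340),
    ("p2", "in", 105), ("p2", "in", 140),
    ("p3", "in", 110), ("p3", "out", 290),
    ("p4", "in", 120), ("p4", "in", 150), ("p4", "out", 400), ("p4", "out", 420),
    ("p5", "in", 200), ("p5", "out", 190),
]


def per_packet_bounds(
        frames: List[Tuple[str, str, int]]
) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """K_in = time of the first ingress frame, K_out = time of the last egress frame,
    collected per packet; a missing side stays None."""
    bounds: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for pid, side, ts in frames:
        k_in, k_out = bounds.get(pid, (None, None))
        if side == "in":
            k_in = ts if k_in is None else min(k_in, ts)
        elif side == "out":
            k_out = ts if k_out is None else max(k_out, ts)
        bounds[pid] = (k_in, k_out)
    return bounds


def firewall_delays(frames: List[Tuple[str, str, int]]) -> List[Tuple[str, int]]:
    """K_1 ... K_Y = K_out - K_in for each packet that left the firewall.
    Packets with no egress frames (intercepted) have no K_out and are dropped, as the
    text requires. A K_out earlier than K_in means the two capture points do not share
    a clock; that sample is rejected rather than reported as a negative delay."""
    samples: List[Tuple[str, int]] = []
    for pid, (k_in, k_out) in per_packet_bounds(frames).items():
        if k_in is None or k_out is None:
            continue
        if k_out < k_in:
            continue
        samples.append((pid, k_out - k_in))
    return samples


def summarize(samples: List[Tuple[str, int]]) -> Dict[str, float]:
    """Y plus the mean and maximum of the Y samples (aggregation assumed here;
    the patent's own expression is not reproduced on the page)."""
    ks = [k for _, k in samples]
    if not ks:
        return {"Y": 0, "mean_us": 0.0, "max_us": 0.0}
    return {"Y": len(ks), "mean_us": sum(ks) / len(ks), "max_us": float(max(ks))}


if __name__ == "__main__":
    delays = firewall_delays(FRAMES)
    for pid, k in delays:
        print(f"{pid}: K = {k} us")
    print(summarize(delays))
```

Y only matches the count of "data" entries in the feedback if each test module sends exactly one test access request packet per accessed address and the capture sees every frame of it; a frame lost by the capture, not by the firewall, would make a forwarded packet look intercepted and silently shrink the sample. Since the n modules transmit simultaneously, the Y samples describe the firewall under load, which is the point of the embodiment, so the maximum is usually more telling than the mean when judging whether the firewall meets a control loop's deadline.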
Example 4
The present invention provides an industrial firewall security assessment method comprising the following steps: running test modules 1 on smart devices connected to the connection ports of the industrial firewall, the number of test modules 1 being n, where n is an integer greater than 1;
assigning a security level value to each smart device running a test module 1, a higher value denoting a higher security level;
associating each test module 1 with the smart device that runs it, with the network IP address of that device, and with the device's security level value;
acquiring the network IP addresses of the n smart devices running test modules 1 and distributing these n addresses to the n test modules 1;
removing, at each test module 1, its own network IP address from the n smart-device addresses to generate an access request list, so that a smart device sends test access request packets only to the smart devices other than itself; the test module 1 generates access requests from the access request list, sends test access request packets to each smart-device network IP address in the list, monitors the returned-packet state of each accessed network IP address, and generates feedback information from the returned packets, the feedback information comprising the network IP address of the test module 1, the accessed network IP address and the returned-packet state of the accessed address, where the returned-packet state is either "has data" or "no data";
retrieving, according to the accessed network IP address in the feedback information, the security level value of that address and marking the address with it; screening the data items whose returned-packet state is "has data" to generate first screening data; screening, from the first screening data, the data items in which the security level value of the accessed network IP address is greater than that of the test module 1 that sent the request, to generate second screening data; and outputting, by the data processing module 5, a firewall security assessment report from the second screening data. Each item of the second screening data therefore records a lower-level device that received a reply from a higher-level device, that is, a path in the low-to-high direction which the firewall did not block.
To further refine the scheme, the IP addresses of the smart device with the lower security level value and of its firewall connection port, and those of the smart device with the higher security level value and of its firewall connection port, are also retrieved from the second screening data.
To further refine the scheme, the moment $K_{in}$ at which the first frame of the test access request packet enters the firewall port and the moment $K_{out}$ at which the last frame of the test access request packet leaves the firewall port are acquired, and the delay is calculated according to the following formula:

$K = K_{out} - K_{in}$

wherein $K$ is the firewall delay time; $K$ comprises $K_1, K_2, K_3, \dots, K_Y$, where $K_1, K_2, K_3, \dots, K_Y$ are the delay times of the test access request packets that were processed by the firewall and whose accessed network IP address returned a packet in the "has data" state, and $Y$ equals the number of data items screened as "has data" in the feedback information;

[expression missing from the source] is taken as the firewall delay time of the firewall under evaluation;
Compared with the prior art, the delay-time sampling differs as follows: in this embodiment the n test modules 1 send test access request packets through the firewall at the same time, so the valid samples are obtained while the firewall is handling many tasks or is at its limit, and the delay time calculated from these samples is more representative of the firewall's data-processing delay under real operating conditions.
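The screening and delay steps of this embodiment (and of claims 1 to 3, which restate them) as a worked illustration. This is an added example and not the patent's code: the device inventory, the firewall-port map, the probe outcomes and the ingress/egress timestamps are all constructed here, and the arithmetic mean used to aggregate K_1..K_Y is my assumption, because the aggregate expression did not survive in the source text.

```python
"""Screening and delay steps of the firewall assessment method (added example).

Everything below that looks like inventory or measurement data is constructed
for the illustration; the mean in firewall_delay() is an assumed aggregate.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed inventory: smart-device IP -> security level value (higher = more sensitive).
SECURITY_LEVEL = {
    "10.0.1.10": 1,   # engineering-workstation side (constructed)
    "10.0.1.11": 1,
    "10.0.2.20": 3,   # controller side (constructed)
    "10.0.2.21": 3,
}
# Constructed map: smart-device IP -> the firewall connection port it hangs off.
FIREWALL_PORT = {
    "10.0.1.10": "eth1", "10.0.1.11": "eth1",
    "10.0.2.20": "eth2", "10.0.2.21": "eth2",
}


@dataclass(frozen=True)
class Feedback:
    """One feedback item emitted by a test module."""
    src_ip: str      # network IP of the test module that sent the probe
    dst_ip: str      # accessed network IP
    has_data: bool   # True: a reply came back ("has data"); False: "no data"


def access_request_list(all_ips, own_ip):
    """A test module probes every other device but never itself."""
    return [ip for ip in all_ips if ip != own_ip]


def first_screen(feedback):
    """First screening data: items whose returned-packet state is 'has data'."""
    return [f for f in feedback if f.has_data]


def second_screen(first, levels):
    """Second screening data: replies where the accessed device outranks the sender.

    Such a reply means a lower-level device reached a higher-level one through
    the firewall, which is the condition the report is meant to surface.
    Same-level and high-to-low replies are not flagged.
    """
    return [f for f in first if levels[f.dst_ip] > levels[f.src_ip]]


def assessment_report(feedback, levels, ports):
    """Report rows: low-side and high-side device IPs with their firewall ports."""
    rows = []
    for f in second_screen(first_screen(feedback), levels):
        rows.append({
            "low_ip": f.src_ip, "low_level": levels[f.src_ip], "low_port": ports[f.src_ip],
            "high_ip": f.dst_ip, "high_level": levels[f.dst_ip], "high_port": ports[f.dst_ip],
        })
    return rows


def delay_samples(timings):
    """K_i = K_out - K_in for each probe whose accessed address returned data.

    `timings` holds (has_data, k_in, k_out) tuples; Y == len(result).
    """
    return [k_out - k_in for has_data, k_in, k_out in timings if has_data]


def firewall_delay(timings):
    """Aggregate K_1..K_Y into one figure; the arithmetic mean is an assumption."""
    samples = delay_samples(timings)
    return mean(samples) if samples else None


# Constructed probe outcome: the firewall blocks the low->high direction
# everywhere except one leaked path, 10.0.1.11 -> 10.0.2.20.
ALLOWED = {
    ("10.0.1.10", "10.0.1.11"), ("10.0.1.11", "10.0.1.10"),   # same level
    ("10.0.1.11", "10.0.2.20"),                               # the leak
    ("10.0.2.20", "10.0.1.10"), ("10.0.2.20", "10.0.1.11"),   # high -> low
    ("10.0.2.20", "10.0.2.21"), ("10.0.2.21", "10.0.2.20"),   # same level
    ("10.0.2.21", "10.0.1.10"),                               # high -> low
}
FEEDBACK = [
    Feedback(src, dst, (src, dst) in ALLOWED)
    for src in SECURITY_LEVEL
    for dst in access_request_list(SECURITY_LEVEL, src)
]
# Constructed ingress/egress timestamps in microseconds: (has_data, K_in, K_out).
TIMINGS = [(True, 100, 350), (False, 200, 0), (True, 400, 520)]

if __name__ == "__main__":
    for row in assessment_report(FEEDBACK, SECURITY_LEVEL, FIREWALL_PORT):
        print(row)
    print("K_1..K_Y:", delay_samples(TIMINGS), "aggregate:", firewall_delay(TIMINGS))
```

Running the module prints one report row (the leaked 10.0.1.11 to 10.0.2.20 path, eth1 to eth2) out of twelve probes; the eight "has data" items form the first screening data and only the one low-to-high reply survives the second screen. The "no data" probe is excluded from the delay samples, as the text requires, so Y is 2 here.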
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts of the embodiments can be referred to one another.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An industrial firewall security assessment method, the method comprising:
running test modules (1) on smart devices connected to the connection ports of an industrial firewall, the number of test modules (1) being n, where n is an integer greater than 1;
assigning a security level value to each smart device running a test module (1), a higher value denoting a higher security level;
associating each test module (1) with the smart device running it, with the network IP address of that device, and with the device's security level value;
acquiring the network IP addresses of the n smart devices running test modules (1) and sending these n addresses to the n test modules (1);
removing, at each test module (1), its own network IP address from the n smart-device network IP addresses to generate an access request list, so that each smart device sends test access request packets only to the smart devices other than itself; the test module (1) generates access requests from the access request list, sends test access request packets to the smart-device network IP addresses in the list, monitors the returned-packet state of each accessed network IP address, and generates feedback information from the returned packets, the feedback information comprising the network IP address of the test module (1), the accessed network IP address and the returned-packet state of the accessed address, where the returned-packet state is either "has data" or "no data";
retrieving, according to the accessed network IP address in the feedback information, the security level value of that address and marking the address with it; screening the data items whose returned-packet state is "has data" to generate first screening data; screening, from the first screening data, the data items in which the security level value of the accessed network IP address is greater than that of the test module (1), to generate second screening data; and outputting, by the data processing module (5), a firewall security assessment report from the second screening data; wherein the enterprise's firewall operation and maintenance personnel locate risk items from the output report and promptly cut off the access path from smart devices in the low security level value range to smart devices in the high security level value range.
2. The industrial firewall security assessment method according to claim 1, wherein:
the IP addresses of the smart device with the lower security level value and of its firewall connection port, and those of the smart device with the higher security level value and of its firewall connection port, are retrieved from the second screening data.
3. The industrial firewall security assessment method according to claim 2, wherein: the moment $K_{in}$ at which the first frame of the test access request packet enters the firewall port and the moment $K_{out}$ at which the last frame of the test access request packet leaves the firewall port are acquired, and the delay is calculated according to the following formula:

$K = K_{out} - K_{in}$

wherein $K$ is the firewall delay time; $K$ comprises $(K_1, K_2, K_3, \dots, K_Y)$, where $K_1, K_2, K_3, \dots, K_Y$ are the delay times of the test access request packets that were processed by the firewall and whose accessed network IP address returned a packet in the "has data" state, and $Y$ equals the number of data items screened as "has data" in the feedback information;

[expression missing from the source] is taken as the firewall delay time of the firewall evaluated this time.
4. An industrial firewall security assessment system, comprising:
test modules (1), the number of which is n, where n is an integer greater than 1, running on smart devices connected to the connection ports of the industrial firewall;
a security level setting module (2) for assigning a security level value to each smart device running a test module (1), a higher value denoting a higher security level;
an association module (3) that associates each test module (1) with the smart device running it, with the network IP address of that device, and with the device's security level value;
an acquisition module (4) for acquiring the network IP addresses of the n smart devices running test modules (1) and sending these n addresses to the n test modules (1);
wherein each test module (1) removes its own network IP address from the n smart-device network IP addresses to generate an access request list, so that each smart device sends test access request packets only to the smart devices other than itself; the test module (1) generates access requests from the access request list, sends test access request packets to the smart-device network IP addresses in the list, monitors the returned-packet state of each accessed network IP address, and generates feedback information from the returned packets, the feedback information comprising the network IP address of the test module (1), the accessed network IP address and the returned-packet state of the accessed address, where the returned-packet state is either "has data" or "no data";
and a data processing module (5) for retrieving, according to the accessed network IP address in the feedback information, the security level value of that address and marking the address with it, screening the data items whose returned-packet state is "has data" to generate first screening data, screening, from the first screening data, the data items in which the security level value of the accessed network IP address is greater than that of the test module (1) to generate second screening data, and outputting a firewall security assessment report from the second screening data; wherein the enterprise's firewall operation and maintenance personnel locate risk items from the output report and promptly cut off the access path from smart devices in the low security level value range to smart devices in the high security level value range.
5. The industrial firewall security assessment system according to claim 4, wherein the data processing module (5) comprises:
a receiving unit (501) that receives the feedback information;
a retrieval unit (502) that retrieves, according to the accessed network IP address in the feedback information, the security level value of that address;
a marking unit (503) that marks the accessed network IP address with the retrieved security level value;
a screening unit (504) that screens the data items whose returned-packet state is "has data" to generate first screening data and, from the first screening data, screens the data items in which the security level value of the accessed address is greater than that of the network IP address of the test module (1) to generate second screening data;
and a generation unit (505) that outputs a firewall security assessment report from the second screening data.
6. The industrial firewall security assessment system according to claim 5, wherein the test module (1) comprises:
a list generation unit (101) that removes the network IP address of the test module (1) from the network IP addresses of the n smart devices to generate an access request list;
a transmitting unit (102) that generates access requests from the access request list and transmits test access request packets to the smart-device network IP addresses in the list;
and a monitoring unit (103) that monitors the returned-packet state of each accessed network IP address and generates feedback information from the returned packets, the feedback information comprising the network IP address of the test module (1), the accessed network IP address and the returned-packet state of the accessed address, where the returned-packet state is either "has data" or "no data".
7. The industrial firewall security assessment system according to claim 6, wherein the data processing module (5) further retrieves, from the second screening data, the IP addresses of the smart device with the lower security level value and of its firewall connection port, and those of the smart device with the higher security level value and of its firewall connection port.
8. The industrial firewall security assessment system according to claim 7, wherein the acquisition module (4) further acquires the moment $K_{in}$ at which the first frame of the test access request packet enters the firewall port and the moment $K_{out}$ at which the last frame of the test access request packet leaves the firewall port, and the delay is calculated according to the following formula:

$K = K_{out} - K_{in}$

wherein $K$ is the firewall delay time; $K$ comprises $(K_1, K_2, K_3, \dots, K_Y)$, where $K_1, K_2, K_3, \dots, K_Y$ are the delay times of the test access request packets that were processed by the firewall and whose accessed network IP address returned a packet in the "has data" state, and $Y$ equals the number of data items screened as "has data" in the feedback information;

[expression missing from the source] is taken as the firewall delay time of the firewall evaluated this time.
CN202211299876.1A 2022-10-21 2022-10-21 Industrial firewall security assessment system and method Active CN115664789B (en)

Publications (2)

Publication Number Publication Date
CN115664789A CN115664789A (en) 2023-01-31
CN115664789B true CN115664789B (en) 2023-08-01

Family

ID=84991968

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant