CN116055254A - Safe and trusted gateway system, control method, medium, equipment and terminal - Google Patents


Info

Publication number
CN116055254A
Authority
CN
China
Prior art keywords
network
trusted
gateway
data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310030212.3A
Other languages
Chinese (zh)
Inventor
骆婷
王天美
邱江兴
王文勋
汤学明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN202310030212.3A
Publication of CN116055254A
Legal status: Pending

Classifications

    • H04L12/66 Data switching networks: arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Interconnection of networks: virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0236 Firewalls, filtering policies: filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Firewalls, filtering policies: rule management
    • H04L63/0281 Separating internal from external traffic: proxies
    • H04L63/0442 Confidential data exchange among entities communicating through data packet networks, wherein the data content is protected and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/0869 Authentication of entities for achieving mutual authentication
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/141 Session management: setup of application sessions
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention belongs to the technical field of communication and discloses a secure and trusted gateway system, a control method, a medium, equipment and a terminal. A gateway client establishes a TLS (transport layer security) connection with a gateway server, captures user data packets whose destination is the internal network, sends them to the gateway server in tunnel form over the TLS connection, and correctly unpacks the tunnel packets received from the TLS connection and delivers them to the corresponding user processes. The gateway server establishes the TLS connection with the gateway client, receives and parses tunnel packets from the TLS connection, filters the data packets according to the filtering rules, controls their flow according to the flow control requirements, sends them to the internal network after NAT, sends data packets coming from the internal network back through the corresponding TLS connection in tunnel form, and manages the filtering rules and flow control rules of the gateway. The invention simplifies the identity authentication and authority verification processes and improves the efficiency of secure access.

Description

Safe and trusted gateway system, control method, medium, equipment and terminal
Technical Field
The invention belongs to the technical field of communication and in particular relates to a secure and trusted gateway system, a control method, a medium, equipment and a terminal.
Background
High-end numerical control systems are one of the central manifestations of the core competitiveness of a nation's manufacturing industry: they are the mother machines that produce high-precision equipment and carry great strategic significance for industry, yet they face increasingly serious information security problems during networked and intelligent transformation and upgrading. International numerical control manufacturers, including Siemens and Fanuc, build open secure numerical control systems with defense in depth as the guiding idea and have formed a technical barrier to a certain extent, which is unfavourable to autonomous controllability in China. At present, a typical intelligent production line built on an open numerical control system comprises a numerical control system, robots, conveying devices, AGVs and other devices that come from different manufacturers and support different communication protocols, most of which transmit in plaintext, bringing users integration difficulty and potential security hazards. In particular, for foreign products with significant security risks, a trusted control module or a security cryptographic module cannot be integrated inside the equipment. How to adapt these heterogeneous communication protocols, ensure the openness and flexibility of production-line integration, and at the same time access the numerical control network in a secure and trusted manner; how to form a secure and trusted interconnection and interoperation scheme for mixed-brand, mixed-model numerical control systems of domestic and foreign origin; and how to transmit uploaded/downloaded process files, machining code and the like as ciphertext and parse them securely: these are the key scientific problems that a secure intelligent numerical control production line must solve.
From the above analysis, the problems and defects of the prior art are as follows. Most communication protocols of existing open numerical control systems transmit in plaintext, bringing users integration difficulty and potential security hazards. For foreign products with great potential security hazards, a trusted control module or a secure cryptographic module cannot be integrated into the equipment. Numerical control systems differ greatly from general-purpose computer systems in hardware structure, computing resources, business behaviour and the like; the numerical control characteristics of small resource footprint, high real-time computing and high business precision must be preserved, which forms a host environment with multiple demanding characteristics, and manufacturers cannot accept a secure and trusted protection scheme that affects normal production. How to comprehensively consider constraints such as the hardware interfaces, computing resources, openness of the service software and real-time interpolation control of the numerical control system gateway, optimise the integration of the gateway's software and hardware with the key secure and trusted technology, and achieve zero impact of the secure and trusted enhancement on numerical control system services, is a key scientific problem that must be solved for secure and trusted numerical control technology to be usable and dependable.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a secure and trusted gateway system, a control method, a medium, equipment and a terminal, and in particular a secure and trusted gateway system, control method, medium, equipment and terminal based on the national cryptographic algorithms.
The invention is realized as follows. A control method of a secure and trusted gateway system comprises the following steps: a gateway client establishes a TLS connection with a gateway server, captures user data packets whose destination is the internal network, transmits them to the gateway server through the TLS connection in tunnel form, and correctly unpacks the tunnel packets received from the TLS connection and delivers them to the corresponding user processes; the gateway server establishes the TLS connection with the gateway client, receives and parses tunnel packets from the TLS connection, filters the data packets according to the filtering rules, controls their flow according to the flow control requirements, sends them to the internal network after NAT, sends data packets from the internal network back through the corresponding TLS connection in tunnel form, and manages the filtering rules and flow control rules of the gateway.
Further, the control method of the secure and trusted gateway system comprises the following steps:
step one, filtering of network boundary protocols at the security gateway;
step two, network isolation and flow control at the security gateway;
step three, trusted network boundary protection at the security gateway;
step four, high-speed encryption and access control based on trusted computing 3.0.
Further, the filtering of network boundary protocols by the security gateway in step one includes:
(1) For data transfer at the web application layer: an HTTPS proxy is used, and authentication proceeds as follows.
Unidirectional authentication: the client sends a message to the server; after receiving it, the server encrypts data with the private key in its key store and sends the encrypted data together with the server's public key to the client, and the client decrypts the data with the public key sent by the server. Data from the client is encrypted with the server public key that was transmitted to the client, and the server decrypts it with its private key.
Bidirectional authentication:
1) The client sends a message to the server: it encrypts the message using the client certificate and sends it to the server together with the client certificate;
2) After receiving the message, the server decrypts it using the client certificate, encrypts it using the server private key, and sends the server certificate and the message to the client together;
3) The client decrypts the message using the server certificate it received and encrypts the message using the server certificate; it then encrypts the message once more using the client's own certificate and sends the encrypted message together with the client certificate to the server;
4) The server decrypts the message using the certificate the client transmitted to it, which confirms that the message was sent by the client, and then decrypts the message using the server's private key to obtain the plaintext data.
A TLS proxy is used at the TCP transport layer of the gateway; after TLS communication passes through the gateway via the TLS proxy, data transmission and interaction take place with the DNC, MDC, MES and ERP applications in the open numerical control system.
For the internal subnetwork, the security gateway adopts a network encryption proxy: after passing through the security gateway, the TLS proxy interacts with the applications in the numerical control system through the virtual network card.
(2) For data transmission at the NC-Link layer: an NC-Link encryption gateway assists the production line in exchanging data securely. The NC-Link protocol covers data acquisition, G-code file transmission, and uplink or downlink data issued by instructions; NC-Link access devices are authenticated and subjected to access control by category, and the data transmission is encrypted and integrity-protected.
Further, the network isolation and flow control of the security gateway in step two include:
(1) Network isolation based on a VPN gateway
IPSec is implemented using external computers (EPCs) and a manager (MPC). An EPC is connected directly to the internal network and is either a dedicated machine used only for accessing the Internet or a dual-purpose computer fitted with an isolation card. The Internet access of each EPC is configured, controlled, tracked, audited and monitored in real time by the manager MPC. SE is an IPSec VPN security gateway between the internal network and the external network; each EPC forms a tunnel with SE across the internal network, the tunnel is used to access the external network, and the tunnel is opaque to the internal network. The EPCs and SE form a virtual network that rides on the internal network but is completely isolated from it.
(2) Unidirectional transmission control
The TCP/IP connection between the external network and the internal network is cut off. The external network processing unit strips the application data from the network protocol to form static data; the static data is packaged in a special non-IP data frame format and sent to the intranet processing unit through a unidirectional transmission unit; finally, the intranet processing unit restores the static data, re-encapsulates it in the TCP/IP protocol and sends it to the intranet. During the data exchange, security control measures are applied on the external network processing unit and the internal network processing unit respectively, so that the security of the data transmission is ensured.
In the unidirectional data ferrying process, the external and internal network processing units apply security control measures at the link layer, network layer, transport layer and application layer respectively, forming a multi-layer integrated unidirectional security isolation ferrying mechanism. At the link layer, MAC address binding checks prevent ARP address spoofing attacks in the network. At the network layer, information security inspection prevents IP fragment, source routing and Ping of Death attacks; identity authentication with the IP communication peer establishes a secure transmission tunnel, so that the integrity and authenticity of IP packets are checked and spoofed, forged and replayed IP packets are prevented; and network-layer access control is implemented according to user-configured rules based on the source address, destination address, transport protocol, source port, destination port and time information of the IP packet, combined with a connection state tracking mechanism. At the transport layer, a SYN flooding protection mechanism is added for TCP to resist SYN flooding attacks, and a flow control mechanism is adopted for UDP to prevent UDP flood attacks.
The application layer supports the definition of configurable data formats and implements format checking of application-layer data; combined with an anti-virus and anti-Trojan system, application data is scanned for viruses and Trojans; application-layer session tracking prevents session hijacking attacks against application protocols; and application-layer access control is implemented according to user-configured rules based on keyword information in the application-layer data, combined with an application session state tracking mechanism.
Further, the trusted network boundary protection of the security gateway in step three includes:
Terminal A serves as the initiator of the network connection and terminal B as the visited party. Both communicating parties are fitted at the hardware layer with a TPCM card for identity identification, cryptographic operations and boot measurement; a trusted software base (TSB) is installed and deployed at the system layer to intercept and measure user behaviour and manage policy; and policy management, storage, identity authentication and policy arbitration are provided by the security management platform.
Before terminal A establishes a connection with terminal B, both terminals report their trusted status to the security management platform at fixed intervals. After receiving a report, the security management platform verifies its signature using the terminal's certificate; once verification passes, it extracts the boot measurement, static measurement and error log information recorded in the report, evaluates the terminal's trusted state against the policy judgement conditions to obtain a trusted state value, and stores that value in a database.
Both terminals periodically send requests to the security management platform to synchronise the trusted state information of the other terminals. On receiving a request, the platform checks whether the requesting terminal is legitimate and replies with the state information of all managed terminals. When returning the state information, the management platform encrypts and signs it using the platform key in its own TPCM. After receiving the trusted state information, the terminal verifies its signature, judges the legitimacy of its source, and updates the terminal state list stored in its policy library.
Before establishing a network connection, a terminal judges the trusted state of the peer terminal according to its locally stored trusted terminal state list and then decides whether to allow the connection. When a trusted connection is established, terminal A starts any network application and establishes a network connection with terminal B in the network. The trusted software base captures the network behaviour through the network hook points of the Linux LSM and passes the network IP and port information to the trusted authentication service, which judges the trusted state of terminal B. If terminal B's trusted state satisfies the conditions, the connection is allowed. After receiving terminal A's connection request, terminal B uses the same mechanism to judge terminal A's trusted state through its trusted authentication program, and if the conditions are met, terminal A is allowed access.
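The report, evaluate, synchronise and decide cycle described above, as an added example that is not the patent's code. Stand-ins, all assumptions: HMAC-SHA256 with a per-terminal key replaces certificate-based signature verification of reports, an HMAC under a platform key replaces the signature made with the platform key in the management platform's TPCM (the encryption step is omitted), the policy judgement condition is a golden-value comparison of the boot and static measurements plus a fatal-error check on the error log, and the IP-to-terminal table used by the hook is constructed.

```python
import hashlib
import hmac
import json

TRUSTED, UNTRUSTED = 1, 0   # trusted state values stored by the platform


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for the TPCM / certificate signature (assumption): HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, data), tag)


def evaluate_report(report: dict, policy: dict) -> int:
    """Policy judgement (assumed form): both measurements must equal the golden values
    and the error log must contain none of the errors the policy treats as fatal."""
    if report.get("boot_measurement") != policy["boot_measurement"]:
        return UNTRUSTED
    if report.get("static_measurement") != policy["static_measurement"]:
        return UNTRUSTED
    if any(err in policy["fatal_errors"] for err in report.get("error_log", [])):
        return UNTRUSTED
    return TRUSTED


class SecurityManagementPlatform:
    def __init__(self, platform_key: bytes, terminal_keys: dict, policy: dict):
        self.platform_key = platform_key    # stands in for the platform key in the TPCM
        self.terminal_keys = terminal_keys  # terminal id -> key (stands in for its certificate)
        self.policy = policy
        self.state_db = {}                  # terminal id -> trusted state value

    def receive_report(self, terminal_id: str, report: bytes, tag: str) -> bool:
        """Scheduled status report: verify, evaluate, store. Unknown terminals and bad
        signatures are rejected without touching the database."""
        key = self.terminal_keys.get(terminal_id)
        if key is None or not verify(key, report, tag):
            return False
        self.state_db[terminal_id] = evaluate_report(json.loads(report), self.policy)
        return True

    def sync_states(self, requester_id: str, request: bytes, tag: str):
        """Reply to a legitimate terminal with all managed states, signed with the
        platform key; None for an illegitimate requester."""
        key = self.terminal_keys.get(requester_id)
        if key is None or not verify(key, request, tag):
            return None
        payload = json.dumps(self.state_db, sort_keys=True).encode()
        return payload, sign(self.platform_key, payload)


class Terminal:
    def __init__(self, terminal_id: str, key: bytes, platform_key: bytes, ip_table: dict):
        self.terminal_id, self.key, self.platform_key = terminal_id, key, platform_key
        self.ip_table = ip_table    # peer IP -> terminal id (assumed lookup for the hook)
        self.state_list = {}        # trusted terminal state list in the policy library

    def signed(self, message: dict):
        data = json.dumps(message, sort_keys=True).encode()
        return data, sign(self.key, data)

    def update_state_list(self, payload: bytes, tag: str) -> bool:
        """Accept synchronised states only if they verify under the platform key."""
        if not verify(self.platform_key, payload, tag):
            return False
        self.state_list = json.loads(payload)
        return True

    def connect_allowed(self, peer_ip: str, peer_port: int) -> bool:
        """Decision the trusted authentication service returns to the LSM network hook."""
        peer_id = self.ip_table.get(peer_ip)
        return peer_id is not None and self.state_list.get(peer_id) == TRUSTED


def run_scenario() -> dict:
    """Constructed scenario: terminal A is clean, terminal B logs a fatal error."""
    policy = {"boot_measurement": "boot-golden", "static_measurement": "static-golden",
              "fatal_errors": {"tsb-integrity-failure"}}
    keys = {"A": b"terminal-A-key", "B": b"terminal-B-key"}
    platform_key, ip_table = b"platform-key", {"10.0.0.11": "A", "10.0.0.12": "B"}
    smp = SecurityManagementPlatform(platform_key, keys, policy)
    a = Terminal("A", keys["A"], platform_key, ip_table)
    b = Terminal("B", keys["B"], platform_key, ip_table)
    smp.receive_report("A", *a.signed({"boot_measurement": "boot-golden",
                                       "static_measurement": "static-golden", "error_log": []}))
    smp.receive_report("B", *b.signed({"boot_measurement": "boot-golden",
                                       "static_measurement": "static-golden",
                                       "error_log": ["tsb-integrity-failure"]}))
    for t in (a, b):    # periodic synchronisation of the state list from the platform
        reply = smp.sync_states(t.terminal_id, *t.signed({"sync": True}))
        if reply is not None:
            t.update_state_list(*reply)
    return {"A->B": a.connect_allowed("10.0.0.12", 8080),
            "B->A": b.connect_allowed("10.0.0.11", 8080)}
```

In the scenario A refuses to connect to B because B's synchronised state is untrusted, while B still admits A; a forged report or a forged state reply fails verification and leaves the database or the local list unchanged.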
Further, implementing high-speed encryption and access control based on trusted computing 3.0 in step four includes:
The trusted platform control module (TPCM) implements the trusted protection function in the trusted computing node and performs trusted monitoring of the protected resources according to the built-in protection policy, in parallel with the work of the computing component.
A domestic high-speed cryptographic service module implements the high-speed data encryption function: the hardware logic of a national cryptographic chip, a random number generator, key storage and an algorithm accelerator is implemented, enhancing the parallelism of cryptographic computation. A permission management and control model based on permission granularity and permission mapping is implemented; through this model the security role, service and authentication technologies of the cryptographic module are realised, and the cryptographic security capabilities are correctly assigned permissions within the numerical control system. A real-time key switching mechanism oriented to key failure and real-time key update is implemented, together with a multi-state storage mode for the key encryption keys and working keys of real-time numerical control services, ensuring the correctness of cryptographic material during real-time switching in the system. For the secure invocation requirements of the cryptographic service module, the driver composition of the secure cryptographic service module is designed, corresponding interface specifications are formulated on the service side, the system side and the bottom layer, a hardware driver access mode is implemented, configurability of the numerical control system's cryptographic services is supported, the control-cycle numerical control service invocation characteristics of decoding, tool control and speed control are designed, and a cryptographic service interface is designed based on a coupled set of service functions.
Based on the X.509 standard, dynamic policy configuration using attribute-based access control overcomes the mismatch between the life cycles of identity certificates and attribute certificates, so that identity and attribute certificates are combined and bound; an authentication protocol and access control technology under the trusted computing 3.0 network architecture are implemented, simplifying the identity authentication and permission verification flow. Combined with the NC-Link protocol, online services for applying for, auditing, issuing, publishing and revoking identity and attribute certificates are provided to users, processes and equipment subjects. TPCM and trusted cryptographic services based on trusted computing 3.0 are implemented, with a multi-level key management mechanism within the certificate service: key separation, a master key that derives encryption keys, encryption keys that protect data keys, and session keys, yielding a lightweight identity and attribute certificate service.
Another object of the invention is to provide a secure and trusted gateway system applying the above control method, where the secure and trusted gateway system comprises a gateway client and a gateway server.
The gateway client process is connected to the TAP through the TCP/IP protocol stack; the TAP is a virtual network device in the operating system kernel that operates on layer-2 data packets. After the TAP obtains an Ethernet frame, the frame is written to the TLS connection, so that it is sent in tunnel form. By setting client routes, user data packets are captured and forwarded in tunnel form using the Tun/Tap virtual network device.
The TAP in the gateway server is equivalent to an Ethernet device and operates on layer-2 data packets such as Ethernet frames. The operating system passes data through the TUN/TAP device to the user-space program bound to the device, and conversely the user-space program sends data through the TUN/TAP device. Linux Bridge is a network bridge that connects several network interfaces together to implement layer-2 switching. A Linux veth pair is a virtual network device interface that appears in pairs, with one end connected to the network protocol stack and the other end connected to its peer. NAT sits between veth1 and the physical network card connected to the internal network, and performs SNAT on data forwarded from veth1 to the physical network card of the internal network.
The gateway server also comprises a gateway server filtering module, a NAT module and a gateway server management module:
the gateway server filtering module is located between the TLS connections and the tap port and filters the data sent to the tap port by all TLS connections;
the NAT module is located between veth1 and the physical network card connected to the internal network and performs SNAT on the data forwarded by veth1 to the physical network card of the internal network;
the gateway server management module sets an IP blacklist and uses the gateway server filtering module to filter the corresponding IPs; sets a protocol whitelist and uses the filtering module to filter protocols; and sets flow control and uses the filtering module to control the traffic of each client.
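The three rule types the management module pushes to the filtering module (IP blacklist, protocol whitelist, per-client flow control) and the SNAT step of the NAT module, as an added illustration that is not the patent's code: it parses constructed Ethernet/IPv4 frames as the TAP device would deliver them from a TLS tunnel, applies the rules in that order, and rewrites the source address before the frame would reach the internal network card. The token-bucket form of flow control, the client identifier, the SNAT address and the sample addresses are assumptions.

```python
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # protocol numbers the whitelist names


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, proto, payload=b""):
    """Constructed Ethernet + IPv4 frame, as the TAP device would hand it to the tunnel."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)  # dst MAC, src MAC, type
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def parse_ipv4(frame):
    """Return (ihl, proto, src, dst) for an Ethernet/IPv4 frame, or None if malformed."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl or ipv4_checksum(frame[14:14 + ihl]) != 0:
        return None
    return ihl, frame[23], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


@dataclass
class TokenBucket:
    """Per-client flow control (assumed mechanism): a frame spends its length in bytes
    from a bucket that refills at `rate` bytes per second up to `burst` bytes."""
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < nbytes:
            return False
        self.tokens -= nbytes
        return True


class GatewayFilter:
    """Filtering module between the TLS connections and the tap port."""

    def __init__(self, ip_blacklist, protocol_whitelist, rate, burst, snat_ip):
        self.ip_blacklist = set(ip_blacklist)            # set by the management module
        self.protocol_whitelist = set(protocol_whitelist)
        self.rate, self.burst = rate, burst               # flow control setting
        self.snat_ip = snat_ip                            # internal-side address (assumed)
        self.buckets = {}                                 # client id -> TokenBucket

    def process(self, client_id, frame, now):
        """Blacklist, then whitelist, then flow control; ('forward', frame) or ('drop', reason)."""
        parsed = parse_ipv4(frame)
        if parsed is None:
            return "drop", "malformed"
        ihl, proto, src, dst = parsed
        if src in self.ip_blacklist or dst in self.ip_blacklist:
            return "drop", "ip-blacklist"
        if PROTO_NAMES.get(proto, str(proto)) not in self.protocol_whitelist:
            return "drop", "protocol-not-whitelisted"
        bucket = self.buckets.get(client_id)
        if bucket is None:   # first frame from this TLS connection starts with a full bucket
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.burst, self.burst, now)
        if not bucket.allow(len(frame), now):
            return "drop", "rate-limited"
        return "forward", self.snat(frame, ihl)

    def snat(self, frame, ihl):
        """What the NAT module does on the way to the internal NIC: rewrite the source
        address and recompute the IP header checksum (transport checksums left alone)."""
        hdr = bytearray(frame[14:14 + ihl])
        hdr[12:16] = socket.inet_aton(self.snat_ip)
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return frame[:14] + bytes(hdr) + frame[14 + ihl:]


if __name__ == "__main__":
    gw = GatewayFilter({"10.0.0.66"}, {"tcp"}, rate=500, burst=1000, snat_ip="10.0.0.1")
    for dst, proto in (("10.0.0.5", 6), ("10.0.0.66", 6), ("10.0.0.5", 17)):
        print(dst, PROTO_NAMES[proto], gw.process("client-A", build_frame("192.168.1.10", dst, proto), 0.0)[0])
```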
A further object of the present invention is to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the control method of the secure trusted gateway system described above.
Another object of the present invention is to provide a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the control method of the secure trusted gateway system.
Another object of the present invention is to provide an information data processing terminal, where the information data processing terminal is used to implement the secure trusted gateway system.
Combining the technical scheme with the technical problems to be solved, the technical scheme to be protected has the following advantages and positive effects:
First, in view of the technical problems in the prior art and the difficulty of solving them, the technical problems solved by the technical scheme of the invention are analysed in detail and in depth, closely combining the scheme to be protected with the results and data from the research and development process, and some of the technical effects obtained after solving the problems are inventive. The specific description is as follows:
In order to solve the identity authentication and data transmission security problems of applications such as DNC, MDC, MES and ERP in an open numerical control system, the invention analyses security proxy technologies at the application layer, transport layer and network layer and, on the basis of the national cryptographic algorithms, implements a VPN security gateway based on web applications, network ports and virtual network cards (L3 VPN). The specific contents are as follows:
(1) Analysing the security problems of several communication protocols (HTTP, FTP, NFS, CIFS) between the numerical control system applications, the numerical control machine tools and the background services, and performing security filtering of the network boundary protocols;
(2) Analysing network isolation and unidirectional transmission control of data based on the VPN gateway, and realising strict access control over the sensitive areas of the numerical control system;
(3) Analysing how to realise trusted network connection through the trusted network boundary, determining whether an accessing terminal may access the network by verifying the integrity of that terminal;
(4) Analysing the fusion of the security gateway with the trusted computing 3.0 trusted network, finally forming a reliable network protection boundary with network identity authentication and communication encryption functions.
Compared with the prior art, the invention has the following meanings:
(1) The method solves the security problems of identity authentication and access control in an open numerical control system, implements an authentication protocol and access control technology under the trusted computing 3.0 network architecture, simplifies the identity authentication and authority verification process, and improves the efficiency of secure access;
(2) Based on the X.509 standard, dynamic policy configuration using attribute-based access control overcomes the mismatch between the life cycles of the identity certificate and the attribute certificate, combines and binds the identity certificate with the attribute certificate, and simplifies certificate storage and reduces the number of interactions;
(3) Combined with the NC-Link protocol, online services for identity and attribute certificates (application, audit, issuance, release, revocation, etc.) are provided for users, processes, equipment and other subjects;
(4) A TPCM and a trusted cryptography service based on trusted computing 3.0 are implemented, together with a multi-level key management mechanism for the certificate service: key separation, derivation of encryption keys from a master key, encryption protection of data keys and session keys, etc., forming life-cycle protection for keys at every level and providing a lightweight identity and attribute certificate service.
Secondly, the technical scheme is regarded as a whole or from the perspective of products, and the technical scheme to be protected has the following technical effects and advantages:
the gateway system of the invention can perform security filtering on more than 5 common network communication protocols (HTTP, FTP, NFS, CIFS, etc.); it implements network identity authentication, communication encryption, network isolation and other functions based on the multi-level key management mechanism of the TPCM trusted root in trusted computing 3.0, and supports 10000 or more concurrent clients on a single machine; it uses the domestic NC-Link protocol as the core to achieve secure interconnection of numerical control equipment, implements mainstream security capabilities such as identity authentication, access control and transmission encryption, and is compatible with the protocols of various foreign numerical control systems, including MTConnect, OPC UA and Modbus-TCP.
Thirdly, as inventive supplementary evidence of the claims of the present invention, the following important aspects are also presented:
(1) The expected benefits and commercial value after the technical solution of the invention is put into practice are as follows: as one of the important research technologies in the secure and trusted platform for open numerical control systems, the invention greatly reduces the economic losses caused by malicious attacks and data theft. The project results can reduce production safety risks, ensure stable operation, and provide technical support for protecting sensitive process data. The method has important scientific value for raising the level of secure and trusted technology in numerical control systems, is highly forward-looking, and provides research support for safeguarding strategic production in aerospace, the military industry and other fields. From the perspective of economic value, the market for secure and trusted numerical control systems is expected to expand to 50 hundred million (5 billion), with a direct economic benefit of 2 hundred million (200 million) yuan. It is expected that one year after the project is completed, the annual growth rate of the numerical control system income of China numerical control will be no lower than 20%, the market share of domestically autonomous and controllable high-end numerical control systems will rise, and national industrial security will be supported.
(2) The technical solution of the invention fills a technical gap in domestic and foreign industry: international numerical control manufacturers, led by Siemens and Fanuc, have designed open secure numerical control system gateway software and hardware abroad with defense in depth as the guiding idea. The invention combines more advanced security concepts such as trusted computing 3.0, protocol-fused security (NC-Link), a strong cryptographic foundation (national cryptographic algorithm) and a large market space (intelligent manufacturing), integrates in terms of dominant technology with the strong, high-market-share leading domestic enterprises in the numerical control system field, solves the current lack of a complete security design in numerical control system gateway software and hardware, and achieves identity authentication, access control and transmission encryption protection for network access.
(3) Whether the technical solution of the invention solves technical problems that people have long wanted to solve but never succeeded in solving: it solves the identity authentication and data transmission security problems of applications such as DNC, MDC, MES and ERP in an open numerical control system, studies the security proxy technology of the application layer, transport layer and network layer, and implements a VPN security gateway based on WEB applications, network ports and virtual network cards (L3 VPN) on the basis of a national cryptographic algorithm; it solves the security problems of several communication protocols (HTTP, FTP, NFS, CIFS) between the numerical control system applications, the numerical control machine tools and the background services, and provides detection, early warning and blocking of multiple kinds of network intrusion; it solves the problems of network isolation and unidirectional data transmission control based on the VPN gateway, and implements strict access control over the sensitive area of the numerical control system; it addresses the integration of the security gateway with the trusted network of trusted computing 3.0, finally forming a reliable network protection boundary with a VPN encryption function.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a control method of a secure trusted gateway system provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of the overall design of a gateway according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a gateway client design according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a gateway server design according to an embodiment of the present invention;
FIG. 5 is a general technical architecture diagram of a gateway according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a network isolation scheme provided by an embodiment of the present invention;
FIG. 7 is a schematic diagram of a unidirectional transmission control principle provided by an embodiment of the present invention;
FIG. 8 is a diagram of the overall architecture of a trusted connection provided by an embodiment of the present invention;
FIG. 9 is a flow chart of trusted connections provided by an embodiment of the present invention;
FIG. 10 is a diagram of trusted connection function modules provided by an embodiment of the present invention;
FIG. 11 is a diagram of a Linux terminal technology implementation architecture provided by an embodiment of the present invention;
FIG. 12 is a schematic diagram of a software architecture stack provided by an embodiment of the present invention;
FIG. 13 is a diagram of a trusted computing 3.0 authentication and access control architecture provided by an embodiment of the present invention;
FIG. 14 is a schematic diagram of the working principle of Tap/Tun according to an embodiment of the present invention;
FIG. 15 is a flowchart of a Linux Bridge workflow provided by an embodiment of the present invention;
FIG. 16 is a schematic diagram of the working principle of the Linux veth pair provided by an embodiment of the present invention;
FIG. 17 is a schematic diagram of a virtual network device connection manner according to an embodiment of the present invention;
FIG. 18 is a schematic diagram of a gateway filtering module according to an embodiment of the present invention;
FIG. 19 is a schematic diagram of a NAT module design according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Aiming at the problems existing in the prior art, the invention provides a safe and reliable gateway system, a control method, a medium, equipment and a terminal, and the invention is described in detail below with reference to the accompanying drawings.
To enable those skilled in the art to fully understand how the invention may be embodied, this section presents an illustrative embodiment of the claims for purposes of illustration.
As shown in fig. 1, the control method of the secure trusted gateway system provided by the embodiment of the invention includes the following steps:
S101, filtering the network boundary protocols of the security gateway;
S102, performing network isolation and flow control of the security gateway;
S103, performing trusted network boundary protection of the security gateway;
S104, implementing high-speed encryption and access control based on trusted computing 3.0.
As shown in fig. 2, the secure trusted gateway system provided by the embodiment of the present invention is a VPN gateway system based on national cryptographic TLS; such a VPN gateway system generally consists of two parts, a gateway server and a gateway client.
1. Gateway client workflow
The workflow of the gateway client provided by the embodiment of the invention is summarized as the following points:
1) Establishing TLS connection with a gateway server;
2) Capturing user data packets destined for an internal network;
3) The data packet of the user is sent to the gateway server through TLS connection in the form of a tunnel;
4) Correctly unpacking the tunnel packets received from the TLS connection and delivering the unpacked packets to the corresponding user process.
The overall structure of the gateway client provided by the embodiment of the invention is shown in fig. 3. The client process is connected to the TAP through the TCP/IP protocol stack; the TAP is a virtual network device in the operating system kernel that operates on layer-2 packets. Once the TAP has obtained Ethernet frames, sending them over the TLS link achieves tunneling.
2. Gateway server workflow
The gateway server provided by the embodiment of the invention is the core of the gateway system; its design idea and workflow can be summarized in the following points:
1) Establishing TLS connection with a gateway client;
2) Receiving and parsing tunnel packets from the TLS connection;
3) Correctly filtering the data packet according to the filtering rule;
4) Accurately controlling the flow of the data packet according to the flow control requirement;
5) The data packet is sent to an internal network after passing through NAT;
6) Transmitting the data packet from the internal network through the corresponding TLS connection in a tunnel mode;
7) The filtering rules and the flow control rules of the gateway can be managed.
The overall structural design of the gateway server provided by the embodiment of the invention is shown in fig. 4. Here the TAP is equivalent to an Ethernet device operating on layer-2 packets, such as Ethernet data frames. The operating system sends data through the TUN/TAP device to the user-space program bound to the device, and that user-space program can likewise send data through the TUN/TAP device, just as it would operate a hardware network device. The Linux Bridge is a network bridge which, simply put, connects several network interfaces together to implement layer-2 switching. The veth pair is a virtual network device interface that comes in pairs: the two ends are connected to each other, and one end is attached to the network protocol stack. The NAT sits between veth1 and the physical network card connected to the internal network, and performs SNAT on the data that veth1 forwards to the physical network card of the internal network.
To analyze the key technologies of a secure and trusted gateway that provides network identity authentication and communication encryption under the trusted computing 3.0 framework, securely filters the common numerical control application protocols, supports unidirectional flow control and supports network isolation, the general technical architecture of the gateway provided by the embodiment of the invention is shown in fig. 5.
3. Network boundary protocol filtering
Different computer systems are linked by a network, and the complexity of the network leaves computer systems potentially vulnerable to attack from the network. For this reason, security protection needs to be implemented at the network boundary. In theory, if the security problems at the network boundary could be avoided, the network security problem would be solved. In practice, however, the security problem cannot be solved completely; better protection techniques can only reduce the risk of the system being attacked. Filtering of the various communication protocols at the network boundary is therefore particularly important, and the network boundary protocol filtering part filters several communication protocols (HTTP, FTP, NFS, CIFS) between the various services.
3.1 functional design
The filter module is designed to realize the following functions:
1) Target IP filtering. The IP information obtained from the TLS connection information is filtered against the IP blacklist.
2) ARP control. All clients connected to the server are logically within one LAN, but interworking between clients is meaningless and dangerous, so ARP requests between clients need to be filtered out. When the filtering module receives an Ethernet frame from the TLS connection, it unpacks the frame, parses any ARP request frame in it and determines the requested target IP. If the target IP is the IP of the gateway (i.e. the IP of veth1), the frame is passed; otherwise it is dropped.
3) Protocol filtering. The internal network usually provides only specific services to the external network, so requests of protocols unrelated to those services can be filtered out. When the filtering module receives an Ethernet frame from the TLS connection, it unpacks the frame, parses the protocol used and compares it with the protocol whitelist; if the protocol is on the whitelist the frame is passed, otherwise it is dropped.
4) Unidirectional flow control. Traffic from the clients needs to be controlled because of security concerns and the limited load capacity of the gateway server. This is implemented by directly discarding client data that exceeds the traffic limit; TCP/IP then completes congestion control automatically.
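The four checks above, applied to raw Ethernet frames as they would arrive from a client's TLS tunnel. This is an added example, not code from the patent; the protocol-to-TCP-port mapping, the token-bucket traffic limit and the sample frames are assumptions of the example.

```python
"""Filter module for the gateway server (added example, not the patent's code).

Applies the four checks of section 3.1 to raw Ethernet frames unpacked from a
client's TLS tunnel: destination-IP blacklist, ARP control (only ARP requests
for the gateway's own IP, the IP of veth1, pass), protocol whitelist and a
per-client traffic limit. Mapping whitelisted protocols to TCP destination
ports (HTTP 80, FTP 21, NFS 2049, CIFS 445) is an assumption of this example.
"""
import ipaddress
import struct
import time

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ARP_REQUEST = 1
PROTO_TCP = 6
# Assumed protocol-name -> TCP port mapping behind the protocol whitelist.
PROTO_PORTS = {"HTTP": 80, "FTP": 21, "NFS": 2049, "CIFS": 445}


class TokenBucket:
    """Per-client byte-rate limiter: data above the limit is simply dropped."""

    def __init__(self, rate_bps, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate_bps, burst, burst, now

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class FilterModule:
    def __init__(self, gateway_ip, ip_blacklist, proto_whitelist, rate_bps, burst):
        self.gateway_ip = ipaddress.ip_address(gateway_ip)
        self.blacklist = [ipaddress.ip_network(n) for n in ip_blacklist]
        self.allowed_ports = {PROTO_PORTS[p] for p in proto_whitelist}
        self.rate_bps, self.burst, self.buckets = rate_bps, burst, {}

    def decide(self, client_id, frame, now=None):
        """Return (verdict, reason) for one Ethernet frame received from client_id."""
        now = time.monotonic() if now is None else now
        if len(frame) < 14:
            return "DROP", "runt frame"
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_ARP:
            return self._check_arp(frame[14:])
        if ethertype == ETH_IPV4:
            return self._check_ipv4(client_id, frame, now)
        return "DROP", "ethertype 0x%04x not allowed" % ethertype

    def _check_arp(self, arp):
        # ARP over Ethernet/IPv4 is 28 bytes: opcode at 6..8, target IP at 24..28.
        if len(arp) < 28:
            return "DROP", "short ARP"
        opcode = struct.unpack("!H", arp[6:8])[0]
        target_ip = ipaddress.ip_address(arp[24:28])
        if opcode == ARP_REQUEST and target_ip == self.gateway_ip:
            return "PASS", "ARP request for the gateway"
        return "DROP", "ARP for %s blocked (client-to-client)" % target_ip

    def _check_ipv4(self, client_id, frame, now):
        ip = frame[14:]
        if len(ip) < 20:
            return "DROP", "short IPv4 header"
        ihl = (ip[0] & 0x0F) * 4
        proto, dst = ip[9], ipaddress.ip_address(ip[16:20])
        if any(dst in net for net in self.blacklist):        # 1) IP blacklist
            return "DROP", "destination %s is blacklisted" % dst
        if proto != PROTO_TCP or len(ip) < ihl + 4:          # 3) protocol whitelist
            return "DROP", "non-TCP or truncated transport header"
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport not in self.allowed_ports:
            return "DROP", "port %d is not on the protocol whitelist" % dport
        bucket = self.buckets.setdefault(                     # 4) flow control
            client_id, TokenBucket(self.rate_bps, self.burst, now))
        if not bucket.allow(len(frame), now):
            return "DROP", "client %s exceeds its traffic limit" % client_id
        return "PASS", "tcp/%d to %s" % (dport, dst)


# Constructed sample frames (not captured traffic) for exercising the filter.
def build_arp_request(sender_ip, target_ip):
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, ARP_REQUEST)
    arp += b"\x02\x00\x00\x00\x00\x01" + ipaddress.ip_address(sender_ip).packed
    return eth + arp + b"\x00" * 6 + ipaddress.ip_address(target_ip).packed


def build_tcp_frame(src_ip, dst_ip, dport):
    eth = b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp
```

Each frame yields a verdict and the rule that produced it, which is what a gateway would log; the rate limit is per client, so one noisy client cannot exhaust another's allowance.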
3.2 implementation
The security gateway captures the communication packet, parses the 8-bit protocol field to determine which proxy type the datagram carries, and forwards the data part to the various clients according to that proxy type.
For data transfer at the web application layer: an HTTPS proxy is used, i.e. HTTP plus TLS (SSL); the specific authentication method is as follows:
Unidirectional authentication: after receiving the message, the server encrypts the data with the private key in its own key store and sends the encrypted data together with its public key to the client; the client decrypts the data with the public key sent by the server, encrypts the data with that same server public key and sends it to the server, and the server decrypts it with its private key. This secures communication between the client and the server, but one-way authentication does not verify the legitimacy of the client.
Bidirectional authentication:
(1) The client sends a message to the server: it first encrypts the message with the client certificate, then sends it to the server together with the client certificate;
(2) After receiving the message, the server decrypts it with the client certificate, encrypts the message with the server private key, and sends the server certificate and the message to the client;
(3) The client decrypts the message with the server certificate it received, encrypts the message with the server certificate, encrypts it once more with the client certificate, and sends the encrypted message together with the client certificate to the server;
(4) The server first decrypts the message with the certificate sent by the client, which ensures that the message was sent by that client, and then decrypts it with the server private key to obtain the plaintext data.
A TLS proxy is used at the TCP transport layer of the gateway; after passing through the gateway, the TLS proxy carries out data transmission and other interactions with applications such as DNC, MDC, MES and ERP in the open numerical control system.
For the internal subnetwork the security gateway adopts a network encryption proxy: after passing through the security gateway, a TLS proxy interacts with the applications in the numerical control system through the virtual network card.
Data transmission at the NC-Link layer: an NC-Link encryption gateway is used, whose main purpose is to help the delivery line carry out secure data interaction. Because the NC-Link protocol involves uplink and downlink data such as data acquisition, G-code file transmission and instruction issuing, and to ensure that data in the production process of the numerical control system is not illegally stolen or tampered with, NC-Link access devices must be authenticated and subjected to classified access control, and data transmission must be encrypted and integrity-protected.
4. Network isolation and flow control
4.1 VPN gateway-based network isolation
(1) Basic concept and principle
The purpose of network isolation is to prohibit resource sharing between networks, preventing information from one network from leaking onto another network.
Physical isolation is a common network isolation method; it has long been regarded as the most reliable and intuitive isolation measure, to the point that other isolation techniques are distrusted and not adopted. There is currently no accepted definition or standard of what counts as physical isolation and how it is to be measured. It is generally held that physical isolation should at a minimum be achieved by physical separation of network devices, including routers, switches, cabling, hosts, etc. To achieve physical isolation it is necessary to build several physical networks at the same time in the same office or the same group of buildings. This is precisely the disadvantage of physical isolation, and such a high cost is not affordable for all users. The network isolation problem is a security problem, and security cannot be guaranteed without considering cost. A good solution should be a reasonable balance of risk, cost, performance and ease of handling. Security is not absolute: no practical system is absolutely secure, and physical isolation is not seamless either. Two physically isolated networks often share an electromagnetic space, a power supply system and remote communication resources, run operating systems that are equally insecure, and have user groups and administrators whose trustworthiness is questionable; physical isolation under such conditions can hardly achieve the effect people expect. Physical isolation is static and passive, focusing on physical separation during network construction; it has no effect on the running condition or the user condition of the network, and in practice information leakage between the networks still exists. Physical isolation is a security measure external to the network, and proactive security measures inside the network are sometimes more effective.
VPN isolation differs from physical isolation. VPN isolation is a kind of logical isolation, but unlike traditional logical isolation it is implemented with encryption technology and authentication technology, that is, with VPN technology. Physical isolation emphasizes the separation of devices; VPN isolation pursues the separation of information, or making it unreadable.
A VPN is a logical network with the security features of a private network, built on public network infrastructure using cryptography and tunneling; the logical network is opaque to, or otherwise isolated from, the public network. The security features obtained through cryptography and tunneling are the most fundamental features of a VPN, while economy is obtained by using the public network.
VPN isolation is achieved through tunneling. A tunnel is a virtual data path between two points in a VPN network, and is essentially a way to transport data using public network facilities. The transmitted data (in the form of frames or packets) are encapsulated and encrypted according to a determined protocol before entering a tunnel (public network facility), and a new protocol header is added. The address on the public network is derived from the address of the data to be transmitted and is filled into the new protocol header. The encapsulated frame or packet is unpacked, decrypted, and restored to its original form before leaving the tunnel.
In order to establish a tunnel, both parties must follow the same tunneling protocol. According to the layers of the OSI reference model there are layer-two (corresponding to the link layer) and layer-three (corresponding to the network layer) tunneling protocols. Common layer-two tunneling protocols are PPTP and L2TP, both used to encapsulate PPP data frames. IPSec is the most representative layer-three tunneling protocol and is used to protect IP packets.
IPSec is an open security standard framework developed by the Internet Engineering Task Force (IETF) to guarantee confidentiality, integrity and authenticity at the IP layer; it is in fact a set of network layer security protocols. Since its first release in 1995, the IPSec protocol suite has gained widespread acceptance as the de facto network layer security standard. IPSec mainly uses Diffie-Hellman key exchange, public key signatures, advanced encryption, keyed hash algorithms, CAs and digital certificates, etc.; it provides security mechanisms for access control, connectionless integrity, data origin authentication, confidentiality, replay attack resistance, traffic analysis resistance, etc., and offers transparent confidentiality, integrity and authenticity services to upper-layer protocols and applications.
(2) Network isolation scheme based on VPN gateway
The network isolation scheme is shown in fig. 6, in which EPC is an external computer that implements IPSec and is directly connected to the internal network. The EPC can be a dedicated machine for accessing the Internet or a dual-purpose computer with an isolation card (in this case the computer is fitted with two hard disks, one for the intranet and one for the extranet; the two disks never operate at the same time and cannot exchange data).
The MPC is a supervisory computer that also implements IPSec and is used for configuring, controlling, tracking, auditing and monitoring in real time the Internet access of each external computer EPC.
SE is an IPSec VPN security gateway and becomes the mandatory path for information exchange between the internal and external networks. Each EPC forms a tunnel with the SE across the internal network and uses that tunnel to access the external network, the Internet; the tunnel is opaque to the internal network. The EPCs and the SE form a virtual network that relies on the internal network yet is completely isolated from it.
From the foregoing, it can be seen that this solution is a particular application of VPN. Typically, VPN is a secure network built through an untrusted public network, while the present solution is to build an open, internet-interconnected network through a trusted internal network.
4.2 unidirectional Transmission control
The unidirectional control between networks can adopt the unidirectional security isolation ferrying technology to carry out unidirectional data transmission between two networks, and the basic principle is as follows: cutting off TCP/IP connection between the external network and the internal network; the external network processing unit strips out the application data based on the network protocol to form static data; then, the static data is packaged according to a special non-IP data frame format and is sent to an intranet processing unit through a unidirectional transmission unit; and finally, the intranet processing unit restores the static data, and the TCP/IP protocol is encapsulated again and sent to the intranet. In the process of data exchange, safety control measures are respectively implemented on the external network processing unit and the internal network processing unit, so that the safety of data transmission is ensured.
The unidirectional transmission control principle is shown in fig. 7, and in the unidirectional data ferrying process, the external network processing unit and the internal network processing unit apply security control measures on the link layer, the network layer, the transmission layer and the application layer respectively, so that a multilayer integrated unidirectional security isolation ferrying mechanism is formed.
(I) Link layer
Mainly adopts MAC address binding checks to prevent ARP address spoofing attacks in the network.
(II) network layer
Network layer information security inspection prevents IP fragment, source route, Ping of Death and other attack behaviors; identity authentication with the IP peer establishes a secure transmission tunnel, so that integrity and authenticity checks of IP packets are achieved and spoofing, forging, replay and similar attacks on IP packets are prevented; based on the source address, destination address, transport protocol, source port, destination port, time and other information of the IP packet, combined with a connection state tracking mechanism, network layer access control can be implemented according to rules configured by the user.
(III) transport layer
A SYN Flooding protection mechanism is added for the TCP protocol to resist SYN Flooding attack; aiming at the UDP protocol, a flow control mechanism is adopted to prevent UDP flow attack and avoid the influence of abnormal flow on an intranet system.
(IV) application layer
Supports the definition of a configurable data format to implement format checking of application layer data; combines with anti-virus and anti-Trojan systems to check and remove viruses and Trojans in application data; adopts application layer session tracking to prevent attacks such as session hijacking against the application protocol; and, based on the keyword information of the application layer data combined with the application session state tracking mechanism, implements application layer access control according to rules configured by the user. The unidirectional security isolation ferrying technology blocks direct TCP/IP network connections between the information equipment of the internal network and that of the external network, achieves unidirectional transmission of application service data on the basis of network security isolation, eliminates the security risks caused by vulnerabilities in the network protocol stack or the operating system itself, and effectively eliminates the threat of network attacks from the external network system against the internal network system.
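The ferry procedure and the layered checks described above, as an added example that is not the patent's code: the external unit strips the application data out of the TCP/IP packet and frames it, and the internal unit verifies the MAC binding, the frame's integrity and sequence, and the application-layer format before releasing the data for re-encapsulation. The frame layout, the SHA-256 integrity field, the JSON message format and the operation whitelist are assumptions of the example.

```python
"""One-way security-isolation ferry (added example, not the patent's code).

The external-network processing unit strips the application data out of a
TCP/IP packet and wraps it in a constructed non-IP frame; the internal-network
processing unit checks the sending unit's MAC binding (link layer), the frame's
magic, length, integrity and sequence, and the application-layer format and
keywords, and only then releases the data for re-encapsulation on the intranet.
The frame layout, SHA-256 integrity field and JSON operation whitelist are
assumptions of this example.
"""
import hashlib
import json
import struct

MAGIC = b"FERY"                   # constructed marker; deliberately not an ethertype/IP
HEADER = struct.Struct("!4sII")   # magic, sequence number, payload length
DIGEST_LEN = 32
ALLOWED_OPS = {"collect", "gcode_upload", "status"}   # assumed application keywords


def strip_app_data(ip_packet):
    """External unit: discard the IP and TCP headers, keep only static app data."""
    ihl = (ip_packet[0] & 0x0F) * 4
    data_off = (ip_packet[ihl + 12] >> 4) * 4
    return ip_packet[ihl + data_off:]


class ExternalUnit:
    """Lives on the external network; only emits ferry frames, never reads replies."""

    def __init__(self):
        self.seq = 0

    def encapsulate(self, ip_packet):
        app_data = strip_app_data(ip_packet)
        self.seq += 1
        digest = hashlib.sha256(app_data).digest()
        return HEADER.pack(MAGIC, self.seq, len(app_data)) + digest + app_data


def check_application_format(app_data):
    """Application layer: configurable format check plus keyword access control."""
    try:
        msg = json.loads(app_data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "payload is not UTF-8 JSON"
    if not isinstance(msg, dict) or not {"machine_id", "op"} <= set(msg):
        return False, "missing machine_id/op fields"
    if msg["op"] not in ALLOWED_OPS:
        return False, "operation %r is not permitted" % msg["op"]
    return True, "ok"


class InternalUnit:
    """Lives on the internal network; validates every frame before releasing it."""

    def __init__(self, bound_mac, max_len=65535):
        self.bound_mac = bound_mac.lower()   # link layer: MAC address binding
        self.last_seq = 0
        self.max_len = max_len

    def receive(self, src_mac, frame):
        """Return (verdict, reason, app_data); app_data is None unless accepted."""
        if src_mac.lower() != self.bound_mac:
            return "DROP", "link layer: source MAC is not the bound external unit", None
        if len(frame) < HEADER.size + DIGEST_LEN:
            return "DROP", "short frame", None
        magic, seq, length = HEADER.unpack_from(frame)
        digest = frame[HEADER.size:HEADER.size + DIGEST_LEN]
        app_data = frame[HEADER.size + DIGEST_LEN:]
        if magic != MAGIC:
            return "DROP", "not a ferry frame: raw IP traffic cannot cross", None
        if length != len(app_data) or length > self.max_len:
            return "DROP", "length mismatch", None
        if hashlib.sha256(app_data).digest() != digest:
            return "DROP", "integrity check failed", None
        if seq <= self.last_seq:
            return "DROP", "replayed or out-of-order sequence %d" % seq, None
        ok, why = check_application_format(app_data)
        if not ok:
            return "DROP", "application layer: " + why, None
        self.last_seq = seq
        return "ACCEPT", "re-encapsulate in TCP/IP toward the intranet", app_data


def sample_ip_packet(app_data):
    """Constructed IPv4/TCP packet carrying app_data (sample input, not captured)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(app_data), 0, 0, 64, 6, 0,
                     bytes([192, 168, 50, 10]), bytes([10, 0, 0, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 9000, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + app_data
```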
5. Trusted network boundary protection
The trusted network boundary protection mainly realizes the trusted network connection, the trusted connection is an important component of a trusted computing theory, is a core technology for realizing trust transmission on a network, and has different implementation schemes in different products and application scenes.
The trusted connection determines whether the accessing terminal is capable of accessing the network by verifying the integrity of the terminal accessing the network. The trusted terminal participating in the communication transmits the trusted state of the trusted terminal to the network, so that the network is ensured to be trusted.
There are two main problems in the TCA (Trusted Connect Architecture) model:
(1) TCA does not have an explicit method and criteria for evaluating the trusted state;
(2) The trusted third party arbitration mechanism is used as a policy manager in the TCA to provide two-way authentication for the communication terminal, but identity and state authentication between the terminal and the trusted third party arbitration mechanism are not clear.
The trusted connection of the trusted network boundary protection in the security gateway is designed with reference to the TCA standard independently formulated in China. The policy manager defined in the standard is implemented in this scheme by an independent security policy management platform, which collects the trusted status reports submitted by all terminals and judges whether a terminal is trusted according to the arbitration rules formulated by the user and the data in the trusted status report. The trusted report is generated by a trusted root, which is implemented in hardware by a Trusted Platform Control Module (TPCM); the TPCM takes part in trusted status report generation, identity verification, key negotiation and other work in network communication, and the identity of the terminal is identified by the built-in Trusted Cryptography Module (TCM) to ensure the confidentiality and security of data during the interaction.
In the functional flow of the trusted connection, before two parties communicate, the current trusted status report of each must be obtained, and the trusted state determines whether communication is allowed. Trusted-state judgment and access-resource control are realized through a policy decision mechanism, which can combine several conditions in its decision.
In the implementation of the protection function, network access requests are monitored and intercepted through the Linux LSM mechanism; a connection can only be established if the peer's trusted state meets the policy requirement, and only then can data be sent and received normally.
5.1 general architecture
As shown in fig. 8, terminal A is the initiator of the network connection and terminal B the accessed party. Both communicating parties are equipped at the hardware layer with TPCM cards, which provide identity identification, cryptographic operations, boot measurement and similar functions; a Trusted Software Base (TSB) is installed and deployed at the system layer and mainly performs interception, measurement and policy management of user behaviour; and the security management platform provides policy management, storage, identity authentication, policy arbitration and related functions.
Before terminal A establishes a connection with terminal B, both terminals periodically upload their own trusted status reports to the security management platform. On receiving a report, the platform checks its signature with the terminal's certificate (imported into the management platform when the terminal was deployed). After the check passes, the platform reads the boot measurement, static measurement, error log and other information recorded in the report, evaluates the terminal's trusted state against the policy decision conditions to obtain a trusted state value, and stores that value in a database.
Both terminals also periodically send the security management platform a request to synchronize the trusted state information of the other terminals. On receiving such a request, the platform checks whether the requesting terminal is legitimate and replies with the state information of all terminals it manages. When returning the state information, the management platform encrypts and signs it with the platform key in its own TPCM. After receiving the trusted state information, the terminal first verifies the signature to establish the legitimacy of the source, and then updates the terminal state list stored in its policy library.
Before establishing a network connection, a terminal judges the trusted state of the peer according to the locally stored trusted terminal state list and then decides whether to allow the connection.
The flow for establishing a trusted connection is shown in fig. 9. Terminal A starts any network application that needs a network connection to terminal B. The trusted software base captures the network behaviour at a network hook point in the Linux LSM and passes information such as the network IP and port to the trusted authentication service program, which judges the trusted state of terminal B. If terminal B's trusted state satisfies the condition, the connection is allowed. After receiving terminal A's connection request, terminal B uses the same mechanism: its trusted authentication program judges the trusted state of terminal A, and if the conditions are met, terminal A is allowed to access.
While the system runs, terminals A and B continue to report their own trusted state at fixed intervals and to update the trusted states of all terminals in the network from the security management platform. When the state of either communicating party changes, emergency measures can be taken. These can take several forms: for example, the firewall mechanism in the Linux system can be linked to control the sending and receiving of the terminal's data packets, or execution of the offending program can be interrupted directly through the TSB's process hook point in the LSM.
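The following Python example is added here to illustrate the report-upload, state-synchronization and admission-check flow just described; it is not code from the patent. The TPCM platform-key signature is replaced by an HMAC-SHA256 stand-in keyed per terminal (an assumption; the real design signs with an asymmetric key in the TCM and verifies with the terminal certificate), and the scoring rules and threshold are a constructed example of the user-defined arbitration rules.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the TPCM platform-key signature: one HMAC-SHA256 key
# per terminal and one for the platform (assumption). The real design signs
# with an asymmetric platform key held in the TCM and verifies with the
# terminal certificate imported at deployment time.
TERMINAL_KEYS = {"A": b"constructed-platform-key-A", "B": b"constructed-platform-key-B"}
PLATFORM_KEY = b"constructed-management-platform-key"


def sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def build_status_report(terminal_id, measurements):
    """Terminal side: the TPCM collects the measurement results and signs the report."""
    payload = {"terminal": terminal_id, **measurements}
    return {"payload": payload, "sig": sign(TERMINAL_KEYS[terminal_id], payload)}


# User-defined arbitration rules (constructed): each satisfied condition adds
# its weight to the trusted state value; the terminal is trusted at or above
# TRUST_THRESHOLD. Fields mirror the report contents named in the text.
POLICY_RULES = [
    ("boot_chain_ok", lambda r: r["boot_chain_ok"], 40),
    ("static_ok", lambda r: r["static_ok"], 30),
    ("dynamic_ok", lambda r: r["dynamic_ok"], 20),
    ("no_error_log", lambda r: r["error_log_count"] == 0, 10),
]
TRUST_THRESHOLD = 90


def trusted_state_value(report_payload):
    return sum(weight for _, cond, weight in POLICY_RULES if cond(report_payload))


class SecurityManagementPlatform:
    def __init__(self):
        self.state_db = {}  # terminal id -> trusted state value

    def receive_report(self, report):
        """Signature check with the terminal's key, then policy evaluation."""
        tid = report["payload"].get("terminal")
        if tid not in TERMINAL_KEYS or not verify(TERMINAL_KEYS[tid], report["payload"], report["sig"]):
            return False  # unknown terminal or tampered report: ignored
        self.state_db[tid] = trusted_state_value(report["payload"])
        return True

    def sync_states(self, requester):
        """Reply to a terminal's synchronization request with a signed state list."""
        if requester not in TERMINAL_KEYS:
            return None  # not a legitimate terminal
        payload = {"states": dict(self.state_db)}
        return {"payload": payload, "sig": sign(PLATFORM_KEY, payload)}


class Terminal:
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.state_list = {}  # the policy library's copy of every terminal's state

    def update_state_list(self, reply):
        """Verify the platform signature before trusting the synchronized list."""
        if reply is None or not verify(PLATFORM_KEY, reply["payload"], reply["sig"]):
            return False
        self.state_list = reply["payload"]["states"]
        return True

    def allow_connection(self, peer_id):
        """The decision the LSM network hook asks for before a socket send/receive."""
        return self.state_list.get(peer_id, 0) >= TRUST_THRESHOLD
```

A terminal whose next report fails a measurement drops below the threshold on the platform, and every peer that synchronizes afterwards refuses new connections to it; a report whose contents were altered after signing fails verification and leaves the stored state unchanged.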
5.2 Critical parts
5.2.1 TPCM trusted root
The TPCM is a core component of a trusted computing architecture, responsible for trusted metrics and safeguarding computing nodes, and generating logs and trusted reporting data. The TPCM includes trusted hardware resources, a trusted operating system, and a built-in TCM.
The TPCM hardware resources comprise a dedicated logic-control CPU, storage units, a cryptographic unit, I/O devices and a TCM module that can be extended through an external connection. The TPCM's own CPU provides isolation, protection and interaction mechanisms that isolate and protect the TPCM hardware resources and realize communication between the computing node and the trusted node.
The TPCM provides functions such as initiating the construction of the chain of trust, logging the trusted state, generating trusted status reports and providing access interfaces to cryptographic resources. The terminal's TPCM regularly generates a trusted status report and signs it with the platform key in the TCM, which prevents the report from being tampered with. The trusted software base periodically uploads the TPCM-generated report to the security management platform, which maintains the trusted state of all terminals and provides query services.
5.2.2 trusted software base
When a user needs to access the network, the kernel-mode part of the trusted software base first evaluates the trusted state of the target terminal according to the policy, refuses communication that does not meet the condition and otherwise allows it. Judgment of user behaviour therefore includes judgment of network behaviour; it also covers other states, such as program execution and file access. The result of the judgment is configured into the TPCM, whose Platform Configuration Registers (PCRs) store the judged state; the trusted status report is then generated and uploaded to the security management platform.
The trusted software base TSB consists of a basic trust base, an active monitoring mechanism (comprising a control mechanism, a measurement mechanism and a judgment mechanism), a trusted reference library and a supporting mechanism.
The trusted reference library provides storage, query, update and similar functions for trusted reference values (including information such as the reference object and the reference content). It supplies reference information in real time and is convenient for fast lookup, so the reference information is usually held in memory.
The active monitoring mechanism of the TSB intercepts the system calls to be measured and, with the support of the TPCM, actively measures and controls the subject, object, operation and environment involved in the call. The TSB accesses TPCM resources through its supporting mechanism; policy and audit information exchange with the trusted security management platform, and trusted collaboration with the TSBs of other computing platforms, are achieved through a collaboration mechanism.
The TSB's active monitoring mechanism obtains the user's network behaviour and other behaviours in the Linux LSM framework and decides whether they are legitimate through its control, measurement and judgment mechanisms.
5.2.3 Security management platform
The trusted security management platform builds a unified, centralized management mechanism and uniformly carries out the execution and management of the security mechanisms in all areas and at all layers. In terms of system management, security management and audit management, a centralized and unified security management mechanism is established through computation and analysis of the application system.
The security management platform centrally manages the trusted state of its managed area, verifies the signature of each trusted status report uploaded by a terminal to ensure the report's source is trusted, and synchronizes the trusted state it currently maintains to every terminal at fixed intervals. It provides a judgment standard that the user can customize for the trusted state, together with an interface for adding judgment factors.
5.3 trusted connection technology implementation
5.3.1 Functional module composition
The functional module of the trusted connection is composed of three parts, as shown in fig. 10, namely a security management platform, a trusted software base and a TPCM.
The security management platform centrally manages the states reported by the terminals and verifies the signatures of the trusted status reports uploaded during terminal deployment. Through the user interaction interface the user can define the evaluation policy for the trusted state and score the states reported by the terminals.
Through an encrypted channel, a terminal obtains the trusted state information of all other terminals in the system from the security management platform, uploads its own trusted state information to the platform, and periodically downloads the network control policy. The user-mode and kernel-mode parts of the trusted software base communicate through the Netlink protocol, and the established channel carries information such as policy logs and trusted status reports.
5.3.2 Linux terminal technology implementation
The technical architecture realizing trusted network connection on a Linux terminal is shown in fig. 11. When a running application invokes the system's network interface, the trusted software base obtains the network information at the hook points that the LSM framework provides at the file system, program execution, network communication and other positions. The network information includes the source IP, destination IP, source port and destination port. The trusted software base looks up the trusted state of the target host in the trusted state library by the target host's IP and then, together with the policy, decides whether to allow the data to be sent or received.
When an application calls the network-related system interfaces to communicate, the kernel services sock_recvmsg() and sock_sendmsg() are used to receive and send data. The kernel module of the trusted software base registers its policy-check and trusted-state-check control logic on the corresponding LSM hooks, security_socket_sendmsg() and security_socket_recvmsg(). Policy configuration and trusted state updates can use the Netlink protocol to pass the information the application layer obtained from the management platform into the kernel; to speed up lookups, the policy management can build a cache with a hash table.
The architecture of the software stack in the system is shown in fig. 12. The trusted software stack is an essential system component of the overall architecture: for the cryptographic services of the TPCM and the trusted-measurement information it holds to be usable by application software and by the trusted software base kernel, a software stack must act as intermediary. The stack provides application and kernel interfaces upward, and uses the TPCM's computing power and storage resources downward through the hardware drivers.
5.3.3 trusted status report
The trusted status report contains information on the running state of the system, such as the boot chain of trust, static measurement and dynamic measurement, and the results of all these measurements are stored in the PCRs.
The boot chain of trust measures the BIOS, GRUB, Linux kernel, file system and similar components. The measurement process starts from the TPCM hardware, each stage measures the content of the next stage, a complete boot chain of trust is formed, and the result is stored in the PCRs of the TPCM. Static measurement records information such as program execution and dynamic library loading in the system; the TPCM stores the measurement results during measurement and gathers them when the report is generated.
In dynamic measurement, the TPCM actively and periodically measures the integrity of program and kernel code segments in memory, and the measurement results are likewise summarized when the report is generated.
The TPCM periodically reads the measurement results of each measurement point recorded in the PCRs, signs them with the platform key and sends them to the security management platform.
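As an added illustration of the boot chain of trust and the reference-library check (not code from the patent), the following Python builds a SHA-256 PCR by extending it stage by stage, keeps the measurement log, and has the verifying side replay the log against the reported PCR and compare each entry with the trusted reference library. The stage images, their digests and the choice of SHA-256 for the PCR bank are constructed assumptions; the platform-key signature on the report is out of scope for this block.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank (assumption; the TPCM's actual algorithm is not stated)


def extend(pcr, image):
    """PCR extend: new PCR = H(old PCR || H(image)). Order-dependent and one-way,
    so a later stage cannot erase the record of an earlier one."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def build_boot_chain(stages):
    """Each stage measures the next before handing over control; the TPCM starts the
    chain. stages: list of (name, image bytes). Returns (final PCR, measurement log)."""
    pcr = bytes(PCR_SIZE)  # PCR is all zeros after reset
    log = []
    for name, image in stages:
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


def replay_log(log):
    """Recompute the PCR the log claims to describe (the management platform does this)."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest)).digest()
    return pcr


class ReferenceLibrary:
    """Trusted reference library: known-good digest per reference object, held in memory."""
    def __init__(self, refs):
        self.refs = dict(refs)

    def update(self, name, digest):
        self.refs[name] = digest

    def mismatches(self, log):
        return [name for name, digest in log if self.refs.get(name) != digest]


def evaluate_boot_report(reported_pcr, log, library):
    """Accept only if the log replays to the reported PCR and every entry is known-good.
    Returns (trusted, list of findings)."""
    if replay_log(log) != reported_pcr:
        return False, ["log/PCR mismatch"]
    bad = library.mismatches(log)
    return not bad, bad


# Constructed stand-ins for the measured boot components and their golden values.
GOOD_STAGES = [
    ("BIOS", b"constructed-bios-image-v1"),
    ("GRUB", b"constructed-grub-image-v1"),
    ("kernel", b"constructed-vmlinuz-v1"),
    ("rootfs", b"constructed-rootfs-v1"),
]
REFERENCE = ReferenceLibrary((name, hashlib.sha256(img).hexdigest()) for name, img in GOOD_STAGES)
```

Two failure modes are worth separating in the verdict: a log that does not replay to the PCR means the log itself is not what the TPCM recorded, while a log that replays but names an unknown digest means a component changed and the reference library must either be updated (a legitimate upgrade) or the terminal marked untrusted.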
The trusted report format is defined in a table in the original document (reproduced there only as an image, not available here).
The trusted status report can contain various items of user data; the status results of the various security measures are summarized, and the current trusted state of the terminal is judged on the security management platform by a user-defined evaluation policy. In this scheme, in addition to boot measurement, static measurement and dynamic measurement, information such as illegal file access and network access by users is added.
6. High-speed encryption and access control based on trusted computing 3.0
The trusted computing 3.0 system consists of a Trusted Platform Control Module (TPCM) and a domestic high-speed cryptographic service module.
6.1 trusted platform control Module TPCM
The TPCM is the key component realizing the trusted protection function in a trusted computing node. It can be realized through various technical approaches, such as a board, a chip or an IP core. Internally it comprises hardware and firmware (such as a central processing unit and memory) and software (such as an operating system and trusted functional components), and it is supported as a protection component independent of the computing component. Working in parallel with the computing component according to a built-in protection policy, it places the computing component's hardware, firmware, software and other resources under trusted monitoring; the TPCM is the root of trust in the trusted computing node.
6.2 Domestic high-speed cryptographic service module
The domestic cryptographic service module consists of a hardware entity and embedded components running on it, and realizes a high-speed data encryption function. It implements hardware logic such as a national cryptographic algorithm chip, a random number generator, key storage and algorithm accelerators, with enhanced parallelism in the cryptographic computation. It implements a permission management and control model based on permission granularity and permission mapping; through this model it realizes the security role, service and authentication mechanisms of the cryptographic module and the correct allocation of cryptographic security capabilities in the numerical control system. It implements a real-time key switching mechanism for the case where real-time key update fails, together with a multi-state storage mode for key-encryption keys and working keys of real-time numerical control services, ensuring correctness when keys are switched in real time. For the secure invocation requirements of the cryptographic service module, a driver composition for the secure cryptographic service module is designed, with interface specifications formulated on the service side, the system side and the bottom layer, and a hardware driver access mode is realized; this supports configurable cryptographic services in the numerical control system, is designed around the control-period invocation characteristics of numerical control services such as decoding, tool control and speed control, and the cryptographic service interface is designed on the basis of a coupled set of service functions.
6.3 Authentication and access control
Based on the X.509 standard, dynamic policy configuration using attribute-based access control overcomes the mismatch between the life cycles of identity certificates and attribute certificates, combines and binds the two kinds of certificate, reduces certificate storage and the number of interactions, and solves the security problem of identity authentication and access control in an open numerical control system. An authentication protocol and access control technology under the trusted computing 3.0 network architecture are realized, simplifying the authentication and permission verification process and improving secure access efficiency. Combined with the NC-Link protocol, online services such as application, audit, issuance, publication and revocation of identity and attribute certificates are provided for subjects such as users, processes and equipment. The TPCM and trusted cryptographic service based on trusted computing 3.0 are realized, together with a multi-level key management mechanism in the certificate service: key separation, master-key-derived encryption keys, encryption-protected data keys, session keys and similar capabilities are realized, forming life cycle protection for each level of key and a lightweight identity and attribute certificate service. The trusted computing 3.0 authentication and access control architecture is shown in fig. 13.
7. Gateway client detailed design
The gateway client realizes its functions on the basis of Tun/Tap virtual devices, so its design approach is described starting from the Tun/Tap device.
7.1 Tun/Tap virtual network device
In a computer network, TUN and TAP are virtual network devices in the operating system kernel. Unlike devices backed by a conventional hardware network card, these virtual devices are implemented entirely in software and offer software running on the operating system exactly the same functionality as hardware network devices.
TAP is equivalent to an Ethernet device and operates on layer-2 packets, such as Ethernet frames. TUN emulates a network-layer device and operates on layer-3 packets, such as IP packets.
The operating system sends data through the TUN/TAP device to the user-space program bound to the device, and conversely the user-space program can send data through the TUN/TAP device just as it would through a hardware network device. In the latter case, the TUN/TAP device delivers (or "injects") the packet into the operating system's network stack, thereby simulating the reception of data from outside.
The Linux Tun/Tap driver provides two ways for an application to interact with it: the virtual network interface and the character device /dev/net/tun. Data written to the character device /dev/net/tun is sent to the virtual network interface, and data sent into the virtual network interface also appears on the character device.
An application can send IP packets to the Tun/Tap interface through the standard socket API, as if it were operating a real network card. Besides applications, the operating system itself may also send IP packets or Ethernet packets, such as ARP or ICMP packets, to the Tun/Tap interface as part of TCP/IP protocol stack processing. The Tun/Tap driver writes the packets received by the Tun/Tap interface directly to the /dev/net/tun character device, and an application that processes Tun/Tap data, such as a VPN program, can read them from the device and process them accordingly.
An application can also write packets through the /dev/net/tun character device; in that case a packet written to the character device is sent to the Tun/Tap virtual interface and enters the operating system's TCP/IP protocol stack for processing, just like data arriving at the operating system from a physical network card.
The difference between the Tun virtual device and a physical network card is that the Tun device is an IP-layer device: writing a packet is only writing that packet from the /dev/net/tun character device, so layer-2 operations such as sending ARP requests and Ethernet broadcasts cannot be performed. The Tap virtual device, in contrast, is an Ethernet device that processes layer-2 Ethernet frames; it reads Ethernet frames from the /dev/net/tun character device and only Ethernet frames can be written to it. In this respect the Tap virtual device is closer to a real physical network card and more capable. Fig. 14 depicts the operating principle of Tap/Tun.
7.2 capturing user data packets through Tun/Tap and forwarding in tunnel form
Tun/tap are virtual network devices (tun is a layer-3 virtual device, tap a layer-2 one) and, from the operating system's point of view, are no different from a physical network card. User packets can be captured by setting the client's routes so that its packets are directed onto the tun/tap network card. The specific design comprises the following steps:
1) Creating a tun/tap device through an interface provided by a Linux system;
2) Obtaining from the gateway server the IP for this connection (the IP to assign to the Tun/Tap device) and the gateway address (the IP of the virtual network device in the gateway server);
3) Setting the IP of a tun/tap virtual network card;
4) Modifying the client's routes so that packets destined for the internal network go through the tun/tap virtual network card, with the gateway being the IP of the virtual device in the gateway server;
This allows the client's packets to be captured successfully.
Because the tun/tap virtual network card is backed by a character device, it can be read and written directly. Therefore, once the tun/tap network card has captured the user's packet, a direct read yields the corresponding tunnel packet (the tun network card yields an IP packet, the tap network card an Ethernet frame), and the IP packets or Ethernet frames are handed to the TLS connection, realizing transmission in tunnel form.
Similarly, tunnel packets received from the TLS connection are written directly into the tun/tap network card, and the TCP/IP protocol stack automatically unpacks them and delivers them to the corresponding user process.
In this way, tunnel communication is achieved from the gateway client to the gateway server.
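The following Python example is added to show the client side of the procedure above in working form; it is not the patent's own client code. It creates the tun device through /dev/net/tun with the TUNSETIFF ioctl, expresses steps 3 and 4 as `ip` commands, and pumps packets between the device and a TLS socket. The length-prefixed framing on the TLS stream, the interface name, the addresses and the command-line arguments are all assumptions; the kernel ioctl constants are the standard ones from linux/if_tun.h. Creating the device requires CAP_NET_ADMIN, so the privileged part sits under `__main__`.

```python
import fcntl
import os
import select
import socket
import ssl
import struct
import subprocess
import sys

# ioctl constants from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_TAP = 0x0002
IFF_NO_PI = 0x1000  # no 4-byte packet-info header in front of each packet


def open_tun(name="tun0", tap=False):
    """Step 1: create the tun/tap device through /dev/net/tun (needs CAP_NET_ADMIN).
    The returned fd reads/writes whole packets: IP packets for tun, Ethernet frames for tap."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), flags))
    return fd


def client_setup_commands(ifname, local_ip, gateway_ip, internal_net):
    """Steps 3 and 4 as `ip` invocations: address the device, bring it up and route the
    internal network through it via the gateway's virtual-device IP. In the design these
    two addresses come from the gateway server in step 2; here they are parameters."""
    return [
        ["ip", "addr", "add", local_ip + "/24", "dev", ifname],
        ["ip", "link", "set", ifname, "up"],
        ["ip", "route", "add", internal_net, "via", gateway_ip, "dev", ifname],
    ]


def frame(packet):
    """Tunnel framing on the TLS byte stream (assumed format): 2-byte big-endian length prefix."""
    return struct.pack("!H", len(packet)) + packet


def unframe(buf):
    """Split buffered TLS bytes into complete tunnel packets; returns (packets, leftover)."""
    packets = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        packets.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return packets, buf


def ipv4_addresses(packet):
    """(src, dst) of an IPv4 packet as read from a tun device, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def pump(tun_fd, tls_sock):
    """Forward packets both ways: tun -> TLS (capture) and TLS -> tun (inject into the stack)."""
    pending = b""
    while True:
        ready, _, _ = select.select([tun_fd, tls_sock], [], [])
        if tun_fd in ready:
            tls_sock.sendall(frame(os.read(tun_fd, 65535)))
        if tls_sock in ready:
            data = tls_sock.recv(65535)
            if not data:
                return
            packets, pending = unframe(pending + data)
            for packet in packets:
                os.write(tun_fd, packet)  # the kernel stack delivers it to the user process


if __name__ == "__main__":
    # Usage (privileged): tunclient.py <gateway_host> <local_ip> <gateway_ip> <internal_net> <ca.pem>
    gateway_host, local_ip, gateway_ip, internal_net, ca_file = sys.argv[1:6]
    fd = open_tun("tun0")
    for cmd in client_setup_commands("tun0", local_ip, gateway_ip, internal_net):
        subprocess.run(cmd, check=True)
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies the gateway's certificate
    with ctx.wrap_socket(socket.create_connection((gateway_host, 443)), server_hostname=gateway_host) as tls:
        pump(fd, tls)
```

The framing matters because TLS delivers a byte stream, not packets: without a length prefix a single `recv` can return half a packet or two packets at once, which `unframe` handles by carrying the leftover bytes into the next read.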
8. Gateway server-based detailed design
The gateway server also uses a tun/tap virtual device (specifically, a tap virtual network card) and, because of the way its functions are implemented, further virtual network devices as well (a Linux Bridge and a veth pair). The design concept of the gateway server is described starting from the virtual network devices it uses.
8.1 Linux Bridge
Linux Bridge is a virtual network device operating at layer 2, with a function similar to a physical switch. A Bridge can bind other Linux network devices as slave devices and virtualize them into ports; binding a slave device to a Bridge is equivalent to plugging a cable from a terminal into a switch port in a real network.
Put simply, a Linux Bridge is a network bridge that connects several network interfaces to realize layer-2 switching.
Its working process is the same as a physical switch's: it forwards according to MAC address and learns the MAC address table. As a virtual switch, Linux Bridge has the following characteristics:
1) When Bridge is created, a hidden port is created, and the hidden port can be automatically connected with a system protocol stack;
2) Bridge can configure IP address to realize three-layer exchange;
3) If eth0, which already has an IP address, is attached to the bridge, the IP address on eth0 is disabled (eth0 is in fact put into promiscuous mode).
There can be several instances of Linux Bridge. When an external packet flows in, a bridge check determines whether it belongs to a Bridge: if so, the packet is forwarded to the corresponding Bridge, which forwards it according to the layer-2 switching mechanism, and if the packet is addressed to the local host it is passed up to the network layer through br0; if not, it is submitted to the network layer directly. The workflow of Linux Bridge is shown in fig. 15.
8.2 Linux veth pair
As shown in fig. 16, a veth pair is a virtual network interface that appears in pairs: one end connects to the network protocol stack, and the two ends are connected to each other.
Because of this property, it is often used to build virtual network topologies, such as connecting two different network namespaces (netns), connecting a Docker container, or connecting to a Bridge; one very common case is that the OpenStack Neutron underlay uses it to build very complex network topologies.
Like TUN/TAP or other physical network interfaces, a veth can also be configured with a MAC/IP address (though it is not necessary to configure one).
8.3 connection and data forwarding between virtual network devices
To meet the corresponding functional requirements, the virtual network devices on the gateway server are connected in the manner designed in fig. 17.
The gateway server uses a Tap virtual network card in Tun/Tap (Tun cannot be connected to a Linux Bridge), and is connected to the Linux Bridge as a port thereof, and no address is set. Each Tap network card serves one TLS connection, i.e. one client, receiving their data.
The Linux Bridge sends the data received from each tap port (the destination address of these packets is the address of veth1) to the veth0 port, and data received from the veth0 port is sent to the corresponding tap port.
One end of the veth pair is connected to the Linux Bridge, while the other end needs an IP address set (in fact the gateway address). Data from veth0 is sent to the veth1 end, i.e. all data from the clients arrives at veth1, which forwards it in the routing direction of the internal network; likewise all data from the internal network is received by veth1, sent to the Linux Bridge and finally to the corresponding client.
8.4 gateway server filtering module
The gateway server filtering module is located between the TLS connection and the tap port, and is configured to filter data sent to the tap port by all TLS connections, as shown in fig. 18.
The filter module is designed to realize the following functions:
1) Target IP filtering. The IP information obtained from the TLS connection information is checked against the IP blacklist.
2) ARP control. All clients connected to the server are logically within one LAN, but interworking between clients is both meaningless and dangerous, so ARP requests between clients need to be filtered out. When the filtering module receives an Ethernet frame from a TLS connection, it unpacks the frame, analyses any ARP request frame in it and determines the requested target IP. If the target IP is the IP of the gateway (i.e. the IP of veth1), the frame is passed; otherwise it is discarded.
3) Protocol filtering. The internal network usually provides only specific services to the external network, so requests of protocols unrelated to those services can be filtered out. When the filtering module receives an Ethernet frame from a TLS connection, it unpacks the frame, analyses the protocol used and compares it with the protocol white list; if the protocol is on the white list the frame is passed, otherwise it is discarded.
4) Unidirectional flow control. Traffic from the clients must be controlled because of security concerns and the limited load capacity of the gateway server. The implementation is that client data exceeding the flow limit is discarded directly, and TCP/IP congestion control completes the rest automatically.
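The following Python example is added to show the four filter functions above as one decision routine over Ethernet frames (not the patent's own filtering module). It parses the Ethernet, ARP and IPv4 headers with the standard library, applies the IP blacklist to the client address taken from the TLS connection, enforces the per-client traffic limit with a token bucket, passes only ARP requests whose target is the gateway (veth1) address, and matches IPv4 traffic against a white list of (protocol, port) pairs. The gateway address, the blacklist, the white list, the rate figures, the MAC addresses and the frames built by the helpers at the bottom are all constructed for illustration.

```python
import socket
import struct
import time

ETH_P_IP, ETH_P_ARP, ARP_REQUEST = 0x0800, 0x0806, 1
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def parse_ethernet(frame):
    """(dst_mac, src_mac, ethertype, payload), or None for a runt frame."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def arp_request_target(payload):
    """Target IP of an IPv4-over-Ethernet ARP *request*; None for anything else."""
    if len(payload) < 28:
        return None
    if struct.unpack("!HHBBH", payload[:8]) != (1, ETH_P_IP, 6, 4, ARP_REQUEST):
        return None
    return socket.inet_ntoa(payload[24:28])


def ipv4_service(payload):
    """(ip protocol, destination port or None) of an IPv4 payload, or None if not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
    port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= ihl + 4:
        port = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return proto, port


class TokenBucket:
    """Unidirectional flow control: a client's frames beyond its byte budget are dropped."""
    def __init__(self, rate_bps, burst, clock):
        self.rate, self.burst, self.clock = rate_bps, burst, clock
        self.tokens, self.last = burst, clock()

    def allow(self, nbytes):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class FilterModule:
    def __init__(self, gateway_ip, ip_blacklist, protocol_whitelist, rate_bps, burst, clock=time.monotonic):
        self.gateway_ip = gateway_ip                # IP of veth1: the only ARP target clients may resolve
        self.ip_blacklist = set(ip_blacklist)
        self.whitelist = set(protocol_whitelist)    # {(ip protocol, port)}; port None = any port
        self.rate_bps, self.burst, self.clock = rate_bps, burst, clock
        self.buckets = {}

    def accept(self, client_ip, frame):
        """Decide for one Ethernet frame received from a client's TLS connection.
        Returns (allowed, reason); checks run in the order blacklist, flow limit, ARP, protocol."""
        if client_ip in self.ip_blacklist:
            return False, "ip-blacklist"
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate_bps, self.burst, self.clock))
        if not bucket.allow(len(frame)):
            return False, "flow-limit"
        parsed = parse_ethernet(frame)
        if parsed is None:
            return False, "malformed"
        _, _, ethertype, payload = parsed
        if ethertype == ETH_P_ARP:
            if arp_request_target(payload) == self.gateway_ip:
                return True, "arp-to-gateway"
            return False, "arp-not-to-gateway"    # client-to-client ARP is dropped
        if ethertype == ETH_P_IP:
            svc = ipv4_service(payload)
            if svc and (svc in self.whitelist or (svc[0], None) in self.whitelist):
                return True, "protocol-whitelisted"
            return False, "protocol-not-whitelisted"
        return False, "ethertype-not-supported"


# --- constructed test frames (not captured traffic) ---
def eth_frame(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, ARP_REQUEST) + sender_mac + socket.inet_aton(sender_ip)
            + b"\x00" * 6 + socket.inet_aton(target_ip))


def ipv4_packet(src_ip, dst_ip, proto, dst_port, pad=0):
    """Minimal IPv4 header (checksum left zero, enough for the filter) plus a 4-byte L4 header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + pad, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + struct.pack("!HH", 40000, dst_port) + b"\x00" * pad
```

The order of the checks is deliberate: the blacklist and the byte budget are evaluated before any parsing, so a blacklisted or over-quota client cannot make the gateway spend effort on its frames, and ARP replies (operation 2) never match the request check, so only requests for the gateway address are relayed onto the bridge.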
8.5 NAT module
The NAT module sits between veth1 and the physical network card connected to the internal network and performs SNAT on the data that veth1 forwards to the internal network's physical network card, as shown in fig. 19.
8.6 gateway server management Module
The gateway server management module mainly realizes the following functions:
1) Setting the IP blacklist, used by the gateway server filtering module to filter the corresponding IPs;
2) Setting the protocol white list, i.e. the rules for which protocols' requests may pass through the gateway, used by the gateway server filtering module for protocol filtering;
3) Flow control settings: setting the upper limit of allowed client traffic, with the gateway server filtering module controlling the client traffic accordingly.
To demonstrate the inventiveness and technical value of the technical solution of the present invention, this section gives application examples of the claimed technical solution on specific products or related technologies.
On a trusted server, the invention realizes a security gateway based on a national cryptographic high-speed encryption card, which provides network identity authentication and communication encryption. It can perform security filtering on more than 5 common network communication protocols, supports unidirectional flow control, and supports functions such as network isolation. The technical value of the application embodiments and schemes of the present invention is described below:
The invention uses a Trusted Platform Control Module (TPCM) and a domestic high-speed cryptographic service module to realize a VPN security gateway based on WEB applications, network ports and virtual network cards (L3 VPN), solving the identity authentication and data transmission security problems of applications such as DNC, MDC, MES and ERP in an open numerical control system;
The invention uses several security proxy technologies at the application, transport and network layers (an HTTPS proxy at the application layer, a TLS proxy at the transport layer and the NC-Link encryption gateway at the network layer), solving the security problems of various communication protocols (HTTP, FTP, NFS, CIFS) between the numerical control system, the numerical control machine tool and the background services, and providing detection, early warning and blocking of various network intrusions;
The invention realizes network isolation of the gateway and unidirectional data transmission control with VPN IPSec, and realizes strict access control of the sensitive areas of the numerical control system with the security management platform, the trusted software base and the TPCM.
The embodiments of the invention show clear advantages in the research, development and use process, as described below in combination with the data and charts of the testing process.
9. Example advantages
The overall advantages of the present invention over other gateways can be summarized in two points:
(1) Multilevel key management mechanism based on the TPCM trusted root: aiming at the requirements for secure transmission of system static files and network dynamic data, and of multi-scenario data such as internal production lines and interconnection centres, single machines and network clusters, the invention provides identity certificates and encryption keys for subjects such as users, processes and equipment. Based on the TPCM of Trusted Computing 3.0 and the trusted cryptography service, a master-key principle and a multi-level key management mechanism are developed, realizing key separation, encryption keys derived from the master key, encryption-protected data keys, session keys and the like, so that lifecycle protection is formed for each level of key.
(2) Organic integration of safe and trusted technology with the numerical control system: the security technology, the trusted computing technology and the software/hardware fusion design technology of the numerical control system are studied, and a balance between trusted security and the performance of the numerical control system is achieved. Firstly, a trusted control module and a cryptographic service module based on Trusted Computing 3.0 are integrated on the gateway of the numerical control system, so that trusted control is established at the hardware bottom layer; then the trusted software base is integrated into the numerical control operating system, establishing a trusted running environment for it; and then the numerical control software on the host computer of the numerical control system is protected, providing security functions such as identity authentication, access control, storage encryption, transmission encryption, prevention of external connections and NC file analysis. To meet the real-time requirements of numerical control services, methods such as lightweight cryptography, hardware acceleration and dual-system trusted strategies are adopted, so that safe and trusted protection is applied without sacrificing the performance of the numerical control system.
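The multi-level key mechanism of advantage (1) (and of claim 6) chains keys from a master key held by the TPCM down to per-connection session keys, with each level derived from the one above so that a leaked lower-level key does not expose its parent. The following is an added illustration of that hierarchy, not the patent's code: HKDF-Expand (RFC 5869) over HMAC-SHA256 from the Python standard library stands in for whatever national-algorithm KDF the TPCM and cryptographic card actually provide, data keys are derived rather than randomly generated and wrapped (wrapping with the card's block cipher is outside the standard library), and the level labels, version numbers and sample master key are constructed.

```python
"""Multi-level key hierarchy rooted in a master key, as an added illustration (not the patent's code).

Levels follow the page: master key -> key-encryption keys (per purpose) -> data keys
(per protected object) -> session keys (per connection). HKDF-Expand over HMAC-SHA256
is an assumed stand-in for the TPCM's national-algorithm KDF. Labels are constructed.
"""
import hashlib
import hmac


def hkdf_expand(prk, info, length=32):
    """HKDF-Expand (RFC 5869): deterministic, one-way child key from a parent key and a label."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def label(*parts):
    """Length-prefixed label fields, so ('a','bc') and ('ab','c') cannot collide."""
    encoded = [p.encode() for p in parts]
    return b"".join(len(p).to_bytes(2, "big") + p for p in encoded)


class KeyHierarchy:
    """Holds only the master key; in the real design that key never leaves the TPCM."""

    def __init__(self, master_key, version=1):
        self._master = master_key
        self.version = version  # bumped on rotation (the page's real-time key switching)

    def kek(self, purpose):
        """Level 1: key-encryption key per purpose, e.g. 'static-files' or 'network'."""
        return hkdf_expand(self._master, label("kek", purpose, str(self.version)))

    def data_key(self, purpose, object_id):
        """Level 2: data key per protected object, bound to the purpose's KEK."""
        return hkdf_expand(self.kek(purpose), label("dek", object_id))

    def session_key(self, purpose, object_id, nonce):
        """Level 3: per-connection session key; the nonce changes on every handshake."""
        return hkdf_expand(self.data_key(purpose, object_id), label("session", nonce))

    def rotate(self):
        """Switch to the next key version; every derived key below the master changes."""
        self.version += 1
        return self.version


def demo():
    """Constructed master key; returns hex of one key from each level."""
    h = KeyHierarchy(b"constructed-master-key-32-bytes!!")
    return {
        "kek": h.kek("network").hex(),
        "dek": h.data_key("network", "dnc-link").hex(),
        "session": h.session_key("network", "dnc-link", "nonce-1").hex(),
    }


if __name__ == "__main__":
    print(demo())
```

Because derivation is one-way, a compromised session key reveals neither the data key nor the KEK above it, and because the version is part of the KEK label, rotating the master-level version re-keys every level below in one step.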
10. Partial interface design and simulation experiment
10.1 gateway client user interface design
The gateway client is started from the command line, and the parameters the user must supply are the following:
(1) IP and port of the gateway server;
(2) The mode of the gateway client: either global mode (the default gateway is set to the gateway provided by the gateway server, and all client traffic goes to the gateway server) or local mode (the user specifies some segments of the internal network, and only data destined for those segments goes to the gateway server).
10.2 gateway server user interface design
The gateway server is started from the command line, and the parameters the user must supply are the following:
(1) The operation mode, one of working mode, cleaning mode and setting mode;
(2) In working mode the gateway operates normally, and the parameters can specify the private network segment to be allocated to clients;
(3) The cleaning mode cleans up the virtual network devices created while the gateway runs; these devices do not disappear when the gateway stops (the gateway is usually stopped forcibly), so they have to be deleted actively.
(4) The setting mode sets the filtering rules of the gateway, including protocol filtering rules and traffic filtering rules.
10.3 gateway partial flow demonstration
The process simulates accessing an internal network from an external network through the gateway client and the gateway server.
External network: in the embodiment of the invention, the external network is the network from which the gateway client can reach the gateway server. The gateway server connects to the external network through the eno1 network card, whose IP is 10.12.159.11.
The gateway client is deployed in a virtual machine on a host in the external network; the virtual machine shares the host network in NAT mode. Both the host network and the virtual machine network of the client deployment need to be configured.
Internal network: the internal network is simulated by the network segment of the virtual machine running on the gateway server. The network segment of that virtual machine is 172.16.89.0/24.
The gateway server communicates with the internal network through the vmnet8 network card, IP 172.16.89.1; vmnet8 simulates the port through which the gateway server connects to the internal network.
(1) Running the server
After it starts, a virtual bridge is created in the system; in this example the bridge IP is set to 10.222.0.1/16 as the gateway address. The server then listens for gateway client connections.
(2) Starting forwarding on the gateway server's Linux bridge;
(3) Enabling route forwarding in the gateway server system;
(4) Modifying the gateway server's netfilter filtering rules and setting the default rule to allow forwarding;
(5) Configuring SNAT on the gateway server;
(6) Running a client;
it connects to the gateway server and obtains the assigned IP 10.222.0.2;
routing rules are added, setting the gateway for the internal network (172.16.89.0/24) to 10.222.0.1.
(7) Network connectivity test
On the client host, the host 172.16.89.140 of the target network is pinged and is reachable.
(8) Service acquisition test
Taking the ssh service as an example, the ssh service of host 172.16.89.140 in the target network is requested from the client host, and the service is obtained normally.
(9) Cleaning the created virtual bridge after closing the gateway server
The bridge created by the server while running still exists after it stops and must be deleted manually (this cannot be done automatically at run time because the gateway server is stopped forcibly), so a clean command is provided to clean up the bridge.
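The nine steps of section 10.3, together with the cleaning mode of section 10.2, are one procedure: bring up a bridge with the gateway address, enable forwarding, open netfilter's FORWARD chain, add SNAT towards the internal network, route the client, test, and later remove what was created. The following is an added illustration of that procedure, not the patent's code: each step is recorded as a (do, undo) pair, so the cleanup list is derived from the setup list instead of being maintained by hand, which is exactly the gap the page describes when the server is stopped forcibly. Commands are dry-run by default and executed with subprocess only when asked (root required). The bridge name br0, the use of `ip`/`iptables`/`sysctl`, and the SNAT source address 172.16.89.1 (the vmnet8 address) are assumptions; the other addresses and interface names come from the page.

```python
"""Gateway server bring-up, client route and cleanup from section 10.3, as an added
illustration (not the patent's code). Each step is a (do, undo) pair; cleanup replays the
undo side in reverse. Commands are returned for review and only executed on request.
Assumed: bridge name br0, the iproute2/iptables/sysctl tool set, SNAT source 172.16.89.1.
"""
import shlex
import subprocess

BRIDGE = "br0"
GATEWAY_CIDR = "10.222.0.1/16"   # bridge address doubles as the gateway address (page)
CLIENT_NET = "10.222.0.0/16"
INTRANET_IF = "vmnet8"           # gateway server's port into the internal network (page)
INTRANET_IP = "172.16.89.1"      # vmnet8 address on the gateway server (page)
INTRANET = "172.16.89.0/24"


def server_steps(bridge=BRIDGE, gw_cidr=GATEWAY_CIDR, client_net=CLIENT_NET,
                 out_if=INTRANET_IF, snat_ip=INTRANET_IP):
    """Steps (1)-(5); undo is None where nothing outlives the gateway process."""
    snat = f"-t nat POSTROUTING -s {client_net} -o {out_if} -j SNAT --to-source {snat_ip}"
    return [
        (f"ip link add name {bridge} type bridge", f"ip link del dev {bridge}"),   # (1)
        (f"ip addr add {gw_cidr} dev {bridge}", None),   # address disappears with the bridge
        (f"ip link set dev {bridge} up", None),          # (2) bridge forwards once up
        ("sysctl -w net.ipv4.ip_forward=1", None),       # (3) route forwarding
        ("iptables -P FORWARD ACCEPT", None),            # (4) netfilter default rule
        (f"iptables -A {snat}", f"iptables -D {snat}"),  # (5) SNAT towards the intranet
    ]


def attach_tap_steps(tap, bridge=BRIDGE):
    """The tap created for one TLS connection is plugged into the bridge."""
    return [(f"ip link set dev {tap} master {bridge}", f"ip link set dev {tap} nomaster"),
            (f"ip link set dev {tap} up", None)]


def client_steps(intranet=INTRANET, gateway="10.222.0.1"):
    """Step (6), local mode: only the internal segment is routed through the tunnel."""
    return [(f"ip route add {intranet} via {gateway}", f"ip route del {intranet} via {gateway}")]


def test_commands(target="172.16.89.140"):
    """Steps (7) and (8): reachability, then the ssh service (a banner or auth prompt
    already shows the service was reached through the gateway)."""
    return [f"ping -c 3 {target}", f"ssh -o BatchMode=yes -o ConnectTimeout=5 {target} exit"]


def setup_commands(steps):
    return [do for do, _undo in steps]


def cleanup_commands(steps):
    """Step (9) / cleaning mode: undo in reverse order, skipping steps with nothing to undo."""
    return [undo for _do, undo in reversed(steps) if undo]


def run(commands, execute=False):
    """Dry-run by default. With execute=True every command runs and must succeed."""
    for cmd in commands:
        if execute:
            subprocess.run(shlex.split(cmd), check=True)
    return list(commands)


if __name__ == "__main__":
    print("\n".join(setup_commands(server_steps())))
    print("--- cleanup ---")
    print("\n".join(cleanup_commands(server_steps())))
```

Keeping the undo side next to each step means the cleaning mode cannot drift from the working mode; if a later version adds a rule in setup without an undo, the omission is visible in the same line.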
It should be noted that the embodiments of the present invention can be realized in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or special purpose design hardware. Those of ordinary skill in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such as provided on a carrier medium such as a magnetic disk, CD or DVD-ROM, a programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The device of the present invention and its modules may be implemented by hardware circuitry, such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., as well as software executed by various types of processors, or by a combination of the above hardware circuitry and software, such as firmware.
The foregoing is merely illustrative of specific embodiments of the present invention, and the scope of the invention is not limited thereto, but any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention will be apparent to those skilled in the art within the scope of the present invention.

Claims (10)

1. The control method of the safe and reliable gateway system is characterized by comprising the following steps of: establishing TLS connection with a gateway server by using a gateway client, capturing user data packets with the destination of an internal network, transmitting the user data packets to the gateway server through the TLS connection in a tunnel mode, and correctly unpacking the tunnel packets received from the TLS connection and transmitting the tunnel packets to corresponding user processes; the method comprises the steps of establishing TLS connection with a gateway client by using a gateway server, receiving and analyzing tunnel packets from the TLS connection, correctly filtering data packets according to filtering rules, correctly controlling the flow of the data packets according to flow control requirements, sending the data packets to an internal network after passing through NAT, sending the data packets from the internal network through the corresponding TLS connection in a tunnel mode, and managing the filtering rules and the flow control rules of the gateway.
2. The control method of a secure trusted gateway system as claimed in claim 1, wherein the control method of the secure trusted gateway system comprises the steps of:
step one, filtering a network boundary protocol of a security gateway;
secondly, network isolation and flow control of the security gateway are carried out;
thirdly, performing trusted network boundary protection of the security gateway;
and step four, high-speed encryption and access control are realized based on trusted computing 3.0.
3. The method of controlling a secure trusted gateway system as claimed in claim 2, wherein the network boundary protocol filtering of the secure gateway in step one comprises:
(1) For data transfer by the web application layer: using HTTPS proxy, the authentication method is as follows:
unidirectional authentication: the client sends a message to the server, and after the server receives the message, the server encrypts data by using a private key in a key bank of the server; the encrypted data and the public key of the server side are sent to the client side, and the client side decrypts the data by using the public key sent by the server side; encrypting the data by using a public key of the server transmitted to the client and transmitting the encrypted data to the server, wherein the server decrypts the data by using a private key;
And (3) bidirectional authentication:
1) The client sends a message to the server, encrypts the message by using a client certificate and sends the message to the server together with the client certificate;
2) After receiving the message, the server decrypts the message by using the client certificate, encrypts the message by using a server private key and sends the server certificate and the message to the client together;
3) The client decrypts the message by using the sent server certificate, and encrypts the message by using the server certificate; encrypting the message once by using the certificate of the client, and sending the encrypted message and the client certificate to the server;
4) Decrypting the message by using the certificate transmitted by the client to the server to ensure that the message is sent by the client; decrypting the message by using a private key of the server side to obtain plaintext data;
using a TLS agent at a TCP transmission layer of a gateway, and performing data transmission interaction with applications of DNC, MDC, MES and ERP in an open numerical control system through TLS communication after passing through the gateway;
the security gateway adopts a network encryption agent for the internal subnet, and uses a TLS agent after passing through the security gateway to interact with the application in the numerical control system through the virtual network card;
(2) Data transmission for NC-Link layer: using NC-Link encryption gateway to assist the delivery line to perform safety data interaction; the NC-Link protocol relates to data acquisition, G code file transmission and uplink or downlink data issued by instructions, and performs authentication and access control on NC-Link access equipment in a classified manner, and encrypts and protects the data transmission integrity.
4. The method for controlling a secure trusted gateway system as claimed in claim 2, wherein the network isolation and flow control of the secure gateway in step two comprises:
(1) Network isolation based on VPN gateway
IPSec is realized by using an external computer EPC and a manager MPC, the EPC is directly connected to an internal network, and is a special machine specially used for accessing the Internet or a dual-purpose computer provided with an isolation card; the method comprises the steps that a manager MPC is utilized to configure, control, track and audit the Internet surfing condition of each external computer EPC, and monitor in real time; SE is an IPSec VPN security gateway between an internal network and an external network; each EPC forms a tunnel with SE through an internal network, the tunnel is used for accessing an external network, and the tunnel is opaque to the internal network; the EPC and the SE form a virtual network which depends on the internal network and is completely isolated from the internal network;
(2) Unidirectional transmission control
Cutting off TCP/IP connection between the external network and the internal network; the external network processing unit strips the application data based on the network protocol to form static data; packaging the static data according to a special non-IP data frame format, and sending the static data to an intranet processing unit through a unidirectional transmission unit; finally, the intranet processing unit restores the static data, and the TCP/IP protocol is encapsulated again and sent to the intranet; in the process of data exchange, safety control measures are respectively implemented on an external network processing unit and an internal network processing unit, so that the safety of data transmission is ensured;
In the process of unidirectional data ferrying, the external network processing unit and the internal network processing unit apply security control measures at the link layer, network layer, transport layer and application layer respectively, forming a multilayer integrated unidirectional security isolation ferrying mechanism; wherein the link layer uses MAC address binding checks to prevent ARP address spoofing attacks in the network; network layer information security inspection prevents IP fragment, source routing and Ping of Death attacks; identity authentication with the IP communication party establishes a secure transmission tunnel, so that the integrity and authenticity of IP packets are checked and spoofing, forging and replay of IP packets are prevented; according to the source address, destination address, transport protocol, source port, destination port and time information of the IP packet, combined with a connection state tracking mechanism, network layer access control is realized according to the rules configured by the user; the transport layer adds a SYN Flooding protection mechanism for the TCP protocol to resist SYN Flooding attacks, and adopts a flow control mechanism for the UDP protocol to prevent UDP flood attacks; the application layer supports the definition of configurable data formats and realizes format checking of application layer data; an anti-virus and anti-Trojan system is combined to search for and remove viruses and Trojans in application data; an application layer session tracking technology is adopted to prevent session hijacking attacks on application protocols; and according to the keyword information of the application layer data, combined with an application session state tracking mechanism, application layer access control is realized according to rules configured by the user.
5. The method of controlling a secure trusted gateway system as claimed in claim 2, wherein the trusted network boundary protection of the secure gateway in step three comprises:
the terminal A is used as an initiator of network connection, and the terminal B is used as an accessed party; both parties of communication are configured with TPCM card in hardware layer for identifying identity, cipher operation and starting measurement function; installing and deploying a trusted software base TSB in a system layer, and completing the functions of interception, measurement and policy management of user behaviors; the security management platform is utilized to realize the functions of policy management, storage, identity authentication and policy arbitration;
before a terminal A and a terminal B establish connection, the two terminals report a trusted status report to a security management platform at regular time; after receiving the report, the security management platform uses the certificate of the terminal to carry out signature verification, acquires the starting measurement, the static measurement and the error log information recorded in the report after the signature verification passes, evaluates the trusted state of the terminal by combining with the strategy judgment condition to obtain a trusted state value, and stores the trusted state value in a database;
the two terminals send requests for synchronizing the trusted state information of other terminals to the security management platform at regular time, and after the security management platform receives the requests, the security management platform checks whether the terminal sending the requests is a legal terminal or not and replies the state information of all managed terminals; when returning the state information, the management platform encrypts and signs the information by using a platform key in the TPCM of the management platform; after receiving the trusted status information, the terminal performs signature verification on the status information, judges the source legitimacy of the information, and updates a terminal status list stored in a policy library;
Before establishing network connection, the terminal judges the trusted state of the opposite terminal according to a locally stored trusted terminal state list and then decides whether to allow connection establishment; in the establishment of the trusted connection, a terminal A starts any network application and establishes network connection with a terminal B in a network; the trusted software base acquires network behaviors through network hook points in LSM of Linux, and informs a trusted authentication service program of network IP and port information, and the trusted authentication service program judges the trusted state of the terminal B; if the trusted state of the terminal B meets the condition, allowing connection establishment; after receiving the network connection request of the terminal A, the terminal B adopts the same mechanism to judge the trusted state of the terminal A through a trusted authentication program, and if the conditions are met, the terminal A is allowed to access.
6. The control method of a secure trusted gateway system as claimed in claim 2, wherein the implementing high-speed encryption and access control based on trusted computing 3.0 in step four comprises:
the trusted platform control module TPCM is utilized to realize a trusted protection function in a trusted computing node, and the trusted protection function is parallel to the working of a computing component according to a built-in protection strategy to perform trusted monitoring on resources to be protected;
the domestic high-speed password service module is utilized to realize the high-speed data encryption function, and hardware logic of a national password chip, a random number generator, a key memory and an algorithm accelerator is realized, so that the parallelism of the password calculation technology is enhanced; realizing a permission management and control model based on permission granularity and permission mapping, realizing technologies such as security role/service/authentication of a password module and the like through the permission management and control model, and realizing correct permission allocation of password security capability in a numerical control system; the key real-time switching mechanism oriented to the failure of the key real-time updating is realized, the key encryption key and working key multi-state storage mode of the numerical control real-time service is realized, and the correctness of the password in the system real-time switching is ensured; aiming at the safe operation calling requirement of the password service module, a driving program composition of the safe password service module is designed, corresponding interface specifications are formulated at a service side, a system side and a bottom layer side, a hardware driving access mode is realized, the configurability of the password service of the numerical control system is supported, the control period numerical control service calling characteristics of decoding, cutter control and speed control are designed, and a password service interface is designed based on a coupling function set of service functions;
Based on X.509 standard, dynamic policy configuration based on attribute-based access control is utilized to break through the problem of unmatched life cycle of an identity certificate and an attribute certificate, so that the combination and binding of the identity certificate and the attribute certificate are realized, an authentication protocol and an access control technology under a trusted computing 3.0 network architecture are realized, and the identity authentication and permission verification flow is simplified; the NC-Link protocol is combined, so that online service of applying, auditing, issuing, publishing and logging off identity and attribute certificates is provided for users, processes and main bodies of equipment; TPCM and trusted cryptography service based on trusted computing 3.0 are realized, a multi-level key management mechanism in the certificate service is realized, key separation, master key derivation encryption keys, encryption protection data keys and session keys are realized, and lightweight identity and attribute certificate service is realized.
7. A secure trusted gateway system applying the control method of the secure trusted gateway system as claimed in any one of claims 1 to 6, characterized in that the secure trusted gateway system comprises a gateway client and a gateway server;
the gateway client process connects to the TAP through the TCP/IP protocol stack; the TAP is a virtual network device in the operating system kernel that operates on layer-2 packets; after the TAP obtains an Ethernet frame, the frame is sent over the TLS connection, achieving transmission in tunnel form; user data packets are captured with the Tun/Tap virtual network device by setting client routes and are forwarded in tunnel form;
The TAP in the gateway server is equivalent to an Ethernet device and operates on layer-2 packets such as Ethernet frames; the operating system sends data through the TUN/TAP device to the user-space program bound to the device, and conversely the user-space program sends data through the TUN/TAP device; the Linux Bridge is a network bridge used to connect several network interfaces for layer-2 switching; a Linux veth pair is a virtual network device interface that comes in pairs, one end connected to the network protocol stack and the other end connected to its peer; NAT sits between veth1 and the physical network card connected to the internal network, performing SNAT on data forwarded from veth1 to that physical network card;
the gateway server also comprises a gateway server filtering module, a NAT module and a gateway server management module;
the gateway server filtering module is positioned between the TLS connection and the tap port and is used for filtering data sent to the tap port by all TLS connections;
the NAT module is positioned between the veth1 and a physical network card connected with the internal network and is used for carrying out SNAT conversion on the data forwarded to the physical network card of the internal network by the veth 1;
the gateway server side management module is used for setting an IP blacklist and filtering corresponding IP by using the gateway server side filtering module; setting a protocol white list, and filtering the protocol by using a gateway server filtering module; setting flow control, and controlling the flow of the client by using a gateway server filtering module.
8. A computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the method of controlling a secure trusted gateway system as claimed in any one of claims 1 to 6.
9. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method of controlling a secure trusted gateway system as claimed in any one of claims 1 to 6.
10. An information data processing terminal, characterized in that the information data processing terminal is arranged to implement the secure trusted gateway system as claimed in claim 7.
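Claim 5 above describes a protocol with three messages: each terminal periodically sends a signed trusted-status report, the security management platform verifies it and evaluates a policy into a trusted-state value, terminals then request the signed state list of all managed terminals, verify the platform's signature before updating their local list, and finally each side of a new connection checks the peer's state in that list. The following is an added illustration of that exchange, not the patent's code: HMAC-SHA256 with per-terminal keys stands in for the TPCM certificate signatures and the platform key (so it shows integrity and source checks but not non-repudiation), the encryption of the platform's reply is omitted, and the report fields, the policy and all sample data are constructed.

```python
"""Trusted-state exchange between two terminals and the security management platform
(claim 5), as an added illustration (not the patent's code). HMAC-SHA256 with shared
keys is an assumed stand-in for certificate signatures; reply encryption is omitted.
Report fields, the policy and sample data are constructed.
"""
import hashlib
import hmac
import json


def canonical(payload):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key, payload):
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(key, payload, signature):
    return hmac.compare_digest(sign(key, payload), signature)


def evaluate_policy(report):
    """Policy judgement: boot and static measurements must pass and the error log must be empty."""
    ok = report["boot_measurement_ok"] and report["static_measurement_ok"] and not report["error_log"]
    return "trusted" if ok else "untrusted"


class SecurityManagementPlatform:
    def __init__(self, platform_key, terminal_keys):
        self.platform_key = platform_key
        self.terminal_keys = dict(terminal_keys)  # registered (legal) terminals
        self.states = {}                          # database of trusted-state values

    def receive_report(self, terminal_id, report, signature):
        key = self.terminal_keys.get(terminal_id)
        if key is None or not verify(key, report, signature):
            return False  # unknown terminal or failed signature check: report ignored
        self.states[terminal_id] = evaluate_policy(report)
        return True

    def sync_states(self, terminal_id, request, signature):
        """Answer only a legal requester, and sign the state list with the platform key."""
        key = self.terminal_keys.get(terminal_id)
        if key is None or not verify(key, request, signature):
            return None
        reply = {"states": dict(self.states)}
        return reply, sign(self.platform_key, reply)


class Terminal:
    def __init__(self, terminal_id, key, platform_key):
        self.id, self.key, self.platform_key = terminal_id, key, platform_key
        self.state_list = {}  # policy-library copy of the other terminals' states

    def send_report(self, platform, report):
        return platform.receive_report(self.id, report, sign(self.key, report))

    def sync(self, platform):
        request = {"op": "sync", "terminal": self.id}
        answer = platform.sync_states(self.id, request, sign(self.key, request))
        if answer is None:
            return False
        reply, signature = answer
        if not verify(self.platform_key, reply, signature):
            return False  # source not legitimate: local list left untouched
        self.state_list = dict(reply["states"])
        return True

    def allow_connection(self, peer_id):
        """Decision taken at the network hook before a connection with the peer proceeds."""
        return self.state_list.get(peer_id) == "trusted"


def demo():
    """A is healthy, B first fails its static measurement, then remediates and re-reports."""
    keys = {"A": b"key-A", "B": b"key-B"}
    platform = SecurityManagementPlatform(b"platform-key", keys)
    a = Terminal("A", keys["A"], b"platform-key")
    b = Terminal("B", keys["B"], b"platform-key")
    good = {"boot_measurement_ok": True, "static_measurement_ok": True, "error_log": []}
    bad = {"boot_measurement_ok": True, "static_measurement_ok": False,
           "error_log": ["tsb: measurement mismatch (constructed)"]}
    a.send_report(platform, good)
    b.send_report(platform, bad)
    a.sync(platform)
    b.sync(platform)
    first = (a.allow_connection("B"), b.allow_connection("A"))  # A refuses B; B would accept A
    b.send_report(platform, good)
    a.sync(platform)
    return first, a.allow_connection("B")


if __name__ == "__main__":
    print(demo())
```

Both directions are checked independently, as the claim requires: B's list says A is trusted, but A's list says B is not, so the connection is refused by A until B's next report passes the policy and A has synchronised again.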
CN202310030212.3A 2023-01-10 2023-01-10 Safe and trusted gateway system, control method, medium, equipment and terminal Pending CN116055254A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310030212.3A CN116055254A (en) 2023-01-10 2023-01-10 Safe and trusted gateway system, control method, medium, equipment and terminal

Publications (1)

Publication Number Publication Date
CN116055254A true CN116055254A (en) 2023-05-02

Family

ID=86112882

Country Status (1)

Country Link
CN (1) CN116055254A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100082415A1 (en) * 2008-09-30 2010-04-01 International Business Machines Corporation Automatic determination of selective message caching to support rules in a trading partner collaboration management environment
WO2013081441A1 (en) * 2011-12-02 2013-06-06 Mimos Berhad A system and method for establishing mutual remote attestation in internet protocol security (ipsec) based virtual private network (vpn)
CN103460738A (en) * 2011-03-23 2013-12-18 交互数字专利控股公司 Systems and methods for securing network communications
CN108605041A (en) * 2016-02-08 2018-09-28 科里普特佐内北美股份有限公司 The network equipment is protected by fire wall

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王志皓;安宁钰;张鹏;王雪;: "可信网络通信技术产业发展与解决方案探讨", 信息安全与通信保密, no. 02, 10 February 2018 (2018-02-10) *
陈建华;何彬彬;崔莹;: "一种安全隧道网关的设计与实现", 微电子学与计算机, no. 04, 5 April 2011 (2011-04-05) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116248416A (en) * 2023-05-11 2023-06-09 深圳竹云科技股份有限公司 Identity authentication method, device and computer equipment
CN116633693A (en) * 2023-07-24 2023-08-22 深圳市永达电子信息股份有限公司 Trusted security gateway implementation method based on full-element network identification
CN116633693B (en) * 2023-07-24 2023-10-31 深圳市永达电子信息股份有限公司 Trusted security gateway implementation method based on full-element network identification
CN117097591A (en) * 2023-10-19 2023-11-21 四川中电启明星信息技术有限公司 Application security access gateway system and route forwarding method
CN117097591B (en) * 2023-10-19 2024-01-23 四川中电启明星信息技术有限公司 Application security access gateway system and route forwarding method
CN117395087A (en) * 2023-12-12 2024-01-12 湖南博盛芯微电子科技有限公司 BMC implementation method and system based on domestic processor
CN117395087B (en) * 2023-12-12 2024-02-20 湖南博盛芯微电子科技有限公司 BMC implementation method and system based on domestic processor
CN117834306A (en) * 2024-03-05 2024-04-05 深圳市永达电子信息股份有限公司 Construction method of network security controllable gateway of station hotel clothes equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination