CN116506221B - Industrial switch admission control method, device, computer equipment and medium - Google Patents


Info

Publication number
CN116506221B
CN116506221B (application CN202310746592.0A)
Authority
CN
China
Prior art keywords
industrial switch
access
platform
certificate
verification
Prior art date
Legal status
Active
Application number
CN202310746592.0A
Other languages
Chinese (zh)
Other versions
CN116506221A
Inventor
董方
金宏伟
闫锋
罗强
Current Assignee
Jinrui Tongchuang Beijing Technology Co ltd
Original Assignee
Jinrui Tongchuang Beijing Technology Co ltd
Priority date
Filing date
Publication date
Events
Application filed by Jinrui Tongchuang Beijing Technology Co ltd
Priority to CN202310746592.0A
Publication of CN116506221A
Application granted
Publication of CN116506221B
Legal status: Active

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268: As H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • Y02P90/02: Climate change mitigation technologies in the production or processing of goods; total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application provides an admission control method, device, computer equipment and medium for an industrial switch, relating to the technical field of switch security. The method comprises the following steps: collecting physical information of an industrial switch and generating a device identification code of the industrial switch from that physical information; establishing a first communication channel based on a secure transport layer protocol between the industrial switch and an admission platform, performing primary verification of the industrial switch, and, if the primary verification succeeds, the admission platform sending an admission certificate to the industrial switch; the industrial switch sending a certificate update request to the admission platform, whereupon the industrial switch is verified a second time; and, for an industrial switch admitted to the admission platform, controlling the activation and deactivation of the service ports of the industrial switch. In this scheme, the security of the industrial switch is improved by primary verification followed by re-verification using the device identification code, and at the same time the admission platform's management of the industrial switch is strengthened.

Description

Industrial switch admission control method, device, computer equipment and medium
Technical Field
The present application relates to the field of switch security technologies, and in particular to an admission control method, apparatus, computer device and medium for an industrial switch.
Background
A traditional industrial switch has a single function: it only provides layer-2 switching of network data. Although the industrial switch is an indispensable link in the overall network environment, a traditional industrial switch has no security capability of its own, so it becomes a weak link in the network, easily becomes an intrusion point for attackers, lowers network security, and may in turn cause property loss within the network. At the same time, because no connection mechanism can be established with such an industrial switch, managing it is generally difficult.
Disclosure of Invention
In view of the above, an embodiment of the present application provides an admission control method for an industrial switch, so as to solve the technical problem of the low security of industrial switches in the prior art. The method comprises the following steps:
collecting physical information of an industrial switch and generating a device identification code of the industrial switch from the physical information, wherein the device identification code of each industrial switch is unique relative to the device identification codes of all other industrial switches;
establishing a first communication channel based on a secure transport layer protocol between the industrial switch and an admission platform, wherein the industrial switch sends a verification request to the admission platform through the first communication channel, the admission platform performs primary verification of the industrial switch based on the verification request, and, if the primary verification succeeds, the admission platform sends an admission certificate to the industrial switch;
the industrial switch sending a certificate update request to the admission platform through the first communication channel on the basis of the admission certificate, the admission platform re-verifying the industrial switch by means of the device identification code, and, if the re-verification succeeds, the industrial switch being admitted to the admission platform and allowed to access the working network;
for an industrial switch admitted to the admission platform, the admission platform controlling the activation and deactivation of the service ports of the industrial switch according to the security state of each service port.
An embodiment of the application also provides an admission control device for an industrial switch, so as to solve the technical problem of the low security of industrial switches. The device comprises:
a physical information collection module, configured to collect physical information of an industrial switch and generate a device identification code of the industrial switch from the physical information, wherein the device identification code of each industrial switch is unique relative to the device identification codes of all other industrial switches;
a primary admission verification module, configured to establish a first communication channel based on a secure transport layer protocol between the industrial switch and the admission platform, wherein the industrial switch sends a verification request to the admission platform through the first communication channel, the admission platform performs primary verification of the industrial switch based on the verification request, and, if the primary verification succeeds, the admission platform sends an admission certificate to the industrial switch;
a secondary admission verification module, configured to send a certificate update request to the admission platform through the first communication channel on the basis of the admission certificate, re-verify the industrial switch against the admission platform by means of the device identification code, and, if the re-verification succeeds, admit the industrial switch to the admission platform and allow it to access the working network;
a switch access module, configured, for an industrial switch admitted to the admission platform, to control the activation and deactivation of the service ports of the industrial switch according to the security state of each service port.
An embodiment of the application also provides computer equipment comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements any of the industrial switch admission control methods above, so as to solve the technical problem of the low security of industrial switches.
An embodiment of the application also provides a computer-readable storage medium storing a computer program for executing the industrial switch admission control method above, so as to solve the technical problem of the low security of industrial switches.
Compared with the prior art, the beneficial effects achievable by at least one of the technical solutions adopted in the embodiments of this description include at least the following:
An admission control mechanism between the industrial switch and the admission platform is established through primary verification and re-verification using the device identification code, and the industrial switch's access to the network is controlled through the admission platform, which improves the security of the industrial switch's network access and its ability to resist external attack. At the same time, the service ports of the industrial switch can be controlled through the admission platform, which further strengthens the admission platform's management of the industrial switch and improves the operating efficiency and security of the whole network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an industrial switch admission control method provided in an embodiment of the present application;
Fig. 2 is a flowchart of an implementation of the above industrial switch admission control method according to an embodiment of the present application;
Fig. 3 is a block diagram of a computer device according to an embodiment of the present application;
Fig. 4 is a block diagram of an industrial switch admission control device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present application will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present application with reference to specific examples. It will be apparent that the described embodiments are only some, and not all, embodiments of the application. The application may be practised or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied without departing from the spirit and scope of the present application. It should be noted that the following embodiments, and features within them, may be combined with each other where they do not conflict. All other embodiments obtainable by those skilled in the art from the embodiments of the application without inventive effort fall within the scope of the application.
In an embodiment of the present application, an admission control method for an industrial switch is provided, as shown in Fig. 1 and Fig. 2, and the method comprises:
Step S101: collecting physical information of an industrial switch and generating a device identification code of the industrial switch from the physical information, wherein the device identification code of each industrial switch is unique relative to the device identification codes of all other industrial switches.
Step S102: establishing a first communication channel based on a secure transport layer protocol between the industrial switch and the admission platform; the industrial switch sends a verification request to the admission platform through the first communication channel, the admission platform performs primary verification of the industrial switch based on the verification request, and, if the primary verification succeeds, the admission platform sends an admission certificate to the industrial switch.
Step S103: the industrial switch sends a certificate update request to the admission platform through the first communication channel on the basis of the admission certificate, the admission platform re-verifies the industrial switch by means of the device identification code, and, if the re-verification succeeds, the industrial switch is admitted to the admission platform and allowed to access the working network.
Step S104: for an industrial switch admitted to the admission platform, the admission platform controls the activation and deactivation of the service ports of the industrial switch according to the security state of each service port. When admission authentication succeeds, the service port is activated; when admission authentication fails, the service port is deactivated.
Specifically, to implement the admission control mechanism between the industrial switch and the admission platform, a basic TLS/SSL (transport layer security) component may be integrated into the industrial switch's system, and an admission program (which performs the certificate authentication checks) is started on the industrial switch on top of that TLS/SSL component; the subsequent authentication steps of the admission control mechanism with the admission platform are then carried out by this admission program.
Specifically, to further improve the validity of the verification and the security of the industrial switch, verification based on the device identification code of the industrial switch is proposed. The device identification code may be generated by the following steps: splicing the physical information into a serial-number string, where the physical information comprises the physical serial number of the network interface card, the mainboard serial number, the CPU serial number, the hard disk serial number and the memory serial number of the switch; generating a verification string from the serial-number string; and appending the verification string to the end of the serial-number string, the resulting string being taken as the device identification code.
In implementation, the admission program collects physical information such as the network card physical serial number, mainboard serial number, CPU serial number, hard disk serial number and memory serial number of the current industrial switch, and combines this physical information to generate a unique device identification code. Note that these serial numbers can be read by anyone with access to the device, so the device identification code identifies the hardware but does not by itself authenticate it; this is why the scheme pairs it with platform-issued certificates and a preset password in the verification steps that follow.
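The following is an added example of the device identification code generation just described, written for this page and not taken from the patent. The separator character, the choice of SHA-256 truncated to 16 hex characters as the verification string, the platform-side record keyed by the serial string, and the sample serial numbers are all assumptions; the page fixes only the five fields, the concatenation, and the appended verification string.

```python
import hashlib
import hmac
from typing import Dict

# Added example (not the patent's code). The field order is fixed so that the
# same hardware always produces the same serial-number string.
PHYSICAL_FIELDS = ("nic_serial", "mainboard_serial", "cpu_serial",
                   "disk_serial", "memory_serial")
SEPARATOR = "|"   # assumption: the page does not say how the fields are joined


def serial_string(physical: Dict[str, str]) -> str:
    """Splice the five serial numbers into one string. Incomplete input is
    refused so that two switches with a missing field cannot collapse to the
    same code, and the separator is forbidden inside a field so the string
    cannot be re-split ambiguously."""
    missing = [f for f in PHYSICAL_FIELDS if not physical.get(f)]
    if missing:
        raise ValueError(f"missing physical information: {missing}")
    for f in PHYSICAL_FIELDS:
        if SEPARATOR in physical[f]:
            raise ValueError(f"{f} contains the separator character")
    return SEPARATOR.join(physical[f].strip() for f in PHYSICAL_FIELDS)


def verification_string(serial: str) -> str:
    """Assumption: SHA-256 of the serial string, truncated to 16 hex characters.
    The page does not fix the algorithm."""
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()[:16]


def device_identification_code(physical: Dict[str, str]) -> str:
    serial = serial_string(physical)
    return serial + SEPARATOR + verification_string(serial)


def code_is_well_formed(code: str) -> bool:
    """Integrity check only: detects a corrupted or truncated code. The check
    value is unkeyed and the serial numbers are public, so a well-formed code
    says nothing about who sent it."""
    serial, sep, check = code.rpartition(SEPARATOR)
    return bool(sep) and hmac.compare_digest(check, verification_string(serial))


def platform_accepts(code: str, enrolled: Dict[str, str]) -> bool:
    """Admission-platform side: compare the received code with the record
    enrolled for that switch (assumed to be keyed by the serial string)."""
    if not code_is_well_formed(code):
        return False
    serial = code.rpartition(SEPARATOR)[0]
    return hmac.compare_digest(enrolled.get(serial, ""), code)


SAMPLE_SWITCH = {  # constructed values
    "nic_serial": "NIC-7F3A21", "mainboard_serial": "MB-2023-0456",
    "cpu_serial": "CPU-90AB12", "disk_serial": "HD-556677",
    "memory_serial": "MEM-1122",
}

if __name__ == "__main__":
    code = device_identification_code(SAMPLE_SWITCH)
    print(code, code_is_well_formed(code))
```

The verification string lets the platform reject a corrupted or truncated code, but it is a checksum, not a credential: because every one of the five serial numbers can be read by anyone with access to the device, the platform must compare the code against its enrolled record (as `platform_accepts` does) and, as the re-verification step in this description requires, also check the preset password.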
In implementation, in order to achieve the primary verification of the industrial switch admission control mechanism quickly and effectively, it is proposed to perform the primary verification by the following steps:
the admission platform obtains the default request certificate carried by the verification request, where the default request certificate contains authentication data comprising a valid time range, the user name of the user using the industrial switch, and a signature; the admission platform verifies the default request certificate against the authentication data, and sends a first platform admission certificate to an industrial switch whose default request certificate passes verification, the first platform admission certificate being a temporary certificate for accessing the admission platform; the industrial switch receives the first platform admission certificate and verifies its validity; if the validity check succeeds, the primary verification succeeds; if it fails, the primary verification fails and the industrial switch disconnects the first communication channel.
In implementation, the default request certificate is verified by the following steps:
determining whether the valid time range in the authentication data includes the current time; if so, determining whether the user name and signature in the authentication data match the information stored on the admission platform; if so, the default request certificate passes verification; otherwise, verification of the default request certificate fails.
Specifically, a first communication channel based on a secure transport layer protocol (for example, a TLS secure communication channel) is established between the industrial switch and the admission platform, and the industrial switch sends the default request certificate to the admission platform; this default request certificate is used only to initialize the first communication channel. The admission platform obtains the default request certificate carried by the verification request and checks its validity. For example, it determines whether the valid time range (a preset time range) in the authentication data includes the current time; if so, it determines whether the user name and signature of the user using the industrial switch in the authentication data match the user name and signature pre-stored on the admission platform (the user may be a company, an organisation, an individual, etc.; taking a company as the example, these are the company name and the company's signature). If they match, the default request certificate passes verification; otherwise (that is, if any item of the authentication data fails to verify), verification of the default request certificate fails.
In implementation, in order to further improve the security of industrial switch admission control, the re-verification is performed by the following steps:
the admission platform generates a second platform admission certificate based on the certificate update request and sends it to the industrial switch, the second platform admission certificate being the industrial switch's long-term certificate for accessing the admission platform; the industrial switch stores the second platform admission certificate and uses it to establish a second communication channel based on the secure transport layer protocol with the admission platform, the second communication channel being an encrypted channel; the industrial switch sends the encrypted device identification code and the encrypted preset password to the admission platform through the second communication channel; the admission platform verifies the device identification code and the preset password; if this verification succeeds, the re-verification succeeds; if it fails, the re-verification fails and the industrial switch disconnects the second communication channel.
Specifically, the industrial switch requests a certificate update from the admission platform to obtain the second platform admission certificate, which serves as the basis for the industrial switch's credentials towards the admission platform and for secure communication with it. The admission platform issues the second platform admission certificate to the industrial switch, and the industrial switch re-establishes secure encrypted communication with the admission platform using it. The industrial switch then sends the device identification code to the admission platform, so that the legitimacy of the switch's physical hardware can be checked, and at the same time sends the encrypted preset password agreed between the industrial switch and the admission platform for a second check. The admission platform receives the device identification code and the encrypted preset password and verifies them. If verification fails, the industrial switch is not allowed to access the working network; if it passes, the industrial switch is allowed to access the working network and admission control of the industrial switch is complete.
In implementation, the preset password is a mutually authenticated password shared by the industrial switch and the admission platform, stored on each of them, and each industrial switch corresponds to exactly one preset password.
In implementation, the preset password may be generated by agreement between the industrial switch and the admission platform after the industrial switch leaves the factory; alternatively, it may be a password generated before the industrial switch leaves the factory that represents the uniqueness of the industrial switch, which the industrial switch and the admission platform then agree to use as the preset password for mutual authentication.
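The following is an added example of the primary verification and re-verification exchange described above (steps S102 and S103), written for this page and not taken from the patent. It covers both the default request certificate check (valid time range, user name, signature) and the second-stage check of the device identification code and preset password. HMAC-SHA256 tags stand in for the certificate signatures; the user names, keys, lifetimes, device codes and preset password are constructed; and the platform is assumed to store only a hash of each preset password. A deployment would use X.509 certificates over TLS, with the switch verifying the platform's certificates against a CA public key, which this stand-in cannot show.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Added example (not the patent's code). HMAC-SHA256 tags stand in for the
# signatures on certificates; all names, keys and lifetimes are constructed.


def _tag(key: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_password(password: str) -> str:
    # assumption: the platform stores a hash of each switch's preset password
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_request_certificate(username: str, user_key: bytes,
                             valid_from: int, valid_to: int) -> dict:
    """Switch side: the default request certificate sent over the first channel."""
    auth = {"username": username, "valid_from": valid_from, "valid_to": valid_to}
    return {"authentication_data": {**auth, "signature": _tag(user_key, auth)}}


class AdmissionPlatform:
    TEMP_LIFETIME = 300            # first platform admission certificate, seconds
    LONG_LIFETIME = 365 * 86400    # second platform admission certificate, seconds

    def __init__(self, users: Dict[str, bytes], devices: Dict[str, str]):
        self.users = users          # username -> signing key shared with that user
        self.devices = devices      # device identification code -> hash_password(preset)
        self.platform_key = secrets.token_bytes(32)
        self.admitted = set()

    # Step S102: primary verification of the default request certificate.
    def primary_verify(self, request_cert: dict, now: int) -> Optional[dict]:
        auth = request_cert.get("authentication_data", {})
        if not (auth.get("valid_from", now + 1) <= now <= auth.get("valid_to", now - 1)):
            return None                                   # valid time range excludes now
        key = self.users.get(auth.get("username"))
        if key is None:
            return None                                   # user name not stored on the platform
        unsigned = {k: v for k, v in auth.items() if k != "signature"}
        if not hmac.compare_digest(_tag(key, unsigned), str(auth.get("signature", ""))):
            return None                                   # signature does not match
        return self._issue("temporary", auth["username"], now, self.TEMP_LIFETIME)

    # Step S103, part 1: certificate update request carrying the temporary certificate.
    def update_certificate(self, first_cert: dict, now: int) -> Optional[dict]:
        if not self._valid(first_cert, "temporary", now):
            return None
        return self._issue("long_term", first_cert["username"], now, self.LONG_LIFETIME)

    # Step S103, part 2: re-verification over the second (long-term) channel.
    def re_verify(self, second_cert: dict, device_code: str,
                  preset_password: str, now: int) -> bool:
        if not self._valid(second_cert, "long_term", now):
            return False                                  # a temporary certificate is not enough
        stored = self.devices.get(device_code)
        if stored is None or not hmac.compare_digest(stored, hash_password(preset_password)):
            return False                                  # unknown hardware or wrong preset password
        self.admitted.add(device_code)
        return True

    def _issue(self, kind: str, username: str, now: int, lifetime: int) -> dict:
        body = {"kind": kind, "username": username, "not_after": now + lifetime,
                "nonce": secrets.token_hex(8)}
        return {**body, "tag": _tag(self.platform_key, body)}

    def _valid(self, cert: dict, kind: str, now: int) -> bool:
        body = {k: v for k, v in cert.items() if k != "tag"}
        return (cert.get("kind") == kind and now <= cert.get("not_after", -1)
                and hmac.compare_digest(_tag(self.platform_key, body), str(cert.get("tag", ""))))
```

The two certificate kinds are deliberately not interchangeable: `re_verify` refuses a temporary certificate, so a switch that only passed the first stage cannot reach the working network, and `update_certificate` refuses an expired temporary certificate, so the window between the two stages is bounded. The switch-side validity check of the first platform admission certificate is omitted here because, with symmetric tags, only the platform can verify them; with X.509 the switch would check the chain and validity period itself.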
In order to further improve the security of the industrial switch and strengthen its management, this embodiment also proposes controlling the service ports of the industrial switch, for example as follows:
for an industrial switch admitted to the admission platform, determining the interface state of that industrial switch through the admission platform, where the interface state comprises the up/down state of the electrical ports and the up/down state of the optical ports;
controlling the activation or deactivation of the service ports of the industrial switch according to the interface state through the admission platform, where each service port is connected to a downstream access device (for example, any one or any combination of an electricity meter, an energy storage device, a camera, a computer terminal, etc.);
after the service ports of the industrial switch have been activated, determining the security state of each service port through the admission platform according to the network information of the downstream access device connected to that service port, where the network information comprises the local area network address and the IP address;
and controlling the activation and deactivation of each service port through the admission platform according to the security state of that service port.
Specifically, the service ports of the industrial switch can be controlled through the admission platform. The interface state of every industrial switch currently admitted to the network can be viewed in real time on the admission platform, for example whether each electrical port and optical port is up or down. If an electrical or optical port is up, the corresponding service port is activated; if it is down, the corresponding service port is deactivated. In this way any service port of any industrial switch can be activated or deactivated individually and in real time from the admission platform, which in turn provides network access control over the downstream access devices of the industrial switch (access devices such as electricity meters, energy storage devices, cameras and computer terminals).
Further, after the service ports of the industrial switch have been activated, the admission platform can monitor the security state of each downstream access device through network information such as the local area network address of the downstream access device and the IP address it uses, and control the activation and deactivation of each service port according to the security state so determined. The specific steps are as follows: after a service port of the industrial switch is activated, the admission platform connects to the industrial switch; the admission platform inspects the traffic of the downstream access device flowing through the industrial switch; the local area network address of the downstream access device and the IP address in use, contained in that traffic, are extracted and uploaded to the admission platform, which stores them. When the local area network address or the IP address of the downstream access device changes, the security state of that downstream access device is judged to be insecure; the admission platform can then raise an alert and deactivate the service port connected to that downstream access device, which strengthens the admission platform's security control over downstream access devices. Because the admission platform and the industrial switch have first established a secure admission relationship, other insecure external connections are blocked, and the accuracy and security of the traffic information the admission platform receives about downstream access devices is improved, so that its security monitoring of downstream access devices is more accurate and effective.
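The following is an added example of the service port control described above, written for this page and not taken from the patent. It implements both rules (interface up/down mirrored onto the service port; a change in the downstream device's address binding marks the port insecure, raises an alert and deactivates it). It assumes the "local area network address" is the downstream device's MAC address, uses a constructed flow-record format and constructed sample flows, and adds a pre-provisioned binding from the platform's stored record as the safer alternative to learning the baseline from the first frame seen, which could already belong to an intruder if the port comes up with the wrong device attached.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not the patent's code). Port names, the flow-record format and
# the sample flows are constructed.


@dataclass
class ServicePort:
    active: bool = False
    link_up: bool = False
    binding: Optional[Tuple[str, str]] = None   # (MAC, IP) of the downstream device


class PortController:
    def __init__(self, ports: List[str]):
        self.ports: Dict[str, ServicePort] = {p: ServicePort() for p in ports}
        self.alerts: List[str] = []

    def set_interface_state(self, port: str, link_up: bool) -> bool:
        """Rule 1: the service port follows the electrical/optical interface state."""
        rec = self.ports[port]
        rec.link_up = link_up
        rec.active = link_up
        return rec.active

    def bind(self, port: str, mac: str, ip: str) -> None:
        """Pre-provisioned binding from the platform's stored device record."""
        self.ports[port].binding = (mac.lower(), ip)

    def observe(self, port: str, mac: str, ip: str) -> str:
        """Rule 2: compare each observed flow with the recorded binding."""
        rec = self.ports[port]
        if not rec.active:
            return "dropped"            # nothing is accepted on a deactivated port
        if rec.binding is None:
            rec.binding = (mac, ip)     # first observation establishes the baseline
            return "learned"
        if rec.binding != (mac, ip):
            rec.active = False          # security state: insecure -> deactivate
            self.alerts.append(f"{port}: binding changed {rec.binding} -> {(mac, ip)}; port deactivated")
            return "deactivated"
        return "ok"


def parse_flow(line: str) -> Tuple[str, str, str]:
    # constructed flow-record format: "port=<name> mac=<addr> ip=<addr>"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["port"], fields["mac"].lower(), fields["ip"]


def run_flows(controller: PortController, lines: List[str]) -> List[str]:
    return [controller.observe(*parse_flow(line)) for line in lines]


SAMPLE_FLOWS = [  # constructed
    "port=ge1 mac=00:11:22:33:44:55 ip=10.0.0.10",   # meter, first seen on ge1
    "port=ge1 mac=00:11:22:33:44:55 ip=10.0.0.10",   # same device again
    "port=ge2 mac=aa:bb:cc:dd:ee:ff ip=10.0.0.20",   # camera, first seen on ge2
    "port=ge1 mac=de:ad:be:ef:00:01 ip=10.0.0.10",   # other MAC using the meter's IP
    "port=ge1 mac=00:11:22:33:44:55 ip=10.0.0.10",   # ge1 is now deactivated
    "port=ge3 mac=12:34:56:78:9a:bc ip=10.0.0.30",   # ge3 interface down, never enabled
]


def demo() -> List[str]:
    ctl = PortController(["ge1", "ge2", "ge3"])
    ctl.set_interface_state("ge1", True)
    ctl.set_interface_state("ge2", True)
    ctl.set_interface_state("ge3", False)
    return run_flows(ctl, SAMPLE_FLOWS)


if __name__ == "__main__":
    print(demo())
```

The binding check is a MAC/IP pairing, so it catches a device swapped on the port or a spoofed IP, but not an attacker who clones both addresses of the legitimate device; that case is what the admission credentials of the switch itself, not the per-port binding, are meant to cover.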
In implementation, the admission platform may be a platform implemented in software and/or hardware for controlling the access of industrial switches to the working network.
In this embodiment, a computer device is provided, as shown in Fig. 3, comprising a memory 301, a processor 302, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements any of the industrial switch admission control methods described above.
In particular, the computer device may be a computer terminal, a server or similar computing means.
In this embodiment, a computer-readable storage medium is provided which stores a computer program for executing any of the industrial switch admission control methods described above.
In particular, computer-readable storage media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer-readable storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable storage media, as defined herein, do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
Based on the same inventive concept, the embodiment of the application also provides a control device for the admission of the industrial switch, as described in the following embodiment. The principle by which the control device for the admission of the industrial switch solves the problem is similar to that of the control method for the admission of the industrial switch, so the implementation of the control device can refer to the implementation of the control method, and repeated description is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of a control device for industrial switch admission according to an embodiment of the present application. As shown in Fig. 4, the device includes a physical information acquisition module 401, a primary admission verification module 402, a secondary admission verification module 403, and a switch access module 404, which are described below.
The physical information collection module 401 is configured to collect physical information of the industrial switches and to generate device identification codes of the industrial switches from the physical information, where the device identification code of each industrial switch is unique relative to the device identification codes of other industrial switches;
the primary admission verification module 402 is configured to establish a first communication channel based on a secure transport layer protocol between the industrial switch and the access platform; the industrial switch sends a verification request to the access platform through the first communication channel, the access platform performs primary verification of the industrial switch based on the verification request, and if the primary verification is successful, the access platform sends an access certificate to the industrial switch;
the secondary admission verification module 403 is configured so that the industrial switch sends a request for updating the certificate to the access platform through the first communication channel based on the access certificate, the access platform re-verifies the industrial switch by means of the device identification code, and if the re-verification is successful, the industrial switch is accessed to the access platform and allowed to access the working network;
the switch access module 404 is configured to control, for an industrial switch accessing the access platform, activation and deactivation of a service port of the industrial switch according to a security state of the service port of the industrial switch.
In one embodiment, the physical information collection module includes:
a first serial number string generation unit, used for splicing the physical information into a serial number string, where the physical information includes the network card physical serial number, mainboard serial number, CPU serial number, hard disk serial number and memory serial number of the switch;
a verification string generation unit, used for generating a verification string from the serial number string;
and a device identification code splicing unit, used for splicing the verification string onto the end of the serial number string and taking the resulting string as the device identification code.
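The three units above, carried through in code as an added example (this is not the patent's own code). The specification fixes the five serial numbers and the layout of the device identification code (serial number string, then an appended verification string); it does not name how the verification string is derived, so a SHA-256 prefix of 16 hex characters and a "|" separator are assumptions here, and the sample serial numbers are constructed.

```python
# Added example (not the patent's own code): building and checking the device
# identification code described for the physical information collection module.
# Assumptions: verification string = first 16 hex characters of SHA-256 over the
# serial number string; fields are spliced with "|". Sample serials are constructed.
import hashlib
import hmac

FIELDS = ("nic_serial", "mainboard_serial", "cpu_serial", "disk_serial", "memory_serial")
SEPARATOR = "|"
CHECK_LEN = 16  # assumption: 64-bit verification string, hex encoded


def serial_string(physical: dict) -> str:
    """Splice the five physical serial numbers into one serial number string.

    Rejects missing or empty fields and any value containing the separator, so
    that two different sets of serials can never splice to the same string.
    """
    missing = [f for f in FIELDS if not str(physical.get(f, "")).strip()]
    if missing:
        raise ValueError(f"missing physical information: {missing}")
    values = [str(physical[f]).strip() for f in FIELDS]
    if any(SEPARATOR in v for v in values):
        raise ValueError("serial numbers must not contain the separator")
    return SEPARATOR.join(values)


def verification_string(serial: str) -> str:
    """Derive the verification string from the serial number string (assumed SHA-256 prefix)."""
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()[:CHECK_LEN]


def device_identification_code(physical: dict) -> str:
    """Serial number string with the verification string spliced onto its end."""
    serial = serial_string(physical)
    return serial + SEPARATOR + verification_string(serial)


def check_device_identification_code(code: str) -> bool:
    """Recompute the verification string for the serial part and compare in constant time."""
    serial, sep, check = code.rpartition(SEPARATOR)
    if not sep or len(check) != CHECK_LEN:
        return False
    return hmac.compare_digest(verification_string(serial), check)


# Constructed sample physical information for two switches (not real serial numbers).
SWITCH_A = {
    "nic_serial": "00A0C9112233",
    "mainboard_serial": "MB-2023-0001",
    "cpu_serial": "CPU-7F3A19",
    "disk_serial": "HDD-55AA1",
    "memory_serial": "MEM-9001",
}
SWITCH_B = dict(SWITCH_A, memory_serial="MEM-9002")  # differs in one field only

if __name__ == "__main__":
    code_a = device_identification_code(SWITCH_A)
    print(code_a, check_device_identification_code(code_a))
    # A single altered serial number no longer matches its verification string.
    print(check_device_identification_code(code_a.replace("MEM-9001", "MEM-9002")))
```

The verification string detects an identification code that has been corrupted or mis-typed; it is not a proof of origin, since anyone can recompute a public hash over the serial numbers. That is why the patent pairs the device identification code with a preset password during re-verification rather than relying on the code alone.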
In one embodiment, the primary admission verification module includes:
a second serial number string generation unit, used for the access platform to acquire the default request certificate carried by the verification request, where the default request certificate contains authentication data, and the authentication data includes a validity time range, the user name of the user using the industrial switch, and a signature;
a request certificate verification unit, used for the access platform to verify the default request certificate according to the authentication data;
an access certificate sending unit, used for the access platform to send a first platform access certificate to an industrial switch whose default request certificate was verified successfully, where the first platform access certificate is a temporary certificate for accessing the access platform;
an access certificate verification unit, used for the industrial switch to receive the first platform access certificate and verify its validity; if the validity verification succeeds, the primary verification succeeds; if the validity verification fails, the primary verification fails and the first communication channel is disconnected.
In one embodiment, the request certificate verification unit is used for judging whether the validity time range in the authentication data includes the current time; if so, judging whether the user name and the signature in the authentication data match the information stored on the access platform, and if so, the verification of the default request certificate succeeds; otherwise, the verification of the default request certificate fails.
In one embodiment, the re-admission verification module comprises:
an update certificate request unit, used for the access platform to generate a second platform access certificate based on the request for updating the certificate and send it to the industrial switch, where the second platform access certificate is a certificate for the industrial switch to access the access platform over the long term;
an encrypted communication channel construction unit, used for the industrial switch to store the second platform access certificate and to establish, with the access platform, a second communication channel based on a secure transport layer protocol using the second platform access certificate, where the second communication channel is an encrypted communication channel;
a preset password sending unit, used for the industrial switch to send the encrypted device identification code and the encrypted preset password to the access platform through the second communication channel;
a preset password verification unit, used for verifying the device identification code and the preset password on the access platform; if the verification succeeds, the re-verification succeeds; if the verification fails, the re-verification fails and the second communication channel is disconnected.
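The platform-side checks of the primary admission verification module (validity time range, user name and signature of the default request certificate, then a temporary certificate) and of the secondary admission verification module (certificate update, then device identification code and preset password over the second channel), as one added example that is not the patent's code. The patent does not specify the signature scheme, certificate format or temporary certificate lifetime; here the signature is assumed to be HMAC-SHA256 under a per-user key the platform also holds, the certificates are plain dicts carrying random tokens instead of X.509 objects, the lifetime is 300 seconds, and the TLS channels themselves are not modelled, only what the platform checks on the data arriving over them. Keys and passwords are constructed.

```python
# Added example (not the patent's own code): two-stage admission verification.
# Assumptions: HMAC-SHA256 "signature" under a per-user key; dict "certificates"
# with random tokens; 300 s temporary certificate lifetime; TLS not modelled.
import hashlib
import hmac
import secrets

TEMP_CERT_LIFETIME = 300  # seconds; assumption, the patent only says "temporary"


def sign_request(user_key: bytes, username: str, valid_from: int, valid_to: int) -> str:
    """Signature placed in the default request certificate (assumed HMAC-SHA256)."""
    msg = f"{username}|{valid_from}|{valid_to}".encode("utf-8")
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()


def make_default_request_certificate(user_key: bytes, username: str, valid_from: int, valid_to: int) -> dict:
    """Default request certificate carried by the switch's verification request."""
    return {"authentication_data": {
        "valid_from": valid_from, "valid_to": valid_to, "username": username,
        "signature": sign_request(user_key, username, valid_from, valid_to)}}


class AdmissionPlatform:
    def __init__(self, user_keys: dict, preset_passwords: dict):
        self.user_keys = user_keys                # username -> HMAC key held by the platform
        self.preset_passwords = preset_passwords  # device identification code -> preset password
        self.temporary_certs = {}                 # token -> (username, expiry)
        self.long_term_certs = {}                 # token -> device id once re-verified, None while pending
        self.alerts = []

    # --- primary verification (module 402): default request certificate -> temporary certificate ---
    def primary_verification(self, request_cert: dict, now: int):
        auth = request_cert.get("authentication_data", {})
        try:
            if not (auth["valid_from"] <= now <= auth["valid_to"]):
                return None  # validity time range does not include the current time
            key = self.user_keys.get(auth["username"])
            if key is None:
                return None  # user name not stored on the platform
            expected = sign_request(key, auth["username"], auth["valid_from"], auth["valid_to"])
            if not hmac.compare_digest(expected, auth["signature"]):
                return None  # signature does not match the stored key
        except (KeyError, TypeError):
            return None      # malformed certificate
        token = secrets.token_hex(16)
        self.temporary_certs[token] = (auth["username"], now + TEMP_CERT_LIFETIME)
        return {"type": "temporary", "token": token, "expires": now + TEMP_CERT_LIFETIME}

    # --- re-verification (module 403), step 1: certificate update over the first channel ---
    def issue_long_term_certificate(self, update_request: dict, now: int):
        entry = self.temporary_certs.pop(update_request.get("token"), None)  # single use
        if entry is None or entry[1] < now:
            return None  # unknown or expired temporary certificate
        token = secrets.token_hex(16)
        self.long_term_certs[token] = None  # pending until the device identity is checked
        return {"type": "long_term", "token": token}

    # --- re-verification step 2: device identification code and preset password over the second channel ---
    def verify_device(self, long_term_cert: dict, device_id: str, preset_password: str) -> bool:
        token = long_term_cert.get("token")
        if token not in self.long_term_certs:
            return False
        expected = self.preset_passwords.get(device_id)
        ok = expected is not None and hmac.compare_digest(expected, preset_password)
        if not ok:
            del self.long_term_certs[token]  # second channel disconnected, certificate revoked
            self.alerts.append(f"re-verification failed for device {device_id}")
            return False
        self.long_term_certs[token] = device_id
        return True

    def is_admitted(self, device_id: str) -> bool:
        return device_id in self.long_term_certs.values()
```

Two details matter for a practitioner: the temporary certificate is consumed when the update request is honoured, so it cannot be replayed to obtain a second long-term certificate, and a failed device check revokes the long-term certificate that was issued a moment earlier, mirroring the patent's disconnection of the second channel.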
In one embodiment, a switch access module includes:
a switch state checking unit, configured to determine, for any industrial switch accessed to the access platform, the interface state of that industrial switch through the access platform, where the interface state includes the switch state of the electrical ports and the switch state of the optical ports;
a port control unit, used for controlling the starting or stopping of the service ports of the industrial switch according to the interface state through the access platform, where each service port is connected to one downstream access device; after the service ports of the industrial switch are started, determining the security state of each service port through the access platform according to the network information of the downstream access device connected to each service port, where the network information includes a local area network address and an IP address; and controlling the starting and stopping of each service port through the access platform according to the security state of each service port.
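The port control described here and in the earlier passage on monitoring downstream access devices, modelled as a small controller in an added example that is not the patent's code. The interface state (switch state of electrical and optical ports) decides whether a service port may be started; once a port is started, the first local area network address and IP address observed from its downstream device are stored, and any later change marks the port unsafe, records an early warning and deactivates the port. The local area network address is treated as the device's MAC address, the traffic records are constructed, and the operator "reactivate after review" step is an assumption the patent does not describe.

```python
# Added example (not the patent's own code): service-port control driven by the
# interface state and by stored (LAN address, IP) bindings of downstream devices.
# Assumptions: LAN address = MAC address; the reactivate() step is not in the patent.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ServicePort:
    name: str
    kind: str                 # "electrical" or "optical"
    switched_on: bool         # interface (switch) state reported by the industrial switch
    active: bool = False      # service port started by the access platform
    binding: Optional[Tuple[str, str]] = None  # stored (LAN address, IP) of the downstream device
    secure: bool = True       # security state judged by the platform


class SwitchAccessModule:
    def __init__(self, ports: List[ServicePort]):
        self.ports: Dict[str, ServicePort] = {p.name: p for p in ports}
        self.alerts: List[str] = []  # early warnings generated by the platform

    def apply_interface_state(self) -> Dict[str, bool]:
        """Start service ports whose interface is switched on and still judged secure; stop the rest."""
        for p in self.ports.values():
            p.active = p.switched_on and p.secure
        return {name: p.active for name, p in self.ports.items()}

    def observe_traffic(self, port_name: str, lan_addr: str, ip: str) -> str:
        """Feed one (port, LAN address, IP) observation extracted from traffic through the switch."""
        p = self.ports[port_name]
        if not p.active:
            return "ignored"          # no downstream traffic is expected on a stopped port
        seen = (lan_addr.lower(), ip)
        if p.binding is None:
            p.binding = seen          # first observation is what the platform stores
            return "learned"
        if seen != p.binding:
            p.secure = False          # LAN address or IP changed: judged unsafe
            p.active = False          # service port deactivated
            self.alerts.append(f"{port_name}: downstream changed from {p.binding} to {seen}")
            return "deactivated"
        return "ok"

    def reactivate(self, port_name: str) -> bool:
        """Operator clears the warning; the binding is relearned (assumption, not in the patent)."""
        p = self.ports[port_name]
        p.secure, p.binding = True, None
        p.active = p.switched_on
        return p.active


def sample_ports() -> List[ServicePort]:
    """Constructed sample: two electrical ports switched on, one optical port switched off."""
    return [ServicePort("ge1", "electrical", True),
            ServicePort("ge2", "electrical", True),
            ServicePort("xg1", "optical", False)]


# Constructed traffic observations (port, LAN address, IP); the last one changes ge1's MAC.
SAMPLE_TRAFFIC = [
    ("ge1", "AA:BB:CC:00:00:01", "10.0.0.11"),
    ("ge2", "aa:bb:cc:00:00:02", "10.0.0.12"),
    ("ge1", "aa:bb:cc:00:00:01", "10.0.0.11"),
    ("xg1", "aa:bb:cc:00:00:03", "10.0.0.13"),
    ("ge1", "aa:bb:cc:00:00:99", "10.0.0.11"),
]


def run_sample():
    """Apply the interface state, then replay the constructed traffic; returns (module, per-record results)."""
    m = SwitchAccessModule(sample_ports())
    m.apply_interface_state()
    results = [m.observe_traffic(*rec) for rec in SAMPLE_TRAFFIC]
    return m, results


if __name__ == "__main__":
    module, outcomes = run_sample()
    print(outcomes)
    print(module.alerts)
```

Note that a port judged unsafe stays off even when the interface state is re-applied, because the security state is a separate flag from the switch state; only an explicit operator action clears it. Traffic on a stopped port is ignored rather than learned, so a device plugged into a port the platform has not started cannot seed a binding.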
The embodiment of the application achieves the following technical effects: by a method comprising primary verification and secondary verification by means of the device identification code, admission of the industrial switch to the access platform is established, which improves the industrial switch's resistance to external attack and its security. At the same time, the access platform can control the ports of the industrial switch, which strengthens the management of the industrial switch by the access platform and improves the operating efficiency of the whole network. The admission control method for the industrial switch introduces a secure communication system based on a secure transport layer protocol into the traditional industrial switch and uses technical means including certificates, authentication, encryption and anti-counterfeiting on the switch to build a secure admission control method on the industrial switch. Through this secure admission control method, the industrial switch supports a more secure network device management protocol, which provides a series of information security functions such as identity verification, encrypted data transmission and data integrity verification. This fundamentally solves the problems of the industrial switch being unable to communicate, being difficult to manage and offering no security guarantees, solves the problem that the security of industrial switch equipment is uncontrolled, and realizes the unification of identity verification, authentication and information security.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the application described above may be implemented on a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of computing devices; they may alternatively be implemented as program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases the steps shown or described may be performed in a different order than shown or described; or they may be separately fabricated as individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, and various modifications and variations can be made to the embodiments of the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (9)

1. A method for controlling admission of an industrial switch, comprising:
collecting physical information of industrial switches and generating equipment identification codes of the industrial switches from the physical information, wherein the equipment identification code of each industrial switch is unique relative to the equipment identification codes of other industrial switches;
establishing a first communication channel based on a secure transport layer protocol between the industrial switch and an access platform, wherein the industrial switch sends a verification request to the access platform through the first communication channel, the access platform performs primary verification on the industrial switch based on the verification request, and if the primary verification is successful, the access platform sends an access certificate to the industrial switch, wherein the primary verification of the industrial switch by the access platform based on the verification request comprises: the access platform obtains a default request certificate carried by the verification request, wherein the default request certificate contains authentication data, and the authentication data comprises an effective time range, a user name of a user using the industrial switch and a signature; the access platform verifies the default request certificate according to the authentication data; the access platform sends a first platform access certificate to the industrial switch whose default request certificate was verified successfully, wherein the first platform access certificate is a temporary access certificate for accessing the access platform; the industrial switch receives the first platform access certificate and verifies the validity of the first platform access certificate, and if the validity verification is successful, the primary verification is successful; if the validity verification fails, the primary verification fails and the first communication channel is disconnected;
the industrial switch sends a request for updating a certificate to the access platform through the first communication channel based on the access certificate, the access platform re-verifies the industrial switch by means of the equipment identification code, and if the re-verification is successful, the industrial switch is accessed to the access platform and allowed to access a working network;
for the industrial switch accessing the access platform, the access platform controls the activation and deactivation of the service port of the industrial switch according to the security state of the service port of the industrial switch.
2. The method of controlling admission of an industrial switch according to claim 1, wherein verifying the default request certificate based on the authentication data comprises:
judging whether the effective time range in the authentication data comprises the current time or not;
if so, judging whether the user name and the signature in the authentication data match the information stored by the access platform, and if so, the default request certificate is verified successfully; otherwise, verification of the default request certificate fails.
3. The method for controlling admission of an industrial switch according to claim 1, wherein the re-validating the industrial switch by the admission platform comprises:
the access platform generates a second platform access certificate based on the request of updating the certificate and sends the second platform access certificate to the industrial switch, wherein the second platform access certificate is a certificate of the industrial switch for accessing the access platform for a long time;
the industrial switch stores the second platform access certificate and establishes a second communication channel based on a secure transport layer protocol with the access platform by using the second platform access certificate, wherein the second communication channel is an encrypted communication channel;
the industrial switch sends the encrypted equipment identification code and the encrypted preset password to the access platform through the second communication channel;
verifying the equipment identification code and the preset password on the access platform; if the verification is successful, the re-verification is successful; if the verification fails, the re-verification fails and the second communication channel is disconnected.
4. The method for controlling admission of an industrial switch according to claim 3, wherein the preset password is a password authenticated by the industrial switch and the admission platform, and the password is stored in the industrial switch and the admission platform respectively, and each industrial switch corresponds to only one preset password.
5. The method of controlling admission of an industrial switch of claim 1, wherein generating the physical information into a device identification code of the industrial switch comprises:
splicing the physical information into a serial number character string, wherein the physical information comprises a network card physical serial number, a main board serial number, a CPU serial number, a hard disk serial number and a memory serial number of the switch;
generating a verification character string from the serial number character string;
and splicing the verification character string to the tail end of the serial number character string, and taking the generated character string as the equipment identification code.
6. The method for controlling admission of an industrial switch according to any one of claims 1 to 5, wherein the access platform controlling activation and deactivation of the service ports of the industrial switch according to the security state of the service ports of the industrial switch comprises:
for the industrial switch accessed to the access platform, determining the interface state of any industrial switch through the access platform, wherein the interface state comprises the switching state of an electrical port and the switching state of an optical port;
controlling the activation or deactivation of service ports of the industrial switch according to the interface state through the access platform, wherein each service port is connected with a downstream access device;
after the service ports of the industrial switch are started, determining the safety state of each service port through the access platform according to the network information of the downstream access equipment connected with each service port, wherein the network information comprises a local area network address and an IP address;
and controlling the starting and stopping of each service port by the access platform according to the safety state of each service port.
7. An apparatus for controlling access to an industrial switch, comprising:
a physical information acquisition module, used for acquiring physical information of industrial switches and generating equipment identification codes of the industrial switches from the physical information, wherein the equipment identification code of each industrial switch is unique relative to the equipment identification codes of other industrial switches;
a first access verification module, configured to establish a first communication channel based on a secure transport layer protocol between the industrial switch and an access platform, wherein the industrial switch sends a verification request to the access platform through the first communication channel, the access platform performs primary verification on the industrial switch based on the verification request, and if the primary verification is successful, the access platform sends an access certificate to the industrial switch, wherein the primary verification of the industrial switch by the access platform based on the verification request comprises: the access platform obtains a default request certificate carried by the verification request, wherein the default request certificate contains authentication data, and the authentication data comprises an effective time range, a user name of a user using the industrial switch and a signature; the access platform verifies the default request certificate according to the authentication data; the access platform sends a first platform access certificate to the industrial switch whose default request certificate was verified successfully, wherein the first platform access certificate is a temporary access certificate for accessing the access platform; the industrial switch receives the first platform access certificate and verifies the validity of the first platform access certificate, and if the validity verification is successful, the primary verification is successful; if the validity verification fails, the primary verification fails and the first communication channel is disconnected;
a re-admission verification module, used for the industrial switch to send a request for updating the certificate to the access platform through the first communication channel based on the access certificate, for the access platform to re-verify the industrial switch by means of the equipment identification code, and, if the re-verification is successful, for accessing the industrial switch to the access platform and allowing the industrial switch to access a working network;
and the switch access module is used for controlling the starting and stopping of the service port of the industrial switch according to the safety state of the service port of the industrial switch aiming at the industrial switch accessed to the access platform.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a method for controlling admission of an industrial switch according to any one of claims 1-6 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that executes the control method of industrial switch admission according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310746592.0A CN116506221B (en) 2023-06-25 2023-06-25 Industrial switch admission control method, device, computer equipment and medium

Publications (2)

Publication Number Publication Date
CN116506221A CN116506221A (en) 2023-07-28
CN116506221B true CN116506221B (en) 2023-09-19

Family

ID=87325071

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965170A (en) * 2018-06-13 2018-12-07 四川微迪智控科技有限公司 A kind of industrial switch system and operation method for gras generally recognized as safe access
CN112383557A (en) * 2020-11-17 2021-02-19 北京明朝万达科技股份有限公司 Security access gateway and industrial equipment communication management method
CN112953976A (en) * 2021-05-13 2021-06-11 金锐同创(北京)科技股份有限公司 Access method and device of network equipment
CN114037457A (en) * 2021-11-05 2022-02-11 西北工业大学 Industrial complex product terminal cross-domain access authentication method based on identity

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8707032B2 (en) * 2012-04-30 2014-04-22 General Electric Company System and method for securing controllers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant