CN116866008A - System network security guarantee device and method under super fusion architecture - Google Patents
System network security guarantee device and method under super fusion architecture
Publication number: CN116866008A (application CN202310708972.5A)
Authority: CN (China)
Prior art keywords: message, data message, address, data, encryption
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/12—Applying verification of the received information
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/40—Network security protocols
Abstract
The application relates to the technical field of system network security and provides a system network security device under a super fusion (hyperconverged) architecture, comprising: an encapsulation generator that randomly generates two different characters to form an encryption pair; an update timer that periodically calls the encapsulation generator to update the encryption pair and replaces the encryption pair only after all nodes in the super fusion architecture have synchronously completed configuration; a message encryptor that inserts the encryption pair generated by the encapsulation generator into the header information of the data message; an address checker that performs an address check on each received data message and, if the check fails, treats the data message as a counterfeit message constructed by an attacker and discards it; and a message parser that judges whether the encryption pair contained in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator. The network security system is integrated in the super fusion system, needs no additional deployment, and improves the network security of the super fusion system without additional configuration by the user.
Description
Technical Field
The application relates to the technical field of system network security, in particular to a system network security device and method under a super fusion architecture.
Background
The super fusion architecture system (Hyperconverged Infrastructure, HCI) is an integrated data center architecture that integrates computing, storage, and networking functions. It integrates computing, storage and network resources into one physical server or node, managing and providing services in a software-defined manner. HCI aims to simplify the deployment and management of data centers and to provide a high degree of scalability and flexibility.
A typical super fusion architecture system includes the following components:
(1) Compute Nodes: each compute node is a physical server responsible for running Virtual Machines (VMs) and processing computing tasks. Compute nodes are typically equipped with multiple processors, large amounts of memory, and local storage resources.
(2) Storage Nodes: the storage nodes provide distributed storage; the storage resources of all nodes are pooled together to form a shared storage pool. Storage nodes use software-defined storage techniques, such as distributed file systems or object storage, to provide efficient data storage and management.
(3) Network Devices: the super fusion architecture system requires a high-performance network infrastructure for communication and data transmission between nodes. The network equipment comprises switches, routers and network controllers to ensure smooth and reliable network traffic in the data center.
(4) Management Software: the super fusion architecture system uses specialized management software to implement resource management, virtual machine configuration, performance monitoring, fault tolerance, and automated management. The management software provides a centralized control interface, so that the configuration, deployment and maintenance of the system are simplified.
Advantages of the super fusion architecture system include:
(1) Simplified management: with integrated management software, an administrator can manage the entire infrastructure, including computing, storage, and network resources, through a single control interface.
(2) Flexibility and scalability: the super-fusion architecture system can be laterally expanded according to requirements, and computing and storage capacities are increased by adding more nodes.
(3) High availability: multiple nodes and distributed storage technologies in a system provide fault tolerance and redundancy functions to ensure continued availability in the event of a single node or storage device failure.
(4) Space and energy savings: by integrating computing, storage, and networking functions into a small number of physical nodes, the super fusion architecture system can reduce the footprint and energy consumption of the data center.
Super fusion architecture systems have become an important choice for modern data centers, particularly for virtualized environments and private cloud deployments. They provide an integrated, efficient and flexible way to manage and provide infrastructure services for data centers.
While the super fusion architecture system has some inherent advantages in terms of security, security remains a continuing challenge. The system administrator needs to take appropriate security measures, such as reasonable configuration and management, periodic security assessment and vulnerability scanning, to ensure that the security of the super fusion architecture system is guaranteed as far as possible.
In the prior art, the common methods for improving the network security level of the super fusion architecture system generally rely on security devices such as a north-south firewall, intrusion detection and attack prevention. However, almost all of these security devices require the deployment of additional hardware or software components and require the user to manually add the corresponding security rules.
Disclosure of Invention
In view of the above problems, the application aims to provide a system network security guarantee device and method under a super fusion architecture, which are integrated in the super fusion system, need no additional deployment, and improve the network security of the super fusion system without additional configuration by the user.
The above object of the present application is achieved by the following technical solutions:
a system network security assurance device under a super fusion architecture comprises the following components:
an encapsulation generator for randomly generating two different characters to form a set of encryption pairs;
an update timer for periodically calling the encapsulation generator to update the encryption pair and replacing the encryption pair after all nodes in the super fusion architecture have synchronously completed configuration;
a message encryptor for inserting the encryption pair generated by the encapsulation generator into the header information of the data message before the data message is sent out from the node;
an address checker for performing an address check on the data messages received from other nodes; if the address check is not passed, the data message is considered to be a counterfeit message constructed by an attacker and is discarded;
and a message parser for judging, after the data message has passed the check of the address checker, whether the encryption pair contained in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator; if it is consistent, the data message is forwarded, and if it is inconsistent, the data message is judged to be a counterfeit message and is discarded.
Further, in the encapsulation generator, the two different characters randomly generated to form a set of encryption pairs are specifically:
two numbers randomly generated by a random number generation algorithm and used as VLAN ID identifiers of VLAN fields; the 802.1q encapsulation headers formed by the two different VLAN ID identifiers are combined together to form a set of encryption pairs.
Further, in the message encryptor, inserting the encryption pair generated by the encapsulation generator into the header information of the data message before the data message is sent out from the node is specifically:
acquiring the original VLAN ID in the header information of the data message, and inserting the encryption pair after the original VLAN ID to achieve the encryption effect.
Further, in the address checker, the address check performed on the data messages received from other nodes is specifically:
performing the address check on the data messages received from other nodes according to the binding relation between the system network IP addresses and the MAC addresses of all nodes recorded in the database of the super fusion architecture system;
and when the correspondence between the IP address and the MAC address in the received data message does not match the IP address and MAC address of the node recorded in the database, the data message is considered to be a counterfeit message constructed by an attacker and is discarded.
Further, in the message parser, determining after the check by the address checker whether the encryption pair included in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator is specifically:
after the data message is received and has passed the check of the address checker, the message parser strips the outermost 802.1q encapsulation of the data message and verifies whether the remaining two layers of encapsulation are consistent with the encryption pair currently set by the encapsulation generator;
if they are consistent, the data message is forwarded; if they are inconsistent, the data message is judged to be a counterfeit message and is discarded.
A system network security assurance method under the super fusion architecture, executed by the system network security assurance device under the super fusion architecture, comprises the following steps:
a message sending flow, in which the encapsulation generator, the update timer and the message encryptor are used to generate the data message to be sent and send it;
and a message receiving flow, in which the encapsulation generator, the update timer, the address checker and the message parser are used to check the received data message, and the data message that passes the check is forwarded.
Further, the message sending flow specifically includes:
S110: starting a daemon of the super fusion architecture system, whereupon the encapsulation generator, the update timer and the message encryptor enter the working state;
S120: the update timer periodically invokes the encapsulation generator to update the encryption pair and stores the encryption pair in a database;
S130: combining the generated encryption pair with the header information of the data message by means of the message encryptor, inserting the encryption pair after the VLAN ID field of the original header information so as to encrypt the data message;
S140: forwarding the encrypted data message.
Further, the message receiving flow specifically includes:
S210: starting a daemon of the super fusion architecture system, whereupon the encapsulation generator, the update timer, the address checker and the message parser enter the working state;
S220: the update timer periodically invokes the encapsulation generator to update the encryption pair and stores the encryption pair in a database;
S230: for an external data message entering the device, the address checker compares the correspondence between the IP address and the MAC address of the received data message with the IP address and MAC address of the external node stored in the database; if the received IP address and MAC address correspondence does not match the correspondence stored in the database, the data message is considered to be a counterfeit message constructed by an attacker and is discarded;
S240: after the data message has passed the check of the address checker, the message parser strips the outermost 802.1q encapsulation of the data message and verifies whether the remaining two layers of encapsulation are consistent with the currently set encryption pair; if so, the decrypted data message is forwarded, and if not, the data message is judged to be forged and is discarded.
A computer device comprising a memory and one or more processors, the memory having stored therein computer code which, when executed by the one or more processors, causes the one or more processors to perform a method as described above.
A computer readable storage medium storing computer code which, when executed, performs a method as described above.
Compared with the prior art, the application has at least one of the following beneficial effects:
(1) Isolating network traffic: VLAN is a logical division that allows isolation of network traffic by assigning different devices or users to different VLANs. When an encryption pair consisting of two layers of VLAN IDs is inserted into a data message, the data message can be filtered and limited according to the VLAN IDs, so that network traffic is isolated among different VLANs. This isolation prevents unauthorized devices or users from accessing resources that do not belong to the VLAN in which they are located, improving network security.
(2) Fraud and tampering prevention: inserting an encrypted pair of two layers of VLAN IDs can provide authentication and integrity protection for data messages. By adding the encryption pair formed by VLAN ID in the data message, the source and destination VLAN of the data message can be identified, thus preventing the attacker from forging VLAN identification and avoiding deception of other devices or users. In addition, the insertion of the VLAN ID encryption pair may also protect the message from tampering, as any modification to the message content may result in a mismatch of the VLAN ID encryption pair, such that the message is discarded or marked as anomalous.
(3) Message identification: the receiver can identify whether the data message comes from the super fusion system through an address checker.
(4) Replay attack is prevented: the randomly generated encryption pairs may be used to prevent replay attacks. The encryption pair generated each time is random and updated after a period of time, so that an attacker can be prevented from multiplexing old identifiers to disguise legal messages, and the security of the system is improved.
(5) Security verification: by checking the encryption pair carried by the data message, the device can verify the security of the data message. Only a data message conforming to the current encryption combination can be processed, thereby ensuring the integrity and legitimacy of the data message.
(6) Preventing falsified data: the device can judge the data messages which do not accord with the current encryption combination as fake data, and discard the data messages, so as to prevent malicious parties or attackers from attacking the system through fake data messages. This protects the system from the potential risk of falsifying data.
(7) Secure communication isolation: by stripping the outer layer message, the device can match the content of the data message with the encapsulation combination, thereby realizing the isolation of the safety communication. Only correctly matched data messages are unpacked, and other data messages are discarded, so that only legal data messages are allowed to enter the system.
(8) Verifying message integrity: by decapsulating the data message, the device can verify the integrity of the data message. If the data message is tampered with or part of its content is lost in transmission, the decapsulation operation may fail, thereby indicating that the integrity of the data message is problematic.
Drawings
FIG. 1 is a diagram showing the overall structure of a system network security assurance device under the super-fusion architecture of the present application;
FIG. 2 is a flow chart of the present application for sending a message;
FIG. 3 is a flow chart of the present application for receiving a message.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
In the super fusion system architecture, the system network carries a very important role, and once it suffers a counterfeit-message attack, serious consequences follow. The application reduces the possibility of a successful attack by counterfeit messages by binding IP addresses to MAC addresses, and encrypts the transmitted messages with an encryption pair that is randomly generated and updated at fixed intervals. When processing a received message, after checking that the correspondence between the IP address and the MAC address is correct, the outer-layer VLAN encapsulation is stripped and the message is checked for the agreed encryption pair; if it is present the message is forwarded, otherwise the message is discarded. The method can effectively improve the overall security of the super fusion system network.
The application achieves data encryption during message sending, improving the security of data in transit. During message receiving and processing it performs security verification and protection of the data, ensuring that the system only accepts legitimate, verified messages and discards potentially forged data, thereby improving the security and protective capability of the system. This is described below by way of specific embodiments:
First embodiment
As shown in FIG. 1, the present embodiment provides a system network security assurance device under a super fusion architecture, comprising the following components:
The encapsulation generator 1 is used for randomly generating two different characters to form a set of encryption pairs.
Specifically, in this embodiment, two numbers are randomly generated by a random number generation algorithm and used as VLAN ID identifiers of the VLAN field, and the 802.1q encapsulation headers formed by the two different VLAN ID identifiers are combined together to form a set of encryption pairs. For example, a random number generation algorithm may be used to generate two values in the range 1-4094 (16,760,836 combinations in total), used as identifiers for VLAN fields (VLAN IDs), and the 802.1q headers formed by the two different VLAN IDs are combined together to form a set of encryption pairs.
The present application places no limitation on the random number generation algorithm employed in this embodiment. For example, a random number generation function provided by a programming language (e.g., Python's random module), a hardware random number generator (HRNG) provided by some computing devices and operating systems, or a physical process may be used to generate true random numbers.
The update timer 2 is used for periodically calling the encapsulation generator to update the encryption pair and replacing the encryption pair after all nodes in the super fusion architecture have synchronously completed configuration.
Specifically, in this embodiment, the encryption pair is updated by periodically (e.g., every 5 minutes) calling the encapsulation generator, and the encryption pair is replaced only after it is confirmed that all nodes have synchronously completed configuration. This timed update mechanism prevents a data message from being counterfeited by an attacker because of a fixed structure being used continuously, reducing the risk of attack by counterfeit messages and improving the overall stability of the system.
The message encryptor 3 is used for inserting the encryption pair generated by the encapsulation generator into the header information of the data message before the data message is sent out from the node.
Specifically, in this embodiment, the original VLAN ID in the header information of the data message is obtained, and the encryption pair is inserted after the original VLAN ID to achieve the encryption effect.
The address checker 4 is configured to perform an address check on the data messages received from other nodes; if the address check is not passed, the data message is considered to be a counterfeit message constructed by an attacker and is discarded.
Specifically, in this embodiment, the address check is performed on the data messages received from other nodes according to the binding relation between the system network IP addresses and the MAC addresses of all nodes recorded in the database of the super fusion architecture system; when the correspondence between the IP address and the MAC address in the received data message does not match the IP address and MAC address of the node recorded in the database, the data message is considered to be a counterfeit message constructed by an attacker and is discarded.
The message parser 5 is configured to determine, after the data message has passed the check of the address checker, whether the encryption pair included in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator; if consistent, the data message is forwarded, and if inconsistent, the data message is determined to be a counterfeit message and is discarded.
Specifically, in this embodiment, after the data message is received and has passed the check of the address checker, the message parser strips the outermost 802.1q encapsulation of the data message and verifies whether the remaining two layers of encapsulation are consistent with the encryption pair currently set by the encapsulation generator; if they are consistent, the data message is forwarded, and if they are inconsistent, the data message is judged to be a counterfeit message and is discarded.
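The update timer's synchronized replacement (components 1 and 2 above), as an added example that is not the patent's code: the encapsulation generator draws two distinct VLAN IDs in 1-4094, and the timer proposes a new pair on schedule but swaps it in only once every node has acknowledged configuring it. Node names, the acknowledgement calls and the `PairRotation` class are assumptions introduced for the illustration.

```python
"""Update-timer rotation of the VLAN-ID encryption pair, switching only once every node has configured it."""
from __future__ import annotations

import random
import secrets
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094    # usable 802.1Q VLAN ID range given in the description


def generate_pair(rng: random.Random | None = None) -> tuple[int, int]:
    """Encapsulation generator: two distinct random VLAN IDs (a CSPRNG unless a test rng is given)."""
    rng = rng or secrets.SystemRandom()
    a = rng.randint(VLAN_MIN, VLAN_MAX)
    b = rng.randint(VLAN_MIN, VLAN_MAX)
    while b == a:                       # the description requires two *different* characters
        b = rng.randint(VLAN_MIN, VLAN_MAX)
    return a, b


@dataclass
class PairRotation:
    """State kept by the update timer (assumed structure). 'current' is what every node
    encapsulates and verifies with; 'pending' is a proposed replacement not yet acknowledged by all nodes."""
    nodes: frozenset[str]                  # cluster membership, assumed to come from the database
    interval: float = 300.0                # rotation period; the embodiment uses 5 minutes
    current: tuple[int, int] | None = None
    pending: tuple[int, int] | None = None
    acked: set[str] = field(default_factory=set)
    last_rotation: float = float("-inf")
    rng: random.Random | None = None

    def tick(self, now: float) -> bool:
        """Timer callback. Proposes a new pair once the interval has elapsed and no
        proposal is outstanding; returns True when a proposal was made."""
        if self.pending is not None or now - self.last_rotation < self.interval:
            return False
        self.pending = generate_pair(self.rng)
        self.acked.clear()
        return True

    def ack(self, node: str, now: float) -> bool:
        """A node reports that it has configured the pending pair. Only when every
        node has acknowledged does the pending pair replace the current one."""
        if self.pending is None or node not in self.nodes:
            return False
        self.acked.add(node)
        if self.acked != set(self.nodes):
            return False                   # keep using the old pair until the cluster is in sync
        self.current, self.pending = self.pending, None
        self.acked.clear()
        self.last_rotation = now
        return True
```

Until the swap, receivers keep verifying against `current`, so a node that has not yet configured the new pair never rejects its peers' traffic.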
Second embodiment
The present embodiment provides a system network security assurance method under a super fusion architecture, executed by the system network security assurance device under the super fusion architecture of the first embodiment, comprising:
(1) A message sending flow, in which the encapsulation generator, the update timer and the message encryptor are used to generate the data message to be sent and send it.
As shown in FIG. 2, the message sending flow specifically includes:
S110: starting a daemon of the super fusion architecture system, whereupon the encapsulation generator, the update timer and the message encryptor enter the working state.
S120: the update timer periodically invokes the encapsulation generator to update the encryption pair and stores the encryption pair in a database.
S130: combining the generated encryption pair with the header information of the data message by means of the message encryptor, inserting the encryption pair after the VLAN ID field of the original header information so as to encrypt the data message.
S140: forwarding the encrypted data message.
Specifically, after the daemon of the super fusion architecture system is started, the components including the encapsulation generator, the update timer and the message encryptor enter the working state; the update timer generates an encryption pair by calling the encapsulation generator and updates it at fixed intervals; and before a data message to be sent leaves the node, the message encryptor inserts the generated encryption pair after the original VLAN ID field of the data header so as to encrypt the outgoing data message, thereby improving confidentiality and security during transmission of the data message.
For example, the standard Ethernet frame format, i.e. the format of the unencrypted data message, is as follows:
Destination MAC | Source MAC | VLAN ID encapsulation | EtherType | Payload
The update timer calls the encapsulation generator, which generates the following encryption pair (VLAN 100 and VLAN 200 combined):
VLAN 100 | VLAN 200
With the encryption pair inserted, the message has the following format and is then forwarded in this encrypted form:
Destination MAC | Source MAC | VLAN ID encapsulation | Encryption pair | EtherType | Payload
(2) A message receiving flow, in which the encapsulation generator, the update timer, the address checker and the message parser are used to check the received data message, and a data message that passes the check is forwarded.
As shown in fig. 3, the message receiving flow specifically includes:
S210: start the daemon of the super fusion architecture system; the encapsulation generator, the update timer, the address checker and the message parser enter the working state.
S220: the update timer periodically invokes the encapsulation generator to update the encryption pair and stores the encryption pair in the database.
S230: the address checker compares the correspondence between the IP address and the MAC address of the received data message with the correspondence between the IP addresses and MAC addresses of the external nodes stored in the database; if the received IP address and MAC address do not match the correspondence stored in the database, the data message is considered a counterfeit message constructed by an attacker and is discarded.
S240: after the data message has passed the check of the address checker, the message parser strips the outermost 802.1q tag of the data message and checks whether the remaining two tags are consistent with the currently configured encryption pair; if so, the decrypted data message is forwarded, and if not, the data message is judged to be forged and is discarded.
Specifically, in the receiving flow, the address checker checks the received data message against the binding relation between the system network IP addresses and the MAC addresses of all nodes recorded in the database of the super fusion system. If the received data message does not conform to the correspondence recorded in the database, the data message is considered a counterfeit message constructed by an attacker and is discarded. After an external data message has entered the device and passed the check of the address checker, the message parser strips the outermost 802.1q tag of the packet corresponding to the data message and checks whether the remaining two tags are consistent with the currently configured encryption pair. If they are consistent, the data message is forwarded; if they do not match the encryption pair, the data message is judged to be counterfeit and is discarded, which protects the system from counterfeit data.
Further, the scheme of the application has been validated and is feasible, specifically as follows: a switch can receive a message carrying multiple VLAN tags, and in the MAC address learning stage it learns only according to the outermost VLAN; the switches along the transmission path do not process the inner tags, so the structure is preserved until the message is transmitted to the super fusion device.
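The sending flow of (1) and the receiving flow of (2) together, as an added Python example that is not part of the patent: a frame with its original 802.1q tag, insertion of the encryption pair behind that tag, and the receiver's IP/MAC binding check followed by stripping the outermost tag and comparing the remaining two tags with the current pair. The MAC addresses, IP addresses, binding table, the minimal IPv4 header and the VLAN 100/200 pair are constructed for the example; the patent does not specify the wire encoding, so the pair is modelled as two 802.1q tags as claim 2 describes. Note that the check authenticates the origin against a shared, rotating value only; 802.1q tags give the payload no confidentiality.

```python
import random
import struct

TPID_8021Q = 0x8100   # 802.1q tag protocol identifier
ETH_IPV4 = 0x0800

def generate_pair():
    """Encapsulation generator: two distinct random VLAN IDs (1..4094)."""
    return tuple(random.SystemRandom().sample(range(1, 4095), 2))

def vlan_tag(vid):
    """One 802.1q tag: TPID followed by a TCI with PCP/DEI zero and a 12-bit VID."""
    return struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)

def ipv4_payload(src_ip, dst_ip, data):
    """Constructed minimal IPv4 header (checksum left zero) so the receiver can read the source IP."""
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0, src, dst) + data

def build_frame(dst_mac, src_mac, orig_vid, payload):
    """Unencrypted frame: dst MAC | src MAC | 802.1q (original VID) | EtherType | payload."""
    return dst_mac + src_mac + vlan_tag(orig_vid) + struct.pack("!H", ETH_IPV4) + payload

def encrypt_frame(frame, pair):
    """Message encryptor: insert the two-tag pair directly behind the original VLAN tag (offset 16)."""
    return frame[:16] + vlan_tag(pair[0]) + vlan_tag(pair[1]) + frame[16:]

def parse_frame(frame):
    """Split a frame into dst MAC, src MAC, the stack of VLAN IDs (outermost first), EtherType, payload."""
    off, vids = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return frame[:6], frame[6:12], vids, ethertype, frame[off + 2:]

def receive(frame, bindings, current_pair):
    """Address checker then message parser; returns the decrypted frame, or None when discarded."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if ethertype != ETH_IPV4 or len(payload) < 20:
        return None
    src_ip = ".".join(str(b) for b in payload[12:16])
    if bindings.get(src_ip) != src:                       # IP/MAC binding mismatch: counterfeit
        return None
    if len(vids) < 3 or vids[1:3] != list(current_pair):  # strip outermost tag, compare the next two
        return None
    return dst + src + vlan_tag(vids[0]) + struct.pack("!H", ethertype) + payload

# Constructed sample data: two nodes and the VLAN 100/200 pair from the description
NODE_A_MAC = bytes.fromhex("02aabbccdd01")
NODE_B_MAC = bytes.fromhex("02aabbccdd02")
BINDINGS = {"10.0.0.1": NODE_A_MAC, "10.0.0.2": NODE_B_MAC}
CURRENT_PAIR = (100, 200)

def demo():
    """Returns (genuine frame accepted, spoofed-MAC frame discarded)."""
    plain = build_frame(NODE_B_MAC, NODE_A_MAC, 10, ipv4_payload("10.0.0.1", "10.0.0.2", b"hello"))
    spoofed = build_frame(NODE_B_MAC, bytes.fromhex("02deadbeef00"), 10,
                          ipv4_payload("10.0.0.1", "10.0.0.2", b"x"))
    return (receive(encrypt_frame(plain, CURRENT_PAIR), BINDINGS, CURRENT_PAIR) == plain,
            receive(encrypt_frame(spoofed, CURRENT_PAIR), BINDINGS, CURRENT_PAIR) is None)
```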
A computer readable storage medium stores computer code which, when executed, performs the method described above. Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be implemented by a program instructing related hardware; the program may be stored in a computer readable storage medium, and the storage medium may include a read only memory (ROM), a random access memory (RAM), a magnetic or optical disk, and the like.
The above description is only a preferred embodiment of the present application; the protection scope of the present application is not limited to the above examples, and all technical solutions falling within the concept of the present application belong to its protection scope. It should be noted that modifications and adaptations to the present application may occur to one skilled in the art without departing from the principles of the present application, and these are intended to fall within its scope.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction between the combined technical features, such combinations should be considered within the scope of this description.
It should be noted that the above embodiments can be freely combined as needed. The foregoing is merely a preferred embodiment of the present application, and modifications and adaptations may be made by those skilled in the art without departing from its principles; these are intended to fall within the scope of the present application.
Claims (10)
1. A system network security assurance device under a super fusion architecture, characterized by comprising the following components:
an encapsulation generator for randomly generating two different characters to form a set of encryption pairs;
an update timer for periodically calling the encapsulation generator to update the encryption pair, the encryption pair being replaced after all nodes in the super fusion architecture have synchronously completed configuration;
a message encryptor for inserting the encryption pair generated by the encapsulation generator into the header information of the data message before the data message is sent out from the node;
an address checker for performing an address check on data messages received from other nodes, wherein if the address check fails, the data message is considered a counterfeit message constructed by an attacker and is discarded;
and a message parser for judging, after the data message has passed the check of the address checker, whether the encryption pair contained in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator, forwarding the data message if they are consistent, and judging the data message to be a counterfeit message and discarding it if they are inconsistent.
2. The system network security assurance device under the super fusion architecture according to claim 1, wherein the encapsulation generator randomly generating two different characters to form a set of encryption pairs specifically comprises:
randomly generating two numbers using a random number generation algorithm and using them as the VLAN ID identifiers of VLAN fields, and combining the 802.1q headers formed by the two different VLAN ID identifiers to form a set of encryption pairs.
3. The system network security assurance device under the super fusion architecture according to claim 1, wherein the message encryptor inserting the encryption pair generated by the encapsulation generator into the header information of the data message before the data message is sent out from the node specifically comprises:
obtaining the original VLAN ID in the header information of the data message, and inserting the encryption pair after the original VLAN ID to achieve the encryption effect.
4. The system network security assurance device under the super fusion architecture according to claim 1, wherein the address checker performing an address check on data messages received from other nodes specifically comprises:
performing the address check on the data messages received from other nodes according to the binding relation between the system network IP addresses and the MAC addresses of all nodes recorded in the database of the super fusion architecture system;
and when the correspondence between the IP address and the MAC address in the received data message does not match the IP addresses and MAC addresses of the nodes recorded in the database, considering the data message a counterfeit message constructed by an attacker and discarding it.
5. The system network security assurance device under the super fusion architecture according to claim 1, wherein the message parser judging, after the data message has passed the check of the address checker, whether the encryption pair contained in the header information of the data message is consistent with the encryption pair currently generated by the encapsulation generator specifically comprises:
after the data message has been received and has passed the check of the address checker, the message parser strips the outermost 802.1q tag of the data message and checks whether the remaining two tags are consistent with the encryption pair currently set by the encapsulation generator;
if they are consistent, the data message is forwarded; if they are inconsistent, the data message is judged to be a counterfeit message and is discarded.
6. A system network security assurance method under a super fusion architecture, executed by the system network security assurance device under the super fusion architecture according to any one of claims 1 to 5, comprising:
a message sending flow, in which the encapsulation generator, the update timer and the message encryptor are used to generate the data message to be sent and send it;
and a message receiving flow, in which the encapsulation generator, the update timer, the address checker and the message parser are used to check the received data message, and a data message that passes the check is forwarded.
7. The system network security assurance method under the super fusion architecture according to claim 6, wherein the message sending flow specifically comprises:
S110: starting the daemon of the super fusion architecture system, whereupon the encapsulation generator, the update timer and the message encryptor enter the working state;
S120: the update timer periodically invoking the encapsulation generator to update the encryption pair and storing the encryption pair in the database;
S130: the message encryptor combining the generated encryption pair with the header information of the data message, inserting the encryption pair behind the original VLAN ID field of the header information to encrypt the data message;
S140: forwarding the encrypted data message.
8. The system network security assurance method under the super fusion architecture according to claim 6, wherein the message receiving flow specifically comprises:
S210: starting the daemon of the super fusion architecture system, whereupon the encapsulation generator, the update timer, the address checker and the message parser enter the working state;
S220: the update timer periodically invoking the encapsulation generator to update the encryption pair and storing the encryption pair in the database;
S230: for an external data message entering the device, the address checker comparing the correspondence between the IP address and the MAC address of the received data message with the correspondence between the IP addresses and MAC addresses of the external nodes stored in the database, and if the received IP address and MAC address do not match the correspondence stored in the database, considering the data message a counterfeit message constructed by an attacker and discarding it;
S240: after the data message has passed the check of the address checker, the message parser stripping the outermost 802.1q tag of the data message and checking whether the remaining two tags are consistent with the currently configured encryption pair, forwarding the decrypted data message if so, and otherwise judging the data message to be forged and discarding it.
9. A computer device comprising a memory and one or more processors, the memory having stored therein computer code that, when executed by the one or more processors, causes the one or more processors to perform the method of any of claims 6-8.
10. A computer readable storage medium storing computer code which, when executed, performs the method of any one of claims 6 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310708972.5A CN116866008A (en) | 2023-06-15 | 2023-06-15 | System network security guarantee device and method under super fusion architecture |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116866008A true CN116866008A (en) | 2023-10-10 |
Family ID: 88233173
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310708972.5A Pending CN116866008A (en) | 2023-06-15 | 2023-06-15 | System network security guarantee device and method under super fusion architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116866008A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104333562A (en) * | 2014-11-27 | 2015-02-04 | 沈文策 | Data packet transmission method and device |
EP3787264A1 (en) * | 2019-08-30 | 2021-03-03 | Nutanix, Inc. | Handling ip network addresses in a virtualization system |
CN113014530A (en) * | 2019-12-19 | 2021-06-22 | 中国航发上海商用航空发动机制造有限责任公司 | ARP spoofing attack prevention method and system |
CN113660273A (en) * | 2021-08-18 | 2021-11-16 | 国家电网公司东北分部 | Intrusion detection method and device based on deep learning under super-fusion framework |
CN115174520A (en) * | 2022-06-09 | 2022-10-11 | 郑州信大捷安信息技术股份有限公司 | Network address information hiding method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||