BACKGROUND
With the rapid development of computer technology, networks play an ever larger role in people's daily life, study and work, and a wide variety of network services have been adopted and promoted in offices and in everyday life. While networks bring great convenience, network security problems are also attracting more and more attention. At present, network attacks of endless variety cause great harm to network security. Network attacks frequently cause machine failures and network paralysis, and usually also bring substantial economic losses. The common network attacks at present are mainly worm propagation, password theft and virus attacks.
An IDS (intrusion detection system) collects and analyses information at a number of key points in a computer network or computer system in order to discover whether the network or system shows behaviour that violates the security policy or signs of being attacked. However, an IDS on its own cannot guarantee good network security. For example, if switches, routers and other network devices are only responsible for transmitting data, then even if the IDS can identify attack packets, it cannot stop those packets from being transmitted.
Therefore, if the network devices and the IDS could act in coordination, forming a unified network platform on which the propagation paths of the various network attacks can be cut off, network security could clearly be guaranteed much better.
Figure 1 is a networking diagram of the linkage between network devices and an IDS in the prior art. As shown in Figure 1, when an attacker attempts to attack the enterprise data center, the switch, by means of a configured mirror port, mirrors the data stream sent by the attacker to the IDS device; the IDS device analyses the data stream and, when it finds attack packets in it, generates a specific packet: it assembles the characteristics of the data stream that needs to be blocked or limited into an SNMP (Simple Network Management Protocol) packet and sends it to the switch; the switch, based on the packet characteristics sent by the IDS, issues access control list (ACL) rules to its own specific port, thereby blocking the attack packets.
In this existing linkage technique between the IDS and network devices, when attack packets are detected the IDS sends linkage packets to all linkage devices so that they perform linkage; it cannot select only a few linkage devices to send linkage packets to. As a result, linkage control of the switches is not refined and the linkage is very blind. In fact, once attack packets are detected it is not necessarily required that all linkage devices perform linkage; for example, only the linkage devices in a certain network segment, or linkage devices of a certain type, may need to do so. In addition, the existing linkage technique only implements linkage control of whole network devices; it does not implement linkage control of specific interfaces.
Furthermore, the linkage performed in the prior art only supports blocking data streams and does not support rate limiting. In many cases, however, a data stream only needs to be limited rather than completely blocked. For example, when an attacking machine uses FTP to transfer files to a device in the enterprise data center, it may only be necessary to limit the rate of the FTP flow rather than block it.
SUMMARY OF THE INVENTION
In view of this, the main object of the present invention is to provide a system for linkage between an IDS and network devices, so that the linkage between the IDS and the network devices is more refined.
Another object of the present invention is to provide a method for linkage between an IDS and network devices, so that the linkage between the IDS and the network devices is more refined.
To achieve the above objects, the technical solution of the present invention is realized as follows:
A system for linkage between an IDS and network devices, the system comprising: an IDS, for detecting whether a data stream contains attack packets; and a network device linkage group comprising at least one network device; wherein a network device, on receiving a data stream, mirrors the data stream to the IDS, and when the IDS detects that the received data stream contains attack packets, it sends a linkage packet to each network device in the network device linkage group.
The linkage system further comprises a management center for receiving the alarm information sent by the IDS when it detects attack packets.
The network devices within a network device linkage group are configured with the same attributes.
The attributes comprise a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and at least one rate-limiting type.
A linkage policy table is configured within the IDS; the linkage policy table comprises the linkage policy corresponding to each type of attack packet.
When the IDS detects attack packets, it further queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy.
The network devices in the network device linkage group are network devices on the same network segment.
The network devices in the network device linkage group are network devices of the same model.
A method for linkage between an IDS and network devices, in which network devices are assigned in advance to network device linkage groups according to pre-defined rules; the method further comprises:
A. a network device receives a data stream and mirrors the data stream to the IDS;
B. the IDS detects whether the data stream contains attack packets, and when it does, sends a linkage packet to each network device in the network device linkage group to which the network device that mirrored the data stream belongs;
C. the network devices process the data stream containing the attack packets according to the linkage packet.
The network devices assigned to the same linkage group are configured with the same attributes.
The attributes comprise: a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and at least one rate-limiting type.
A linkage policy table is further pre-configured within the IDS; the table comprises the linkage policy corresponding to each type of attack packet.
In step B, when the IDS detects attack packets, it further queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy; in step C, the network devices apply the linkage policy to process the data stream containing the attack packets.
Step C is: blocking or rate-limiting the data stream containing the attack packets.
Rate-limiting the data stream is: limiting the total rate of several data streams of the same type, or limiting the rate of each data stream individually.
A linkage group master switch is further set in advance; in step B, when the IDS detects attack packets, it further determines the state of the linkage group master switch: when the master switch is on, it sends a linkage packet to each network device in the linkage group to which the network device that mirrored the data stream belongs; when the master switch is off, no linkage packet is sent.
A linkage group enable switch is further set in advance for each linkage group; in step B, when the IDS detects attack packets, it further determines the state of the enable switch of the linkage group to which the network device that mirrored the data stream belongs: when the enable switch is on, it sends a linkage packet to each network device in the linkage group; when the enable switch is off, no linkage packet is sent.
A linkage group whitelist is further set in advance; in step B, when the IDS detects attack packets, it further determines whether the source address or destination address of the attack packets is in the whitelist: when it is not, it sends a linkage packet to each network device in the linkage group; when it is, no linkage packet is sent.
A linkage group protected interface list is further set in advance; in step B, when the IDS detects attack packets, it further determines whether the attack packets came from an interface in the protected interface list: if so, it sends a linkage packet to each network device in the linkage group; if not, no linkage packet is sent.
A linkage group protected IP address list is further set in advance; in step B, when the IDS detects attack packets, it further determines whether the source or destination address of the attack packets is in the linkage group's protected IP address list: when it is, it sends a linkage packet to each network device in the linkage group; when it is not, no linkage packet is sent.
The pre-defined rule is: network devices belonging to the same network segment are assigned to the same network device linkage group.
The pre-defined rule is: network devices of the same type are assigned to the same network device linkage group.
The linkage packet is encapsulated in TLV format.
When step B determines that the data stream contains attack packets, it is further determined whether the attack packets carry a virtual LAN (VLAN) tag; if so, the linkage packet is sent to the network devices that have IDS-ACL (access control list) enabled for that VLAN; if not, the process ends.
It can be seen from the above technical solution that, in the present invention, by assigning network devices to linkage groups, the IDS sends linkage packets only to the network devices in the linkage group to which the network device that mirrored the data stream containing the attack packets belongs, rather than to all network devices; the present invention therefore makes the linkage between the IDS and the network devices more refined. Moreover, by opening or closing the linkage group master switch, the user can uniformly control whether all network devices as a whole participate in linkage; by opening or closing a linkage group enable switch, the user can uniformly control whether each linkage group as a whole participates in linkage; by setting the linkage group protected IP address list, the user can specify the IP addresses for which linkage protection is performed; by setting the linkage group whitelist, the user can exempt packets from fully trusted addresses from linkage; and by setting the linkage group protected interface list, the user can refine linkage control down to the interface, thereby protecting interfaces more precisely.
Meanwhile, the present invention uses TLV encapsulation for the linkage packets, so that linkage policies can be configured and new linkage policies can easily be added.
SPECIFIC EMBODIMENTS
To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying figures and specific examples.
The main idea of the present invention is: network devices are assigned in advance to network device linkage groups; when a network device receives a data stream, it mirrors the data stream to the IDS; the IDS detects whether the data stream contains attack packets, and when it does, sends a linkage packet to each network device in the network device linkage group to which the network device that mirrored the data stream belongs; the network devices in the network device linkage group then process the data stream according to the linkage packet.
Figure 2 is a schematic diagram of the network structure of an exemplary system for linkage between an IDS and network devices according to the present invention. The system comprises: network device 203, network device 204, network device 205 and IDS 202. Network devices 203, 204 and 205 each receive a data stream and mirror it to IDS 202; of these network devices, network devices 203 and 204 form network device linkage group 200, while network device 205 does not belong to the linkage group. IDS 202 analyses the data stream mirrored by each network device to detect whether it contains attack packets. When attack packets are detected, IDS 202 sends a linkage packet to each network device in the network device linkage group to which the network device that mirrored the data stream belongs, in response to the attack packets. For example, in Figure 2, when attacker 201 transmits a data stream to network device 203, network device 203 first mirrors the data stream to IDS 202 through its mirror port; IDS 202 analyses the data stream mirrored by network device 203 and, finding that it contains attack packets, sends to the whole of linkage group 200 a linkage packet containing the characteristics of the attack packets and the linkage policy for them; then all network devices in linkage group 200, that is, network devices 203 and 204, issue ACL rules to specific ports according to the characteristics of the attack packets and the linkage policy, thereby blocking or rate-limiting the attack packets.
Preferably, when the IDS detects attack packets, it further analyses the type of the attack packets and, according to the result of that analysis, sends the network devices a linkage packet containing the linkage policy corresponding to that attack type. In other words, the IDS configures different linkage policies for different types of attack packet. For instance, for the same linkage device, when a DoS attack is detected IDS 202 may send a linkage packet that blocks the source address for 1000 seconds; when a buffer overflow attack is detected IDS 202 may send a linkage packet that blocks the data stream for 100 seconds. Because IDS 202 sends the network devices a linkage packet corresponding to the attack type, the network devices can perform different response operations on the data stream according to the type of attack. A network device can either completely block the data stream containing the attack packets or rate-limit it. When rate-limiting a data stream, it can limit the total traffic of several data streams of the same type, or limit the rate of each data stream individually.
A linkage policy table can also be configured within IDS 202; the linkage policy table contains the linkage policy corresponding to each type of attack packet. When IDS 202 detects attack packets, it queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy. Before sending the linkage packet, IDS 202 needs to encapsulate it: the characteristics of the attack packets and the linkage policy are encapsulated in the linkage packet, preferably in TLV format. In the linkage policy, each policy option is packaged in TLV format. Each linkage policy comprises one or more binary TLV fields, issued in accordance with the option number. Here T (type) is 1 byte, L (length) is 1 byte, and V (value) has a length determined by L. Because the linkage packet is encapsulated according to the TLV format, new linkage policy options are easy to add: when a new linkage option is needed, it is only necessary to add a TLV definition to the linkage option list. The TLV fields are divided into two parts, flow parameters and operating parameters.
No. | Flow parameter | T | L | Explanation
1 | Terminator | 0 | 0 | Identifies the end of the flow parameters
2 | Source MAC address | 1 | 6 |
3 | Destination MAC address | 2 | 6 |
4 | VLAN TAG | 3 | 2 | Network order; for a linkage packet that contains VLAN information, the switch should issue the ACL rules only on the physical interfaces belonging to that VLAN
5 | Source IP address (IPv4) | 4 | 4 |
6 | Source IP address mask (IPv4) | 5 | 4 | Normal mask; for example 255.255.255.255 denotes a host mask
7 | Destination IP address (IPv4) | 6 | 4 |
8 | Destination IP address mask (IPv4) | 7 | 4 | Normal mask; for example 255.255.255.255 denotes a host mask
9 | Source IP address (IPv6) | 8 | 16 |
10 | Source IP address mask (IPv6) | 9 | 16 |
11 | Destination IP address (IPv6) | 10 | 16 |
12 | Destination IP address mask (IPv6) | 11 | 16 |
13 | Source port | 12 | 2 | Network order; Layer 4 port number
14 | Destination port | 13 | 2 | Network order; Layer 4 port number
15 | ICMP packet TYPE | 14 | 1 | ICMP packet type
16 | ICMP packet CODE | 15 | 1 | ICMP message code
17 | Protocol type | 16 | 1 | ICMP is 1, IP is 0, TCP is 6, UDP is 17; the Layer 3 / transport-layer protocol type, as defined by the standard for the protocol field of the IP header

No. | Operating parameter | T | L | Explanation
1 | Terminator | 0 | 0 | Identifies the end of the operating parameters
2 | Effective time | 1 | 4 | Network order, in seconds; when this parameter is absent the block is permanent
3 | Flow control rate | 2 | 4 | Network order, in kbps, used for flow control; streams with the same class ID share one consistent rate, which is the total rate for the class
4 | Class ID | 3 | 4 | Network order; identifies, for flow control, a group of streams that share one total-rate threshold. The same class ID denotes the same type of stream, and one class ID may contain several different stream IDs. In the extreme case each class contains only one stream, and the rate threshold then limits that single stream
Table 1
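The TLV layout of Table 1, as an added worked example that is not code from the patent. It assumes, as a simplification, that a linkage packet consists of the flow-parameter TLVs closed by their terminator followed by the operating-parameter TLVs closed by theirs; the Python key names and the sample values are this example's own. Unknown type codes are skipped on decoding, which is what makes the option list extensible in the way the description claims.

```python
import struct
import ipaddress

# Type codes and value lengths for the flow parameters of Table 1
# (the table is the patent's; the key names are this example's own).
FLOW_TYPES = {
    "src_mac": (1, 6), "dst_mac": (2, 6), "vlan_tag": (3, 2),
    "src_ip4": (4, 4), "src_mask4": (5, 4), "dst_ip4": (6, 4), "dst_mask4": (7, 4),
    "src_ip6": (8, 16), "src_mask6": (9, 16), "dst_ip6": (10, 16), "dst_mask6": (11, 16),
    "src_port": (12, 2), "dst_port": (13, 2), "icmp_type": (14, 1), "icmp_code": (15, 1),
    "protocol": (16, 1),
}
# Type codes and value lengths for the operating parameters of Table 1.
OP_TYPES = {"effective_time": (1, 4), "rate_kbps": (2, 4), "class_id": (3, 4)}

TERMINATOR = bytes([0, 0])  # T=0, L=0 closes each parameter section


def _pack_value(name, value, length):
    """Serialize one parameter value in network byte order."""
    if name.endswith("mac"):
        raw = bytes.fromhex(value.replace(":", ""))
    elif name.endswith(("ip4", "mask4", "ip6", "mask6")):
        raw = ipaddress.ip_address(value).packed
    else:
        raw = int(value).to_bytes(length, "big")
    if len(raw) != length:
        raise ValueError(f"{name}: expected {length} bytes, got {len(raw)}")
    return raw


def _unpack_value(name, raw):
    if name.endswith("mac"):
        return ":".join(f"{b:02x}" for b in raw)
    if name.endswith(("ip4", "mask4", "ip6", "mask6")):
        return str(ipaddress.ip_address(raw))
    return int.from_bytes(raw, "big")


def encode_linkage_packet(flow, ops):
    """Flow TLVs, terminator, operating TLVs, terminator (assumed layout)."""
    out = bytearray()
    for table, params in ((FLOW_TYPES, flow), (OP_TYPES, ops)):
        for name, value in params.items():
            t, length = table[name]
            raw = _pack_value(name, value, length)
            out += struct.pack("!BB", t, len(raw)) + raw
        out += TERMINATOR
    return bytes(out)


def _parse_section(buf, pos, table):
    """Parse TLVs up to the terminator. Unknown T codes are skipped so that a
    newly added option does not break devices that predate it."""
    by_type = {t: (name, length) for name, (t, length) in table.items()}
    result = {}
    while True:
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = buf[pos], buf[pos + 1]
        pos += 2
        if t == 0 and length == 0:
            return result, pos
        if pos + length > len(buf):
            raise ValueError("truncated TLV value")
        raw = buf[pos:pos + length]
        pos += length
        if t not in by_type:
            continue
        name, expected = by_type[t]
        if length != expected:
            raise ValueError(f"{name}: bad length {length}")
        result[name] = _unpack_value(name, raw)


def decode_linkage_packet(buf):
    flow, pos = _parse_section(buf, 0, FLOW_TYPES)
    ops, pos = _parse_section(buf, pos, OP_TYPES)
    if pos != len(buf):
        raise ValueError("trailing bytes after operating parameters")
    return flow, ops


# Constructed sample: block one host's FTP (TCP/21) stream for 1000 seconds,
# the DoS response the description uses as its example.
SAMPLE_FLOW = {"src_ip4": "192.0.2.10", "src_mask4": "255.255.255.255",
               "dst_port": 21, "protocol": 6}
SAMPLE_OPS = {"effective_time": 1000}

if __name__ == "__main__":
    pkt = encode_linkage_packet(SAMPLE_FLOW, SAMPLE_OPS)
    print(pkt.hex(" "))
    print(decode_linkage_packet(pkt))
```

The length check against Table 1 is deliberate: a receiving switch that trusted L alone would accept a 5-byte "IPv4 address" and silently install a wrong ACL, so a known type with the wrong length is rejected while an unknown type is merely skipped.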
Users can configure the linkage policies visually through the Web configuration interface; on completion of the linkage configuration the linkage policy is written into the linkage policy table, and the linkage policy table is stored in the linkage policy database for easy query and use. Meanwhile, rate-limiting support is added to the linkage policy: for a given attack, the user can choose blocking or rate limiting. Preferably, the linkage policy can be specified to support VLAN tags. If this function is specified, then for packets carrying a VLAN tag the linkage device issues linkage rules only on the IDS-ACL-enabled ports in that VLAN. When configuring the linkage policy, it can further be decided whether to block on the full seven-tuple or on the five-tuple. The seven-tuple comprises source MAC address, destination MAC address, source IP address, destination IP address, source port, destination port and protocol type; the five-tuple comprises source IP address, destination IP address, source port, destination port and protocol type.
Specifically, the network devices can be switches or routers, each connected to a data center and exchanging data streams with the data center connected to it. In Figure 2, network device 203 is connected to data center 206, network device 204 to data center 207, and network device 205 to data center 208.
The linkage system may further comprise a management center 209; when the IDS detects attack packets, it sends alarm information to management center 209, so that management center 209 learns that attack packets are attacking the data centers.
The system for linkage between an IDS and network devices according to the present invention has been described above; the method for linkage between an IDS and network devices according to the present invention is described below.
Figure 3 is a schematic flow diagram of an exemplary method for linkage between an IDS and network devices according to the present invention. In this method, at least one network device is assigned in advance to a network device linkage group; preferably, network devices on the same network segment, or network devices of the same type, are placed in the same network device linkage group. As shown in Figure 3, the method comprises the following steps:
Step 301: a network device receives a data stream and mirrors the data stream to the IDS;
Here, the network device first receives the data stream and then mirrors it to the IDS through the mirror port connected to the IDS. Preferably, the network device is a switch or router with data exchange capability. When an attacker sends attack packets, the data stream has to pass through a switch or router to reach the data center, and the switch or router mirrors the data stream to the IDS as it forwards it.
Step 302: the IDS detects whether the data stream contains attack packets, and when it does, sends a linkage packet to each network device in the network device linkage group to which the network device that mirrored the data stream belongs;
Here, the IDS analyses the data stream mirrored by the network device, and when it finds that the data stream contains attack packets, it sends a linkage packet to each network device in the linkage group to which the mirroring network device belongs, in response to the attack packets. That is, when the analysed data stream contains attack packets, the IDS sends a linkage packet to each network device in the linkage group. The linkage packet preferably encapsulates the characteristics of the attack packets and the linkage policy, so that a network device receiving the linkage packet can parse out the attack packet characteristics and the linkage policy.
Step 303: the network devices process the data stream containing the attack packets according to the linkage packet.
Here, on receiving the linkage packet, a network device first parses out the attack packet characteristics and the linkage policy; from the attack packet characteristics it determines the data stream containing the attack packets, and according to the linkage policy it processes that data stream, for example by blocking or rate-limiting it. Rate-limiting the data stream may be limiting the total rate of several data streams of the same type, or limiting the rate of each data stream individually. Specifically, a linkage policy table is further pre-configured within the IDS, containing the linkage policy corresponding to each type of attack packet. When the IDS detects attack packets, it queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy; on receiving the linkage packet, the network device applies the linkage policy to the data stream containing the attack packets. That is, the IDS configures different linkage policies according to the type of attack packets. In addition, the IDS preferably encapsulates the linkage packet in TLV format; when a new option needs to be added, only a TLV definition needs to be added to the linkage option list, which makes the linkage policy easy to extend.
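How a device in the linkage group could act on the operating parameters parsed from a linkage packet (block versus rate limit, the effective time, and the class-ID rule of Table 1 under which streams of the same class share one total rate while a stream without a class ID is limited on its own), as an added example that is not the patent's own code. The token-bucket limiter, the class and field names, the clock passed in as a plain number of seconds and the sample addresses are this example's assumptions.

```python
class LinkageRule:
    """One ACL-style rule derived from a parsed linkage packet (hypothetical)."""

    def __init__(self, match, ops, now):
        self.match = match                      # flow parameters (five-/seven-tuple fields)
        self.rate_kbps = ops.get("rate_kbps")   # None means block rather than limit
        self.class_id = ops.get("class_id")     # streams sharing a class share one limit
        ttl = ops.get("effective_time")
        self.expires = None if ttl is None else now + ttl  # absent: block forever

    def active(self, now):
        return self.expires is None or now < self.expires

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class TokenBucket:
    """Rate limiter refilling at rate_kbps, with a burst of one second's worth of bytes."""

    def __init__(self, rate_kbps, now):
        self.capacity = rate_kbps * 1000 / 8.0  # bytes per second
        self.tokens = self.capacity
        self.last = now

    def allow(self, size, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.capacity)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class LinkageDevice:
    def __init__(self):
        self.rules = []
        self.buckets = {}

    def install(self, flow, ops, now):
        self.rules.append(LinkageRule(flow, ops, now))

    def handle(self, pkt, now):
        """Return 'forward', 'drop' (blocked) or 'limit' (over the rate) for one packet."""
        for rule in self.rules:
            if not rule.active(now) or not rule.matches(pkt):
                continue
            if rule.rate_kbps is None:
                return "drop"
            # Same class ID: one bucket for the class total. No class ID: one
            # bucket per rule, i.e. each stream is limited individually.
            key = ("class", rule.class_id) if rule.class_id is not None else ("rule", id(rule))
            bucket = self.buckets.setdefault(key, TokenBucket(rule.rate_kbps, now))
            return "forward" if bucket.allow(pkt["size"], now) else "limit"
        return "forward"


def _pkt(src, size):
    # Constructed FTP packet: TCP to port 21 from the given source.
    return {"src_ip4": src, "dst_port": 21, "protocol": 6, "size": size}


def run_scenario():
    """Constructed traffic against four rules; returns the list of decisions."""
    dev = LinkageDevice()
    ftp = {"dst_port": 21, "protocol": 6}
    # Two FTP sources limited as one class: 8 kbps = 1000 bytes/s shared.
    dev.install({"src_ip4": "192.0.2.10", **ftp}, {"rate_kbps": 8, "class_id": 7}, now=0)
    dev.install({"src_ip4": "192.0.2.11", **ftp}, {"rate_kbps": 8, "class_id": 7}, now=0)
    # A third source limited on its own (no class ID).
    dev.install({"src_ip4": "192.0.2.12", **ftp}, {"rate_kbps": 8}, now=0)
    # A DoS source blocked outright for 1000 seconds.
    dev.install({"src_ip4": "192.0.2.13"}, {"effective_time": 1000}, now=0)
    return [
        dev.handle(_pkt("192.0.2.10", 600), now=0),     # forward: class bucket 1000 -> 400
        dev.handle(_pkt("192.0.2.11", 600), now=0),     # limit: shares the class bucket
        dev.handle(_pkt("192.0.2.12", 600), now=0),     # forward: own bucket
        dev.handle(_pkt("192.0.2.13", 60), now=0),      # drop: blocked
        dev.handle(_pkt("192.0.2.13", 60), now=1000),   # forward: block expired
        dev.handle(_pkt("192.0.2.11", 600), now=1),     # forward: class bucket refilled
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two limiting modes side by side: the second packet is held back only because the first source already spent the class's shared budget, whereas the third source, having no class ID, is measured against a budget of its own.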
In the above process, it is preferable to further set an enable switch in advance for each linkage group separately. When the IDS detects attack packets, it further determines the state of the enable switch of the network device linkage group to which the network device that mirrored the data stream belongs: when the linkage group enable switch is on, it sends a linkage packet to each network device in the linkage group; when the enable switch is off, no linkage packet is sent. Thus, depending on how the linkage group enable switches are configured, each linkage group as a whole can be uniformly controlled as to whether it participates in linkage.
In the above process, a linkage group whitelist is preferably further set in advance; the whitelist comprises the IP addresses of trusted hosts or networks. When attack packets are detected, it is further determined whether the source address or destination address of the attack packets is in the whitelist: when it is not, a linkage packet is sent to each network device in the linkage group; when it is, no linkage packet is sent. In this way, according to the linkage group whitelist settings, packets from fully trusted addresses are exempted from linkage.
In the above process, a linkage group protected interface list is preferably further set in advance. When the IDS detects attack packets, it further determines whether the attack packets came from an interface in the protected interface list: if so, it sends a linkage packet to each network device in the linkage group; if not, no linkage packet is sent. Thus, according to the linkage group protected interface list, linkage control can be refined down to the interface, protecting interfaces more precisely.
According to specific needs, the user can make the appropriate selection among the linkage group master switch, linkage group enable switch, linkage group whitelist and linkage group protected interface list operations.
Figure 4 is a schematic flow diagram of a method for linkage between an IDS and network devices according to an embodiment of the present invention. As shown in Figure 4, the method comprises:
Step 401: each network device receives a data stream and mirrors it to the IDS;
Step 402: the IDS analyses the data stream mirrored by each network device to determine whether it contains attack packets; if it does, step 403 and the subsequent steps are performed; if not, the process ends;
Step 403: the IDS determines whether the linkage group master switch is on; if it is on, step 404 and the subsequent steps are performed; if it is off, the process ends;
Step 404: the IDS determines whether the enable switch of the linkage group to which the network device that mirrored the data stream containing the attack packets belongs is on; if it is on, step 405 and the subsequent steps are performed; if it is off, the process ends;
Step 405: the IDS determines whether the attack packets came from a protected interface in the protected interface list; if so, step 406 and the subsequent steps are performed; if not, the process ends;
Step 406: the IDS determines whether the source or destination address of the attack packets is in the whitelist; if not, step 407 and the subsequent steps are performed; if so, the process ends;
Step 407: the IDS assembles the linkage packet and sends it to the linkage group to which the network device that mirrored the data stream containing the attack packets belongs.
Here, according to the type of the attack packets, the IDS extracts the source MAC address, destination MAC address, source IP address, destination IP address, source port, destination port, protocol type and VLAN tag, and combines them with the linkage policy to generate an extensible linkage packet in TLV format.
At this point, each network device in the linkage group receives the linkage packet and processes the data stream accordingly, according to the linkage policy contained in the linkage packet.
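The decision sequence of steps 403 to 407, as an added example that is not the patent's code: a linkage IDS holding the group attributes and a sample linkage policy table, which for one detection either returns the devices of the mirroring device's own group together with the operating parameters to encapsulate, or the reason no linkage packet is sent. The group layout follows Figure 2 (devices 203 and 204 in group 200, device 205 in no group); the interface names, addresses, policy table entries, the protected IP address list check placed before the whitelist check, and the treatment of an empty protected-interface or protected-IP list as "no restriction" are this example's assumptions.

```python
import ipaddress

# Constructed sample linkage policy table: attack type -> operating parameters
# (Table 1 names), using the two responses the description gives as examples
# plus a rate limit instead of a block.
POLICY_TABLE = {
    "dos": {"effective_time": 1000},                 # block the source for 1000 s
    "buffer_overflow": {"effective_time": 100},      # block the stream for 100 s
    "ftp_abuse": {"rate_kbps": 64, "class_id": 1},   # limit rather than block
}


class LinkageGroup:
    """Attributes shared by every device in one linkage group (hypothetical field names)."""

    def __init__(self, name, members, enabled=True, protected_interfaces=(),
                 protected_ips=(), whitelist=()):
        self.name = name
        self.members = set(members)
        self.enabled = enabled                                  # linkage group enable switch
        self.protected_interfaces = set(protected_interfaces)   # empty: no interface filter (assumed)
        self.protected_ips = [ipaddress.ip_network(n) for n in protected_ips]  # empty: no filter (assumed)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]


def _listed(networks, addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks)


class LinkageIDS:
    def __init__(self, groups, master_switch=True, policy_table=POLICY_TABLE):
        self.groups = list(groups)
        self.master_switch = master_switch          # linkage group master switch
        self.policy_table = policy_table
        self.group_of = {dev: g for g in self.groups for dev in g.members}

    def decide(self, alert):
        """Steps 403-407 for one detection: (targets, policy) or (None, reason)."""
        if not self.master_switch:
            return None, "linkage group master switch is off"
        group = self.group_of.get(alert["device"])
        if group is None:
            return None, f"device {alert['device']} is not in any linkage group"
        if not group.enabled:
            return None, f"linkage group {group.name} is disabled"
        if group.protected_interfaces and alert["interface"] not in group.protected_interfaces:
            return None, "attack did not arrive on a protected interface"
        if group.protected_ips and not (_listed(group.protected_ips, alert["src"])
                                        or _listed(group.protected_ips, alert["dst"])):
            return None, "neither address is in the protected IP address list"
        if _listed(group.whitelist, alert["src"]) or _listed(group.whitelist, alert["dst"]):
            return None, "address is whitelisted"
        policy = self.policy_table.get(alert["attack_type"])
        if policy is None:
            return None, f"no linkage policy for {alert['attack_type']}"
        # Only the mirroring device's own group receives the linkage packet.
        return sorted(group.members), policy


def build_ids():
    # Constructed configuration mirroring Figure 2; interface name and whitelist are assumed.
    group_200 = LinkageGroup("200", members=[203, 204],
                             protected_interfaces={"GE1/0/1"}, whitelist=["10.0.0.0/8"])
    return LinkageIDS([group_200])  # device 205 stays outside any group


def alert(device, interface, src, dst, attack_type):
    """Constructed detection record from the IDS analysis step (402)."""
    return {"device": device, "interface": interface, "src": src, "dst": dst,
            "attack_type": attack_type}


if __name__ == "__main__":
    ids = build_ids()
    print(ids.decide(alert(203, "GE1/0/1", "192.0.2.10", "198.51.100.5", "dos")))
    print(ids.decide(alert(205, "GE1/0/1", "192.0.2.10", "198.51.100.5", "dos")))
```

The returned device list is the refinement the description claims over Figure 1: an alert mirrored by device 203 reaches 203 and 204 only, never 205, and any of the switches turns the whole chain off before a packet is assembled.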
The above are only preferred embodiments of the present invention and are not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.