RU131928U1 - DEVICE FOR CHANGING TRAFFIC ROUTE FOR PROCESSING - Google Patents

Abstract

1. A device for changing the route of the passage of traffic for processing, containing at least one input and one output physical interfaces used to connect to a data network, connected to a traffic capture module, which includes an interface for connecting captured information processing systems and a hardware-software unit work with network protocols of the Open Systems Interaction Model (OSI), characterized in that the block of work with network protocols of the Open Systems Interaction Model (OSI) implements methods changing the route of traffic passage, adding or substituting an information processing device into the usual traffic route, to which the captured traffic is redirected or branched for filtering, protection and recording, by using a dynamic routing protocol such as BGP, its modifications and analogues to change the route, models of interaction of open systems used at certain levels, which are controlled through the physical control interface of the dynamic march Disposal. 2. The device for changing the route of the passage of traffic for processing according to claim 1, characterized in that the software and hardware unit for working with network protocols of various levels of the interaction model of open systems performs the procedure of capturing traffic from a local autonomous system for processing. The device for changing the route of the passage of traffic for processing according to claim 1, characterized in that the software and hardware unit for working with network protocols of various levels of the interaction model of open systems performs the redirection procedure

Description

FIELD OF TECHNOLOGY

This technical solution relates to the field of working with digital information transmitted over a data transmission network, namely to systems for capturing, redirecting or branching a schedule by changing the route of its passage in order to pass transmitted information through filtering systems, protection against network attacks, analysis, archiving or various other digital information processing systems. The claimed technical solution can be used in data networks of various sizes.

BACKGROUND

A technical solution is known from the prior art for capturing a schedule by installing the device in a network break in order to control the schedule and ensure the security of digital information passing through (patent SECURE COMPUTER NETWORK WITH A NETWORK SCREEN, US 20020087889 A1, G06F 11/30, published 04.06.2002; patent COMPUTING NETWORK WITH INTER-NETWORK SCREEN AND INTER-NETWORK SCREEN RU 2214623, G06F 15/163 published October 20, 2003). A network security device is also known (NETWORK SECURITY APPLIANCE patent US 20120151558 A1, G06F 21/00, published on June 14, 2012). The main drawback of the proposed solutions regarding the capture of the schedule is the installation of the device in the network break, which entails a change in the organization system and the operation of the protected network, which inevitably leads to large labor costs of the network personnel, as well as the interruption of the normal functioning of the network for a while required to install the system. Also known are devices, systems and methods for working with routing protocols, in order to control the passing traffic and control routing. One of such systems is a distributed system of protection against network attacks by selective deletion of the schedule in IP networks (Distributed denial-of-service attack mitigation by selective black-holing in IP networks, G06F 15/16 published on 01.29.2009). This solution implements the BGP Dynamic Routing Protocol management method. The disadvantage of this solution is the implementation only on the network of the operator providing services of data transmission networks and the lack of capture and processing of traffic.

Closest to the claimed technical solution is a system for capturing, analyzing and storing information transmitted over a network, which uses a traffic capture device by listening to a key network segment (patent SYSTEM AND METHOD FOR THE CAPTURE AND ARCHIVAL OF ELECTRONIC COMMUNICATIONS, US 20080034049 A1, G06F 15/16 published on 02/07/2008). In this technical solution, a device for capturing traffic is not connected to a network break, but by connecting to a key network segment through a physical connection interface made in the form of a network adapter. The device consists of a physical connection interface, a module for working with the TCP / IP protocol stack, which is connected to a traffic capture module that transmits the captured traffic to the nodes for analyzing and archiving the captured traffic. The disadvantages of this technical solution are: the use of a physical interface for connecting to the network to capture the traffic of the listening mode of the network, which entails the need to choose a location for connecting to the network, it should be in the key segment that passes all the traffic that needs to be processed; the impossibility of using this system on a dial-up network, since the device uses the network connection mode through a physical interface operating in listening mode, and this solution is not applicable on a dial-up network, since it will not fulfill its main function of intercepting the entire schedule; the impossibility of filtering and deleting malicious information, since the schedule capture procedure consists in simple listening, without changing the direction of the network traffic for its processing.

DISCLOSURE OF A USEFUL MODEL

The technical problem to which the claimed technical solution is directed is to connect the device to the data network with minimal changes to the configuration of the data network, without changing the organization and operation of the network itself, in order to capture and redirect or branch the schedule for processing.

This problem is solved due to the fact that the inventive device for changing the route of the traffic flow for processing, containing input and output physical interfaces used to connect to a data network, connected to a traffic capture module, incorporating an interface for connecting captured information processing systems, characterized in order to simplify connecting the device to the data network, a software and hardware unit for working with network protocols of the model has been added to the traffic capture module Open Systems Interaction (OSI), which implements methods for changing the route of traffic passage, adding or substituting an information processing device into the usual route of the graph using dynamic routing protocols such as BGP, its modifications and analogues used at certain levels of the open interaction model systems that are managed through a physical interface for managing dynamic routing. As a procedure performed by the hardware-software unit, there may be a procedure for capturing or branching a graph of a local autonomous system, a procedure for capturing or branching a graph of a remote autonomous system, as well as a procedure for returning a graph through prepared network tunnels.

The technical result provided by the given set of features is a simplified connection of digital information processing devices to the data transmission network, which is carried out with minimal changes to the configuration of the data transmission network, without changing the organization system and the operation system of the network itself.

BRIEF DESCRIPTION OF THE DRAWINGS

The essence of the proposed technical solution is illustrated by drawings, which depict:

Figure 1 - Block diagram of a device for changing the route of the graph for processing;

Figure 2 - A typical diagram of the connection to the data network of the device changing the route of the graph for processing;

Figure 3 - Block diagram of the process of the device changing the route of the graph for processing.

IMPLEMENTATION OF A USEFUL MODEL

The device for changing the route of the graph for processing has a block diagram shown in FIG. 1 and consists of an input physical interface (101), an output physical interface (102) and a physical dynamic routing control interface (107), made in the form of network adapters having physical addresses with the bandwidth needed to solve the tasks, as well as the capture module of the schedule (103), which includes a hardware-software unit for working with network protocols of the model OSI open systems (104), which is controlled, configured, and monitored by the control and configuration module (106). The graph capture module also has an interface to the connection to the redirected or branched graph processing systems (105), through which the graph for processing is transmitted from the capture module (103) to the graph processing system (108). Structurally, the device can be performed as a separate, hook and together with the graphics processing system.

The device operates as follows. A typical connection diagram of the inventive device to a data network is shown in FIG. 2. The inventive device for changing the route of the schedule for processing (201) is connected to the border router (202) and the internal router (203) via physical input (208) and output (209) interfaces, respectively. The physical dynamic routing management interface (210), also connected to the border router, serves to control the operation of the BGP routing protocol, its modifications and analogues. This switching scheme is used when changing the route of the incoming schedule, if it is necessary to change the route of the outgoing schedule, then the input physical interface (208) and the physical interface of dynamic routing control (210) are connected to the internal router (203), and the output physical interface (209) is connected to border router (202). Also, through the connection interface with processing systems (211), the inventive device is connected to an information processing system (207). A typical network to which the claimed device is connected may consist of routing devices (202, 203, 212), switching devices (204, 213), terminal devices (205, 206, 214, 215), such as workstations, servers, printers and other devices that can connect to a data network. It should be noted that the network organization diagram presented in FIG. 2 is a special case and serves only to explain the principle of connecting the inventive device. In the scope of this technical solution, the network may have a different organization scheme, a different set of devices and the connections between them, corresponding to the standards for building data transmission networks.

The process of the inventive device consists of several stages, a block diagram of this process is shown in Fig.3. After connecting the inventive device to the data network, the device starts to work (301). The first procedure that it performs is the initialization of work (302), which includes the determination and application of settings made by the control and configuration module (106) shown in FIG. 1. These settings indicate to the claimed device with which border routers it is necessary to establish a connection using the BGP protocol, its modifications or analogues. After making the settings and determining the routers with which it is necessary to establish a connection, the device establishes a connection with the border routers (303) and starts to query the routing table, which contains information about the networks that can be reached, through the border routers with which the connection is established (304 ) It should be noted that the connection can be established both with the border router of the local autonomous system, and with the border router of the remote autonomous system, as well as the internal router of the network, if it is necessary to capture outgoing traffic. This procedure is performed through the exchange of service information through the dynamic routing protocol BGP, its modifications or analogues. After receiving the routing table from the border routers with which the connection is established via the BGP protocol, its modifications or analogs, the claimed device starts the process of changing the route of the graph (305-310). The process of changing the route of passing the schedule begins with checking the activity of the process of changing the route (306), this check is necessary to stop the operation of the device if a sign is displayed that the change in the route of passing the schedule has been set. This attribute is set by the control and adjustment module (106). When this attribute is set, the device enters the final phase of operation (311, 312), in which the changed routes of the graph are restored, if they have been changed, and the device stops working. In the event that the process for changing the route of the schedule is active and the sign of completion of this process by the control and configuration module is not set, then the claimed device checks for network addresses (307), the schedule of which must be redirected or branched along the new route. These addresses are set by the control and configuration module (106). If there are such addresses, then the system proceeds to change the route of the graph, if it is not, then the system remains in anticipation of further action. When changing the route of the schedule, the system sends service messages to the border router (308), these messages are BGP messages in which the border router is informed about the next node in the route of the schedule to the nodes whose addresses are determined by the configuration and control module (106) . The next node in the route for passing this schedule indicates the input interface of the inventive device (208). After receiving messages about changing the route, the border routers to which these messages were sent redirect the route of the schedule to the nodes whose addresses were indicated in the messages through the input physical interface of the claimed device by changing the routing tables. For the case when a change in the route of the graph occurs for the local autonomous system, only the routing tables of the border router of the local autonomous system change, without transferring the changed route to the external network. In the case when the route change of the route occurs for the remote autonomous system, the routing tables of the border routers change and the changed route is transmitted to the external network. When the routing tables of the border routers have changed, the schedule begins to flow to the input interface of the claimed device. After receiving the graph to the input interface, the claimed device redirects or branches this graph (309) to the graph processing system through the corresponding interface of the graph processing systems. The transmission of the processed schedule occurs through the output physical interface of the claimed device. It should be noted that the system only intercepts the incoming or outgoing schedule, depending on the connection scheme, the route of the graph going in the opposite direction does not change.

Thus, the inventive device for changing the route of the schedule for processing connects to the data network, and redirects or branches traffic to the processing system of the schedule, with minimal changes to the configuration of the data network, without changing the organization and operation of the network itself. It should be noted that various systems can act as graph processing systems, as a special case, these can be network protection protection systems, graph filtering systems, archiving systems and many other systems working with digital information passing through data transmission networks.

Claims (4)

1. A device for changing the route of the passage of traffic for processing, containing at least one input and one output physical interfaces used to connect to a data network, connected to a traffic capture module, which includes an interface for connecting captured information processing systems and a hardware-software unit work with network protocols of the Open Systems Interaction Model (OSI), characterized in that the block of work with network protocols of the Open Systems Interaction Model (OSI) implements methods changing the route of traffic passage, adding or substituting an information processing device into the usual traffic route, to which the captured traffic is redirected or branched for filtering, protection and recording, by using a dynamic routing protocol such as BGP, its modifications and analogues to change the route, models of interaction of open systems used at certain levels, which are controlled through the physical control interface of the dynamic march disposal. 2. The device for changing the route of the passage of traffic for processing according to claim 1, characterized in that the software and hardware unit for working with network protocols of various levels of the interaction model of open systems performs the process of capturing traffic from the local autonomous system for processing. 3. The device for changing the route of the passage of traffic for processing according to claim 1, characterized in that the software and hardware unit for working with network protocols of various levels of the interaction model of open systems performs the procedure of redirecting traffic of the local autonomous system for processing. 4. The device for changing the route of the passage of traffic for processing according to claim 1, characterized in that the software and hardware unit for working with network protocols of various levels of the interaction model of open systems performs the process of capturing traffic from a remote autonomous system for processing.

Images