WO2013071821A1 - Security policy delivery method, and network element and system for implementing it - Google Patents

Security policy delivery method, and network element and system for implementing it

Info

Publication number: WO2013071821A1
Authority: WO (WIPO, PCT)
Prior art keywords: user, location, security, ilr, security policy
Application number: PCT/CN2012/083791
Other languages: English (en), Chinese (zh)
Inventors: 颜正清, 张世伟, 符涛
Original assignee: 中兴通讯股份有限公司
Priority date: 2011-11-15
Filing date: 2012-10-31
Publication date: 2013-05-23
Application filed by 中兴通讯股份有限公司
Publication of WO2013071821A1

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent

Definitions

  • The present invention relates to the field of mobile communications and the Internet, and specifically to a method for delivering a security policy and to a network element and system for implementing the method.
  • Background: traditional security devices mainly provide basic functions such as packet filtering, network address translation (NAT), defence against DDoS (distributed denial of service) attacks and defence against malformed-packet attacks, and can defend against network-layer threats. As networks have developed and network applications have become richer, attack techniques aimed at the application layer have developed rapidly, and security devices that defend against these application-layer attacks, such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and UTM (Unified Threat Management) devices, have emerged.
  • The security policy server can communicate with the security enforcement entity (the security device) to deliver security policies, which reduces the cost of manually maintaining security devices.
  • The existing security policy delivery mechanism can only deliver security policies for fixed users to a single security device; it cannot deliver the same security policy for a mobile user to multiple security devices. That is, the security policy server cannot deliver a user-based security policy to the security devices at the different nodes that the user accesses.
  • When the user moves, the user's identity (the IP address) changes, and the existing security policy delivery mechanism cannot implement the same security policy for that user across the entire network.
  • The embodiment of the invention provides a security policy delivery method that can implement the same security policy for a user across the entire network.
  • The security policy delivery method includes the following: after receiving a user location registration request sent by an access server (ASR), the identity and location register (ILR) sends a message indicating the user's new location to the policy server (PS); after receiving the message from the ILR indicating the user's new location, the PS sends the security policy related to the user to the security enforcement entity at the user's current location.
  • The method further includes: the ILR updating the locally stored mapping between the user's access identifier and the user's location.
  • The method further includes: the PS recording the user's current location.
  • The PS sending the security policy related to the user to the security enforcement entity at the user's current location includes: the PS first determining whether the user's location has changed and, if it has, sending the security policy associated with the user to the security enforcement entity at the user's current location.
  • The security enforcement entity includes a security gateway (SG) or an ASR with SG functionality.
  • The embodiment of the invention further provides a security policy delivery system that can implement the same security policy across the entire network.
  • The security policy delivery system includes an identity and location register (ILR) and a policy server (PS), where:
  • the ILR is configured to send a message indicating the user's new location to the PS after receiving a user location registration request sent by an access server (ASR);
  • the PS is configured to, after receiving the message from the ILR indicating the user's new location, send the security policy related to the user to the security enforcement entity at the user's current location.
  • The PS is further configured to record the user's current location after receiving the message from the ILR indicating the user's new location.
  • The PS is configured to send the security policy related to the user to the security enforcement entity at the user's current location in the following manner: first determine whether the user's location has changed and, if it has, send the security policy associated with the user to the security enforcement entity at the user's current location.
  • The security enforcement entity includes a security gateway (SG) or an ASR with SG functionality.
  • The embodiment of the present invention further provides an identity and location register (ILR) that enables the security policy server to know when to deliver a security policy to the security enforcement entity.
  • The identity and location register includes a receiving module and a sending module, where:
  • the receiving module is configured to receive a user location registration request sent by an access server (ASR);
  • the sending module is configured to send a message indicating the user's new location to the policy server (PS) after the receiving module receives the user location registration request.
  • The ILR further includes a saving module configured to update the locally stored mapping between the user's access identifier and the user's location after the receiving module receives the user location registration request.
  • The embodiment of the invention further provides a policy server (PS) for implementing a security policy delivery system, which can implement the same security policy for a user across the entire network.
  • The policy server includes a receiving module and a sending module, where: the receiving module is configured to receive a message sent by the identity and location register (ILR) indicating the user's new location;
  • the sending module is configured to send, after the receiving module receives the message indicating the user's new location, the security policy related to the user to the security enforcement entity at the user's current location.
  • The PS further includes a saving module configured to record the user's current location after the receiving module receives the message from the ILR indicating the user's new location.
  • The PS further includes a determining module configured to determine, after the receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed and, if it has, to notify the sending module to send the security policy related to the user to the security enforcement entity at the user's current location.
  • The security enforcement entity includes a security gateway (SG) or an ASR with SG functionality.
  • The embodiment of the present invention builds on the identity and location separation network: the ILR stores and looks up the user's location information by the user's AID, so it can promptly notify the PS, which then delivers the AID-based security policy to the security device at the user's current location. Because the user's access identifier (AID) is unique across the entire network, the policy can be delivered on a per-user basis network-wide.
  • FIG. 1 is a schematic diagram of security policy delivery;
  • FIG. 2 shows the system architecture of the SILSN;
  • FIG. 3 is a flowchart of dynamically delivering a user-based security policy across the entire network according to an embodiment of the present invention;
  • FIG. 4 is a flowchart of an application example of the present invention;
  • FIG. 5 is a schematic structural diagram of a system for implementing security policy delivery according to an embodiment of the present invention.
  • FIG. 2 is an architectural diagram of the identity and location separation network. In this figure the Subscriber Identifier & Locator Separation Network (SILSN) consists of Access Service Routers (ASR), User Equipment (UE), an Identity and Location Register (ILR), an Authentication Center (AC) and other components.
  • The access servers ASR1 and ASR2 provide access for the user terminal devices UE1 and UE2 respectively; they are responsible for implementing access for the user terminals and for functions such as charging, handover and security.
  • The ILR is responsible for the user's location registration and identity identification functions.
  • The AC is responsible for user access authentication.
  • UE1 and UE2 have the unique identity identifiers AID1 and AID2 respectively.
  • The network shown in Figure 2 has the following characteristics. Each user in the network can access it only after strict authentication. In every data packet it sends, the user carries its own real access identifier (AID); this identifier is assigned only to that user and is unique across the entire network, and the data packets the user sends in the various services always carry it. Every data packet sent by the user must be verified by the access server ASR to ensure that the packet carries the sender's own access identifier, so that a user cannot impersonate another user's AID to access the network; the identifier remains unchanged while the packet is transmitted within the network, and it does not change when the user moves or hands over.
  • The ASR reports the user's location information to the ILR.
  • The ILR notifies the PS (Policy Server) of the user's new location information (for example, the RID of the ASR), and the PS delivers the user-based security policy to the corresponding security device according to the user's new location.
  • Because the ILR notifies the PS of the user's new location, the PS can send the user-based security policy to the security device at the new location where the user is currently located.
  • This provides a user-based security policy delivery mechanism that follows the user dynamically across the network.
  • Step 301: after receiving the user location registration request sent by the ASR, the ILR sends a message indicating the user's new location to the PS.
  • After receiving the user location registration request, the ILR also updates the locally stored mapping between the user's access identifier and the user's location.
  • Step 302: after receiving the message from the ILR indicating the user's new location, the PS sends the security policy related to the user to the security enforcement entity at the user's current location.
  • After receiving the message from the ILR indicating the user's new location, the PS records the user's current location and sends the security policy related to the user to the security enforcement entity at the user's current location.
  • The security enforcement entity includes an SG or an ASR with SG functionality.
  • The ILR sends the user's current location to the PS when the user's location changes.
  • The PS first determines whether the user's location has changed. If it has, the PS sends the security policy related to the user to the security enforcement entity at the user's current location; if it has not, nothing is sent.
  • The SG can be deployed independently of the ASR, or the SG functions can be integrated into the ASR. If the SG is deployed separately from the ASR, the PS needs to maintain an association table between SGs and ASRs: when the user moves to the location of an ASR, the PS looks up the SG for that location according to the ASR's location and then delivers the security policy.
  • Figure 4 shows an embodiment of security policy delivery in an identity and location separation network.
  • The user first accesses the network through ASR1, and the PS (Policy Server) sends the security policy related to the user to SG (Security Gateway) 1.
  • When the user moves to ASR2, the ILR informs the PS that the user has moved to ASR2; the PS sends the security policy related to the user to SG2 and deletes the security policy related to the user on SG1.
  • The security device SG can be a standalone device, or the functions of the security device can be integrated into the ASR.
  • S400: the user goes online on ASR1, and ASR1 sends the user's location registration request to the ILR.
  • The ILR receives the user's location registration request and, after completing the registration, sends a location registration response to ASR1.
  • The ILR notifies the PS of the user's location, and the PS records the user's location.
  • The PS sends the user-related security policy to SG1, where the user is located, according to the user's location.
  • After the user moves to ASR2 and the ILR receives the user location registration request sent by ASR2, the ILR updates the mapping between the user's identity and location and sends a user location registration response to ASR2.
  • After updating the user's identity and location mapping, the ILR sends a user location change message to the PS carrying the user's new location information.
  • The PS receives the user location change message and compares it with the user's original location. If the location has changed, the PS sends the security policy related to the user to SG2, where the user is now located.
  • SG2 sends a security policy response message to the PS.
  • The PS sends a deletion command for the user-related security policy to SG1.
  • The above process completes the delivery of the security policy related to the user as the user goes online from ASR1 and then moves to ASR2.
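A minimal model of the Figure 4 exchange, added here as an example and not part of the patent: the ILR keeps the AID-to-location mapping and notifies the PS; the PS records the location, sends nothing when the location is unchanged, resolves the SG through an ASR-to-SG association table (or addresses the ASR itself when the SG function is integrated), and deletes the policy from the previous SG after installing it on the new one. Class and field names and the sample AID, RID and policy values are assumptions.

```python
# Added example (not the patent's code): ASR -> ILR -> PS -> SG policy delivery.
# Names, message fields and sample values are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    """Policy command the PS sends to a security enforcement entity (SG)."""
    sg: str        # receiving SG, e.g. "SG1"
    action: str    # "install" or "delete"
    aid: str       # network-wide unique user access identifier
    policy: str    # opaque policy body, e.g. one ACL rule


class PolicyServer:
    """PS: records the user's location and pushes the per-user policy to the
    SG at the current location, deleting it from the previous SG on a move."""

    def __init__(self, sg_for_asr, policies):
        # Association table ASR RID -> SG, needed only when the SG is deployed
        # separately from the ASR. An ASR absent from the table is treated as
        # an ASR with integrated SG function, so it receives the policy itself.
        self.sg_for_asr = dict(sg_for_asr)
        self.policies = dict(policies)   # AID -> policy
        self.location = {}               # AID -> ASR RID (recorded location)
        self.sent = []                   # every Command issued, in order

    def sg_at(self, asr_rid):
        return self.sg_for_asr.get(asr_rid, asr_rid)

    def on_location_message(self, aid, new_asr):
        """Handle the ILR's 'new location' message; return commands issued."""
        old_asr = self.location.get(aid)
        if old_asr == new_asr:           # location unchanged: nothing is sent
            return []
        self.location[aid] = new_asr     # record the current location
        policy = self.policies.get(aid)
        if policy is None:               # no policy defined for this user
            return []
        cmds = [Command(self.sg_at(new_asr), "install", aid, policy)]
        if old_asr is not None:          # user moved: remove policy on old SG
            cmds.append(Command(self.sg_at(old_asr), "delete", aid, policy))
        self.sent.extend(cmds)
        return cmds


class ILR:
    """ILR: keeps the AID -> location (RID) mapping and notifies the PS."""

    def __init__(self, ps):
        self.ps = ps
        self.mapping = {}                # AID -> ASR RID

    def on_location_registration(self, aid, asr_rid):
        """Handle a location registration request sent by an ASR."""
        self.mapping[aid] = asr_rid      # update identity/location mapping
        self.ps.on_location_message(aid, asr_rid)
        return {"type": "location_registration_response", "aid": aid, "ok": True}


def run_figure4_scenario():
    """Constructed data: user AID1 goes online at ASR1, then moves to ASR2."""
    ps = PolicyServer(sg_for_asr={"ASR1": "SG1", "ASR2": "SG2"},
                      policies={"AID1": "deny tcp any any eq 23"})
    ilr = ILR(ps)
    ilr.on_location_registration("AID1", "ASR1")   # S400: online on ASR1
    ilr.on_location_registration("AID1", "ASR1")   # re-registration, no move
    ilr.on_location_registration("AID1", "ASR2")   # user moves to ASR2
    return ps.sent


if __name__ == "__main__":
    for c in run_figure4_scenario():
        print(f"{c.sg}: {c.action} policy for {c.aid}")
```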
  • A system for implementing the foregoing security policy delivery method includes an ILR and a PS, where: the ILR is configured to send a message indicating the user's new location to the PS after receiving the user location registration request sent by the ASR;
  • the PS is configured to, after receiving the message from the ILR indicating the user's new location, send the security policy related to the user to the security enforcement entity at the user's current location.
  • The foregoing ILR includes a first receiving module and a first sending module, where:
  • the first receiving module is configured to receive a user location registration request sent by the ASR;
  • the first sending module is configured to send a message indicating the user's new location to the PS after the first receiving module receives the user location registration request.
  • The ILR further includes a first saving module configured to update the locally stored mapping between the user's access identifier and the user's location after the first receiving module receives the user location registration request.
  • The foregoing PS includes a second receiving module and a second sending module, where: the second receiving module is configured to receive the message sent by the ILR indicating the user's new location; and the second sending module is configured to, after the second receiving module receives the message indicating the user's new location, send the security policy related to the user to the security enforcement entity at the user's current location.
  • The PS further includes a second saving module configured to record the user's current location after the second receiving module receives the message from the ILR indicating the user's new location.
  • The PS further includes a determining module configured to determine, after the second receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed and, if it has, to notify the second sending module to send the security policy associated with the user to the security enforcement entity at the user's current location.
  • The above security enforcement entities include an SG or an ASR with SG functionality.
  • The embodiment of the present invention builds on the identity and location separation network: the ILR looks up the user's location information by AID and can promptly notify the PS to deliver the user-based security policy to the security device at the user's location.
  • The security policy is based on the user's AID, which is unique across the entire network, so the same policy can be applied to the user network-wide.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a security policy delivery method and to a network element and system for implementing it, which make it possible to implement the same security policy for a user across an entire network. The method includes the following steps: after receiving a user location registration request from an access server (ASR), an identity and location register (ILR) sends a policy server (PS) a message indicating the user's new location; and after receiving from the ILR the message indicating the user's new location, the PS sends a security policy related to the user to the security enforcement entity at the user's current location. The system includes an ILR and a PS. The ILR includes a receiving module and a sending module. The PS includes a receiving module and a sending module.
PCT/CN2012/083791 2011-11-15 2012-10-31 Security policy delivery method, and network element and system for implementing it WO2013071821A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110361684.4A (CN103108302B, zh) 2011-11-15 2011-11-15 Security policy delivery method and network element and system for implementing the method

Publications (1)

Publication Number Publication Date
WO2013071821A1 true WO2013071821A1 (fr) 2013-05-23

Family

ID=48315808

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/083791 WO2013071821A1 (fr) 2011-11-15 2012-10-31 Security policy delivery method, and network element and system for implementing it

Country Status (2)

Country Link
CN (1) CN103108302B (fr)
WO (1) WO2013071821A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109429170A (zh) * 2017-09-01 2019-03-05 中国移动通信有限公司研究院 Call processing method, monitoring platform entity and computer-readable storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150381658A1 (en) * 2014-06-30 2015-12-31 Mcafee, Inc. Premises-aware security and policy orchestration
CN106301901A (zh) * 2016-08-09 2017-01-04 北京北信源软件股份有限公司 Policy distribution, enforcement and update method for terminal devices
CN110943978A (zh) * 2019-11-14 2020-03-31 光通天下网络科技股份有限公司 Security policy configuration method and apparatus, electronic device and medium
CN111967000B (zh) * 2020-08-18 2024-02-23 中国银行股份有限公司 Compliance monitoring method, apparatus and system for cross-border financial apps

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101099332A (zh) * 2004-09-13 2008-01-02 Ut斯达康公司 Dynamic firewall capabilities for wireless access gateways
CN101123803A (zh) * 2006-08-11 2008-02-13 华为技术有限公司 Processing method for mobile station state changes in an associated reaction system
CN101730101A (zh) * 2009-04-15 2010-06-09 中兴通讯股份有限公司 Method, system and apparatus for implementing identity and location separation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964778B (zh) * 2009-07-24 2014-07-30 华为技术有限公司 Security assurance method for host identity tags and security management server

Also Published As

Publication number Publication date
CN103108302B (zh) 2018-02-16
CN103108302A (zh) 2013-05-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12850594; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12850594; Country of ref document: EP; Kind code of ref document: A1)