WO2013071821A1 - Method for delivering security policies, and network element and system for implementing them - Google Patents
Method for delivering security policies, and network element and system for implementing them
- Publication number
- WO2013071821A1 (PCT/CN2012/083791)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- location
- security
- ilr
- security policy
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
Definitions
- The present invention relates to the field of mobile communications and the Internet, and specifically to a method for delivering a security policy and a network element and system for implementing the method. Background art
- Traditional security devices mainly provide basic functions such as packet filtering, network address translation (NAT), defence against DDoS (distributed denial of service) attacks and defence against malformed-packet attacks; they defend against network-layer threats. As networks have grown and applications have multiplied, attack techniques aimed at the application layer have developed rapidly, and security devices that defend against application-layer attacks, such as IDS (Intrusion Detection System), IPS (Intrusion Protection System) and UTM (Unified Threat Management) devices, have emerged.
- IDS Intrusion Detection System
- IPS Intrusion Protection System
- UTM Unified Threat Management
- The security policy server can communicate with the security enforcement entity (the security device) to deliver security policies to it, which reduces the cost of maintaining security devices manually.
- The existing security policy delivery mechanism can only deliver security policies for fixed users to a single security device; it cannot deliver the same security policy to multiple security devices for a mobile user. That is, the security policy server cannot deliver a user-based security policy to the security devices at the different nodes the user accesses.
- When the user moves, the user's identity (the IP address) changes, and the existing security policy delivery mechanism cannot enforce the same security policy for the user across the entire network.
- The embodiment of the invention provides a security policy delivery method that can enforce the same security policy for a user across the entire network.
- The security policy delivery method includes:
- After receiving a user location registration request sent by an access server (ASR), the identity and location register (ILR) sends a message indicating the user's new location to the policy server (PS); after receiving that message from the ILR, the PS sends the security policy associated with the user to the security enforcement entity at the user's current location.
- ASR access server
- ILR identity and location registration register
- The method further includes: the ILR updating the locally stored mapping between the user's access identifier and the user's location.
- The method further includes: the PS recording the user's current location.
- The PS sends the security policy associated with the user to the security enforcement entity at the user's current location as follows: the PS first determines whether the user's location has changed, and only if it has changed does it send the security policy associated with the user to the security enforcement entity at the user's current location.
- the security enforcement entity includes: a security gateway (SG) or an ASR with an SG function.
- SG security gateway
- ASR with an SG function
- The embodiment of the invention further provides a security policy delivery system that can enforce the same security policy for a user across the entire network.
- The security policy delivery system includes an identity and location register (ILR) and a policy server (PS), where:
- the ILR is configured to send a message indicating the user's new location to the PS after receiving the user location registration request sent by the access server (ASR);
- the PS is configured to send the security policy associated with the user to the security enforcement entity at the user's current location after receiving the message indicating the user's new location from the ILR.
- The PS is further configured to record the user's current location after receiving the message indicating the user's new location from the ILR.
- The PS sends the security policy associated with the user to the security enforcement entity at the user's current location as follows: it first determines whether the user's location has changed, and if so, sends the security policy associated with the user to the security enforcement entity at the user's current location.
- the security enforcement entity includes: a security gateway (SG) or an ASR with an SG function.
- SG security gateway
- ASR with an SG function
- The embodiment of the present invention further provides an identity and location register (ILR) that lets the security policy server know when to deliver a security policy to the security enforcement entity.
- ILR identity and location register
- the identity and location registration register includes a receiving module and a transmitting module, wherein:
- the receiving module is configured to receive a user location registration request sent by an access server (ASR);
- ASR access server
- the sending module is configured to send a message indicating a new location of the user to the policy server (PS) after the receiving module receives the user location registration request.
- PS policy server
- the ILR further includes a saving module, configured to update a mapping relationship between the locally stored access identifier and the location of the user after the receiving module receives the user location registration request.
- The embodiment of the invention further provides a policy server (PS) for a security policy delivery system, which can enforce the same security policy for a user across the entire network.
- PS policy server
- The policy server includes a receiving module and a sending module, where: the receiving module is configured to receive a message sent by the identity and location register (ILR) indicating the user's new location;
- the sending module is configured to send the security policy associated with the user to the security enforcement entity at the user's current location after the receiving module receives the message indicating the user's new location.
- ILR identity and location register
- the PS further includes a saving module configured to record the current location of the user after the receiving module receives the message indicating the new location of the user sent by the ILR.
- The PS further includes a determining module, configured to determine, after the receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed, and if so, to notify the sending module to send the security policy associated with the user to the security enforcement entity at the user's current location.
- the security enforcement entity includes: a security gateway (SG) or an ASR with an SG function.
- SG security gateway
- ASR with an SG function
- The embodiment of the present invention combines security policy delivery with the identity and location separation network: the ILR tracks the user's location by the user's access identifier (AID), so it can notify the PS in time to deliver the user's AID-based security policy to the security device at the user's location. The policy relies on the network-wide uniqueness of the user's AID to deliver a user-based, network-wide security policy.
- FIG. 1 is a schematic diagram of a security policy delivery
- Figure 2 shows the system architecture diagram of the SILSN
- FIG. 3 is a flowchart of dynamically transmitting a user-based security policy on the entire network according to an embodiment of the present invention
- FIG. 4 is a flowchart of an application example of the present invention
- FIG. 5 is a schematic structural diagram of a system for implementing security policy delivery according to an embodiment of the present invention.
- FIG. 2 is an architecture diagram of the identity and location separation network. The Subscriber Identifier & Locator Separation Network (SILSN) is composed of Access Service Routers (ASR), User Equipment (UE), the Identity and Location Register (ILR), the Authentication Center (AC) and other components.
- The access servers ASR1 and ASR2 provide access for the user terminals UE1 and UE2 respectively, and perform functions such as charging, handover and security.
- The ILR handles user location registration and identity query.
- The AC handles user access authentication.
- UE1 and UE2 have the unique identity identifiers AID1 and AID2 respectively.
- The network in Figure 2 has the following characteristics. Each user can access the network only after strict authentication. Every data packet a user sends carries the user's real access identifier (AID); the AID is assigned to that user alone, is unique across the entire network, and is carried in every packet the user sends in any service. The ASR checks every packet the user sends to ensure that it carries the user's own access identifier, so a user cannot impersonate another user's AID to access the network. The AID is not changed as the packet is forwarded within the network, and it does not change when the user moves or hands over.
- When the user comes online at an ASR or moves to a new one, the ASR reports the user's location information to the ILR.
- The ILR informs the PS (Policy Server) of the user's new location information (for example, the RID of the ASR), and the PS delivers the user-based security policy to the corresponding security device according to the user's new location.
- PS Policy Server
- Because the ILR notifies the PS of the user's new location, the PS can send the user-based security policy to the security device at the location where the user currently is, which yields a user-based security policy delivery mechanism that is dynamic across the entire network.
- Step 301: after receiving the user location registration request sent by the ASR, the ILR sends a message indicating the user's new location to the PS.
- After receiving the user location registration request, the ILR also updates the locally stored mapping between the user's access identifier and the user's location.
- Step 302: after receiving the message from the ILR indicating the user's new location, the PS sends the security policy associated with the user to the security enforcement entity at the user's current location.
- After receiving the message from the ILR indicating the user's new location, the PS records the user's current location and sends the security policy associated with the user to the security enforcement entity at the user's current location.
- The security enforcement entity is an SG or an ASR with the SG function.
- The ILR sends the user's current location to the PS when the user's location changes.
- The PS first determines whether the user's location has changed. If it has, the PS sends the security policy associated with the user to the security enforcement entity at the user's current location; if it has not, nothing is sent.
- The SG can be deployed independently of the ASR, or the SG function can be integrated into the ASR. If the SG is deployed separately from the ASR, the PS must maintain an association table between SGs and ASRs: when the user moves to a given ASR, the PS looks up the SG serving that ASR's location and then delivers the security policy to it.
- Figure 4 shows an example of security policy delivery in an identity and location separation network.
- The user first accesses the network through ASR1, and the PS (Policy Server) sends the security policy associated with the user to SG (Security Gateway) 1.
- When the user moves to ASR2, the ILR informs the PS that the user has moved to ASR2; the PS sends the security policy associated with the user to SG2 and deletes the security policy associated with the user from SG1.
- The security device SG can be a standalone device, or its functions can be integrated into the ASR.
- S400: the user comes online at ASR1, and ASR1 sends the user's location registration request to the ILR.
- The ILR receives the user's location registration request and, after completing the registration, sends a location registration response to ASR1.
- The ILR notifies the PS of the user's location, and the PS records the user's location.
- The PS sends the user's security policy to SG1, where the user is located, according to the user's location.
- The user moves to ASR2, and ASR2 sends a user location registration request to the ILR. After receiving it and updating the user's identity-to-location mapping, the ILR sends a user location registration response to ASR2.
- After updating the user's identity-to-location mapping, the ILR sends a user location change message carrying the user's new location information to the PS.
- The PS receives the user location change message and compares the new location with the user's previously recorded location. If the location has changed, the PS sends the security policy associated with the user to SG2, where the user is now located.
- SG2 sends a security policy response message to the PS.
- The PS sends a command to SG1 to delete the security policy associated with the user.
- The above completes the delivery of the user's security policy as the user comes online at ASR1 and then moves to ASR2.
- A system for implementing the foregoing security policy delivery method includes an ILR and a PS, where: the ILR is configured to send a message indicating the user's new location to the PS after receiving the user location registration request sent by the ASR;
- the PS is configured to send the security policy associated with the user to the security enforcement entity at the user's current location after receiving the message indicating the user's new location from the ILR.
- The foregoing ILR includes a first receiving module and a first sending module, where:
- the first receiving module is configured to receive the user location registration request sent by the ASR;
- the first sending module is configured to send a message indicating the user's new location to the PS after the first receiving module receives the user location registration request.
- The ILR further includes a first saving module, configured to update the locally stored mapping between the user's access identifier and the user's location after the first receiving module receives the user location registration request.
- The foregoing PS includes a second receiving module and a second sending module, where: the second receiving module is configured to receive the message sent by the ILR indicating the user's new location; and the second sending module is configured to send the security policy associated with the user to the security enforcement entity at the user's current location after the second receiving module receives that message.
- The PS further includes a second saving module, configured to record the user's current location after the second receiving module receives the message from the ILR indicating the user's new location.
- The PS further includes a determining module, configured to determine, after the second receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed, and if so, to notify the second sending module to send the security policy associated with the user to the security enforcement entity at the user's current location.
- The above security enforcement entity is an SG or an ASR with the SG function.
- In summary, the embodiment of the present invention combines security policy delivery with the identity and location separation network: the ILR tracks the user's location by the user's AID and can therefore promptly notify the PS to deliver the user's security policy to the security device at the user's location, implementing a user-based, network-wide security policy on the basis of the AID.
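The delivery flow described above (Steps 301 and 302, and the FIG. 4 example of a user coming online at ASR1 and then moving to ASR2), as an added, runnable Python model. This is example code written for this page, not code from the patent or its applicant; the class and method names (Ilr, PolicyServer, SecurityGateway, on_location_register, on_location_notify, install_policy, delete_policy), the RID strings and the sample policy rules are assumptions, since the patent specifies no message encoding. It also goes one step beyond the text by handling two ASRs that share a single SG, where the policy must not be deleted after the move.

```python
"""Added example: in-memory model of user-based security policy delivery in an
identity/location separation network (ILR -> PS -> SG), following Steps 301/302
and the FIG. 4 scenario. Not from the patent; names, RIDs and the message
layout are assumed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A user-bound rule set, keyed by AID so it is independent of the locator (RID)."""
    aid: str
    rules: tuple


class SecurityGateway:
    """Security enforcement entity: a standalone SG or an ASR with the SG function."""

    def __init__(self, name):
        self.name = name
        self.installed = {}  # aid -> Policy currently enforced here

    def install_policy(self, policy):
        # Idempotent: re-installing the same AID simply replaces the entry.
        self.installed[policy.aid] = policy
        return ("policy-response", self.name, policy.aid, "ok")

    def delete_policy(self, aid):
        self.installed.pop(aid, None)
        return ("delete-response", self.name, aid, "ok")


class PolicyServer:
    """PS: records each user's current location, compares new notifications
    against it, and pushes/removes the user's policy on the affected SGs."""

    def __init__(self, policies, sg_for_asr):
        self.policies = policies      # aid -> Policy
        self.sg_for_asr = sg_for_asr  # ASR RID -> SecurityGateway (SG/ASR association table)
        self.location = {}            # aid -> RID recorded as the user's current location

    def on_location_notify(self, aid, new_rid):
        """Handle the ILR's 'new location' message. Returns the SG responses
        received, in order; an empty list means the location was unchanged."""
        old_rid = self.location.get(aid)
        if old_rid == new_rid:
            return []  # Step 302: no change, send nothing
        new_sg = self.sg_for_asr[new_rid]  # association-table lookup
        responses = [new_sg.install_policy(self.policies[aid])]
        # Only after the new SG has answered is the stale copy removed (FIG. 4 order).
        if old_rid is not None:
            old_sg = self.sg_for_asr[old_rid]
            if old_sg is not new_sg:  # assumption: two ASRs may share one SG
                responses.append(old_sg.delete_policy(aid))
        self.location[aid] = new_rid
        return responses


class Ilr:
    """ILR: keeps the AID -> RID mapping and notifies the PS on each registration."""

    def __init__(self, ps):
        self.ps = ps
        self.mapping = {}  # aid -> RID of the ASR the user is attached to

    def on_location_register(self, aid, asr_rid):
        """Handle an ASR's user location registration request (Step 301)."""
        self.mapping[aid] = asr_rid  # update identity -> location mapping
        ps_responses = self.ps.on_location_notify(aid, asr_rid)
        return ("register-response", asr_rid, aid, "ok"), ps_responses


def run_fig4_scenario():
    """Replay FIG. 4 with constructed data: user AID1 comes online at ASR1
    (served by SG1), re-registers without moving, then moves to ASR2 (SG2).
    Returns the final SG tables, the PS's recorded location and all SG responses."""
    sg1, sg2 = SecurityGateway("SG1"), SecurityGateway("SG2")
    policies = {"AID1": Policy("AID1", ("deny tcp any 23", "allow udp any 53"))}
    ps = PolicyServer(policies, {"RID-ASR1": sg1, "RID-ASR2": sg2})
    ilr = Ilr(ps)
    responses = []
    for rid in ("RID-ASR1", "RID-ASR1", "RID-ASR2"):
        _, sg_responses = ilr.on_location_register("AID1", rid)
        responses.extend(sg_responses)
    return {
        "sg1": sorted(sg1.installed),
        "sg2": sorted(sg2.installed),
        "ps_location": dict(ps.location),
        "responses": responses,
    }


if __name__ == "__main__":
    for key, value in run_fig4_scenario().items():
        print(key, value)
```

The PS keeps the ordering the FIG. 4 steps prescribe: it installs the policy on the new SG and receives that SG's response before issuing the delete to the old SG, so the user is never left without an enforcing gateway during the move; a PS that deleted first would open a window with no policy applied. Policies are keyed by AID rather than by locator, which is what lets the same rules follow the user across ASRs, and that only holds because, as described above, the ASR verifies that each packet carries the user's own AID.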
Abstract
A security policy delivery method, and a network element and system for implementing it, which make it possible to enforce the same security policy for a user across an entire network. The method comprises the following steps: after receiving a user location registration request from an access server (ASR), an identity and location register (ILR) sends a message indicating the user's new location to a policy server (PS); and after receiving the message indicating the user's new location from the ILR, the PS sends the security policy associated with the user to the security enforcement entity at the user's current location. The system comprises an ILR and a PS. The ILR comprises a receiving module and a sending module. The PS comprises a receiving module and a sending module.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201110361684.4 | 2011-11-15 | |
CN201110361684.4A CN103108302B (zh) | 2011-11-15 | 2011-11-15 | Security policy delivery method, and network element and system for implementing the method
Publications (1)
Publication Number | Publication Date
---|---
WO2013071821A1 (fr) | 2013-05-23
Family
ID=48315808
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/CN2012/083791 WO2013071821A1 (fr) | Method for delivering security policies, and network element and system for implementing them | 2011-11-15 | 2012-10-31
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103108302B (fr) |
WO (1) | WO2013071821A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN109429170A (zh) * | 2017-09-01 | 2019-03-05 | China Mobile Communications Co., Ltd. Research Institute | Call processing method, monitoring platform entity and computer-readable storage medium
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20150381658A1 (en) * | 2014-06-30 | 2015-12-31 | Mcafee, Inc. | Premises-aware security and policy orchestration
CN106301901A (zh) * | 2016-08-09 | 2017-01-04 | Beijing VRV Software Co., Ltd. | Policy distribution, execution and update method for terminal devices
CN110943978A (zh) * | 2019-11-14 | 2020-03-31 | Guangtong Tianxia Network Technology Co., Ltd. | Security policy configuration method and apparatus, electronic device and medium
CN111967000B (zh) * | 2020-08-18 | 2024-02-23 | Bank of China Co., Ltd. | Cross-border financial app compliance monitoring method, apparatus and system
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101099332A (zh) * | 2004-09-13 | 2008-01-02 | UTStarcom | Dynamic firewall capabilities for wireless access gateways
CN101123803A (zh) * | 2006-08-11 | 2008-02-13 | Huawei Technologies Co., Ltd. | Processing method for a mobile station state change in a linkage response system
CN101730101A (zh) * | 2009-04-15 | 2010-06-09 | ZTE Corporation | Method, system and apparatus for implementing identity and location separation
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101964778B (zh) * | 2009-07-24 | 2014-07-30 | Huawei Technologies Co., Ltd. | Security assurance method for a host identity tag, and security management server
- 2011-11-15: CN CN201110361684.4A patent/CN103108302B/zh, active
- 2012-10-31: WO PCT/CN2012/083791 patent/WO2013071821A1/fr, active (application filing)
Also Published As
Publication number | Publication date |
---|---|
CN103108302B (zh) | 2018-02-16 |
CN103108302A (zh) | 2013-05-15 |
Similar Documents
Publication | Title
---|---
CN109842906B (zh) | Communication method, apparatus and system
KR101396042B1 (ko) | Dynamic host configuration and network access authentication
US8230480B2 (en) | Method and apparatus for network security based on device security status
JP5811171B2 (ja) | Communication system, database, control device, communication method and program
EP3720100A1 (fr) | Service request processing method and device
US20060109850A1 (en) | IP-SAN network access control list generating method and access control list setup method
JP2014503135A (ja) | Communication system, control device, policy management device, communication method and program
WO2013071821A1 (fr) | Method for delivering security policies, and network element and system for implementing them
JP2005252717A (ja) | Network management method and network management server
US11641341B2 (en) | System and method for remotely filtering network traffic of a customer premise device
CN102571811A (zh) | User access permission control system and method
WO2014206152A1 (fr) | Network security control method and system
JP2008283495A (ja) | Packet transfer system and packet transfer method
WO2013189130A1 (fr) | Communication system and communication method in an ad hoc network based communication system
WO2012075768A1 (fr) | Method and system for controlling a locator/identifier separation network
KR20150066401A (ko) | Data application technology in an M2M environment
WO2012075770A1 (fr) | Blocking method and system in an identity and location separation network
JP4094485B2 (ja) | User terminal connection control method and connection control server
CN117614752B (zh) | Two-layer zero-trust enterprise production network security self-organizing networking method and system
JP2004357234A (ja) | Security management device, security communication device, firewall setting method, firewall setting program, and firewall setting recording medium
CN110753055B (zh) | SDN-based source address authentication method
WO2009039710A1 (fr) | WiMAX network monitoring system and method
Ma et al. | A Service-Based Architecture
WO2012155584A1 (fr) | Authentication management method and system for a network element device
WO2011072531A1 (fr) | Whole-network protection management method and system
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12850594; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 12850594; Country of ref document: EP; Kind code of ref document: A1