WO2020147032A1 - Network security management system, and method therefor - Google Patents


Info

Publication number
WO2020147032A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer terminal
data packet
communication
security management
network
Prior art date
Application number
PCT/CN2019/071967
Other languages
French (fr)
Chinese (zh)
Inventor
王松伟
Original Assignee
永信科技股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming

Definitions

  • The present invention relates to the field of network security, in particular to a network security management system and method.
  • Existing network protection uses a firewall as the line of defense against external attacks.
  • The firewall is configured with the specific packets it accepts: when such a packet arrives it is admitted to the device, and packets outside the configuration are blocked.
  • For ordinary network attacks a firewall is effective: it blocks them, protects the device and its software, and keeps data from being stolen.
  • A firewall, however, can only block packets the device does not accept.
  • Higher-level attacks, such as attacks on system and application vulnerabilities, buffer overflow attacks or Trojan horse programs, it can neither detect nor intercept.
  • Such higher-level attacks disguise themselves as packets the system already permits, pass the firewall into the system, and then paralyze the device or steal confidential data, creating a data security problem.
  • The present invention therefore provides a network security management system and method that confirm whether each transmitted data packet complies with the exclusive communication authority defined between the computer terminals, so that data viruses cannot spread from one terminal to another and the security of data transmission is ensured.
  • An embodiment provides a network security management system installed on a network transmission device of an internal area network.
  • The network transmission device is connected to a plurality of computer terminals.
  • The system comprises a setting module and a checking module. The setting module holds a path table storing, for each computer terminal, its communication authority toward specific other terminals. The checking module receives a data packet sent by one of the terminals; the packet carries communication data. The checking module evaluates that communication data against the path table, and when it complies with the communication authority in the path table the packet is forwarded to the target terminal indicated by the communication data.
  • When the checking module finds that the packet's communication data does not correspond to the path table, it deletes or ignores the packet and optionally returns a failure message.
  • The path table stores each terminal's network-layer Internet Protocol address (IP address) and the communication authority of the transport-layer port used by the application software.
  • The communication data is the IP address or the port of the computer terminal.
  • The path table stores the Media Access Control (MAC) addresses of the permitted computer terminals.
  • The network transmission device is any one of a hub, a switch and a router.
  • The system can thus use the path table held by the setting module to confirm whether the packets each terminal sends comply with the exclusive communication authority between terminals, preventing data viruses from spreading between them and ensuring the security of data transmission.
  • When the checking module finds that a packet's communication data does not correspond to the path table, it deletes the packet and returns a failure message, so that a problematic packet does not remain in the system where it might cause damage or infection.
  • The terminal's MAC address ensures that information is exchanged only with terminals already installed in the internal area network, not with an externally connected terminal, which further secures data transmission.
  • An embodiment provides a network security management method applied to an internal area network.
  • The network transmission device is connected to multiple computer terminals.
  • The method comprises: setting a communication authority for each computer terminal toward specific terminals; when one terminal requests to send a data packet to another, determining whether the packet complies with that communication authority; and, when it does, having the network transmission device forward the packet to the target terminal.
  • When the packet does not comply with the communication authority, it is deleted or ignored and a failure message is optionally returned.
  • The communication authority consists, for each terminal, of the network-layer IP address of the specific terminals and the transport-layer port of the application software.
  • The path table stores the MAC address of the computer terminal.
  • A path table is built in the network transmission device from the communication authority each terminal is allowed toward specific terminals, and is used to decide whether a packet's destination is permitted.
  • The method can thus confirm whether the packets each terminal sends comply with the exclusive communication authority between terminals, preventing data viruses from spreading between them and ensuring the security of data transmission.
  • Figure 1 is a schematic diagram of the connections of the invention.
  • Figure 2 is a schematic diagram of the system architecture of the invention.
  • Figure 3 is a schematic flow diagram of the method of the invention.
  • The present invention provides a network security management system 100 installed on a network transmission device 1 of an internal area network.
  • The network transmission device 1 is connected to a plurality of computer terminals 2.
  • The network transmission device 1 is any one of a hub, a switch and a router.
  • The network security management system 100 comprises a setting module 10 and a checking module 20.
  • The setting module 10 holds a path table 11, which stores, for each computer terminal 2, its communication authority toward specific other terminals 2. The path table 11 stores each terminal's network-layer IP address and the communication authority of the transport-layer port used by the application software, and may further store each terminal's MAC address. In this embodiment, each terminal 2 and the specific terminal 2 it is paired with use the same port.
  • The network transmission device 1 is connected to four computer terminals 2: a first computer terminal 201, a second computer terminal 202, a third computer terminal 203 and a fourth computer terminal 204.
  • The setting module 10 sets the permitted send and receive communication authority in the path table 11 as follows: the first terminal 201 is designated to send information to the IP address of the second terminal 202, and the second terminal 202 to the IP addresses of the third terminal 203 and the fourth terminal 204.
  • The fourth terminal 204 is designated to send information to the IP address of the first terminal 201. Application A on the first terminal 201 uses port number 01, and application A on the second terminal 202 uses the same port number 01; applications B and C on the second terminal 202 use port numbers 02 and 03, and application B on the third terminal 203 uses the same port number 02.
  • Application C on the fourth terminal 204 uses the same port number 03.
  • Application D on the fourth terminal 204 uses port number 04, and application D on the first terminal 201 uses the same port number 04.
  • The path table 11 also stores the MAC addresses of the first, second, third and fourth computer terminals 201, 202, 203 and 204.
  • The checking module 20 receives a data packet sent by one of the computer terminals 2.
  • The packet carries communication data, namely the IP addresses, ports and MAC addresses of the sending terminal and of the target receiving terminal 2.
  • The checking module 20 evaluates the packet's communication data against the path table 11; when it complies with the communication authority in the path table 11, the packet is forwarded according to the communication data to the target terminal 2.
  • When it does not correspond to the path table 11, the checking module 20 deletes the packet and returns a failure message, as shown in Figure 3.
  • When the first terminal 201 asks the network transmission device 1 to send a packet to the second terminal 202, the checking module 20 determines whether the packet's communication data complies with the communication authority in the path table 11: it first identifies the sender as the first terminal 201 from the IP address and MAC address; it then determines that the destination is the IP address of the second terminal 202 and that the port used is port number 01, which matches the path table 11, so the packet is judged to comply with the transmission communication authority.
  • The network transmission device 1 then forwards the packet to the target second terminal 202.
  • Otherwise the network transmission device 1 deletes or ignores the packet and optionally returns failure information to the sending first terminal 201, notifying it that its packet was not delivered to the target second terminal 202. A packet fails to comply with the communication authority of the path table 11 in any one or more of the following situations:
  • The MAC address of the sending terminal 2 is not stored in the path table 11, which means the sender was not originally connected to the internal area network and may be a newly added terminal 2.
  • The packet is not addressed to an IP address that the path table 11 designates for that sender, which means the sending terminal 2 is trying to reach a destination terminal 2 that the path table 11 does not permit.
  • The port of the packet is not a port the path table permits on that path. Since each application uses a specific port for its transmissions, this indicates that the sending terminal 2 is using an application that was not intended to be used on that path.
  • The present invention provides a network security management method comprising the following steps:
  • The communication authority of each computer terminal 2 connected to the internal area network toward specific terminals 2 is set in the network transmission device 1 through the setting module 10.
  • The checking module 20 determines whether the communication data of a packet complies with the communication authority stored in the path table 11.
  • When it does, the network transmission device 1 forwards the packet to the target terminal 2; when it does not, the packet is deleted or ignored and a failure message is optionally returned.
  • The network security management system 100 can thus confirm, through the path table 11 in the setting module 10 and the checking module 20, whether the packets each terminal 2 sends comply with the exclusive communication authority between terminals 2. Even if any endpoint terminal 2 becomes infected with malware or a virus for whatever reason, the terminals 2 are prevented from infecting one another further, ensuring the security of data transmission.
  • The invention only needs to decide whether a packet is allowed or blocked from the IP address and port carried in the packet; it does not need to examine the packet's internal content and transmission characteristics to judge whether it is a virus, as a firewall would. The invention therefore does not affect the transmission speed of the internal network.
  • The network security management system 100 can run on the existing network transmission device 1, achieving fast checking and secure information exchange without affecting the performance of the existing network and without additional hardware.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A network security management system (100) and a method therefor. The network security management system (100) is provided in a network transmission device (1) of an internal area network, and the network transmission device (1) is connected to a plurality of computer terminals (2). The network security management system (100) comprises a setting module and a checking module. The setting module holds a path table, which stores a communication permission of each computer terminal (2) toward specific computer terminals (2). The checking module receives a data packet transmitted by one of the computer terminals (2) and evaluates it by means of the path table; when the communication data of the data packet conforms to the communication permission in the path table, the data packet is transmitted to the corresponding target computer terminal (2) according to the communication data. By this means, mutual data virus infection between the computer terminals (2) can be effectively avoided, ensuring the security of data transmission.

Description

Network security management system and method

Technical field

The present invention relates to the field of network security, in particular to a network security management system and method.

Background

With the development and spread of network technology, networks have become an indispensable part of daily life, and people exchange the information they need over them. During that exchange, however, a computer system may be broken into by an attacker and its data stolen, or the system may be damaged and its data infected.

Technical problem

Existing network protection relies on a firewall as the line of defense against external attacks. The firewall is configured with the specific packets it accepts: when it receives such a packet the packet is admitted to the device, and packets outside the configuration are blocked. For ordinary network attacks a firewall is effective: it blocks them, protects the device and its software, and keeps data from being stolen.

A firewall, however, can only block packets the device does not accept. Higher-level attacks, such as attacks on system and application vulnerabilities, buffer overflow attacks or Trojan horse programs, it can neither detect nor intercept.

Such higher-level attacks disguise themselves as packets the system already permits, pass the firewall into the system, and then paralyze the device or steal confidential data, creating a data security problem.

Technical solution

To solve the above problem, the present invention provides a network security management system and method which confirm whether each transmitted data packet complies with the exclusive communication authority defined between the computer terminals, so that data viruses cannot spread from one terminal to another and the security of data transmission is ensured.
One embodiment of the present invention provides a network security management system installed on a network transmission device of an internal area network, the network transmission device being connected to a plurality of computer terminals. The system comprises a setting module and a checking module. The setting module holds a path table, which stores, for each computer terminal, its communication authority toward specific other terminals. The checking module receives a data packet sent by one of the terminals; the packet carries communication data. The checking module evaluates that communication data against the path table, and when it complies with the communication authority in the path table, the packet is forwarded to the target terminal indicated by the communication data.

In one embodiment, when the checking module finds that the packet's communication data does not correspond to the path table, it deletes or ignores the packet and optionally returns a failure message.

In one embodiment, the path table stores each terminal's network-layer Internet Protocol address (IP address) and the communication authority of the transport-layer port used by the application software.

In one embodiment, the communication data is the IP address or the port of the computer terminal.

In one embodiment, the path table stores the Media Access Control (MAC) addresses of the permitted computer terminals.

In one embodiment, the network transmission device is any one of a hub, a switch and a router.

Through the above, the network security management system of the present invention can use the path table held by the setting module to confirm whether the packets sent by each terminal comply with the exclusive communication authority between terminals, and thereby prevents data viruses from spreading between terminals, ensuring the security of data transmission.

Furthermore, when the checking module finds that a packet's communication data does not correspond to the path table, it deletes the packet and returns a failure message, so that a problematic packet does not remain in the system where it might cause damage or infection.

In addition, the MAC address of a terminal ensures that information is exchanged only with terminals already installed in the internal area network, not with an externally connected terminal, which further secures data transmission.

One embodiment of the present invention provides a network security management method applied to an internal area network whose network transmission device is connected to a plurality of computer terminals. The method comprises: setting, in the network transmission device, a communication authority for each computer terminal toward specific terminals; when one terminal requests to send a data packet to another, determining whether the packet complies with that communication authority; and, when it does, having the network transmission device forward the packet to the target terminal.

In one embodiment, when the packet does not comply with the communication authority, it is deleted or ignored, and a failure message is optionally returned.

In one embodiment, the communication authority consists, for each terminal, of the network-layer IP address of the specific terminals and the transport-layer port of the application software.

In one embodiment, the path table stores the MAC address of the computer terminal.

In one embodiment, a path table is built in the network transmission device from the communication authority each terminal is allowed toward specific terminals, and that table is used to decide whether a packet's destination is permitted.
Beneficial effect

Through the above, the network security management method of the present invention can confirm whether the packets sent by each terminal comply with the exclusive communication authority between terminals, thereby preventing data viruses from spreading between them and ensuring the security of data transmission.

Brief description of the drawings

Figure 1 is a schematic diagram of the connections of the invention.

Figure 2 is a schematic diagram of the system architecture of the invention.

Figure 3 is a schematic flow diagram of the method of the invention.
Description of reference numerals

1 Network transmission device
2 Computer terminal
201 First computer terminal
202 Second computer terminal
203 Third computer terminal
204 Fourth computer terminal
100 Network security management system
10 Setting module
11 Path table
20 Checking module
Best mode for carrying out the invention

To explain the central idea stated in the summary above, specific embodiments are now presented. The objects in the embodiments are drawn at the proportions, sizes, deformations and displacements convenient for explanation, not to the scale of the actual components; this is stated at the outset.

Referring to Figures 1 to 3, the present invention provides a network security management system 100 installed on a network transmission device 1 of an internal area network; the network transmission device 1 is connected to a plurality of computer terminals 2. In this embodiment the network transmission device 1 is any one of a hub, a switch and a router.

The network security management system 100 of the present invention comprises a setting module 10 and a checking module 20.

The setting module 10 holds a path table 11, which stores, for each computer terminal 2, its communication authority toward specific other terminals 2. The path table 11 stores each terminal's network-layer IP address and the communication authority of the transport-layer port used by the application software, and may further store each terminal's MAC address. In this embodiment, each terminal 2 and the specific terminal 2 it is paired with use the same port.
For example, the network transmission device 1 is connected to four computer terminals 2: a first computer terminal 201, a second computer terminal 202, a third computer terminal 203 and a fourth computer terminal 204. The setting module 10 sets the permitted send and receive communication authority in the path table 11 as follows: the first terminal 201 is designated to send information to the IP address of the second terminal 202; the second terminal 202 to the IP addresses of the third terminal 203 and the fourth terminal 204; and the fourth terminal 204 to the IP address of the first terminal 201. Application A on the first terminal 201 uses port number 01, and application A on the second terminal 202 uses the same port number 01; applications B and C on the second terminal 202 use port numbers 02 and 03, application B on the third terminal 203 uses the same port number 02, and application C on the fourth terminal 204 uses the same port number 03; application D on the fourth terminal 204 uses port number 04, and application D on the first terminal 201 uses the same port number 04.

The path table 11 also stores the MAC addresses of the first, second, third and fourth computer terminals 201, 202, 203 and 204.

The checking module 20 receives a data packet sent by one of the computer terminals 2. The packet carries communication data, namely the IP addresses, ports and MAC addresses of the sending terminal and of the target receiving terminal 2. The checking module 20 evaluates the packet's communication data against the path table 11: when the communication data complies with the communication authority in the path table 11, the packet is forwarded according to the communication data to the target terminal 2; when the checking module 20 finds that the communication data does not correspond to the path table 11, it deletes the packet and returns a failure message, as shown in Figure 3.

For example, when the first computer terminal 201 asks the network transmission device 1 to send a data packet to the second computer terminal 202, the checking module 20 determines whether the packet's communication data complies with the communication authority in the path table 11. It first identifies the sender as the first terminal 201 from the IP address and MAC address; it then determines that the packet's destination is the IP address of the second terminal 202 and that the port used is port number 01, which matches the communication authority in the path table 11, so the packet is judged to comply with the transmission communication authority.
所以当检核模块20判断传送第一电脑终端201传送的数据包符合路径表11所储存的通信权限时,则网络传输设备1会将数据包传送至目标第二电脑终端202。Therefore, when the checking module 20 determines that the data packet transmitted by the first computer terminal 201 meets the communication authority stored in the path table 11, the network transmission device 1 transmits the data packet to the target second computer terminal 202.
反之,当第一电脑终端201传送数据包无法符合路径表11的通信权限时,则网络传输设备1可以删除或不理会数据包,并选择是否回传失败信息至传送第一电脑终端201,告知第一电脑终端201所传送的数据包并未顺利传送至目标第二电脑终端202;其中,数据包无法符合路径表11的通信权限有下列任一或以上的情形:Conversely, when the data packet transmitted by the first computer terminal 201 cannot meet the communication authority of the route table 11, the network transmission device 1 can delete or ignore the data packet, and choose whether to return the failure information to the transmission first computer terminal 201, and notify The data packet transmitted by the first computer terminal 201 is not successfully transmitted to the target second computer terminal 202; wherein, the data packet cannot meet the communication authority of the routing table 11 in any or more of the following situations:
一、传送电脑终端2的媒体访问控制地址未储存于路径表11,其表示传送电脑终端2非既有原始连接于内部区域网络中,可能为新增的电脑终端2。1. The media access control address of the transmitting computer terminal 2 is not stored in the path table 11, which means that the transmitting computer terminal 2 is not originally connected to the internal area network, and may be a newly added computer terminal 2.
二、传送电脑终端2所传送的数据包非传送至路径表11中所指定的互联网协议地址,其表示传送电脑终端2想要传送到其他未被允许的目的电脑终端2,而目的电脑终端2并非路径表11所许可的范围。2. The data packet sent by the sending computer terminal 2 is not sent to the Internet Protocol address specified in the path table 11, which means that the sending computer terminal 2 wants to send to another unauthorized destination computer terminal 2, and the destination computer terminal 2 It is not permitted by the path table 11.
三、传送电脑终端2所传送数据包的通信端口并非路径表中所允许的通信端口,由于各应用软件使用特定的通信端口进行资信传递,前述情形则表示传送电脑终端2所使用软件的通信端口非为预设使用的应用软件。3. The communication port that transmits the data packet transmitted by the computer terminal 2 is not the communication port allowed in the path table. Since each application software uses a specific communication port for credit transmission, the foregoing situation indicates the communication port for the software used by the computer terminal 2 Application software not intended to be used by default.
Referring to FIG. 1 to FIG. 3, by means of the network security management system 100 described above, the present invention provides a network security management method comprising the following steps:
The setting module 10 sets, in the network transmission device 1, for each computer terminal 2 connected to the internal local area network, the communication permission corresponding to a specific computer terminal 2.
Next, when one of the computer terminals 2 requests to transmit a data packet to another computer terminal 2, the checking module 20 determines whether the communication data of the data packet meets the communication permissions stored in the path table 11.
When the communication data of the data packet meets the communication permissions, the network transmission device 1 transmits the data packet to the target computer terminal 2; when the communication data of the data packet does not meet the communication permissions, the data packet is deleted or ignored, and a failure message is optionally returned.
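As an added example (not code from the patent), the path table and checking module of the four-terminal scenario above, applying the three rejection situations and the optional failure message of the method steps; the IP and MAC addresses are constructed placeholders, since the patent gives none.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Verdict(Enum):
    """Outcome of checking one packet against the path table."""
    FORWARD = "forwarded to target"
    UNKNOWN_SOURCE = "sender MAC address not in path table"        # situation 1
    DEST_NOT_ALLOWED = "destination IP not permitted for sender"   # situation 2
    PORT_NOT_ALLOWED = "port not permitted for sender/destination"  # situation 3


@dataclass(frozen=True)
class Packet:
    """Communication data carried by a packet (constructed structure)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    port: int


# Path table mirroring the four-terminal example: 201 -> 202 on port 01,
# 202 -> 203 on 02 and 204 on 03, 204 -> 201 on 04. IP and MAC values are
# constructed placeholders; the patent gives none.
KNOWN_MACS: Dict[str, str] = {
    "10.0.0.201": "02:00:00:00:02:01", "10.0.0.202": "02:00:00:00:02:02",
    "10.0.0.203": "02:00:00:00:02:03", "10.0.0.204": "02:00:00:00:02:04",
}
PATH_TABLE: Dict[str, Dict[str, Set[int]]] = {
    "10.0.0.201": {"10.0.0.202": {1}},
    "10.0.0.202": {"10.0.0.203": {2}, "10.0.0.204": {3}},
    "10.0.0.204": {"10.0.0.201": {4}},
}


def check_packet(pkt: Packet, known_macs=KNOWN_MACS, path_table=PATH_TABLE) -> Verdict:
    """Apply the three checks in the order the description lists them."""
    # 1. Identify the sender by IP and MAC together; an unrecorded MAC means a
    #    terminal that was not part of the original internal network.
    if known_macs.get(pkt.src_ip) != pkt.src_mac:
        return Verdict.UNKNOWN_SOURCE
    # 2. The destination must be an IP this sender is designated to reach
    #    (terminal 203 has no entry at all, so it may send to nobody).
    allowed = path_table.get(pkt.src_ip, {})
    if pkt.dst_ip not in allowed:
        return Verdict.DEST_NOT_ALLOWED
    # 3. The port must belong to the application software preset for the pair.
    if pkt.port not in allowed[pkt.dst_ip]:
        return Verdict.PORT_NOT_ALLOWED
    return Verdict.FORWARD


def process(pkt: Packet, report: bool = True) -> Tuple[bool, Optional[str]]:
    """Forward, or discard and optionally return a failure message to the sender."""
    verdict = check_packet(pkt)
    if verdict is Verdict.FORWARD:
        return True, None
    return False, (verdict.value if report else None)
```

Because permissions are one-directional, a packet from terminal 203 is dropped even though its MAC is known, which is the containment effect the summary below describes.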
In summary, the effects that the present invention can achieve are:
1. The network security management system 100 of the present invention can, through the path table 11 stored by the setting module 10 and the checking module 20, confirm whether the data packets transmitted by each computer terminal 2 meet the dedicated communication permissions between the computer terminals 2. In this way, even if the computer terminal 2 at any endpoint becomes infected with a malicious program or virus for whatever reason, further spread of the virus between computer terminals 2 is effectively prevented, ensuring the security of data transmission.
2. The present invention only needs the Internet Protocol address and the communication port in the data packet to decide whether to allow or block the packet; unlike a firewall, it does not need to inspect the actual internal transmission characteristics and content of the data packet to judge whether it is a virus. Therefore, the present invention does not affect the transmission speed of the internal network.
3. The network security management system 100 of the present invention can operate on the network transmission device 1, so that rapid checking and secure exchange of information are achieved without affecting the performance of the existing network and without adding hardware equipment.
4. When a data packet cannot be matched to the path table 11, the data packet is deleted and a failure message is returned; this prevents problematic data packets from remaining in the network security management system 100 and removes the risk that such packets could cause corruption or infection.
Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the present invention.

Claims (11)

  1. A network security management system, set up on a network transmission device of an internal local area network, the network transmission device being connected to a plurality of computer terminals, characterized in that the network security management system comprises:
    a setting module provided with a path table, the path table storing, for each computer terminal, the communication permission corresponding to said computer terminals; and
    a checking module for receiving a data packet transmitted by one of the computer terminals, the data packet carrying communication data; the checking module evaluates the communication data against the path table, wherein, when the communication data of the data packet meets the communication permission in the path table, the data packet is transmitted according to the communication data to the corresponding target computer terminal.
  2. The network security management system of claim 1, characterized in that when the checking module determines that the communication data of the data packet cannot be matched to the path table, the checking module deletes or ignores the data packet and optionally returns a failure message.
  3. The network security management system of claim 1, characterized in that the path table stores the communication permissions of the Internet Protocol addresses of the computer terminals at the network layer and of the communication ports used by application software at the transport layer.
  4. The network security management system of claim 3, characterized in that the communication data is the Internet Protocol address or the communication port of said computer terminal.
  5. The network security management system of claim 3, characterized in that the path table stores the media access control addresses of the permitted computer terminals.
  6. The network security management system of claim 1, characterized in that the network transmission device is any one selected from a hub, a switch and a router.
  7. A network security management method, applied to an internal local area network in which a network transmission device is connected to a plurality of computer terminals, characterized in that the network security management method comprises the following steps:
    setting, on the network transmission device, a communication permission for each computer terminal corresponding to a specific computer terminal;
    when one of the computer terminals requests to transmit a data packet to another computer terminal, determining whether the data packet meets the communication permission; and
    when the data packet meets the communication permission, the network transmission device transmitting the data packet to the target computer terminal.
  8. The network security management method of claim 7, characterized in that when the data packet does not meet the communication permission, the data packet is deleted or ignored and a failure message is optionally returned.
  9. The network security management method of claim 7, characterized in that the communication permission is, for each computer terminal, the Internet Protocol address of a specific said computer terminal at the network layer and the communication port of the application software at the transport layer.
  10. The network security management method of claim 7, characterized in that a path table is established in the network transmission device according to the communication permission that each computer terminal is allowed to transmit to said computer terminals, and the path table is used to determine whether the transmission target of the data packet is permitted.
  11. The network security management method of claim 10, characterized in that the path table stores the media access control addresses of said computer terminals.
PCT/CN2019/071967 2019-01-16 2019-01-16 Network security management system, and method therefor WO2020147032A1 (en)
Publications (1)

Publication Number Publication Date
WO2020147032A1 true WO2020147032A1 (en) 2020-07-23