CN101902371A - Security control method, signature key sending method, terminal, server and system - Google Patents


Info

Publication number
CN101902371A
Authority
CN
China
Prior art keywords
terminal
network application
signature key
network
conversation request
Legal status
Pending
Application number
CN 201010239403
Other languages
Chinese (zh)
Inventor
尹瀚
宋成
陈震
黄石海
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The invention provides a centralized network application security control method, a signature key sending method, a terminal, an NACC (Network Application Control Center) server and a system. The method comprises the following steps: when a security validation claim host firewall (SHF) deployed on a terminal detects a session request initiated by the terminal, and the SHF determines that the network application of the session request satisfies the acquired network application control security policy, requesting and acquiring a first signature key for the session request from the NACC server; the SHF generating a corresponding security validation claim (SVC) according to the first signature key and sending the SVC to the opposite terminal; and, if the SHF receives a message from the opposite terminal indicating that the SVC was verified successfully, establishing the session. The network applications on the terminal are thereby controlled so that only applications conforming to the security policy carry out normal network communication, which improves the security of the internal network.

Description

Security control method, signature key sending method, terminal, server and system
Technical field
The present invention relates to the field of Internet technology, and in particular to a centralized network application security control method, a signature key sending method, a terminal, an NACC server and a system.
Background technology
With the rapid development of the Internet, network applications have become increasingly rich, and the programs installed on network terminals increasingly numerous and varied. Most of these programs carry no security assertion, and threats such as Trojan horses, viruses, malicious code and backdoors may well be hidden in them. In an intranet environment, if the programs on network terminals are not effectively controlled, some malicious programs, especially those with network connectivity and Internet communication functions, are likely to endanger intranet security, attack intranet machines and cause heavy losses. Controlling the network applications on intranet terminals is therefore extremely important.
Traditional intranet security protection is weak at controlling the programs on network terminals. Most network-based security devices, for example firewalls and intrusion detection systems (IDS), can analyze and judge the security of a network session only at the network protocol level and cannot identify or detect the actual program taking part in the session. Security protection software installed on a network terminal (for example anti-virus software or a personal firewall) can identify and detect local programs, but cannot obtain security information about the program at the peer end. Hence, from the perspective of the network session, the security state of each participating terminal may differ, yet each party can only identify the other's basic information (for example IP address and host name) from the network protocol layer and cannot tell whether the other party's host and communicating program are genuine and trustworthy; the program communicating with it may in fact be a hacker program.
In researching and practising the prior art, the inventors found that in existing implementations that rely on network-based security devices, the network administrator has no way of knowing the security of a network terminal before it accesses the network; once a terminal controlled by a hacker, Trojan, worm or virus has joined, the intranet is likely to be damaged and the threat propagated, exposing the intranet to serious danger. Where a personal firewall is used for protection, it does not control each session individually, so the control granularity is coarse, and there is no basis for judging external access requests.
Summary of the invention
The embodiments of the present invention provide a centralized network application security control method, a signature key sending method, a terminal, an NACC server and a system, so that the network applications on a terminal are controlled, network applications that conform to the security policy carry out normal network communication, and intranet security is thereby improved.
To this end, an embodiment of the present invention provides a centralized network application security control method, the method comprising:
when a security validation claim host firewall (SHF) deployed on a terminal detects that the terminal initiates a session request, if the SHF deployed on the terminal determines that the network application of the session request satisfies the acquired network application control security policy, requesting and acquiring a first signature key for the session request from a Network Application Control Center (NACC) server;
the SHF deployed on the terminal generating a corresponding security validation claim (SVC) according to the first signature key, and sending the SVC to the opposite end;
if the SHF deployed on the terminal receives a message returned by the opposite end indicating that the SVC was verified successfully, the session is established successfully.
An embodiment of the present invention provides a signature key sending method, the method comprising:
a Network Application Control Center (NACC) server receiving a session request sent by a first terminal;
the NACC server generating, according to the session request, a first signature key for a session between the first terminal and a second terminal;
the NACC server returning the first signature key to the first terminal.
An embodiment of the present invention also provides a centralized network application security control method, the method comprising:
when a network device with a security validation claim network firewall (SNF) detects that an external terminal initiates a session request for a session with an intranet terminal, if the SNF network device determines that the network application of the session request satisfies the acquired network application control security policy, requesting and acquiring a first signature key for the session request from the NACC server;
the SNF network device generating a corresponding security validation claim (SVC) according to the first signature key, and sending the SVC to the intranet terminal;
if the SNF network device receives a message returned by the intranet terminal indicating that the SVC was verified successfully, the session is established successfully.
Correspondingly, an embodiment of the present invention provides a terminal on which a security validation claim host firewall (SHF) is deployed, the SHF comprising:
a monitoring unit, configured to monitor whether the terminal initiates a session request;
a session signature key acquiring unit, configured to acquire a first signature key for the session request from the NACC server when the monitoring unit detects that the terminal initiates a session request and the network application of the detected session request satisfies the acquired network application control security policy;
a generation unit, configured to generate a corresponding security validation claim (SVC) according to the first signature key;
a transceiver unit, configured to send the SVC to the opposite end and to receive the message returned by the opposite end indicating that the SVC was verified successfully, the message indicating that the session is established successfully.
An embodiment of the present invention also provides an NACC server, comprising:
a session request receiving unit, configured to receive a session request sent by a first terminal;
a session signature key generation unit, configured to generate, according to the session request, a first signature key for a session between the first terminal and a second terminal;
a session signature key sending unit, configured to return the first signature key to the first terminal.
An embodiment of the present invention also provides a network device with a security validation claim network firewall (SNF), comprising:
a session request detecting unit, configured to monitor whether an external terminal initiates a session request for a session with an intranet terminal;
a session signature key acquiring unit, configured to request and acquire a first signature key for the session request from the NACC server when the session request detecting unit detects a session request and the network application of the detected session request satisfies the acquired network application control security policy;
a generation unit, configured to generate a corresponding security validation claim (SVC) according to the first signature key;
a transceiver unit, configured to send the SVC to the intranet terminal and to receive the message returned by the intranet terminal indicating that the SVC was verified successfully, the message indicating that the session is established successfully.
An embodiment of the present invention also provides a centralized network application security control system, comprising a terminal on which a security validation claim host firewall (SHF) is deployed and a Network Application Control Center (NACC) server, wherein:
the SHF is configured to monitor the terminal when it initiates a session request; if it determines that the network application of the session request satisfies the acquired network application control security policy, to request and acquire a first signature key for the session request from the NACC server; to generate a corresponding security validation claim (SVC) according to the first signature key and send the SVC to the opposite end; and, when it receives the message returned by the opposite end indicating that the SVC was verified successfully, the session is established successfully;
the NACC server is configured to receive the session request sent by the terminal, to generate, according to the session request, a first signature key for a session between the terminal and a target terminal, and to send the first signature key to the terminal.
It can be seen from the above that, in the embodiments of the present invention, because an SHF is deployed on the terminal, the SHF detects each session request the terminal initiates and determines whether the network application of the session request satisfies the acquired network application control security policy. If it does, the SHF sends a session request to the NACC server; the NACC server generates, according to the session request, a first signature key for the session between the first terminal and the second terminal and returns it to the terminal. The terminal then generates a corresponding security validation claim (SVC) according to the first signature key, sends the SVC to the opposite end and, when it receives the message from the opposite end indicating that the SVC was verified successfully, the session is established successfully. In other words, the SHF deployed on the terminal can inspect the initiating and receiving program of each network session, judge whether it satisfies the acquired network application control security policy, and allow the session if it does. Network applications that conform to the network application control security policy can thus carry out normal network communication, improving the security of the whole network.
Description of drawings
Fig. 1 is a flow chart of a centralized network application security control method provided in an embodiment of the present invention;
Fig. 2 is a flow chart of a signature key sending method provided in an embodiment of the present invention;
Fig. 3 is a flow chart of another centralized network application security control method provided in an embodiment of the present invention;
Fig. 4 is a first application example of a centralized network application security control method provided in an embodiment of the present invention;
Fig. 5 is a second application example of a centralized network application security control method provided in an embodiment of the present invention;
Fig. 6 is a third application example of a centralized network application security control method provided in an embodiment of the present invention;
Fig. 7 is a fourth application example of a centralized network application security control method provided in an embodiment of the present invention;
Fig. 8a is a schematic structural diagram of a terminal provided in an embodiment of the present invention;
Fig. 8b is a schematic structural diagram of another terminal provided in an embodiment of the present invention;
Fig. 9a is a schematic structural diagram of an NACC server provided in an embodiment of the present invention;
Fig. 9b is a schematic structural diagram of another NACC server provided in an embodiment of the present invention;
Fig. 10a is a schematic structural diagram of a network device with a security validation claim network firewall (SNF) provided in an embodiment of the present invention;
Fig. 10b is a schematic structural diagram of another network device with a security validation claim network firewall (SNF) provided in an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a centralized network application security control system provided in an embodiment of the present invention.
Embodiment
In order to make the solutions of the embodiments of the present invention better understood by those skilled in the art, the embodiments are described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, a flow chart of a centralized network application security control method provided in an embodiment of the present invention: in this embodiment a security validation claim host firewall (SHF) is first deployed on the terminal, and the SHF obtains from the network application control center server the network application control security policy configured in advance for the terminal. The method comprises:
Step 101: when the SHF deployed on the terminal detects that the terminal initiates a session request, if the SHF determines that the network application of the session request satisfies the acquired network application control security policy, it requests and acquires a first signature key for the session request from the Network Application Control Center (NACC) server. Here the first signature key is the signature key used for the session/communication between this terminal and the target terminal, and may also be called the session signature key;
In step 101, when the SHF deployed on the terminal detects that the terminal initiates a session request, it judges the network application of the session request, i.e. it determines whether the network application satisfies the acquired network application control security policy. If so, the network application is allowed to communicate, that is, the SHF requests and acquires the first signature key for the session request from the NACC server; if not, the network application is blocked, improving the security of network applications. For example, when the SHF deployed on the terminal detects that the terminal initiates a session establishment request, the SHF extracts features of the session request with a hash algorithm and matches them against the control security policy. If the match succeeds, the terminal is allowed to acquire the session signature key for the session request from the network application control center server; if the match fails, the request is blocked or refused, or the relevant information is reported to the NACC server, according to the configuration.
Step 102: the SHF deployed on the terminal generates a corresponding security validation claim (SVC) according to the first signature key, and sends the SVC to the opposite end;
Step 103: if the SHF deployed on the terminal receives a message returned by the opposite end indicating that the SVC was verified successfully, the session is established successfully.
It can be seen that the embodiment of the present invention provides a centralized network application security control method whose purpose is strict control of the network applications on intranet terminals (such as the establishment of session connections), so that network applications conforming to the network application control security policy can carry out normal network communication while non-compliant network applications are blocked, abnormal traffic is discovered and alerted on promptly, and intranet security is improved.
In the above embodiment, if the session request is one initiated by a first intranet terminal towards a second intranet terminal, the opposite end is another intranet terminal that has the SVC host firewall function;
if the session request is one initiated by an intranet terminal towards an external terminal, the opposite end is a network device with an SVC network firewall.
In this embodiment the security validation claim (SVC, Security Validation Claim) may comprise network session feature information and signature information. The network session feature information may include, but is not limited to: the main program identifier of the network application, the basic information of the session and the claim validity period, and may further include an integrity claim for the program. The basic information of the session comprises the protocol type (such as TCP/UDP/IP/ICMP), protocol source port number, protocol destination port number, source address, destination address and so on; the main program identifier is the identifier of the program that initiated the request. The signature information is obtained by performing a signature operation over the network session feature information with the session signature key; the signature operation may hash the network feature information with the session signature key, or encrypt it with the session signature key. This is not limiting: other session feature information and signature information may also be included, and this embodiment does not restrict them.
The SVC in this embodiment is a set of descriptive data produced by the security check software on a terminal (such as a host), namely the SHF (the SVC host firewall, SVC Host Firewall), after it has checked the security and legitimacy of the program initiating a network session (by verifying the program's software integrity or by other criteria). The SVC comprises: the main program identifier of the network application, the integrity claim of the program (optional), the basic information of the session (such as protocol type, source/destination IP address and ports), the claim validity period, the signature, and so on.
An SVC may be stored in a fixed data structure, in XML or in another textual description format, and may be sent over the network by UDP or TCP to the target terminal (such as an intranet terminal) or to an external network device (such as the SNF network device). Within an internal network, a unified description format should be adopted so that security components can recognize each other's SVCs.
Further, in the above embodiment, the method may also comprise: extracting the feature information of the network application of the detected session request with a hash algorithm, and matching the extraction result against the network application control security policy; if the match succeeds, determining that the network application of the session request satisfies the network application control security policy. In this embodiment the algorithm is not limited to a hash algorithm; other suitable algorithms may also be used.
Further, in the above embodiment, generating the corresponding security validation claim (SVC) according to the session signature key comprises: the SHF deployed on the terminal checking the security and legitimacy of the session request according to the session signature key and, after the security and legitimacy check passes, producing an SVC comprising network session feature information and signature information.
Further, in the above embodiment, the method may also comprise:
if the SHF deployed on the terminal judges that the network application does not satisfy the network application control security policy acquired in advance, reporting the relevant information to the network application control center server and blocking the session request.
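One way to instantiate the SHF-side policy check of step 101 and the block-and-report path just described, as an added example that is not part of the patent: the initiating program is fingerprinted with a hash (SHA-256 here, an assumption), matched against an allow-list policy keyed by fingerprint and (protocol, destination port), and a violation is recorded for reporting to the NACC. The policy format, the program images and the report sink are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SessionRequest:
    """What the SHF observes when a local program initiates a session."""
    program_name: str
    program_image: bytes        # bytes of the initiating program (constructed)
    protocol: str
    dst_ip: str
    dst_port: int


def program_fingerprint(image: bytes) -> str:
    """Feature extraction with a hash algorithm (SHA-256 is this example's choice)."""
    return "sha256:" + hashlib.sha256(image).hexdigest()


def build_policy(entries: List[Tuple[bytes, str, int]]) -> Dict[str, Set[Tuple[str, int]]]:
    """Allow-list policy: program fingerprint -> {(protocol, dst_port), ...}.
    Stand-in for the policy the NACC configures and pushes to the terminal."""
    policy: Dict[str, Set[Tuple[str, int]]] = {}
    for image, proto, port in entries:
        policy.setdefault(program_fingerprint(image), set()).add((proto, port))
    return policy


def matches_policy(req: SessionRequest, policy: Dict[str, Set[Tuple[str, int]]]) -> bool:
    """Match the extracted features against the control security policy."""
    allowed = policy.get(program_fingerprint(req.program_image))
    return allowed is not None and (req.protocol, req.dst_port) in allowed


@dataclass
class SHFPolicyEnforcer:
    policy: Dict[str, Set[Tuple[str, int]]]
    reports: List[dict] = field(default_factory=list)   # stand-in for reports to the NACC

    def decide(self, req: SessionRequest) -> str:
        """'request_session_key' when the policy is satisfied (the SHF would then
        ask the NACC for the session signature key); otherwise block and report."""
        if matches_policy(req, self.policy):
            return "request_session_key"
        self.reports.append({
            "event": "policy_violation",
            "program": req.program_name,
            "fingerprint": program_fingerprint(req.program_image),
            "session": (req.protocol, req.dst_ip, req.dst_port),
        })
        return "block"

    def update_policy(self, new_policy: Dict[str, Set[Tuple[str, int]]]) -> None:
        """Policy refresh as periodically pushed by the NACC."""
        self.policy = new_policy


# Constructed sample images standing in for program binaries.
BROWSER_IMAGE = b"\x7fELF constructed browser image"
UPDATER_IMAGE = b"\x7fELF constructed updater image"
UNKNOWN_IMAGE = b"\x7fELF constructed unknown image"

SAMPLE_POLICY = build_policy([
    (BROWSER_IMAGE, "TCP", 443),
    (BROWSER_IMAGE, "TCP", 80),
    (UPDATER_IMAGE, "TCP", 443),
])


def demo() -> Tuple[List[str], int]:
    """Three session requests: allowed, same program on an unlisted port, unknown program."""
    shf = SHFPolicyEnforcer(SAMPLE_POLICY)
    decisions = [
        shf.decide(SessionRequest("browser", BROWSER_IMAGE, "TCP", "10.0.0.5", 443)),
        shf.decide(SessionRequest("browser", BROWSER_IMAGE, "TCP", "10.0.0.5", 22)),
        shf.decide(SessionRequest("helper", UNKNOWN_IMAGE, "TCP", "10.0.0.5", 443)),
    ]
    return decisions, len(shf.reports)


if __name__ == "__main__":
    print(demo())   # (['request_session_key', 'block', 'block'], 2)
```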
Further, in the above embodiment, the method may also comprise: the SHF deployed on the terminal sending a registration request to the network application control center server to request a second signature key for this terminal; the SHF deployed on the terminal receiving the second signature key returned by the NACC, so that it can initiate session establishment requests. The second signature key is the terminal signature key.
Further, in the above embodiment, the method may also comprise:
the SHF deployed on the terminal periodically receiving the network application control security policy sent by the network application control center server, and updating the acquired network application control security policy.
In the embodiment of the present invention, the SHF deployed on the terminal can inspect the initiating and receiving program of each network session and judge whether it satisfies the acquired network application control security policy; if so the session is allowed, and if not it is blocked. Network applications conforming to the network application control security policy can thus carry out normal network communication, improving the security of the whole network and strengthening protection of the network boundary. That is, external access sessions initiated from the intranet are controlled at fine granularity, access control can be performed at the program level of the network application, and hidden malicious traffic can be discovered promptly. At the same time, a terminal on which the SHF is installed gains stronger access control capability: it can obtain summary information about the application program requesting a connection and formulate its access control policy on that basis. Further, the network application control center server can collect, monitor and control network application usage across the whole intranet in a unified way.
In other words, the security control mechanism provided by the embodiment of the present invention can perform a security check on, and issue a claim for, the initiating and receiving program of each network session, and can decide whether to allow or forbid the session according to the result, thereby improving the security of the whole network to a great extent; compared with conventional security protection, the control granularity is finer and the control strength higher.
Correspondingly, referring to Fig. 2, a flow chart of a signature key sending method provided in an embodiment of the present invention: in this embodiment the first signature key is the session signature key, and the second signature key is the terminal's own signature key. The method comprises:
Step 201: a Network Application Control Center (NACC) server receives a session request from a first terminal;
Step 202: the NACC server generates, according to the session request, a first signature key for the session between the first terminal and a second terminal;
Step 203: the NACC server sends the first signature key to the first terminal.
Before step 201, the method may also comprise:
the NACC server receiving a registration request sent by the first terminal;
the NACC server verifying the registration request of the first terminal and, when verification succeeds, generating a second signature key;
the NACC server sending this second signature key to the first terminal.
Before step 201, the method may also comprise: the NACC server centrally and uniformly configuring in advance the network application control security policy for each terminal in the intranet, and sending the network application control security policy to the terminal.
Generating, according to the session request, the first signature key for the session between the first terminal and the second terminal comprises: the NACC server performing a hash calculation over the signature key of the second terminal associated with the session request and the session feature information contained in the session request, thereby obtaining the first signature key. The calculation may be a hash calculation or another algorithm; this embodiment does not restrict it.
In this embodiment, the Network Application Control Center (NACC) is deployed on a server. The NACC is a group of service programs whose basic functions comprise: centrally and uniformly configuring the network application control policies of the intranet; providing policy distribution to the network application control security components; receiving and supervising the control events reported by the network application control security components; and providing signature key management, i.e. the network application control security component deployed on each terminal can query the NACC server over a secure channel for its own signature key (i.e. the second signature key) and for the signature key of the SVC used to communicate with the target terminal (i.e. the first signature key). The SVC signature key is important information used to guarantee the authenticity of the SVC and prevent forgery, so a complete handling scheme is required; the embodiment of the present invention provides a simple and effective implementation mode, but is not limited to it:
the NACC server dynamically generates a signature key KEYs (i.e. the second signature key) for each terminal, and manages the KEYs of each terminal;
after a terminal joins the intranet, the security component on it, the SVC host firewall (SHF, SVC Host Firewall), first registers with the NACC and obtains its own signature key KEYs;
when an SVC needs to be sent to a destination host IP, the SHF deployed on the terminal queries the NACC server for the signature key for that host IP; the NACC server computes over the KEYs of the destination host and the IP of the requesting host to obtain the session key KEYcs (i.e. the first signature key), and sends the session key KEYcs to the requesting terminal. The computation may derive KEYcs by a hash; it may also ... hash KEYs together with the network feature information, or with part of it such as the destination IP address, to obtain KEYcs; other algorithms may also be used, and this embodiment does not restrict it.
Because the SHF on the destination host can directly compute the session key KEYcs for each incoming session from its own KEYs combined with the source IP address in the SVC, it can verify the authenticity of the SVC. The session key KEYcs may be obtained by an operation over the terminal signature key KEYs and the network session feature information, or over the terminal signature key KEYs and part of the network session feature information.
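The key scheme above (KEYs issued on registration, KEYcs derived from the destination's KEYs and the requesting host's IP, SVC signed with KEYcs and verified by the peer from its own KEYs), as an added example that is not the patent's or Huawei's code. Assumptions: the hash is instantiated as HMAC-SHA256, the SVC is serialised as JSON, and the secure channel to the NACC is modelled as a direct call; all addresses, program identifiers and keys are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def derive_keycs(keys_dst: bytes, src_ip: str) -> bytes:
    """KEYcs = hash over the destination terminal's KEYs and the requesting
    host's IP (HMAC-SHA256 is this example's instantiation of the hash)."""
    return hmac.new(keys_dst, src_ip.encode(), hashlib.sha256).digest()


def canonical(feature: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(feature, sort_keys=True, separators=(",", ":")).encode()


class NACC:
    """Network Application Control Center: issues KEYs on registration and
    KEYcs on session request (constructed stand-in for the NACC server)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}          # terminal IP -> KEYs

    def register(self, terminal_ip: str) -> bytes:
        keys = secrets.token_bytes(32)             # second signature key
        self._keys[terminal_ip] = keys
        return keys

    def session_key(self, src_ip: str, dst_ip: str) -> bytes:
        if dst_ip not in self._keys:
            raise KeyError(f"unregistered destination {dst_ip}")
        return derive_keycs(self._keys[dst_ip], src_ip)   # first signature key


class SHF:
    """SVC host firewall on one terminal: builds SVCs as initiator, verifies them as peer."""

    def __init__(self, ip: str, nacc: NACC) -> None:
        self.ip = ip
        self.nacc = nacc
        self.keys = nacc.register(ip)              # registration step

    def build_svc(self, program_id: str, proto: str, sport: int,
                  dst_ip: str, dport: int, ttl: int = 60) -> str:
        """Feature info (program id, session basics, validity) plus signature."""
        feature = {
            "program_id": program_id,
            "protocol": proto,
            "src_ip": self.ip, "src_port": sport,
            "dst_ip": dst_ip, "dst_port": dport,
            "valid_until": int(time.time()) + ttl,
        }
        keycs = self.nacc.session_key(self.ip, dst_ip)
        sig = hmac.new(keycs, canonical(feature), hashlib.sha256).hexdigest()
        return json.dumps({"feature": feature, "signature": sig})

    def verify_svc(self, svc_json: str, now: Optional[float] = None) -> bool:
        """Peer side: recompute KEYcs from own KEYs and the SVC's source IP,
        then check validity period and signature without contacting the NACC."""
        svc = json.loads(svc_json)
        feature, sig = svc["feature"], svc["signature"]
        if feature["dst_ip"] != self.ip:           # KEYcs is bound to this host's KEYs
            return False
        now = time.time() if now is None else now
        if feature["valid_until"] < now:
            return False
        keycs = derive_keycs(self.keys, feature["src_ip"])
        expected = hmac.new(keycs, canonical(feature), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


def demo_exchange() -> Tuple[bool, bool, bool]:
    """Genuine SVC verifies; a tampered SVC and one replayed to another host do not."""
    nacc = NACC()
    a, b, c = SHF("10.0.0.11", nacc), SHF("10.0.0.22", nacc), SHF("10.0.0.33", nacc)
    svc = a.build_svc("sha256:constructed-program-a", "TCP", 51000, b.ip, 443)
    genuine = b.verify_svc(svc)
    tampered = json.loads(svc)
    tampered["feature"]["program_id"] = "sha256:constructed-other-program"
    forged = b.verify_svc(json.dumps(tampered))
    wrong_host = c.verify_svc(svc)
    return genuine, forged, wrong_host


if __name__ == "__main__":
    print(demo_exchange())   # (True, False, False)
```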
Refer also to Fig. 3, a flowchart of another centralized network application security monitoring method provided by the embodiment of the invention. In this embodiment the first signature key is the session signature key and the second signature key is the terminal's own signature key, also abbreviated as the terminal signature key. The method comprises:
Step 301: when the network device with the security verification certificate network firewall SNF detects that an extranet terminal initiates a session request to an intranet terminal, if the SNF network device determines that the network application of the session request satisfies the obtained network application monitoring security policy, it requests and obtains the first signature key for the session request from the network application control center NACC server;
Step 302: the SNF network device generates the corresponding security verification certificate SVC from the first signature key and sends the SVC to the intranet terminal;
The security verification certificate SVC comprises the network session characteristic information and the signature information, as detailed above.
Step 303: if the SNF network device receives a message from the intranet terminal that the SVC was verified successfully, the session is established.
Further, the method may also comprise: the SNF extracts the characteristic information of the network application of the session request with a hash algorithm and matches it against the network application monitoring security policy; if the match succeeds, the network application of the session request is determined to satisfy the obtained network application monitoring security policy.
Further, generating the security verification certificate SVC comprises: the SNF network device checks the security and legitimacy of the session request according to the session signature key, and after those checks pass, produces a security verification certificate SVC that includes the network session characteristic information and the signature information.
This embodiment covers an extranet terminal requesting a session with an intranet terminal. When the SNF on the network device detects the extranet terminal accessing the intranet terminal, it uses the intranet application monitoring security policy obtained from the intranet's network application control center server to judge whether the network application of the session request satisfies that policy. If it does, the session is allowed through; otherwise the network application is blocked. The security of the network is thereby improved.
For ease of understanding by those skilled in the art, concrete application examples are given below.
Refer to Fig. 4, the first application example of the centralized network application security monitoring method provided by the embodiment of the invention, which shows the terminal registration process. In this example the administrator configures the network application monitoring security policy on the NACC server in advance and sets the detection characteristic values of the programs whose network applications are permitted on intranet terminals; a detection characteristic value may be bound to an IP address. A terminal in this example is either a terminal with SHF software or a network device with SNF software. For convenience, the intranet terminal is taken to be an SHF terminal and the network device to be a device with SNF; the registration processes for an SHF terminal and an SNF network device are similar, and comprise:
Step 401: the NACC server configures the network application monitoring security policy and sets the detection characteristic values of the programs whose network applications are permitted on intranet terminals;
Alternatively, the administrator configures the network application monitoring security policy and the detection characteristic values of the permitted programs on the NACC server.
Step 402: after the SHF terminal/SNF network device joins the intranet, it sends a registration request to the designated NACC server to obtain its own signature key KEYs; this KEYs is the terminal signature key;
Step 403: the NACC server verifies the SHF terminal or SNF network device; if verification succeeds, it generates the terminal signature key of the SHF terminal or the signature key of the SNF network device according to the registration request. For convenience of description, the signature keys of the SHF terminal and of the SNF network device are both denoted KEYs in this example, but in practice the two keys are different.
Step 404: the NACC server sends the signature key KEYs to the SHF terminal/SNF network device and distributes the network application monitoring security policy at the same time.
Further, after registration succeeds, the SHF terminal/SNF network device can periodically receive new network application monitoring security policies issued by the NACC and update the policy it originally held.
In this embodiment, the NACC server performs centralized, unified configuration of the network application monitoring policy used to monitor intranet terminals and distributes the policy to each intranet terminal. It also provides signature key management: after each SHF terminal/SNF network device joins the intranet, it can query the NACC server over a secure channel for its own signature key and for the session signature key used to communicate with a target terminal. The session signature key is used mainly to generate the security verification certificate SVC, and the SVC is the critical item that guarantees the authenticity of the network application and prevents forgery.
Further, when this terminal later needs to generate an SVC for a target terminal IP, the SHF terminal requests and obtains the session signature key KEYcs for that session from the NACC server. The NACC server hashes the KEYs of the target terminal together with the IP of the requesting terminal to obtain the session signature key KEYcs, and sends KEYcs to the requesting terminal;
Because the target SHF terminal can directly compute the KEYcs of each incoming session from its own KEYs combined with the source IP address in the SVC, it can verify the authenticity of the SVC.
Refer also to Fig. 5, the second application example of the centralized network application security monitoring method provided by the invention, which shows a session established within the intranet. In this example terminal 1 and terminal 2 are both terminals with SHF software, i.e. SHF terminal 1 and SHF terminal 2. The process by which SHF terminal 1 and SHF terminal 2 establish a session comprises:
Step 501: SHF terminal 1 initiates a session request to terminal 2;
Step 502: SHF terminal 1 (understood as the SHF deployed on terminal 1, likewise below) monitors the network application of the requested session according to the network application monitoring security policy obtained from the NACC server; the policy may have been obtained in advance or obtained in real time during session establishment, and this embodiment does not limit this.
Step 503: SHF terminal 1 judges whether the network application matches the obtained network application monitoring security policy; if not, step 504 is executed; otherwise step 505 is executed;
Step 504: SHF terminal 1 reports the relevant information to the NACC server, blocks or rejects the session request, and ends it;
Step 505: SHF terminal 1 sends a session request to the NACC server, requesting the session signature key for the session with SHF terminal 2;
Step 506: the NACC server generates the session signature key for this session according to the session request;
Step 507: the NACC server sends the session signature key to SHF terminal 1;
The NACC server generates the signature key of this session by hashing the KEYs of SHF terminal 2 together with the IP of SHF terminal 1, obtaining the session signature key KEYcs, which it sends to SHF terminal 1;
Step 508: after receiving the session signature key, SHF terminal 1 generates a security verification certificate SVC;
Step 509: SHF terminal 1 sends the SVC to SHF terminal 2;
Step 510: SHF terminal 2 verifies the legitimacy of the received SVC; if legitimate, step 511 is executed; otherwise step 512 is executed;
Step 511: if the SVC is legitimate, the session between SHF terminal 2 and SHF terminal 1 is established;
Step 512: if the SVC is illegitimate, establishment of the session between SHF terminal 2 and SHF terminal 1 fails.
In this example, when a session is established within the intranet, the network application with which SHF terminal 1 initiates the session is monitored and checked against the obtained network application monitoring security policy. If it satisfies the policy, SHF terminal 1 is allowed to initiate the session: it obtains the session signature key for the request from the NACC server, generates an SVC from it, sends the SVC to SHF terminal 2, and the session is established when the verification success message from SHF terminal 2 is received. That is, this example monitors the network application of a session request initiated by a terminal on the intranet: the SHF terminal 1 that initiates the request is inspected, the network application initiating the session is checked against the obtained policy, sessions that satisfy the policy are allowed, a security verification certificate SVC is produced for each such session and sent to the peer before the session is allowed, and network applications that do not satisfy the policy are blocked or interrupted. In other words, the SHF terminal of this example (a terminal with a personal firewall that has SVC processing capability) extends the personal firewall function of a conventional terminal (one with an existing personal firewall) and opens a new market space: a terminal with the SVC-capable personal firewall provided here can identify not only the program information of local applications but also that of applications accessing it, which improves the security of the network.
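The following is an added example, not code from the patent or from Huawei: a stand-alone simulation of the key scheme described under Fig. 3, the registration of Fig. 4 and the session flow of Fig. 5 above. It plays the NACC, SHF terminal 1 and SHF terminal 2 in one process. The patent specifies KEYcs only as "a hash of the target's KEYs and the requester's IP" and does not fix the SVC layout or the program characteristic value; this example assumes HMAC-SHA256 for the derivation and the signature, a SHA-256 over the program image as the detection characteristic value, and a JSON record of source IP, destination IP, destination port and program feature as the network session characteristic information. Class and function names are this example's own.

```python
"""Added example: simulation of NACC registration, KEYcs derivation and
SVC generation/verification. Field layout, HMAC-SHA256 and all names are
assumptions of this example, not the patent's specification."""
import hashlib
import hmac
import json
import secrets


def derive_kcs(target_keys: bytes, requester_ip: str) -> bytes:
    """Session signature key KEYcs = Hash(KEYs of target, IP of requester).
    HMAC is used for the "hash" so the secret KEYs is a key input rather
    than a prefix of the hashed message (assumption of this example)."""
    return hmac.new(target_keys, requester_ip.encode(), hashlib.sha256).digest()


def program_feature(program_bytes: bytes) -> str:
    """Detection characteristic value of a program: SHA-256 over its image
    (the patent does not fix which fields are hashed)."""
    return hashlib.sha256(program_bytes).hexdigest()


def canonical(features: dict) -> bytes:
    """Deterministic encoding of the session characteristic information."""
    return json.dumps(features, sort_keys=True).encode()


class NACC:
    """Steps 401-404 (registration, policy) and 505-507 (KEYcs issuance)."""
    def __init__(self, policy):
        self.policy = policy            # ip -> set of permitted feature values
        self.terminal_keys = {}         # ip -> KEYs

    def register(self, ip):
        keys = secrets.token_bytes(32)  # KEYs, generated per terminal
        self.terminal_keys[ip] = keys
        return keys, set(self.policy.get(ip, ()))

    def session_key(self, requester_ip, target_ip):
        return derive_kcs(self.terminal_keys[target_ip], requester_ip)


class SHF:
    """The SVC Host Firewall on one terminal."""
    def __init__(self, ip, nacc):
        self.ip, self.nacc = ip, nacc
        self.keys, self.policy = nacc.register(ip)        # steps 402-404

    def build_svc(self, target_ip, dst_port, program_bytes):
        """Steps 502-508. Returns None when the application is blocked."""
        if program_feature(program_bytes) not in self.policy:
            return None                                    # step 504: block
        kcs = self.nacc.session_key(self.ip, target_ip)    # steps 505-507
        features = {"src_ip": self.ip, "dst_ip": target_ip,
                    "dst_port": dst_port, "app": program_feature(program_bytes)}
        sig = hmac.new(kcs, canonical(features), hashlib.sha256).hexdigest()
        return {"features": features, "sig": sig}          # step 508

    def verify_svc(self, svc, packet_src_ip):
        """Step 510. The receiver never contacts the NACC: it rederives KEYcs
        from its own KEYs and the source IP carried in the SVC."""
        f = svc["features"]
        # Added checks: the SVC must be addressed to this host and the
        # claimed source must match where the packet actually came from.
        if f["dst_ip"] != self.ip or f["src_ip"] != packet_src_ip:
            return False
        kcs = derive_kcs(self.keys, f["src_ip"])
        expected = hmac.new(kcs, canonical(f), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, svc["sig"])


def run_demo():
    """Plays Fig. 5 with constructed inputs and returns the outcomes."""
    allowed_app = b"constructed bytes of a permitted client program"
    rogue_app = b"constructed bytes of a program not in the policy"
    policy = {"10.0.0.1": {program_feature(allowed_app)}}
    nacc = NACC(policy)
    t1, t2 = SHF("10.0.0.1", nacc), SHF("10.0.0.2", nacc)

    svc = t1.build_svc("10.0.0.2", 443, allowed_app)
    genuine = t2.verify_svc(svc, "10.0.0.1")             # steps 509-511

    blocked = t1.build_svc("10.0.0.2", 443, rogue_app)   # step 504 -> None

    tampered = json.loads(json.dumps(svc))
    tampered["features"]["dst_port"] = 22                 # altered after signing
    tampered_ok = t2.verify_svc(tampered, "10.0.0.1")

    # A third host that never obtained KEYcs for (10.0.0.3 -> 10.0.0.2).
    forged = {"features": {"src_ip": "10.0.0.3", "dst_ip": "10.0.0.2",
                           "dst_port": 443, "app": program_feature(allowed_app)},
              "sig": hmac.new(b"guess", b"x", hashlib.sha256).hexdigest()}
    forged_ok = t2.verify_svc(forged, "10.0.0.3")

    # Replaying terminal 1's valid SVC from another address.
    replayed_ok = t2.verify_svc(svc, "10.0.0.3")

    return {"genuine": genuine, "blocked": blocked is None,
            "tampered": tampered_ok, "forged": forged_ok, "replayed": replayed_ok}
```

Two points the simulation makes visible. First, only the NACC and the target hold the target's KEYs, so the initiator cannot derive KEYcs itself and must obtain it from the NACC after the policy check of step 503; a valid SVC therefore tells the receiver that the NACC issued a key for this (source IP, target) pair, provided the NACC-to-terminal channel is secure as the text requires. Second, what the receiver can conclude is bound to the source IP address, not to the program: the check of which program initiated the session is performed by the initiator's own SHF, so the receiver is trusting that SHF's policy decision. The source-IP and destination-IP checks in verify_svc are additions of this example; the patent describes only the recomputation of KEYcs from the receiver's KEYs and the source IP in the SVC.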
Refer also to Fig. 6, the third application example of the centralized network application security monitoring method provided by the embodiment of the invention, which shows an intranet terminal requesting a session with an extranet terminal. In this example terminal 1 is an intranet terminal with SHF software, i.e. the SHF intranet terminal; the network server of the intranet is a server with SNF software, i.e. the SNF server (or network device); and the monitoring server of the intranet is a server with NACC software, i.e. the NACC server. The process by which the intranet terminal requests a session with the extranet terminal comprises:
Step 601: the SHF intranet terminal initiates a session request to an extranet terminal;
Step 602: the SHF intranet terminal monitors the network application of the requested session according to the network application monitoring security policy obtained in advance from the NACC server;
Step 603: the SHF intranet terminal judges whether the network application matches the policy obtained in advance; if not, step 604 is executed; otherwise step 605 is executed;
Step 604: the SHF intranet terminal reports the relevant information to the NACC server, blocks or rejects the session request, and ends it;
Step 605: the SHF intranet terminal requests and obtains the signature key for this session from the NACC server;
Step 606: the NACC server generates the session signature key for this session;
Step 607: the NACC server sends the session signature key to the SHF intranet terminal;
Step 608: after receiving the session signature key, the SHF intranet terminal generates a security verification certificate SVC;
Step 609: the SHF intranet terminal sends the SVC to the corresponding SNF server (the server on which the SVC network firewall is deployed);
Step 610: the SNF server verifies the legitimacy of the received SVC; if legitimate, step 611 is executed;
Step 611: if the SVC is legitimate, the session is established.
If the SVC is illegitimate, session establishment fails and no connection is made to the extranet terminal (not shown).
This example is the process by which an intranet terminal initiates a session with an extranet terminal. It is essentially the same as the second application example; the difference is that the SHF intranet terminal must send the generated SVC to the SNF server for verification, and the session is established when the SNF server returns a verification success message. That is, a network (border) firewall with SVC processing capability remedies the defect that a traditional firewall can identify network applications only from the network protocol, and it controls the network boundary more strongly; it is especially suitable for controlling the Internet egress of an enterprise network.
Refer also to Fig. 7, the fourth application example of the centralized network application security monitoring method provided by the invention, which shows an extranet terminal requesting a session with an intranet terminal. In this example terminal 1 is an intranet terminal with SHF software, i.e. the SHF intranet terminal; the network server of the intranet is a server with SNF software, i.e. the SNF server; and the monitoring server of the intranet is a server with NACC software, i.e. the NACC server. The process by which the extranet terminal requests a session with the intranet terminal comprises:
Step 701: the extranet terminal requests a session with the SHF intranet terminal through the SNF server;
Step 702: the SNF server judges whether the network application of the requested session satisfies the intranet application monitoring security policy obtained in advance from the NACC server; if not, step 703 is executed; otherwise step 704 is executed;
Step 703: the SNF server discards the session request, refuses access, and ends the establishment of this session;
Step 704: the SNF server sends a session request to the NACC server, requesting the session signature key for this session;
Step 705: the NACC server generates the session signature key for this session according to the session request;
Step 706: the NACC server sends the session signature key to the SNF server;
Step 707: the SNF server generates an SVC for the session request from the session signature key;
Step 708: the SNF server sends the SVC to the corresponding SHF intranet terminal;
Step 709: the SHF intranet terminal verifies the legitimacy of the SVC; if legitimate, step 710 is executed;
Step 710: if the SVC is legitimate, the session is established.
If the SVC is illegitimate, session establishment fails (not shown).
In this example, because the SNF server carries a network (border) firewall with SVC processing capability, it remedies the defect that a traditional firewall can identify network applications only from the network protocol, controls the network boundary more strongly, and is especially suitable for controlling the Internet egress of an enterprise network.
The embodiment of the invention also provides a terminal, whose structure is shown in Fig. 8a. A security verification certificate personal firewall SHF is deployed on the terminal and comprises a monitoring unit 81, a session signature key acquiring unit 82, a generation unit 83 and a transceiver unit 84, wherein:
the monitoring unit 81 is configured to monitor whether the terminal initiates a session request;
the session signature key acquiring unit 82 is configured to obtain the first signature key for the session request from the network application control center NACC server when the monitoring unit detects that the terminal initiates a session request and the network application of that request satisfies the obtained network application monitoring security policy;
the generation unit 83 is configured to generate the corresponding security verification certificate SVC from the first signature key;
the transceiver unit 84 is configured to send the SVC to the peer and to receive the message returned by the peer that the SVC was verified successfully, which message indicates that the session is established.
Further, as shown in Fig. 8b, the terminal may also comprise a determining unit 85, configured, when the monitoring unit detects that the terminal initiates a request to establish a session, to extract the characteristic information of the network application of that request with a hash algorithm and match the extracted result against the network application monitoring security policy; if the match succeeds, the network application is determined to satisfy the policy, and if the extracted result does not match the policy, the network application is determined not to satisfy it;
Accordingly, the session signature key acquiring unit 82 is specifically configured to request and obtain the first signature key for the session request from the NACC server when the determining unit determines that the network application of the session request satisfies the obtained network application monitoring security policy.
Further, the terminal may also comprise a security policy acquiring unit 89, configured to obtain the pre-configured network application monitoring security policy from the network application control center server in advance.
Further, the terminal may also comprise a reporting unit 88, configured to report the relevant information to the network application control center server and stop the session request when the network application does not satisfy the obtained network application monitoring security policy.
Further, the terminal may also comprise a registering unit 86 and a terminal signature key acquiring unit 87, wherein the registering unit 86 is configured to send a registration request to the NACC server after the terminal joins the network, requesting the second signature key of the terminal, and the terminal signature key acquiring unit 87 is configured to receive the second signature key sent by the NACC server so that the terminal can initiate session requests. The structure is shown in Fig. 8b.
Further, the terminal may also comprise an updating unit 80, configured to periodically receive the new network application monitoring security policy sent by the network application control center server and update the obtained policy.
The implementation of each unit in the device follows the corresponding method described above and is not repeated here.
As can be seen, in the embodiment of the invention, because a security verification certificate personal firewall SHF is deployed on the terminal, when the terminal initiates a session request the SHF monitors the request and determines whether its network application satisfies the obtained network application monitoring security policy; if so, it sends a session request to the network application control center NACC server, which generates from it the first signature key for the session between the first terminal and the second terminal and returns that key to the terminal. The terminal then generates the corresponding security verification certificate SVC from the first signature key and sends it to the peer, and when it receives the peer's message that the SVC was verified successfully, the session is established. That is, the SHF deployed on the terminal can monitor the initiating and receiving programs of each network session, judge whether they satisfy the obtained policy, and let the session through if they do. Network applications that conform to the policy can thus communicate normally, and the security of the whole network is improved.
Accordingly, the embodiment of the invention also provides an NACC server, whose structure is shown in Fig. 9a. The device comprises a session request receiving unit 91, a session signature key generation unit 92 and a session signature key transmitting unit 93, wherein:
the session request receiving unit 91 is configured to receive the session request sent by the first terminal, the session request requesting the session signature key for a session with the target terminal;
the session signature key generation unit 92 is configured to generate, according to the session request, the first signature key for the session between the first terminal and the second terminal;
the session signature key transmitting unit 93 is configured to return the first signature key to the first terminal.
Further, as shown in Fig. 9b, the NACC server may also comprise a registration request receiving unit 94, an authentication unit 95, a terminal signature key generation unit 96 and a terminal signature key transmitting unit 97, wherein:
the registration request receiving unit 94 is configured to receive the registration request sent by the first terminal;
the authentication unit 95 is configured to verify the registration request of the first terminal;
the terminal signature key generation unit 96 is configured to generate the second signature key of the first terminal when the verification by the authentication unit succeeds;
the terminal signature key transmitting unit 97 is configured to send the second signature key to the first terminal so that the first terminal can initiate session requests.
In this embodiment the session signature key generation unit 92 is specifically configured to hash the signature key of the second terminal associated with the session request together with the characteristic information of the session contained in the session request, obtaining the first signature key.
Further, the device may also comprise a security policy configuring unit and a security policy transmitting unit (not shown); the security policy configuring unit is configured to perform centralized, unified configuration of the network application monitoring security policy of each terminal in the intranet in advance, and the security policy transmitting unit is configured to send the network application monitoring security policy to a terminal when it receives that terminal's request to establish a session.
The implementation of each unit in the device follows the corresponding method described above and is not repeated here.
As can be seen, in the embodiment of the invention, when a first terminal on which a security verification certificate personal firewall SHF is deployed initiates a session request, the NACC server generates from that request the first signature key for the session between the first terminal and the second terminal and returns it to the first terminal, so that the first terminal can generate the corresponding security verification certificate SVC from the first signature key and send the SVC to the peer; when the peer's message that the SVC was verified successfully is received, the session is established.
Because the security verification certificate personal firewall SHF is deployed on the terminal, when the terminal initiates a session request the SHF monitors it, determines whether its network application satisfies the obtained network application monitoring security policy and, if so, sends a session request to the network application control center NACC server. That is, the SHF deployed on the terminal can monitor the initiating and receiving programs of each network session, judge whether they satisfy the obtained policy, and let the session through if they do. Network applications that conform to the policy can thus communicate normally, and the security of the whole network is improved.
Accordingly, the embodiment of the invention also provides a network device with a security verification certificate network firewall SNF, whose structure is shown in Fig. 10a. The device comprises a session request detecting unit 110, a session signature key acquiring unit 111, a generation unit 112 and a transceiver unit 113, wherein:
the session request detecting unit 110 is configured to monitor whether an extranet terminal initiates a session request to an intranet terminal;
the session signature key acquiring unit 111 is configured to request and obtain the first signature key for the session request from the NACC server when the session request detecting unit detects a session request and the network application of that request satisfies the obtained network application monitoring security policy;
the generation unit 112 is configured to generate the corresponding security verification certificate SVC from the first signature key;
the transceiver unit 113 is configured to send the SVC to the intranet terminal and to receive the message returned by the intranet terminal that the SVC was verified successfully, which message indicates that the session is established.
Further, as shown in Fig. 10b, the device may also comprise a determining unit 114, configured, when the session request detecting unit 110 detects that an extranet terminal initiates a session request to an intranet terminal, to extract the characteristic information of the network application of the session request with a hash algorithm and match the extracted result against the network application monitoring security policy; if the match succeeds, the network application is determined to satisfy the policy;
the session signature key acquiring unit 111 is specifically configured to request and obtain the first signature key for the session request from the NACC server when the determining unit 114 determines that the network application of the session request satisfies the network application monitoring security policy obtained from the NACC server.
Further, the device may also comprise an updating unit 115, configured to periodically receive the new network application monitoring security policy sent by the NACC server and update the obtained policy.
The implementation of each unit in the device follows the corresponding method described above and is not repeated here.
As can be seen, in the embodiment of the invention, when the network device with the security verification certificate network firewall SNF detects that an extranet terminal initiates a session request to an intranet terminal, if the SNF network device determines that the network application of the request satisfies the obtained network application monitoring security policy, it requests and obtains the first signature key for the request from the network application control center NACC server; the SNF network device generates the corresponding security verification certificate SVC from the first signature key and sends it to the intranet terminal; and if the SNF network device receives the intranet terminal's message that the SVC was verified successfully, the session is established. That is, the SNF network device can monitor the initiating and receiving programs of each network session, judge whether they satisfy the obtained policy, and let the session through if they do. Network applications that conform to the policy can thus communicate normally, and the security of the whole network is improved.
Accordingly, the embodiment of the invention also provides a centralized network application security control system, whose structure is shown in Figure 11. The system comprises a terminal 121 on which a security verification certificate personal firewall (SHF) is deployed, and a network application control center (NACC) server 122, wherein:
The SHF deployed on the terminal is configured to monitor the terminal for initiated session requests; when it determines that the network application of a session request satisfies the obtained network application control security policy, it requests and obtains the first signature key of the session request from the NACC server; it generates the corresponding security verification certificate (SVC) according to the first signature key and sends the SVC to the peer; and when it receives a message returned by the peer indicating that the SVC was verified successfully, the session is established successfully;
The NACC server 122 is configured to receive the session request sent by the terminal, to generate according to the session request the first signature key for the session between the terminal and the target terminal, and to send the first signature key to the terminal.
If the session request initiated by the terminal is a session request from a first intranet terminal to a second intranet terminal, the peer is another terminal in the intranet that has the SVC personal firewall function;
If the session request initiated by the terminal is a session request from an intranet terminal to an extranet terminal, the peer is a network device with an SVC network firewall.
Further, the system may also include a security verification certificate network firewall (SNF) network device (not shown), configured to monitor session requests initiated by extranet terminals towards intranet terminals; when it determines that the network application of such a session request satisfies the obtained network application control security policy, it requests and obtains the first signature key of the session request from the NACC server; it generates the corresponding SVC according to the first signature key and sends the SVC to the intranet terminal; and when it receives a message returned by the intranet terminal indicating that the SVC was verified successfully, the session is established successfully.
The implementation process of each unit in the system is described in detail under the corresponding method above and is not repeated here.
In the embodiment of the invention, the network application control security policy is configured in advance on the NACC server, and the SVC personal firewall (SHF) must be installed on the host of each terminal. A security verification certificate (SVC) is a set of descriptive data produced after the security and legitimacy of the program initiating a given network session have been checked. The procedure comprises: when a terminal host accesses the network, the SHF deployed on it registers with the designated NACC; for a network application that does not conform to the NACC security policy, the network access request is blocked or rejected, or the relevant information is reported to the NACC, according to configuration; for a network application that conforms to the NACC security policy, the SHF produces an SVC, which is sent to the corresponding SVC network firewall (SNF) if the session target address is in the extranet, or to the SHF of the peer node if it is in the intranet; the SHF deployed on a terminal monitors and receives SVCs from requesting nodes and establishes the session if the SVC meets the security policy, otherwise service is denied. The SNF monitors and receives SVCs from intranet nodes and lets the session through if the SVC meets the security policy, otherwise service is denied; at the same time it monitors network session requests arriving from the extranet, generates SVCs for legitimate requests and sends them to the corresponding intranet terminals.
For ease of understanding, consider the following typical application example:
Suppose that in a certain intranet environment the administrator only allows PC nodes to communicate with each other through a specific program PA, whose server-side TCP port is 1234 and whose client-side TCP port is assigned at random by the operating system. The administrator extracts the features of PA and configures the policy on the NACC. Taking two intranet computers PC1 and PC2 as an example, both nodes have SHF deployed; the basic workflow of the control system when PA communicates between these two nodes is as follows.
After PC1 and PC2 connect to the intranet, their respective SHFs register with the NACC, obtain their respective session signature keys, and update the network application control security policy set by the NACC.
When the PA program on PC1 initiates a TCP connection request session S1 towards the PA program on PC2, the SHF on PC1 monitors this event according to the NACC security policy, extracts the features of PA using a hash algorithm, and matches them against the security policy. According to the rules, this application may provide a TCP listening service and may initiate outbound connections, so the connection request session S1 is allowed to pass.
Before the first network packet of session S1 is sent, the SHF on PC1 generates a security verification certificate SVC and sends it to PC2. The SVC contains the TCP characteristic information of S1 (protocol type, source address, destination address, source port and destination port) together with identification information of the initiating program PA and so on.
The SHF on PC2 monitors and receives SVCs from requesting nodes. After receiving the SVC for S1, the SHF checks its validity based on information such as the signature and the time, and judges that S1 passes. Subsequently, when the TCP request packet of S1 arrives, the SHF matches its TCP five-tuple against the valid SVC previously received for S1, and the session is allowed to pass.
If another computer PC3 connects to the intranet and, for whatever reason, has no SHF installed, and the PA program on it also attempts to access the PA on PC2, then no corresponding SVC is sent to PC2 before the connection is initiated; the SHF on PC2 therefore blocks the session after monitoring this event, and may send an alarm to the NACC. The security of the whole network is thus improved to a great extent.
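The PC1/PC2/PC3 workflow above, as an added Python model that is not part of the patent or of any Huawei implementation: NACC, SHF, SVC, the program PA and port 1234 come from the page; HMAC-SHA256 as the "hash calculation", the message layout, the 30-second freshness window, and the peer recomputing the session key from its own terminal key are assumptions made here.

```python
import hashlib
import hmac
import json
import secrets
import time

SVC_MAX_AGE = 30  # seconds; assumed validity window for an SVC timestamp

def _canon(obj) -> bytes:  # canonical bytes so both sides hash identical input
    return json.dumps(obj, sort_keys=True).encode()

def app_fingerprint(program_image: bytes) -> str:
    """Feature extraction of the network application (the page's 'hash algorithm')."""
    return hashlib.sha256(program_image).hexdigest()

class NACC:
    """Network Application Control Center: policy store, key issuer, alarm sink."""
    def __init__(self, policy):
        # policy: program fingerprint -> {"listen": set of TCP ports, "connect": bool}
        self.policy = policy
        self.terminal_keys = {}  # terminal address -> second (terminal) signature key
        self.alarms = []

    def register(self, address):
        """Registration: issue the terminal's second signature key and the policy."""
        key = secrets.token_bytes(32)
        self.terminal_keys[address] = key
        return key, self.policy

    def session_key(self, five_tuple):
        """First signature key = hash of target terminal key + session characteristics (claim 9); HMAC-SHA256 assumed."""
        target_key = self.terminal_keys[five_tuple["dst"]]
        return hmac.new(target_key, _canon(five_tuple), hashlib.sha256).digest()

    def report(self, reporter, info):  # alarm channel used by an SHF when it blocks a session
        self.alarms.append((reporter, info))

def svc_mac(session_key: bytes, five_tuple, app_hash: str, ts: int) -> str:
    """Signature carried in the SVC over its TCP characteristics, program id and time."""
    return hmac.new(session_key, _canon([five_tuple, app_hash, ts]), hashlib.sha256).hexdigest()

class SHF:
    """SVC personal firewall deployed on one terminal."""
    def __init__(self, address, nacc):
        self.address, self.nacc = address, nacc
        self.key, self.policy = nacc.register(address)  # register on network access
        self.accepted = {}  # canonical five-tuple -> timestamp of the verified SVC

    def allowed(self, app_hash, port):
        rule = self.policy.get(app_hash)
        return rule is not None and rule["connect"] and port in rule["listen"]

    def outbound_connect(self, program_image, five_tuple, now=None):
        """Session request monitored: match policy, fetch the session key, build the SVC."""
        app_hash = app_fingerprint(program_image)
        if not self.allowed(app_hash, five_tuple["dport"]):
            self.nacc.report(self.address, {"blocked_outbound": five_tuple})
            return None
        skey = self.nacc.session_key(five_tuple)
        ts = int(time.time() if now is None else now)
        return {"tuple": five_tuple, "app": app_hash, "ts": ts,
                "mac": svc_mac(skey, five_tuple, app_hash, ts)}

    def receive_svc(self, svc, now=None):
        """Peer: check addressing and time, recompute session key from own terminal key (assumed), verify MAC, apply policy."""
        now = int(time.time() if now is None else now)
        if svc["tuple"]["dst"] != self.address or abs(now - svc["ts"]) > SVC_MAX_AGE:
            return False
        skey = hmac.new(self.key, _canon(svc["tuple"]), hashlib.sha256).digest()
        expected = svc_mac(skey, svc["tuple"], svc["app"], svc["ts"])
        if not hmac.compare_digest(expected, svc["mac"]):
            return False
        if not self.allowed(svc["app"], svc["tuple"]["dport"]):
            return False
        self.accepted[_canon(svc["tuple"])] = svc["ts"]
        return True

    def inbound_packet(self, five_tuple):
        """TCP request arrives: pass only if a verified SVC for this five-tuple exists (single use); else block and alarm."""
        if self.accepted.pop(_canon(five_tuple), None) is not None:
            return True
        self.nacc.report(self.address, {"no_svc": five_tuple})
        return False

def run_scenario():
    """Constructed scenario from the page: PC1 and PC2 run SHF, PC3 does not."""
    pa_image = b"constructed image of program PA"
    nacc = NACC({app_fingerprint(pa_image): {"listen": {1234}, "connect": True}})
    pc1, pc2 = SHF("10.0.0.1", nacc), SHF("10.0.0.2", nacc)
    s1 = {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40001, "dport": 1234}
    svc = pc1.outbound_connect(pa_image, s1)       # SVC goes to PC2 before the first packet
    svc_ok = pc2.receive_svc(svc)
    s1_ok = pc2.inbound_packet(s1)                  # five-tuple matches the verified SVC
    s3 = {"proto": "tcp", "src": "10.0.0.3", "dst": "10.0.0.2", "sport": 40002, "dport": 1234}
    s3_ok = pc2.inbound_packet(s3)                  # PC3 has no SHF, so no SVC preceded it
    forged_ok = pc2.receive_svc(dict(svc, app="0" * 64))  # altered program id breaks the MAC
    return {"svc_ok": svc_ok, "s1_ok": s1_ok, "s3_ok": s3_ok, "forged_ok": forged_ok, "alarms": len(nacc.alarms)}
```

Running `run_scenario()` yields one NACC alarm, raised by PC2's SHF for the PC3 request that arrived without a preceding SVC.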
This shows that the embodiment of the invention provides a network application management mechanism with stronger supervision and control capability than traditional approaches, suitable for enterprise networks with higher security requirements. Further, because the terminals in this embodiment have a personal firewall with SVC processing capability installed, such a terminal can identify not only the program information of local applications but also the program information of incoming applications, which improves network security. Further, a network (border) firewall device or network server with SVC processing capability can make up for the shortcoming of a traditional firewall, which can only identify network applications by their network protocol; its control over the network boundary is stronger, which further improves network security.
It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may in essence be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention or in parts of the embodiments.
The above is only a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (26)

1. A centralized network application security control method, characterized by comprising:
when a security verification certificate personal firewall (SHF) deployed on a terminal monitors the terminal initiating a session request, if the SHF deployed on the terminal determines that the network application of the session request satisfies the obtained network application control security policy, requesting and obtaining the first signature key of the session request from the network application control center (NACC) server;
the SHF deployed on the terminal generating the corresponding security verification certificate (SVC) according to the first signature key, and sending the SVC to the peer;
if the SHF deployed on the terminal receives a message returned by the peer indicating that the SVC was verified successfully, the session being established successfully.
2. The method according to claim 1, characterized in that,
if the session request is a session request initiated by a first intranet terminal towards a second intranet terminal, the peer is another terminal in the intranet that has the SVC personal firewall function;
if the session request is a session request initiated by an intranet terminal towards an extranet terminal, the peer is a network device with an SVC network firewall.
3. The method according to claim 1, characterized in that the method further comprises:
extracting the characteristic information of the network application of the monitored session request using a hash algorithm, and matching the extraction result against the network application control security policy; if the match succeeds, determining that the network application of the session request satisfies the network application control security policy.
4. The method according to claim 1, characterized in that generating the corresponding security verification certificate (SVC) according to the session signature key comprises: the SHF deployed on the terminal performing security and legitimacy detection on the session request according to the session signature key, and after the security and legitimacy detection passes, producing a security verification certificate (SVC) that contains the network session characteristic information and signature information.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the SHF deployed on the terminal sending a registration request to the network application control center server to request a second signature key for the terminal;
the SHF deployed on the terminal receiving the second signature key returned by the NACC, so that it can initiate session requests.
6. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the SHF deployed on the terminal periodically receiving the network application control security policy sent by the network application control center server, and updating the obtained network application control security policy.
7. A method for sending a signature key, characterized by comprising:
a network application control center (NACC) server receiving a session request sent by a first terminal;
the NACC server generating, according to the session request, a first signature key used for a session between the first terminal and a second terminal;
the NACC server returning the first signature key to the first terminal.
8. The method according to claim 7, characterized in that the method further comprises:
the NACC server receiving a registration request sent by the first terminal;
the NACC server verifying the registration request of the first terminal and, when the verification succeeds, generating a second signature key;
the NACC server sending the second signature key to the first terminal.
9. The method according to claim 7 or 8, characterized in that generating, according to the session request, the first signature key used for the session between the first terminal and the second terminal comprises: the NACC server performing a hash calculation over the signature key of the second terminal associated with the session request and the session characteristic information contained in the session request, obtaining the first signature key.
10. A centralized network application security control method, characterized by comprising:
when a security verification certificate network firewall (SNF) network device monitors an extranet terminal initiating a session request for a session with an intranet terminal, if the SNF network device determines that the network application of the session request satisfies the obtained network application control security policy, requesting and obtaining the first signature key of the session request from the network application control center (NACC) server;
the SNF network device generating the corresponding security verification certificate (SVC) according to the first signature key, and sending the SVC to the intranet terminal;
if the SNF network device receives a message returned by the intranet terminal indicating that the SVC was verified successfully, the session being established successfully.
11. The method according to claim 10, characterized in that the method further comprises:
extracting the characteristic information of the network application of the session request using a hash algorithm and matching it against the network application control security policy; if the match succeeds, determining that the network application of the session request satisfies the obtained network application control security policy.
12. The method according to claim 10 or 11, characterized in that generating the security verification certificate (SVC) comprises: the SNF network device performing security and legitimacy detection on the session request according to the session signature key, and after the security and legitimacy detection passes, producing a security verification certificate (SVC) that contains the network session characteristic information and signature information.
13. A terminal, characterized in that a security verification certificate personal firewall (SHF) is deployed on the terminal, the SHF comprising:
a monitoring unit, configured to monitor whether the terminal initiates a session request;
a session signature key acquiring unit, configured to obtain the first signature key of the session request from the network application control center (NACC) server when the monitoring unit monitors the terminal initiating a session request and the network application of the monitored session request satisfies the obtained network application control security policy;
a generating unit, configured to generate the corresponding security verification certificate (SVC) according to the first signature key;
a transceiver unit, configured to send the SVC to the peer and to receive the message returned by the peer indicating that the SVC was verified successfully, the message indicating that the session is established successfully.
14. The device according to claim 13, characterized by further comprising: a determining unit, configured to, when the monitoring unit monitors the terminal initiating a session establishment request, extract the characteristic information of the network application of the session establishment request using a hash algorithm and match the extraction result against the network application control security policy; if the match succeeds, determine that the network application satisfies the network application control security policy; and when the extraction result does not match the network application control security policy, determine that the network application does not satisfy the network application control security policy;
the session signature key acquiring unit being specifically configured to request and obtain the first signature key of the session request from the NACC server when the determining unit determines that the network application of the session request satisfies the obtained network application control security policy.
15. The device according to claim 13 or 14, characterized by further comprising:
a reporting unit, configured to report the relevant information to the network application control center server and to terminate the session request when the network application does not satisfy the obtained network application control security policy.
16. The device according to claim 13 or 14, characterized by further comprising:
a registration unit, configured to send a registration request to the NACC server in advance, after the terminal accesses the network, to request a second signature key for the terminal;
a terminal signature key acquiring unit, configured to receive the second signature key sent by the NACC server.
17. The device according to claim 13 or 14, characterized by further comprising:
an updating unit, configured to periodically receive the new network application control security policy sent by the NACC server and to update the obtained network application control security policy.
18. An NACC server, characterized by comprising:
a session request receiving unit, configured to receive a session request sent by a first terminal;
a session signature key generating unit, configured to generate, according to the session request, a first signature key for a session between the first terminal and a second terminal;
a session signature key sending unit, configured to return the first signature key to the first terminal.
19. The device according to claim 18, characterized by further comprising:
a registration request receiving unit, configured to receive a registration request sent by the first terminal;
a verification unit, configured to verify the registration request of the first terminal;
a terminal signature key generating unit, configured to generate a second signature key for the first terminal when the verification by the verification unit succeeds;
a terminal signature key sending unit, configured to send the second signature key to the first terminal.
20. The device according to claim 18 or 19, characterized in that the session signature key generating unit is specifically configured to perform a hash calculation over the signature key of the second terminal associated with the session request and the session characteristic information contained in the session request, obtaining the first signature key.
21. A network device having a security verification certificate network firewall (SNF), characterized by comprising:
a session request detecting unit, configured to monitor whether an extranet terminal initiates a session request for a session with an intranet terminal;
a session signature key acquiring unit, configured to request and obtain the first signature key of the session request from the NACC server when the session request detecting unit monitors a session request and the network application of the detected session request satisfies the obtained network application control security policy;
a generating unit, configured to generate the corresponding security verification certificate (SVC) according to the first signature key;
a transceiver unit, configured to send the SVC to the intranet terminal and to receive the message returned by the intranet terminal indicating that the SVC was verified successfully, the message indicating that the session is established successfully.
22. The device according to claim 21, characterized by further comprising:
a determining unit, configured to, when the session request detecting unit monitors an extranet terminal initiating a session request for a session with an intranet terminal, extract the characteristic information of the network application of the session request using a hash algorithm and match the extraction result against the network application control security policy; if the match succeeds, determine that the network application satisfies the network application control security policy;
the session signature key acquiring unit being specifically configured to request and obtain the first signature key of the session request from the NACC server when the determining unit determines that the network application of the session request satisfies the network application control security policy obtained from the NACC server.
23. The device according to claim 21 or 22, characterized by further comprising:
an updating unit, configured to periodically receive the new network application control security policy sent by the NACC server and to update the obtained network application control security policy.
24. A centralized network application security control system, characterized by comprising: a terminal on which a security verification certificate personal firewall (SHF) is deployed, and a network application control center (NACC) server, wherein
the SHF is configured to monitor the terminal initiating a session request; when it determines that the network application of the session request satisfies the obtained network application control security policy, to request and obtain the first signature key of the session request from the NACC server; to generate the corresponding security verification certificate (SVC) according to the first signature key and send the SVC to the peer; and, when it receives the message returned by the peer indicating that the SVC was verified successfully, the session being established successfully;
the NACC server is configured to receive the session request sent by the terminal, to generate according to the session request the first signature key for the session between the terminal and the target terminal, and to send the first signature key to the terminal.
25. The system according to claim 24, characterized in that,
if the session request initiated by the terminal is a session request initiated by a first intranet terminal towards a second intranet terminal, the peer is another terminal in the intranet that has the SVC personal firewall function;
if the session request initiated by the terminal is a session request initiated by an intranet terminal towards an extranet terminal, the peer is a network device with an SVC network firewall.
26. The system according to claim 24 or 25, characterized by further comprising:
a security verification certificate network firewall (SNF) network device, configured to monitor session requests initiated by extranet terminals towards intranet terminals; when it determines that the network application of the session request satisfies the obtained network application control security policy, to request and obtain the first signature key of the session request from the NACC server; to generate the corresponding security verification certificate (SVC) according to the first signature key; to send the SVC to the intranet terminal; and, when it receives the message returned by the intranet terminal indicating that the SVC was verified successfully, the session being established successfully.
CN 201010239403 2010-07-26 2010-07-26 Security control method, signature key sending method, terminal, server and system Pending CN101902371A (en)


Publications (1)

Publication Number Publication Date
CN101902371A true CN101902371A (en) 2010-12-01

CN101572703B (en) Platform authentication system and method capable of protecting platform configuration information
KR101333305B1 (en) Apparatus and method for managing safe transmission control protocol connection
KR20150143394A (en) System, apparatus, method and computer readable recording medium for detecting and treating illegal access
KR20170041574A (en) Apparatus and method for protecting malicious site

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2010-12-01