CN111181955B - Session control method, device and storage medium based on mark

Publication number: CN111181955B
Authority: CN (China)
Prior art keywords: information, control strategy, level, category, subject
Legal status: Active
Application number: CN201911369512.4A
Other languages: Chinese (zh)
Other versions: CN111181955A
Inventors: 郑一友, 雷奕康, 蔡敬忠, 马志浩
Current assignee: Beijing Jusontech Co ltd
Original assignee: Beijing Jusontech Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a label-based session control method and device. The method obtains label information from a session request message sent by a subject to an object, where both subject and object carry labels, defined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the label information; judges whether the label information matches a preset session control policy, the policy being a confidentiality-level control policy or an integrity-level control policy applied to the level information, together with a category control policy applied to the category information; if it matches, establishes the session connection between subject and object; and if not, blocks the session request message, so that the security of session control between subject and object is further improved.

Description

Session control method, device and storage medium based on mark
Technical Field
The present application relates to the field of network security, and more particularly, to a method and apparatus for session control based on a tag.
Background
In the existing TCP/IP protocol suite, transmission is controlled by the fixed fields of each layer's header. These fields cannot be changed to express requirements that arise during transmission, and in particular they cannot meet the needs of special users: some military and security departments need to decide whether information may be forwarded along a path according to attributes such as security level and department, and such attributes have no place in the public protocols. Without control over such information, private or confidential data can circulate in a public network environment and cause serious social and economic harm.
Session control in the prior art is generally implemented through mandatory access control (MAC). In computer security, MAC is access control enforced by the operating system: it limits the ability of a subject (initiator) to access, or perform an operation on, an object (target), and its defining property is that the policy is enforced on every subject and on every object the subjects act on. Many security policies derive from the MAC model, among them confidentiality control policies and integrity control policies; however, current MAC implementations usually follow only one such policy, which limits how far the security of session control can be improved.
Network labels based on CIPSO (Commercial Internet Protocol Security Option, the commercial counterpart of the DoD IP Security Option of RFC 1108, specified in FIPS 188) were introduced into the Linux kernel in 2006 and are mature there; some vendors such as Oracle also support a CIPSO-based security data layer, and IPv6 has a related standard, CALIPSO (RFC 5570).
However, as a security extension protocol, CIPSO leaves the concrete security content it may carry largely undefined: what the label stands for in terms of subject and object is unclear, the identifier for the core asset is unclear, and its possible role as a carrier for trusted computing in network transmission has never been developed. No prior-art scheme performs session control between subject and object on the basis of CIPSO labels.
How to further improve the security of session control between subject and object is therefore a technical problem to be solved in the art.
Disclosure of Invention
The invention provides a label-based session control method, which addresses the problem that session control in the prior art follows a single security policy and further improves the security of session control. The method comprises:
obtaining label information from a session request message sent by a subject to an object, where both subject and object carry labels, defined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the label information;
judging whether the label information matches a preset session control policy, the preset policy being a confidentiality-level control policy or an integrity-level control policy applied to the level information, together with a category control policy applied to the category information;
if it matches, establishing the session connection between subject and object;
and if not, blocking the session request message.
Preferably, the determining whether the mark information matches a preset session control policy specifically includes:
judging whether the level information is matched with the confidentiality level control strategy or the integrity level control strategy;
when the level information is judged not to match the confidentiality level control strategy or the integrity level control strategy, the marking information is confirmed not to match the preset session control strategy;
when the level information is judged to be matched with the confidentiality level control strategy or the integrity level control strategy, continuously judging whether the category information is matched with the category control strategy or not;
when the category information matches the category control strategy, confirming that the marking information matches the preset session control strategy;
and when the category information does not match the category control strategy, confirming that the marking information does not match the preset session control strategy.
Preferably, the confidentiality level control policy follows a BLP confidentiality model, and is:
when the security level of the subject dominates the security level of the object, allowing the subject to perform read operation on the object;
and when the security level of the object dominates the security level of the subject, allowing the subject to write to the object.
Preferably, the integrity level control policy follows the Biba integrity model, and is:
when the integrity level of the object dominates the integrity level of the subject, allowing the subject to perform read operation on the object;
and when the integrity level of the object is dominated by the integrity level of the subject, allowing the subject to write to the object.
Preferably, the category control strategy specifically includes:
when the subject category information is a subset of the object category information, allowing the subject to access the object;
or, when there is an intersection between the subject category information and the object category information, allowing the subject to access the object.
Preferably, before acquiring the tag information in the session request message sent by the subject to the object, the method further includes:
and filtering the data packet corresponding to the session request message according to a preset Access Control List (ACL).
Preferably, after filtering the data packet corresponding to the session request packet according to a preset access control list ACL, the method further includes:
judging whether the session request message carries the marking information or not;
if not, blocking the session request message;
and if so, acquiring the marking information.
Preferably, the Level information is mapped based on a Level field in the CIPSO, the Level field is an unsigned integer value with a value range of 0-255, the Category information is mapped based on a Category field in the CIPSO, the range of the Category field is 0-239, and the mark type of the Category field is a bitmap.
Correspondingly, the invention also provides a session control device based on the mark, which comprises:
an acquisition module, configured to obtain label information from a session request message sent by a subject to an object, where both subject and object carry labels, defined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the label information;
a judging module, configured to judge whether the tag information matches a preset session control policy, where the preset session control policy is a confidentiality level control policy or an integrity level control policy corresponding to the level information, and a category control policy corresponding to the category information;
the establishing module is used for establishing session connection between the subject and the object when the marking information is matched with a preset session control strategy;
and the blocking module is used for blocking the session request message when the marking information does not match a preset session control strategy.
Accordingly, the present invention also proposes a computer-readable storage medium, in which instructions are stored, which, when run on a terminal device, cause the terminal device to execute the tag-based session control method as described above.
Compared with the prior art, the invention has the following beneficial effects:
the invention discloses a label-based session control method and device: label information is obtained from a session request message sent by a subject to an object, both of which carry CIPSO-defined labels corresponding to that information; it is judged whether the label information matches a preset session control policy, namely a confidentiality-level or integrity-level control policy applied to the level information together with a category control policy applied to the category information; if so, the session between subject and object is established, and if not, the request is blocked. The session request is thus checked against more than one security policy, which further improves the security of session control between subject and object.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a label-based session control method according to an embodiment of the invention;
Fig. 2 is a flowchart of a label-based session control method according to another embodiment of the invention;
Fig. 3 is a flowchart of a label-based session control method according to another embodiment of the invention;
Fig. 4 is a flowchart of a label-based session control method in a specific application scenario of the invention;
Fig. 5 shows how the specific protocol defines the CIPSO field in an IP packet in an embodiment of the invention;
Fig. 6 shows the label format definition in an embodiment of the invention;
Fig. 7 illustrates the principle of network data transmission control based on label-enforced (mandatory) access control in an embodiment of the invention;
Fig. 8 is a logic diagram of the BLP model forbidding high-to-low one-way transmission in an embodiment of the invention;
Fig. 9 is a logic diagram of the BLP model permitting low-to-high one-way transmission in an embodiment of the invention;
Fig. 10 is a logic diagram of the Biba model permitting high-to-low one-way transmission in an embodiment of the invention;
Fig. 11 is a logic diagram of the Biba model forbidding low-to-high one-way transmission in an embodiment of the invention;
Fig. 12 shows the bit definition of Category (category bitmap) in an embodiment of the invention;
Fig. 13 shows the structure and data flow of the data security exchange gateway in an embodiment of the invention;
Fig. 14 shows the system protection functions and their correspondence to modules in an embodiment of the invention;
Fig. 15 is a schematic structural diagram of a label-based session control system according to an embodiment of the invention;
Fig. 16 is a schematic structural diagram of a label-based session control device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As described in the background, in the prior art, the session control generally only follows a security policy, which limits further security improvement of the session control to some extent.
In order to solve the above problems, embodiments of the present application provide a method and an apparatus for session control based on a tag, which determine whether the tag information matches a preset session control policy by obtaining CIPSO-based tag information in a message, where the preset session control policy is a confidentiality level control policy or an integrity level control policy corresponding to level information, and a category control policy corresponding to category information, and establish a session connection or block the message according to a determination result.
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Referring to fig. 1, a session control method based on a tag according to an embodiment of the present application includes:
step S101, obtaining the mark information in the conversation request message sent by the subject to the object.
Specifically, in an operating system every entity is a subject, an object, or both. A subject is an active entity such as a user, user group or process; an object is a passive entity, for example data stored on a recording medium in some format (usually as files in a file system) or a process in the operating system. In a network, the subject is the entity in the host that initiates an access request, and the object is the target in the host being accessed.
Both subject and object carry a label corresponding to the label information defined according to the Commercial Internet Protocol Security Option (CIPSO). As shown in Fig. 5, CIPSO is defined as an IP option field in the IP packet header.
The fields of the CIPSO option have the following meaning:
(1) Type: the option type field, 1 byte; for CIPSO it holds the fixed value 134;
(2) Length: the option length field, 1 byte; because CIPSO is carried as an IP option its total length is at most 40 bytes, and since the type, length and DOI fields alone occupy 6 bytes a well-formed option is never shorter than that;
(3) DOI (Domain of Interpretation): 4 bytes that uniquely identify the security domain under whose rules the label is interpreted (also called the DOI identifier); in this scheme interpretation domains are managed centrally by a Security Domain Registration Center (SDRC);
(4) Tag field: the security label information of the packet, comprising tag type, tag length, security Level, Category and so on. Different tag types may be defined to represent different kinds of label information.
The label information in this embodiment still conforms to the CIPSO standard as a whole: the first three fields are identical to CIPSO and the fourth is a custom tag field. In standard CIPSO, for generality and ease of encapsulation and parsing, the tag field consists of three parts: tag type, tag length and tag content:
(1) Tag type: 1 byte. Values 0 to 127 are standard tag formats whose layout is given in the corresponding RFC and FIPS documents; values above 127 are managed and defined by the DOI authority. The standard defines only three tag types: type 1 (bit-mapped categories), type 2 (enumerated categories) and type 5 (ranged categories). This embodiment uses only type 1, in which the Category field is a bitmap;
(2) Tag length: 1 byte giving the total length of the tag in bytes, including the tag type and tag length bytes themselves;
(3) Tag content: the official DOI definition fixes the content format and carries only fields such as sensitivity level and categories. The scheme proposed here modifies the concrete meaning of the tag content field: the content may be modified or extended as needed and need not represent only a confidentiality level and categories.
The label format is shown in Fig. 6: a label consists of a Level and a Category bitmap, so the smallest label is 2 bytes. Every subject and object is assigned a label, stored in integer form: the Level is an unsigned integer, and the Category bitmap may be written as a decimal, hexadecimal or binary value.
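The option layout described above, as an added example that is not part of the patent text: a Python encoder and parser for a CIPSO IP option carrying a standard tag type 1 label. It assumes the FIPS 188 tag type 1 layout (tag type, tag length, a zero alignment octet, the Level byte, then the Category bitmap with the most significant bit of byte 0 as Category 0); the DOI value 1 is an arbitrary constructed value, and since the page does not fully specify the patent's custom fourth field, the standard layout is used in its place. The builder reproduces the Server label from the worked table later on the page (Level 16, Category bytes 0xF0,0x01), and the parser rejects truncated or inconsistent options rather than guessing a level.

```python
"""Encode and decode a CIPSO IP option carrying a tag type 1 label (example code).

Layout assumed here (FIPS 188 / draft-ietf-cipso-ipsecurity):

  Type=134 | Length | DOI (4 bytes) | Tag type=1 | Tag length | Align=0 | Level | Category bitmap (0..30 bytes)

Bit 7 of bitmap byte 0 is Category 0, bit 0 of byte 1 is Category 15, and so on up to
Category 239.  The DOI value 1 used below is a constructed example value.
"""

CIPSO_OPTION_TYPE = 134      # IP option number for CIPSO
CIPSO_MAX_LENGTH = 40        # an IP option cannot exceed the 40-byte options area
TAG_TYPE_BITMAP = 1          # tag type 1: level + bit-mapped categories
TAG1_HEADER_LEN = 4          # tag type, tag length, alignment octet, level
MAX_BITMAP_BYTES = 30        # 30 bytes * 8 bits = Categories 0..239


def categories_from_bitmap(bitmap: bytes) -> frozenset:
    """Return the category numbers whose bit is 1 (MSB of byte 0 is Category 0)."""
    return frozenset(8 * i + (7 - b)
                     for i, octet in enumerate(bitmap)
                     for b in range(8) if (octet >> b) & 1)


def bitmap_from_categories(categories) -> bytes:
    """Inverse of categories_from_bitmap; uses the fewest bytes that hold the highest category."""
    if not categories:
        return b""
    if min(categories) < 0 or max(categories) > 8 * MAX_BITMAP_BYTES - 1:
        raise ValueError("category numbers must be in 0..239")
    bitmap = bytearray(max(categories) // 8 + 1)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)
    return bytes(bitmap)


def build_cipso_option(doi: int, level: int, categories) -> bytes:
    """Build the complete option bytes for one tag type 1 label."""
    if not 0 <= level <= 255:
        raise ValueError("level must fit in one byte")
    bitmap = bitmap_from_categories(categories)
    tag = bytes([TAG_TYPE_BITMAP, TAG1_HEADER_LEN + len(bitmap), 0, level]) + bitmap
    option = bytes([CIPSO_OPTION_TYPE, 6 + len(tag)]) + doi.to_bytes(4, "big") + tag
    if len(option) > CIPSO_MAX_LENGTH:
        raise ValueError("option exceeds the IP options area")
    return option


def parse_cipso_option(option: bytes):
    """Parse option bytes into (doi, level, categories); return None for anything malformed.

    A gateway should treat None exactly like a missing label and block the session request
    (the patent blocks requests that carry no label) instead of inferring a level.
    """
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE:
        return None
    if option[1] != len(option) or option[1] > CIPSO_MAX_LENGTH:
        return None                     # length byte disagrees with the bytes received
    doi = int.from_bytes(option[2:6], "big")
    tag = option[6:]
    if len(tag) < TAG1_HEADER_LEN or tag[0] != TAG_TYPE_BITMAP:
        return None                     # only tag type 1 (bitmap) is handled here
    tag_len = tag[1]
    if tag_len != len(tag) or tag_len > TAG1_HEADER_LEN + MAX_BITMAP_BYTES:
        return None                     # one tag per option in this example; no trailing bytes
    if tag[2] != 0:
        return None                     # alignment octet must be zero
    level = tag[3]
    return doi, level, categories_from_bitmap(tag[TAG1_HEADER_LEN:tag_len])


if __name__ == "__main__":
    # The page's Server label: Level 16, Category bytes 0xF0,0x01 -> Categories 0,1,2,3,15.
    server = build_cipso_option(1, 16, {0, 1, 2, 3, 15})
    print(server.hex(), parse_cipso_option(server))
```

The parser insists that the option length byte equals the number of bytes actually received and that the single tag fills the rest of the option; a real gateway sitting on a netfilter hook would read the option out of the IP header's options area first, and anything that fails these checks should fall into the same "no label" branch that blocks the request.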
As shown in fig. 7, which is a schematic diagram of a network data transmission control principle based on the label enforced access control technology, on the basis of IP address addressing, following the label enforced access control model, the data packets are controlled to be transmitted by the label attributes carried by the data packets, where the routers A, B are label gateways respectively, and the functions of the routers are completed by data security switching gateways. The data security switching gateway can identify the marking information carried in the message, and compare and match the marking information with the configured marking strategy, so as to take corresponding actions on the message, such as releasing, blocking or marking conversion.
The network data transmission control based on the mark mandatory access control has the following characteristics: the data packet transmission control is processed according to the rule of the mark mandatory access control model; the network area range is determined by the mark, and the area boundary can be designed to be hidden; the bidirectional and unidirectional control of a network level can be realized, and the method can be used for the logic isolation of the network; the marked trusted network relies on an IP network, but needs to be configured correspondingly.
The security of the session request message is verified by using the mark information through obtaining the mark information in the session request message sent by the subject to the object.
And step S102, judging whether the marking information is matched with a preset session control strategy, if so, executing step S103, and if not, executing step S104.
The mark information comprises level information and category information, and the preset session control strategy is a confidentiality level control strategy or an integrity level control strategy corresponding to the level information and a category control strategy corresponding to the category information.
In one mode, it is first judged whether the level information matches the confidentiality level control policy or the integrity level control policy; if it does not, the label information is confirmed not to match the preset session control policy. If it does, it is then judged whether the category information matches the category control policy: if it does not, the label information does not match the preset session control policy, and if it does, the label information matches the preset session control policy.
In another mode, the level check and the category check are performed at the same time: when both the level information and the category information match their respective control policies, the label information is determined to match the preset session control policy; otherwise it is determined not to match.
It should be noted that, a person skilled in the art may flexibly select different manners to determine whether the flag information matches the preset session control policy according to actual needs, and different determination processes do not affect the protection scope of the present application.
Step S103, establishing a session connection between the subject and the object.
And when the marking information is matched with a preset session control strategy, determining that the session connection between the subject and the object can be established.
And step S104, blocking the session request message.
And when the marking information does not match the preset session control strategy, determining that the session connection cannot be established, and blocking the session request message.
According to the label-based session control method described above, label information is obtained from a session request message sent by a subject to an object, both of which carry labels corresponding to that information and defined according to the Commercial Internet Protocol Security Option (CIPSO); it is judged whether the label information matches a preset session control policy, namely a confidentiality-level or integrity-level control policy applied to the level information together with a category control policy applied to the category information; if so, the session between subject and object is established, and if not, the session request message is blocked. The session request is thus checked against more than one security policy, which further improves the security of session control between subject and object.
Referring to fig. 2, another embodiment of the present application provides a method for session control based on a token, where the method includes:
step S201, acquiring the tag information in the session request message sent by the subject to the object.
Wherein the subject and the object are both provided with a mark corresponding to the mark information determined according to the unified internet protocol security option CIPSO.
In a specific application scenario of the present application, the CIPSO mark field has two parts, namely Level and Category, and by defining the two fields, the division of the security domain and the definition of the host in the domain can be realized. In a tagged security policy scheme, the security Level of a domain is mapped with a Level value; category is used to assign hosts within the corresponding domain. The Level and Category together form the marking attribute of the subject and object, and the attribute is customized by a user and can carry safety information and control information.
The Client and the Server connected with the data security exchange gateway are located in two different security domains and have different security levels respectively. In a scheme of marking security policies, the security Level of a security domain is mapped with a Level field in CIPSO. The Level field is an unsigned integer value, the value range is 0-255, and the larger the value is, the higher the security Level is.
The Category field of the CIPSO label maps hosts within the corresponding security domain. Per the CIPSO standard, Category is a variable-length field of 0 to 30 bytes; its value may be written in decimal or hexadecimal with commas separating the bytes, and the actual value is the set of binary bits that are set.
Bits are numbered from left to right, and each bit set to 1 denotes one Category. Thus, over bytes 0 to 29, the most significant bit of the first byte denotes Category 0, and so on, so that the least significant bit of the second byte denotes Category 15. The Category range is therefore 0 to 239, as shown in Fig. 12.
In the invention a host may be defined by a single Category bit or by a combination of several; if every host is defined by a single bit, there are at most 240 hosts per Level. Usually a server (receiver) host is defined by a combination of several Category bits, that is, the Category field of its label has several bits set.
For example (only two bytes of the Category field are used):
the Server is in a security domain with Level 16, and its Category field value is 0xF0,0x01, meaning its Category bitmap contains Categories 0, 1, 2, 3 and 15;
host Client1 has Level 15 and a Category field value of 0x80,0x00, meaning its Category bitmap contains Category 0.
As a table:

Host     Host location                Level   Category
Server   High-level security domain   16      0xF0,0x01
Client   Low-level security domain    15      0x80,0x00
Step S202, determining whether the level information matches the confidentiality level control policy or the integrity level control policy, if yes, performing step S203, and if no, performing step S206.
The confidentiality level control policy follows the BLP model: when the subject's security level dominates the object's, the subject may read the object; when the object's security level dominates the subject's, the subject may write to the object. Fig. 8 shows the BLP logic that forbids high-to-low one-way transmission: for confidentiality, high-level data must not flow into a lower security domain, so a packet is forwarded only when its level is less than or equal to the level of the boundary system's processing process, and is otherwise dropped. Fig. 9 shows the BLP logic that permits low-to-high one-way transmission: the level of the exchange process in the high-level area is greater than 15, and if the data crosses several areas, the exchange process of each area must have a level greater than or equal to 15.
The integrity level control policy follows the Biba model: when the object's integrity level dominates the subject's, the subject may read the object; when the object's integrity level is dominated by the subject's, the subject may write to the object. Fig. 10 shows the Biba logic that permits high-to-low one-way transmission: for integrity, high-level data may flow into a lower-level domain, and a packet is forwarded only when its label value is greater than or equal to that of the boundary processing process. Fig. 11 shows the Biba logic that forbids low-to-high one-way transmission: the level of the high-level area's exchange process is greater than or equal to 15, and if the subject must cross several areas, each area's exchange process must have a level greater than or equal to 15.
It should be noted that the above way of judging whether the level information matches the confidentiality level control policy or the integrity level control policy is only one specific implementation proposed in the present application; those skilled in the art may also have the confidentiality level control policy or the integrity level control policy follow other models, and such different judging methods all fall within the scope of protection of the present application.
Step S203, judging whether the category information matches the category control policy; if so, performing step S204, and if not, performing step S206.
The category control policy is specifically:
when the subject category information is a subset of the object category information, allowing the subject to access the object;
or, when the subject category information and the object category information intersect, allowing the subject to access the object.
In a specific application scenario of the present application, the Category value of the sending end must be a subset of that of the receiving end, or the two must intersect, for access to be allowed.
It should be noted that the above way of judging whether the category information matches the category control policy is only one specific implementation provided by the present application; those skilled in the art may also select other category control policies, and such different judging methods all fall within the scope of protection of the present application.
Step S204, confirming that the tag information matches the preset session control policy.
Step S205, establishing a session connection between the subject and the object.
Step S206, confirming that the tag information does not match the preset session control policy.
Step S207, blocking the session request packet.
For example, in a specific application scenario of the present application, if the session process follows the BLP model, the access cases between two hosts are as given in the following table:
[Table image BDA0002339309620000111: BLP access cases between two hosts]
If the session process follows the BIBA model, the access cases between the two hosts are as given in the following table:
[Table image BDA0002339309620000112: BIBA access cases between two hosts]
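The level and category decisions of steps S202 to S207, as an added Python example that is not code from the patent or its assignee. Following figs. 8 to 11, a session from a sender to a receiver is treated as the receiving (border) process reading the packet, so the packet is the object and the receiving process the subject; the class and function names and the two sample host labels are this example's own assumptions.

```python
"""Label-based session admission under BLP, Biba and a category rule (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Literal

Model = Literal["BLP", "BIBA"]
CategoryRule = Literal["subset", "intersect"]


@dataclass(frozen=True)
class Label:
    """A CIPSO-style label: Level 0..255 plus a Category set drawn from 0..239."""
    level: int
    categories: FrozenSet[int] = frozenset()

    def __post_init__(self) -> None:
        if not 0 <= self.level <= 255:
            raise ValueError("level must be 0..255")
        if any(not 0 <= c <= 239 for c in self.categories):
            raise ValueError("categories must be 0..239")


def level_allows(model: Model, sender: Label, receiver: Label) -> bool:
    """Level check for a session from sender to receiver.

    The receiving (border) process reads the packet, so the packet is the object
    and the process the subject. BLP (no read up, figs. 8/9): the packet's level
    may not exceed the receiver's, so only low->high flows pass. Biba (no read
    down, figs. 10/11): the packet's integrity level must be at least the
    receiver's, so only high->low flows pass. Equal levels pass under both.
    """
    if model == "BLP":
        return sender.level <= receiver.level
    if model == "BIBA":
        return sender.level >= receiver.level
    raise ValueError(f"unknown model {model!r}")


def category_allows(rule: CategoryRule, sender: Label, receiver: Label) -> bool:
    """Category check: the sender's set is a subset of the receiver's, or (the
    looser alternative the text allows) the two sets merely intersect."""
    if rule == "subset":
        return sender.categories <= receiver.categories
    if rule == "intersect":
        return bool(sender.categories & receiver.categories)
    raise ValueError(f"unknown category rule {rule!r}")


def session_allowed(model: Model, rule: CategoryRule, sender: Label, receiver: Label) -> bool:
    """Steps S202-S207: the level check runs first and the category check only
    if it passed; the session is established only when both pass."""
    return level_allows(model, sender, receiver) and category_allows(rule, sender, receiver)


def access_table(model: Model, rule: CategoryRule, hosts: dict[str, Label]) -> dict[tuple[str, str], bool]:
    """Every ordered sender->receiver pair between the labelled hosts, as in the
    two-host tables the text refers to."""
    return {(a, b): session_allowed(model, rule, hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    # Constructed sample labels (assumption): host A is lower and narrower than host B.
    hosts = {"A": Label(10, frozenset({1, 3})), "B": Label(20, frozenset({1, 3, 7}))}
    for model in ("BLP", "BIBA"):
        print(model, access_table(model, "subset", hosts))
```

Two properties of the policy are worth keeping in mind when configuring it: under the subset rule a sender with an empty category set passes any receiver, while under the intersect rule it passes none; and when sender and receiver share the same level, sessions in both directions pass the level check under both models, so only the category rule separates them.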
According to the tag-based session control method described above, the tag information in a session request message sent by a subject to an object is obtained, both subject and object carrying tags, determined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the tag information; whether the tag information matches a preset session control policy is judged, the preset session control policy being a confidentiality level control policy or an integrity level control policy corresponding to the level information together with a category control policy corresponding to the category information; if so, a session connection is established between the subject and the object; if not, the session request message is blocked. The session request message is thus checked against several security policies, which further improves the security of session control between subject and object.
Referring to fig. 3, a tag-based session control method according to another embodiment of the present application includes:
Step S301, filtering the data packet corresponding to the session request message according to a preset access control list (ACL).
An access control list (ACL) is a packet-filtering access control technique: according to configured conditions, it filters the packets arriving on an interface and either passes or drops them. ACLs are widely used on routers and Layer 3 switches, where they effectively control user access to the network and so protect it to the greatest possible extent. After the session request message is received, the Layer 3 and Layer 4 header fields, such as source address, destination address, source port and destination port, are filtered according to predefined rules, which completes the L2-L4 (data link layer, network layer, transport layer) protection function.
In a specific application scenario of the present application, fig. 13 is a schematic diagram of the structure and data flow of a data security switching gateway in an embodiment of the present invention; the exchange of service data comprises the following steps:
Step (1): a message sent by a service host (Client) reaches the zero-trust security card of the data security switching gateway through the access/aggregation switch;
Step (2): the zero-trust security card reads the Layer 3 and Layer 4 header fields, such as source address, destination address, source port and destination port, filters the packet according to predefined rules, and so completes the L2-L4 protection function;
Step (3): the zero-trust security card reads the tag information in the message, compares it with the tag policy, and so completes the processing of the tag information;
Step (4): the zero-trust security card hands the message to the Proxy module, which performs application-layer protection functions such as WAF (Web Application Firewall);
Step (5): the Proxy module passes the message to the isolation card, which optionally encrypts the data and then sends it to the isolation card of the peer device over a proprietary high-speed transmission protocol.
This ends the service data exchange process of the data security switching gateway. If the peer device is also a data security switching gateway, processing continues as follows: the received message passes through the isolation card, the Proxy module, the zero-trust security card and the switch, and finally reaches the corresponding host (Server) in the peer security domain.
The security management platform configures the data security switching gateway and collects system state information through the security agent communication module. Logs, alarm information and the like are reported over the Syslog protocol to the security management platform or to a third-party monitoring platform (such as a situation awareness system).
As shown in fig. 14, the zero-trust security card provides the L2 to L4 protection functions, the host OS protects itself through security hardening, and the Proxy module provides application-layer protection.
Step S302, judging whether the session request message carries the tag information; if so, performing step S303, and if not, performing step S306.
Since the embodiment of the application performs session control on the basis of the tag, it first judges whether the session request message carries tag information; a message that carries no tag information can be blocked directly, which improves message processing efficiency.
Step S303, obtaining the tag information in the session request message sent by the subject to the object.
The subject and the object both carry tags, determined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the tag information.
Step S304, judging whether the tag information matches a preset session control policy; if so, performing step S305, and if not, performing step S306.
The preset session control policy is a confidentiality level control policy or an integrity level control policy corresponding to the level information, together with a category control policy corresponding to the category information.
Step S305, establishing a session connection between the subject and the object.
Step S306, blocking the session request message.
According to the tag-based session control method described above, the data packet corresponding to a session request message sent by a subject to an object is first filtered according to a preset access control list (ACL); a session request message that carries no tag information is blocked; otherwise the tag information in the message is obtained, both subject and object carrying tags, determined according to CIPSO, that correspond to the tag information; whether the tag information matches the preset session control policy is judged, the preset session control policy being a confidentiality level control policy or an integrity level control policy corresponding to the level information together with a category control policy corresponding to the category information; if so, a session connection is established between the subject and the object, and if not, the session request message is blocked. The session request message is thus checked against several security policies, which further improves the security of session control between subject and object.
In order to further illustrate the technical idea of the present invention, the technical solution of the present invention will now be described with reference to specific application scenarios.
Referring to fig. 4, a flowchart of a session control method based on a tag according to an embodiment of the present invention is shown, where the method includes:
step S401, receiving a session request message.
It is understood that the session request message is sent by the subject to the object.
Step S402, judging whether a tag is present; if so, performing step S403, and if not, performing step S408.
It can be understood that this judges whether the session request message carries the tag information, the tag information being determined according to CIPSO.
Step S403, reading the Level value in the tag and matching it against the mandatory access control policy.
It is to be understood that the Level value corresponds to the level information and the mandatory access control policy corresponds to the preset session control policy, which is a confidentiality level control policy or an integrity level control policy corresponding to the level information, together with a category control policy corresponding to the category information.
Step S404, judging whether the Level value matches the mandatory access control policy; if so, performing step S405, and if not, performing step S408.
It is understood that this judges whether the Level value matches the confidentiality level control policy or the integrity level control policy.
Step S405, reading the Category value in the tag and matching it against the mandatory access control policy.
It is understood that the Category value corresponds to the category information.
Step S406, judging whether the Category value matches the mandatory access control policy; if so, performing step S407, and if not, performing step S408.
It is understood that this judges whether the Category value matches the category control policy.
Step S407, establishing the connection and completing the session process.
Step S408, blocking the message.
Step S409, generating an alarm and reporting it to the situation awareness system.
It can be understood that the situation awareness system is a third-party monitoring platform; alarm information is generated for blocked messages and reported to it, so that blocked messages can be conveniently recorded and handled.
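The fig. 4 flow end to end, as an added Python example that is not code from the patent or from the gateway it describes. It encodes and parses the CIPSO IP option (option type 134, a 4-byte DOI, then one type 1 bitmap tag whose level is a single octet and whose bitmap covers categories 0 to 239, the layout used by Linux NetLabel and the ranges stated in claim 7), walks the IPv4 option list to find the option, and then takes the S402, S404 and S406 decisions, producing an alarm record for every blocked path. The header builder, the receiver's label, the alarm strings, the DOI check and the choice of the subset category rule are assumptions of this example.

```python
"""CIPSO option encode/decode and the fig. 4 admission flow (added example, not the patent's code).
Assumed layout: IPv4 option type 134, length, 4-byte DOI, then one type 1 "restricted bitmap"
tag = type(1) length(1) alignment(1) level(1) bitmap(0..30 bytes), bit c (MSB first) = category c."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

CIPSO_OPT_TYPE = 134        # IPv4 option number assigned to CIPSO
TAG_RESTRICTED_BITMAP = 1   # one level octet + up to 30 bitmap octets -> categories 0..239
MAX_CATEGORY = 239


@dataclass(frozen=True)
class CipsoLabel:
    doi: int
    level: int
    categories: FrozenSet[int]


def encode_cipso(doi: int, level: int, categories: FrozenSet[int]) -> bytes:
    """Build a raw CIPSO option carrying one restricted-bitmap tag."""
    if not 0 <= level <= 255 or any(not 0 <= c <= MAX_CATEGORY for c in categories):
        raise ValueError("level or category out of range")
    nbytes = (max(categories) // 8 + 1) if categories else 0
    bitmap = bytearray(nbytes)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)
    tag = bytes([TAG_RESTRICTED_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPT_TYPE, 2 + len(body)]) + body


def decode_cipso(option: bytes) -> CipsoLabel:
    """Parse one CIPSO option, checking every length field before using it."""
    if len(option) < 6 or option[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    opt_len = option[1]
    if opt_len < 6 or opt_len > 40 or opt_len > len(option):
        raise ValueError("bad option length")
    (doi,) = struct.unpack("!I", option[2:6])
    tag = option[6:opt_len]
    if len(tag) < 4 or tag[0] != TAG_RESTRICTED_BITMAP:
        raise ValueError("unsupported or truncated tag")
    tag_len = tag[1]
    if tag_len < 4 or tag_len > 34 or tag_len > len(tag) or tag[2] != 0:
        raise ValueError("bad tag length or non-zero alignment octet")
    cats = {i * 8 + bit for i, byte in enumerate(tag[4:tag_len])
            for bit in range(8) if byte & (0x80 >> bit)}
    return CipsoLabel(doi, tag[3], frozenset(cats))


def find_cipso(header: bytes) -> Optional[bytes]:
    """Walk the IPv4 option area (bytes 20 .. IHL*4) and return the CIPSO option, if any."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation, single octet
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option list")
        if kind == CIPSO_OPT_TYPE:
            return bytes(opts[i:i + opts[i + 1]])
        i += opts[i + 1]
    return None


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed test input: minimal IPv4/TCP header 10.0.0.1 -> 10.0.0.2, options padded to 32 bits."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    return struct.pack("!BBHHHBBH4s4s", 0x45 + len(opts) // 4, 0, 20 + len(opts), 0, 0, 64, 6, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + opts


def admit(header: bytes, receiver: CipsoLabel, model: str = "BLP") -> tuple[str, Optional[str]]:
    """Fig. 4: S402 tag present? -> S404 level -> S406 category -> S407 connect, else S408 block + S409 alarm.
    The receiving process reads the packet (figs. 8-11): BLP passes only sender level <= receiver level,
    Biba only sender level >= receiver level. Category rule used here (assumption): subset."""
    try:
        raw = find_cipso(header)
        if raw is None:
            return "block", "ALARM no-label"
        label = decode_cipso(raw)
    except ValueError as exc:
        return "block", f"ALARM malformed: {exc}"
    if label.doi != receiver.doi:
        return "block", "ALARM doi-mismatch"
    level_ok = label.level <= receiver.level if model == "BLP" else label.level >= receiver.level
    if not level_ok:
        return "block", f"ALARM level {label.level} vs {receiver.level} under {model}"
    if not label.categories <= receiver.categories:
        return "block", "ALARM category-mismatch"
    return "connect", None
```

A malformed option (a tag length that runs past the option, a non-zero alignment octet, an IHL that does not cover the options) takes the same block-and-alarm path as a missing tag rather than being silently treated as unlabelled, and a label from a foreign DOI is rejected before its level is compared, since level numbers are only meaningful within one DOI.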
In order to achieve the above technical object, an embodiment of the present application further provides a tag-based session control system, as shown in fig. 15, including:
Hardware platform module 501: the current hardware of the data security switching gateway is a 2U or 4U host that fits a 19-inch standard cabinet. The hardware form may change as the system version is upgraded.
Card module 502: comprises the zero-trust security card, the most critical component of the whole system, and the isolation card. All L2-L4 protection functions of the data security switching gateway are provided by the zero-trust security card; the system's tag-based mandatory access control function is also implemented on it. In hardware design the isolation card is identical to the zero-trust security card; only its software parameter configuration differs, because its role and functions differ.
Management network card module 503: the session control system interacts with the security management and control platform through the management network card, which realises the system's visual management function. The management network card provides the physical connection to the management and control platform; the platform issues the configuration of the security card/isolation card through the management network card to the security Agent communication module (Agent), which then writes the configuration into the corresponding security card or isolation card. All logs and alarm information generated by the modules of the system are likewise reported to the management and control platform or to the situation awareness system through the management network card.
Host OS module 504: the core of the host operating system of the data security switching gateway is Linux, which serves as the system's software platform; the host OS must guarantee its own security. Two schemes are currently used: a security-hardened Linux operating system, or a secure operating system.
Proxy module 505: provides data landing (session termination) and application-layer protection (such as WAF protection). The Proxy module terminates the session and reassembles the messages, thereby realising application-layer micro-isolation; at the same time it performs fine-grained structural inspection of the data, providing application-layer defence.
Security Agent communication module (Agent) 506: runs on the host OS as a service and provides a uniform service interface to the management and control platform, through which the platform controls and manages the whole system. The Agent program is one of the functional modules of the system software and is the bridge between the management and control platform on one side and the security card/isolation card and the Proxy module on the other. The Agent exposes a set of API functions; the management and control platform issues configuration information or commands by calling them, and the Agent parses what it receives and passes it on to the corresponding modules (such as the security card or the Proxy module) by calling library functions or system commands.
Security management and control platform 507: provides a visual operation interface on which most configuration and management operations of the data security switching gateway can be performed. The management and control platform interacts through the management network card with the Agent module running in the OS to issue configuration information or other commands to the security card/isolation card and the Proxy module, thereby realising management of the whole system.
CLI module 508: in addition to the GUI (Graphical User Interface) management interface, provides a set of powerful CLI tools with which all management and configuration of the system can be performed. For ordinary day-to-day operation and maintenance the graphical security management and control platform is preferred; the CLI tools carry a higher operational risk and are intended only for experienced technicians.
Syslog protocol interface module 509: provides a Syslog protocol interface through which service-based information (such as traffic statistics), log information, alarm information and the like can be output to a third-party situation awareness system or to the security management and control platform, realising multi-dimensional security collaboration.
In order to achieve the above technical object, an embodiment of the present application further proposes a tag-based session control device, as shown in fig. 16, the device including:
an obtaining module 601, configured to obtain the tag information in a session request message sent by a subject to an object, where the subject and the object both carry tags, determined according to the Commercial Internet Protocol Security Option (CIPSO), that correspond to the tag information;
a judging module 602, configured to judge whether the tag information matches a preset session control policy, where the preset session control policy is a confidentiality level control policy or an integrity level control policy corresponding to the level information, together with a category control policy corresponding to the category information;
an establishing module 603, configured to establish a session connection between the subject and the object when the tag information matches the preset session control policy;
a blocking module 604, configured to block the session request message when the tag information does not match the preset session control policy.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not necessarily depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (9)

1. A tag-based session control method, the method comprising:
obtaining mark information in a session request message sent by a subject to an object, wherein both the subject and the object are provided with marks corresponding to the mark information, which are determined according to the Commercial Internet Protocol Security Option (CIPSO);
judging whether the mark information is matched with a preset session control strategy, wherein the preset session control strategy is a confidentiality level control strategy or an integrity level control strategy corresponding to the level information and a category control strategy corresponding to the category information;
if so, establishing session connection between the subject and the object;
if not, blocking the session request message;
the tag information includes the level information and the category information;
judging whether the marking information is matched with a preset session control strategy, specifically:
judging whether the level information is matched with the confidentiality level control strategy or the integrity level control strategy;
when the level information is judged not to match the confidentiality level control strategy or the integrity level control strategy, the marking information is confirmed not to match the preset session control strategy;
when the level information is judged to be matched with the confidentiality level control strategy or the integrity level control strategy, continuously judging whether the category information is matched with the category control strategy or not;
when the category information matches the category control strategy, confirming that the marking information matches the preset session control strategy;
and when the category information does not match the category control strategy, confirming that the marking information does not match the preset session control strategy.
2. The method of claim 1, wherein the confidentiality level control policy conforms to a BLP confidentiality model as:
when the security level of the subject dominates the security level of the object, allowing the subject to perform read operation on the object;
and when the security level of the object dominates the security level of the subject, allowing the subject to write to the object.
3. The method of claim 1, wherein the integrity level control policy follows a BIBA integrity model of:
when the integrity level of the object dominates the integrity level of the subject, allowing the subject to perform read operation on the object;
and when the integrity level of the object is dominated by the integrity level of the subject, allowing the subject to write to the object.
4. The method of claim 1, wherein the category control strategy is specifically:
when the subject category information is a subset of the object category information, allowing the subject to access the object;
or, when there is an intersection between the subject category information and the object category information, allowing the subject to access the object.
5. The method of claim 1, before obtaining the tag information in the session request message sent by the subject to the object, further comprising:
and filtering the data packet corresponding to the session request message according to a preset Access Control List (ACL).
6. The method according to claim 5, further comprising, after filtering the data packet corresponding to the session request packet according to a preset access control list ACL, further comprising:
judging whether the session request message carries the marking information or not;
if not, blocking the session request message;
and if so, acquiring the marking information.
7. The method of claim 1, wherein the Level information is mapped based on a Level field in the CIPSO, the Level field is an unsigned integer value with a value range of 0 to 255, the Category information is mapped based on a Category field in the CIPSO, the Category field is in a range of 0 to 239, and a tag type of the Category field is a bitmap.
8. A tag-based session control device, the device comprising:
an acquisition module, configured to acquire mark information in a session request message sent by a subject to an object, wherein the subject and the object are provided with marks corresponding to the mark information, which are determined according to the Commercial Internet Protocol Security Option (CIPSO);
a judging module, configured to judge whether the tag information matches a preset session control policy, where the preset session control policy is a confidentiality level control policy or an integrity level control policy corresponding to the level information, and a category control policy corresponding to the category information;
the establishing module is used for establishing session connection between the subject and the object when the marking information is matched with a preset session control strategy;
the blocking module is used for blocking the session request message when the marking information does not match a preset session control strategy;
the tag information includes the level information and the category information;
judging whether the marking information is matched with a preset session control strategy, specifically:
judging whether the level information is matched with the confidentiality level control strategy or the integrity level control strategy;
when the level information is judged not to match the confidentiality level control strategy or the integrity level control strategy, the marking information is confirmed not to match the preset session control strategy;
when the level information is judged to be matched with the confidentiality level control strategy or the integrity level control strategy, continuously judging whether the category information is matched with the category control strategy or not;
when the category information matches the category control strategy, confirming that the marking information matches the preset session control strategy;
and when the category information does not match the category control strategy, confirming that the marking information does not match the preset session control strategy.
9. A computer-readable storage medium having stored therein instructions that, when run on a terminal device, cause the terminal device to perform the tag-based session control method according to any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911369512.4A CN111181955B (en) 2019-12-26 2019-12-26 Session control method, device and storage medium based on mark

Publications (2)

Publication Number Publication Date
CN111181955A CN111181955A (en) 2020-05-19
CN111181955B true CN111181955B (en) 2022-02-08

Family

ID=70657516

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113242249B (en) * 2021-05-18 2022-03-08 中铁信(北京)网络技术研究院有限公司 Session control method and device
CN113438216B (en) * 2021-06-15 2023-02-28 中国国家铁路集团有限公司 Access control method based on security marker
CN115174185B (en) * 2022-06-30 2023-09-22 中国人民解放军战略支援部队信息工程大学 Access control method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6304973B1 (en) * 1998-08-06 2001-10-16 Cryptek Secure Communications, Llc Multi-level security network system
CN102413198A (en) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 Security-marker-based access control method and related system
CN103647771A (en) * 2013-12-12 2014-03-19 浪潮电子信息产业股份有限公司 Method for carrying out mandatory access controlling on network data packet
CN105357201A (en) * 2015-11-12 2016-02-24 中国科学院信息工程研究所 Access control method and system for object cloud storage
CN105959322A (en) * 2016-07-13 2016-09-21 浪潮(北京)电子信息产业有限公司 Mandatory access control method and system based on fusion of multiple protection strategies

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Tag Based Session Control Method, Device, and Storage Medium

Effective date of registration: 20230920

Granted publication date: 20220208

Pledgee: Beijing first financing Company limited by guarantee

Pledgor: BEIJING JUSONTECH CO.,LTD.

Registration number: Y2023110000402