WO2020147032A1 - Network security management system and method - Google Patents

Network security management system and method

Info

Publication number: WO2020147032A1
Authority: WO (WIPO, PCT)
Prior art keywords: computer terminal, data packet, communication, security management, network
Application number: PCT/CN2019/071967
Other languages: English (en), Chinese (zh)
Inventor: 王松伟
Original assignee: 永信科技股份有限公司
Priority date: 2019-01-16
Filing date: 2019-01-16
Publication date: 2020-07-23
Application filed by 永信科技股份有限公司 with priority to PCT/CN2019/071967; published as WO2020147032A1.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • The present invention relates to the field of network security, and in particular to a network security management system and method.
  • Existing network protection uses a firewall as a line of defense against external attacks.
  • The firewall can be configured with specific packets: when it receives a packet that matches the configuration, the packet is allowed into the device, and packets that are not configured are blocked by the firewall.
  • Firewalls can effectively block these attacks, protect the security of equipment and software, and ensure that data is not stolen.
  • However, the firewall can only block packets that the device does not accept.
  • Higher-level network attacks, such as attacks on system and application vulnerabilities, buffer overflow attacks or Trojan horse attacks, it can neither detect nor intercept.
  • High-level network attacks disguise themselves as packets permitted by the original system and enter it without being blocked by the firewall, paralysing the device's system or stealing confidential information and thereby causing data security problems.
  • The present invention therefore provides a network security management system and method. By confirming whether transmitted data packets comply with the exclusive communication authority between each pair of computer terminals, it effectively prevents data viruses from being transmitted between computer terminals and so ensures the security of data transmission.
  • An embodiment of the present invention provides a network security management system set up on a network transmission device of an internal area network.
  • The network transmission device is connected to a plurality of computer terminals.
  • The network security management system includes a setting module and a checking module. The setting module is provided with a path table, which stores the communication authority of each computer terminal with respect to specific computer terminals. The checking module receives a data packet transmitted by one of the computer terminals, the data packet carrying communication data, and judges the communication data against the path table: when the communication data of the data packet meets the communication authority in the path table, the data packet is transmitted to the corresponding target computer terminal according to the communication data.
  • When the checking module determines that the communication data of the data packet cannot be matched to the path table, the checking module deletes or ignores the data packet and optionally returns a failure message.
  • The path table stores, for each computer terminal, the Internet Protocol address (IP address) at the network layer and the communication authority of the communication port (port) used by the application software at the transport layer.
  • The communication data is the Internet Protocol address (IP address) or the communication port (port) of the computer terminal.
  • The path table stores the media access control address (MAC address) of each permitted computer terminal.
  • The network transmission equipment is any one of a hub, a switch and a router.
  • Through the path table stored in the setting module, the network security management system of the present invention can confirm whether the data packets transmitted by each computer terminal comply with the exclusive communication authority between computer terminals; it can thereby effectively prevent data viruses from spreading between computer terminals and ensure the security of data transmission.
  • When the checking module judges that the communication data of the data packet cannot be matched to the path table, it deletes the data packet and returns a failure message; this prevents the problematic data packet from remaining in the system and eliminates the risk of it causing an infection.
  • Storing the media access control address of each computer terminal ensures that communication information is transmitted only to computer terminals existing in the internal area network and not to an externally connected computer terminal, so as to ensure the security of data transmission.
  • An embodiment of the present invention provides a network security management method applied to an internal area network.
  • The network transmission device is connected to multiple computer terminals.
  • The network security management method includes: setting, for each computer terminal, a communication authority with respect to specific computer terminals; when one computer terminal requests to transmit a data packet to another computer terminal, determining whether the data packet meets the communication authority; and, when the data packet meets the communication authority, having the network transmission device transmit the data packet to the target computer terminal.
  • When the data packet cannot meet the communication authority, the data packet is deleted or ignored, and a failure message is optionally returned.
  • The communication authority consists of, for each computer terminal, the Internet Protocol address (IP address) of the specific computer terminal at the network layer and the communication port (port) of the application software at the transport layer.
  • The path table stores the media access control address (MAC address) of the computer terminal.
  • A path table is established in the network transmission device according to the communication authority allowing each computer terminal to transmit to specific computer terminals; the path table is used to determine whether the transmission destination of a data packet is allowed.
  • The network security management method of the present invention can confirm whether the data packets transmitted by each computer terminal comply with the exclusive communication authority between computer terminals; it can thereby effectively prevent data viruses from spreading between computer terminals and ensure the security of data transmission.
  • Figure 1 is a schematic diagram of the connection of the present invention.
  • Figure 2 is a schematic diagram of the system architecture of the present invention.
  • Figure 3 is a schematic flow diagram of the method of the present invention.
  • Reference numerals in the figures: first computer terminal 201, second computer terminal 202, third computer terminal 203.
  • The present invention provides a network security management system 100 set up on a network transmission device 1 of an internal area network.
  • The network transmission device 1 is connected to a plurality of computer terminals 2.
  • The network transmission equipment 1 is any one of a hub, a switch and a router.
  • The network security management system 100 of the present invention includes a setting module 10 and a checking module 20.
  • The setting module 10 is provided with a path table 11, which stores the communication authority of each computer terminal 2 with respect to specific computer terminals 2. The path table 11 stores the Internet Protocol address (IP address) of each computer terminal 2 at the network layer and the communication authority of the communication port (port) used by the application software at the transport layer; it may also store the media access control address (MAC address) of each computer terminal 2. In the embodiment of the present invention, each computer terminal 2 uses the same communication port (port) as the specific computer terminal 2 it communicates with.
  • The network transmission equipment 1 is connected to four computer terminals 2: the first computer terminal 201, the second computer terminal 202, the third computer terminal 203 and the fourth computer terminal 204. The setting module 10 sets the communication permissions allowed for transmission or reception in the path table 11 as follows: the first computer terminal 201 specifies the Internet Protocol address of the second computer terminal 202; the second computer terminal 202 specifies the Internet Protocol addresses of the third computer terminal 203 and the fourth computer terminal 204 as the terminals it transmits information to.
  • The fourth computer terminal 204 specifies the Internet Protocol address of the first computer terminal 201 as the terminal it transmits information to. The port number used by application software A of the first computer terminal 201 is 01, and application software A of the second computer terminal 202 uses the same port number 01; the port numbers of application software B and C of the second computer terminal 202 are 02 and 03, application software B of the third computer terminal 203 uses the same port number 02, and application software C of the fourth computer terminal 204 uses the same port number 03; application software D of the fourth computer terminal 204 uses port number 04, and application software D of the first computer terminal 201 uses the same port number 04.
  • The path table 11 also stores the media access control addresses of the first computer terminal 201, the second computer terminal 202, the third computer terminal 203 and the fourth computer terminal 204.
  • The checking module 20 receives a data packet transmitted by one of the computer terminals 2.
  • The data packet carries communication data, namely the Internet Protocol address, communication port and media access control address of the sending computer terminal 2 and of the target receiving computer terminal 2.
  • The checking module 20 judges the communication data of the data packet against the path table 11: when the communication data of the data packet meets the communication authority of the path table 11, the data packet is transmitted to the corresponding target computer terminal 2 according to the communication data;
  • otherwise, the checking module 20 deletes the data packet and returns a failure message, as shown in Figure 3.
  • In detail, the checking module 20 determines whether the communication data of the data packet meets the communication authority of the path table 11 as follows: it first judges, from the Internet Protocol address and the media access control address, that the sending end is the first computer terminal 201; it then judges that the target of the data packet transmitted by the first computer terminal 201 is the Internet Protocol address of the second computer terminal 202 and that the port number of the communication port used is 01, which conforms to the communication authority of the path table 11. It is therefore determined that the data packet conforms to the transmission communication authority.
  • The network transmission device 1 then transmits the data packet to the target second computer terminal 202.
  • Otherwise, the network transmission device 1 can delete or ignore the data packet and optionally return failure information to the sending first computer terminal 201, notifying it that the data packet it transmitted was not successfully delivered to the target second computer terminal 202. The data packet fails to meet the communication authority of the path table 11 in any one or more of the following situations:
  • The media access control address of the sending computer terminal 2 is not stored in the path table 11, meaning that the sending computer terminal 2 was not originally connected to the internal area network and may be a newly added computer terminal 2.
  • The data packet sent by the sending computer terminal 2 is not addressed to an Internet Protocol address specified in the path table 11, meaning that the sending computer terminal 2 is trying to send to another, unauthorized destination computer terminal 2 that is not permitted by the path table 11.
  • The communication port of the data packet transmitted by the sending computer terminal 2 is not a communication port allowed in the path table 11. Since each application software uses a specific communication port for information transmission, this situation indicates that the communication port is being used by application software other than the one intended by default on that computer terminal 2.
  • The present invention provides a network security management method that includes the following steps:
  • The communication authority of each computer terminal 2 connected to the internal area network with respect to specific computer terminals 2 is set in the network transmission device 1 through the setting module 10.
  • The checking module 20 determines whether the communication data of the data packet meets the communication authority stored in the path table 11.
  • When the communication data of the data packet meets the communication authority, the network transmission device 1 transmits the data packet to the target computer terminal 2; if the communication data of the data packet cannot meet the communication authority, the data packet is deleted or ignored, and a failure message is optionally returned.
  • Through the path table 11 stored in the setting module 10 and the checking module 20, the network security management system 100 of the present invention can confirm whether the data packets transmitted by each computer terminal 2 meet the exclusive communication authority between computer terminals 2. In this way, even if the computer terminal 2 at any endpoint is infected with malicious programs or viruses for any reason, the system effectively prevents the computer terminals 2 from further infecting one another with data viruses and ensures the security of data transmission.
  • The present invention only needs to judge whether a data packet is allowed or blocked according to the Internet Protocol address and communication port in the data packet; unlike a firewall, it does not need to inspect the actual payload and transmission characteristics of the data packet to judge whether it is a virus. The present invention therefore does not affect the transmission speed of the internal network.
  • The network security management system 100 of the present invention can operate on the network transmission equipment 1, achieving fast checking and secure information exchange without affecting the performance of the existing network and without requiring additional hardware equipment.
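The path-table check and the four-terminal embodiment described above, written out as an added example that is not part of the patent. The MAC and IP addresses are constructed placeholders, and the class and function names, as well as treating a sender whose IP does not match its stored MAC entry as an unknown sender, are this example's assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward to target terminal"
    UNKNOWN_SENDER = "sender MAC/IP not stored in path table"        # situation 1
    DEST_NOT_PERMITTED = "destination IP not permitted for sender"   # situation 2
    PORT_NOT_PERMITTED = "port not permitted for sender/destination"  # situation 3


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    port: int


@dataclass
class TerminalEntry:
    ip: str
    allowed: dict = field(default_factory=dict)  # dst_ip -> set of permitted ports


class PathTable:
    """Setting module: one entry per terminal, keyed by its MAC address."""
    def __init__(self):
        self.by_mac = {}

    def add_terminal(self, mac, ip):
        self.by_mac[mac] = TerminalEntry(ip)

    def permit(self, src_mac, dst_ip, port):
        self.by_mac[src_mac].allowed.setdefault(dst_ip, set()).add(port)

    def check(self, pkt):
        """Checking module: identify the sender by MAC and IP, then verify destination and port."""
        entry = self.by_mac.get(pkt.src_mac)
        if entry is None or entry.ip != pkt.src_ip:  # assumption: IP/MAC mismatch = unknown sender
            return Verdict.UNKNOWN_SENDER
        ports = entry.allowed.get(pkt.dst_ip)
        if ports is None:
            return Verdict.DEST_NOT_PERMITTED
        if pkt.port not in ports:
            return Verdict.PORT_NOT_PERMITTED
        return Verdict.FORWARD


def handle(table, pkt, return_failure=True):
    """Transmission device: forward, or drop and optionally return a failure message to the sender."""
    verdict = table.check(pkt)
    if verdict is Verdict.FORWARD:
        return pkt.dst_ip, None
    return None, (verdict.value if return_failure else None)


def build_embodiment_table():
    """Four-terminal embodiment; MACs and IPs (RFC 5737 documentation range) are constructed."""
    macs = {n: f"02:00:00:00:02:{n - 200:02x}" for n in (201, 202, 203, 204)}
    ips = {n: f"192.0.2.{n - 200}" for n in (201, 202, 203, 204)}
    table = PathTable()
    for n in macs:
        table.add_terminal(macs[n], ips[n])
    table.permit(macs[201], ips[202], 1)  # application software A: 201 -> 202, port 01
    table.permit(macs[202], ips[203], 2)  # application software B: 202 -> 203, port 02
    table.permit(macs[202], ips[204], 3)  # application software C: 202 -> 204, port 03
    table.permit(macs[204], ips[201], 4)  # application software D: 204 -> 201, port 04
    return table, macs, ips
```

Note that only addresses and ports are inspected, which is exactly why the check is cheap and also why it cannot see a malicious payload that travels over a permitted path.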

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network security management system (100) and an associated method. The network security management system (100) is arranged in a network transmission device (1) of an internal area network, and the network transmission device (1) is connected to a plurality of computer terminals (2). The network security management system (100) comprises a setting module and a checking module, the setting module comprising a path table, and the path table storing a communication authorisation of each computer terminal (2) corresponding to a specific computer terminal (2); the checking module receiving a data packet transmitted by one of the computer terminals (2); and the checking module judging the data packet by means of the path table, and, when communication data of the data packet conform to the communication authorisation of the path table, transmitting the data packet to the corresponding target computer terminal (2) according to the communication data. By this method, mutual data virus infection between the various computer terminals (2) can be effectively avoided, so as to ensure the security of data transmission.
PCT/CN2019/071967 2019-01-16 2019-01-16 Network security management system and method WO2020147032A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/071967 WO2020147032A1 (fr) 2019-01-16 2019-01-16 Network security management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/071967 WO2020147032A1 (fr) 2019-01-16 2019-01-16 Network security management system and method

Publications (1)

Publication Number Publication Date
WO2020147032A1 true WO2020147032A1 (fr) 2020-07-23

Family

ID=71613014

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/071967 WO2020147032A1 (fr) 2019-01-16 2019-01-16 Network security management system and method

Country Status (1)

Country Link
WO (1) WO2020147032A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459604A (zh) * 2008-12-23 2009-06-17 华为技术有限公司 Local switching control method and device
CN102457516A (zh) * 2010-10-27 2012-05-16 株式会社日立制作所 File transfer device, file transfer method and file transfer program
CN103813330A (zh) * 2012-11-15 2014-05-21 中兴通讯股份有限公司 Communication terminal, system and authority management method
US20180069962A1 (en) * 2015-05-07 2018-03-08 Yoshinaga Kato Information processing apparatus, information processing method, and recording medium



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19910419; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19910419; Country of ref document: EP; Kind code of ref document: A1)