CN101170461A - A method and device for strengthening network security - Google Patents
- Publication number
- CN101170461A
- Authority
- CN
- China
- Prior art keywords
- network
- authorization number
- message
- wireless
- wireless device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses a method for strengthening network security, comprising: when a new wireless device accesses the network, the network side judges whether the authorization number of the new device duplicates the authorization number of a wireless device that has already established a connection; if it does, access by the new device is refused; otherwise, the network side waits to receive messages from the new device. The invention also discloses a device for strengthening network security. When a new device accesses the network, the invention verifies whether that device is legitimate by judging whether its authorization number duplicates the authorization number of another device already connected, so that illegal devices can be prevented from accessing the network and network security is further enhanced.
Description
Technical field
The invention relates to the technical field of network security, and in particular to a method and device for strengthening network security.
Background art
In a typical industrial wireless network, the wireless devices are linked by wireless technology, and a user can conveniently access any device in the industrial network over the wireless network. Referring to Figure 1, which is a schematic block diagram of the control system structure of an industrial wireless network, an industrial wireless network usually comprises a monitoring layer network and a field control layer network. The monitoring layer network usually includes an engineer station 101, an operator station 102, a monitoring station 103 and a wireless network security management server 104, where the wireless network security management server 104 maintains and manages the access security of all devices in the industrial wireless network. The field control layer network usually includes an intelligent bridge 105, a wireless routing device 106, and ordinary wireless devices 107 and wireless handheld devices 108 connected to the wireless routing device.
However, at present the monitoring layer network of an existing industrial wireless network usually has no effective means of security verification for the wireless devices that access the field control layer network. An illegal user can therefore connect a malicious device over the wireless network, for example to intercept the data of a transmitter, tamper with the sampled or control data, and send the tampered data to an actuator, so that the entire system of the monitoring layer network of the industrial wireless network is placed in a dangerous situation. Alternatively, in the monitoring network of the industrial wireless network, a mobile PC (computer) or a wireless handheld device 108 can be disguised as an engineer station 101 or an operator station 102 in order to maliciously modify the configuration information of devices in the field control layer network, leaving the control system in a chaotic state.
Summary of the invention
The purpose of the present invention is to provide a method and device for strengthening network security that can block the access of illegal devices in time, so as to improve the access security of the wireless network.
The present invention provides a method for strengthening network security, comprising:
when a new wireless device accesses the network, the network side judges whether the authorization number of the new device duplicates the authorization number of a wireless device that has already established a connection; if it does, access by the new device is refused; otherwise, the network side waits to receive messages from the new device.
Preferably, when it is judged that the authorization number of the new device duplicates that of a wireless device that has already established a connection, the method further comprises:
the network side modifies the authorization number of the wireless device whose number has been duplicated.
Preferably, the method further comprises:
the network side notifies the modified authorization number to the duplicated wireless device, and to the routing device connected to that device, by means of a modification message, requesting that they change to the modified authorization number.
Preferably, before performing the judgment, the method further comprises:
during the process of establishing a connection with the wireless device, the network side sends an authorization number probe request message to the wireless device;
after receiving the authorization number probe response message returned by the wireless device, the network side judges whether the authorization number in the response message is an authorization number permitted to access the network, and if so, performs the judgment step.
Preferably, before receiving the authorization number probe response message returned by the wireless device, the method further comprises:
the network side judges whether the authorization number probe response message returned by the wireless device is received within a preset maximum response time; if so, the step of judging whether the authorization number in the response message is permitted to access the network is performed; otherwise, access by the wireless device is refused.
Preferably, after receiving a message from the new device, the method further comprises:
the network side decrypts the received message according to the decryption method agreed in advance with the field control layer network in which the new device is located;
the decrypted message is then encrypted according to the encryption method agreed in advance with the monitoring layer network on the network side, and sent to the monitoring layer network after encryption.
Preferably, address lists of the field control layer network devices and of the monitoring layer network devices are stored in advance in a device on the network side;
after receiving a message from the new device, the method further comprises:
judging whether the source address and destination address in the received message exist in the address lists of the field control layer network devices and the monitoring layer network devices; if so, the message is forwarded; otherwise, the message is discarded.
Preferably, access rights are preset in each monitoring layer device on the network side;
when an access request message sent by a monitoring layer device to a field control layer device is received, the method further comprises:
judging whether the monitoring layer device that sent the access request message has the right to perform this access operation; if so, the access request message is forwarded to the field control layer device; otherwise, forwarding of the access request message is refused.
Based on the above technical solution, the present invention also discloses a device for strengthening network security, comprising:
a list unit, for storing the authorization numbers of all wireless devices that have established a connection with the network;
a judgment processing unit, for judging, when a new wireless device accesses the network, whether the authorization number of the new device duplicates an authorization number stored in the list unit; if it does, access by the new device is refused; otherwise, the unit waits to receive messages from the new device.
Preferably, the device further comprises:
a modification unit, for modifying the authorization number of the duplicated wireless device among the established connections when the judgment processing unit judges that the authorization number of the new device duplicates that of a wireless device that has already established a connection;
a sending unit, for notifying the new authorization number obtained by the modification unit to the duplicated wireless device, and to the routing device connected to that device, by means of a modification message.
Compared with the prior art, the present invention has the following advantages:
When a new wireless device accesses the network, the present invention can judge, before access, whether the authorization number of the new device duplicates the authorization number of another wireless device that has already established a connection, and thereby check whether the new device is illegal. The invention can thus prevent illegal devices from accessing the network and further enhance network security.
Brief description of the drawings
Figure 1 is a schematic block diagram of the control system structure of an industrial wireless network in the prior art;
Figure 2 is a schematic block diagram of the flow of the method for establishing a connection of a wireless device according to an embodiment of the present invention;
Figure 3 is a schematic block diagram of the flow of the method for monitoring intrusion by illegal devices according to the present invention;
Figure 4 is a flow diagram of an embodiment of the security filtering method of the intelligent bridge according to the present invention;
Figure 5 is a schematic flow diagram of an embodiment of the access rights verification method according to the present invention;
Figure 6 is a structural block diagram of an embodiment of the device according to the present invention;
Figure 7 is a structural block diagram of another embodiment of the device according to the present invention.
Detailed description of the embodiments
The method for strengthening network security disclosed in the embodiments of the present invention can begin detection when a device establishes a connection with the wireless network, and after the connection has been established it can continue to check whether any illegal device has joined among the connected devices. At the same time, network access security can be achieved comprehensively by encrypting the data transmitted in the wireless network and by monitoring the access rights of devices, so that the network is protected from damage by illegal devices.
The various monitoring embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In an embodiment of the method for establishing a connection of a wireless device disclosed by the present invention, a list of permitted authorization numbers is maintained in advance on the routing device on the network side; this list holds the authorization numbers of all devices permitted to access the wireless network. At the same time, every legitimate wireless device is provided with an authorization number that permits it to access the wireless network, so that when a new device accesses the network, the list can be consulted to check whether the accessing device is illegal. Figure 2 is a schematic block diagram of the flow of the method for establishing a connection of a wireless device according to this embodiment; the method comprises:
S201: When the routing device on the network side detects that a wireless device is attempting to establish a wireless connection with it, the routing device sends an authorization number probe request message to the wireless device.
S202: After receiving the request message, the wireless device carries its own authorization number in an authorization number probe response message and sends it to the wireless routing device.
S203: After receiving the authorization number probe response message from the wireless device, the wireless routing device judges whether the authorization number in the response message exists in the list of permitted authorization numbers that it stores; if so, S204 is performed; otherwise, S205 is performed.
The list of permitted authorization numbers stored on the routing device may be allocated by the management server of the network in which the routing device is located, and the authorization numbers of all wireless devices in the list are set by that management server.
S204: The wireless routing device judges that the wireless device is legitimate; it adds the authorization number of the wireless device to the list of connected devices and forwards all messages of the wireless device.
S205: The wireless device is judged to be illegal, and the routing device may refuse to forward all of its messages.
In addition, between S202 and S203 the method may further include: after sending the authorization number probe request message, the wireless routing device starts a timer to measure the response time, and judges whether the authorization number probe response message from the wireless device is received within the maximum response time; if so, S203 continues; otherwise, S205 is performed.
In addition, an embodiment of the present invention discloses a method for monitoring intrusion by illegal devices. In this embodiment, a list of the authorization numbers of all devices permitted to access the network is dynamically maintained in advance on the management server on the network side; the management server may be the wireless network security management server. On the wireless routing device connected to the wireless network security management server, a list of connected devices is dynamically maintained, holding the authorization numbers of all wireless devices that have accessed the wireless network through that routing device. This embodiment judges whether a newly accessed device is illegal by checking whether there is a duplicate in the list of connected devices. Figure 3 is a schematic block diagram of the flow of the method for monitoring intrusion by illegal devices according to the present invention; building on the embodiment of Figure 2, the method comprises:
S301: After a new device has accessed the wireless network through the routing device, and after the routing device has recorded the authorization number of the new device in its own list of connected devices, the routing device sends the list of connected devices, including the authorization number of the new device, to the management server. The management server may be the security management server of the wireless network.
S302: The management server judges whether the authorization number of the new device in the list of connected devices is the same as the authorization number of a connected device that it has stored, that is, whether two devices with the same authorization number are connected to the network at the same time. If so, S303 is performed; otherwise, S306 is performed.
S303: The management server judges that the new device is illegal and notifies the routing device connected to the new device to stop forwarding all messages of the new device. S304 is performed at the same time.
S304: The management server modifies the authorization number of the legitimate device whose number was duplicated, records the new authorization number in its own list of permitted authorization numbers, and sends a modification message to the routing device and to the duplicated device to tell them to replace the authorization number.
S305: On receiving the modification message sent in S304, the routing device records the replacement authorization number specified in the message in its own list of permitted authorization numbers, replacing the original number. Likewise, on receiving the modification message, the duplicated device changes its own authorization number to the one specified in the message and then re-establishes its connection with the wireless routing device.
S306: The management server judges that the new device is legitimate and may continue to wait for messages sent by the new device.
In addition, in S301 of the above embodiment, instead of sending the entire list of connected devices including the authorization number of the new device to the management server for subsequent checking, the routing device may report only the authorization number of the new device. In that case, whenever a new device requests access and the routing device allows it, the routing device notifies the management server of the newly accessed device, and the management server judges each time whether the authorization number of the new device duplicates an existing device authorization number it has already stored.
In addition, whenever the device connections in the network change, for example when a device disconnects, the wireless routing device may also send the list of authorization numbers of all devices connected to the network to the wireless network security management server.
In addition, in S303 the management server, besides judging the authorization number of the newly accessed device in the list, may also judge whether the authorization numbers of all devices already connected anywhere in the network are duplicated, and if so delete the duplicate device that connected later. Correspondingly, in S302 the wireless routing device need not send the list of authorization numbers of connected devices to the management server every time a device connects or disconnects; the list may instead be sent periodically.
In addition, when a device in the network disconnects, the routing device in that network may also send its own list of connected devices to the management server; alternatively, the management server may periodically check whether duplicate authorizations exist among the devices in the network, for example by requiring the routing device to periodically send it the list of authorization numbers of all connected devices.
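The following simulation, added here as an illustration and not part of the patent, walks through the connection procedure of Figure 2 (probe request, response timer, permitted-list check) and the duplicate check of Figure 3 (the management server refuses the second device presenting a number already connected, renumbers the legitimate device and lets it reconnect). The class names, the response timeout value, the replacement-number counter and the sample device numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RESPONSE_TIME = 2.0  # preset maximum response time in seconds (assumed value)


@dataclass(eq=False)
class WirelessDevice:
    auth_no: Optional[int]  # None models a device that never answers the probe

    def answer_probe(self) -> Optional[int]:
        return self.auth_no   # S202: device returns its authorization number


class ManagementServer:
    """Management server of Figure 3: permitted list plus the numbers currently connected."""

    def __init__(self, permitted):
        self.permitted = set(permitted)
        self.connected = {}       # auth_no -> device currently accepted (state checked in S302)
        self.next_number = 1000   # assumed counter used to issue replacement numbers (S304)
        self.log = []

    def report_new_device(self, auth_no, device, router):
        # S302: is a device with the same authorization number already connected?
        if auth_no in self.connected:
            victim = self.connected.pop(auth_no)
            router.stop_forwarding(device)                   # S303: new device is illegal
            new_no = self.fresh_number()
            self.permitted.discard(auth_no)                  # S304: renumber the legitimate device
            self.permitted.add(new_no)
            self.log.append(f"duplicate {auth_no}: new device refused, {auth_no} -> {new_no}")
            router.apply_modification(victim, auth_no, new_no)  # modification message
            return False
        self.connected[auth_no] = device                     # S306: legitimate, keep serving it
        return True

    def fresh_number(self):
        while self.next_number in self.permitted or self.next_number in self.connected:
            self.next_number += 1
        self.next_number += 1
        return self.next_number - 1


class RoutingDevice:
    """Wireless routing device of Figure 2: permitted list and list of established connections."""

    def __init__(self, permitted, server):
        self.permitted = set(permitted)   # permitted list allocated by the server
        self.server = server
        self.sessions = {}                # device -> auth_no for established connections
        self.blocked = set()

    def connect(self, device, response_delay=0.0):
        # S201/S202: probe request; the device answers with its authorization number
        auth_no = device.answer_probe()
        # timer: no probe response within the maximum response time -> refuse (S205)
        if auth_no is None or response_delay > MAX_RESPONSE_TIME:
            return "refused: no probe response in time"
        if auth_no not in self.permitted:                    # S203 -> S205
            return "refused: number not permitted"
        self.sessions[device] = auth_no                      # S204: list of connected devices
        if not self.server.report_new_device(auth_no, device, self):  # S301
            return "refused: duplicate authorization number"
        return "accepted"

    def stop_forwarding(self, device):
        self.blocked.add(device)
        self.sessions.pop(device, None)

    def apply_modification(self, device, old_no, new_no):
        # S305: replace the number in the permitted list; the renumbered device
        # adopts the new number and re-establishes its connection
        self.permitted.discard(old_no)
        self.permitted.add(new_no)
        self.sessions.pop(device, None)
        device.auth_no = new_no
        self.connect(device)

    def forwards(self, device):
        return device in self.sessions and device not in self.blocked


def run_scenario():
    """Constructed scenario: device 42 connects, then a second device presenting the
    same number 42 tries to connect; an unlisted device and a silent device follow."""
    server = ManagementServer({42, 43})
    router = RoutingDevice({42, 43}, server)
    legit, clone = WirelessDevice(42), WirelessDevice(42)
    out = {"legit": router.connect(legit), "clone": router.connect(clone)}
    out["stranger"] = router.connect(WirelessDevice(99))
    out["silent"] = router.connect(WirelessDevice(43), response_delay=5.0)
    out["legit_number"] = legit.auth_no          # renumbered by S304/S305
    out["legit_forwarded"] = router.forwards(legit)
    out["clone_forwarded"] = router.forwards(clone)
    return out
```

Note that the renumbering step only helps if the replacement number is delivered to the legitimate device over a channel the cloning device cannot read; the patent leaves the protection of the modification message to the encryption discussed below.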
In addition, building on the embodiments of Figures 2 and 3, once a wireless device has established a connection with the network, the messages exchanged between the wireless device and the network side may also be encrypted in order to further enhance the security of the wireless network. For example, where the network side connects the management server to the routing device and wireless devices through an intelligent bridge, with the routing device and wireless devices located in the field control layer network and the management server in the monitoring layer network, the messages sent by the wireless device to the network side may be encrypted with a preset encryption method. When the intelligent bridge receives a message from the field control layer network, it decrypts the message with the decryption method agreed in advance with the field control layer network, re-encrypts the decrypted message with the encryption method agreed with the monitoring layer network, and then sends the encrypted message to the management server in the monitoring layer network. The decryption may be an XOR decryption algorithm and the encryption an XOR encryption algorithm.
In addition, building on the above embodiments, the intelligent bridge on the network side may also verify received messages before forwarding them, so as to further strengthen the security filtering of the network. Figure 4 is a flow diagram of an embodiment of the security filtering method of the intelligent bridge according to the present invention; the method comprises:
S401: An address list of all wireless devices in the field control layer network, and an address list of the devices in the monitoring layer network such as the management server, are stored in advance on the intelligent bridge. This list information may be written to the intelligent bridge by the management server on the network side.
S402: The intelligent bridge receives a wireless network message. The message may be one sent from the field control layer network to the monitoring layer network, or one sent from the monitoring layer network to the field control layer network.
S403: The intelligent bridge judges whether the source address and destination address in the message exist, respectively, in the stored wireless device address list and monitoring layer device address list; if so, the message is forwarded; otherwise, the message is discarded and the error is reported to the management server on the network side.
It should be noted that the above embodiment is not limited to implementation by the intelligent bridge; it may also be implemented by other devices in the monitoring layer network and field control layer network that forward messages. In the embodiment of Figure 4, the device addresses of the field control layer network and of the monitoring layer network are stored directly in the intelligent bridge, and verification consists of judging directly whether the addresses in the message exist in the two address lists. Alternatively, two address lists may be kept for the devices of each layer: one for traffic entering that layer, which then serves as a destination address list, and one for traffic leaving that layer, which then serves as a source address list. When a message is verified, it can then be judged whether its source and destination addresses form one of the valid combinations of the field control layer wireless device address list and the monitoring layer device address list, namely a source address of a field control layer wireless device with a destination address of a monitoring layer device, or a source address of a monitoring layer device with a destination address of a field control layer wireless device. The benefit of this finer-grained judgment is that the security of the wireless network is further enhanced.
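An added example, not taken from the patent, of the intelligent bridge as described above: the per-direction address lists of the refined Figure 4 variant decide whether a message is forwarded or dropped and reported, and a message crossing from the field control layer to the monitoring layer is decrypted with the field-layer XOR key and re-encrypted with the monitoring-layer XOR key. Device addresses, the two keys and the message layout are constructed assumptions.

```python
from dataclasses import dataclass

FIELD_KEY = b"\x5a"          # assumed XOR key agreed with the field control layer
MONITOR_KEY = b"\xa7\x13"    # assumed XOR key agreed with the monitoring layer


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class Message:
    src: str
    dst: str
    payload: bytes   # encrypted with the key of the layer the message came from


class IntelligentBridge:
    def __init__(self, field_devices, monitor_devices):
        # S401 (refined variant): two lists per layer, one used when the layer is the
        # source of a message and one when it is the destination
        self.field_src = set(field_devices)
        self.field_dst = set(field_devices)
        self.monitor_src = set(monitor_devices)
        self.monitor_dst = set(monitor_devices)
        self.errors = []  # error reports that would be sent to the management server

    def forward(self, msg: Message):
        """S402/S403: forward only field->monitoring or monitoring->field address pairs,
        re-encrypting the payload for the receiving layer; drop and report anything else."""
        if msg.src in self.field_src and msg.dst in self.monitor_dst:
            clear = xor_bytes(msg.payload, FIELD_KEY)       # decrypt with field-layer method
            return Message(msg.src, msg.dst, xor_bytes(clear, MONITOR_KEY))
        if msg.src in self.monitor_src and msg.dst in self.field_dst:
            clear = xor_bytes(msg.payload, MONITOR_KEY)
            return Message(msg.src, msg.dst, xor_bytes(clear, FIELD_KEY))
        self.errors.append(f"dropped {msg.src}->{msg.dst}")
        return None


def demo():
    # constructed addresses using the numbering of Figure 1
    bridge = IntelligentBridge(field_devices={"wd-107", "wd-108"},
                               monitor_devices={"mgmt-104", "op-102"})
    reading = b"temp=21.5"
    sent = Message("wd-107", "mgmt-104", xor_bytes(reading, FIELD_KEY))
    relayed = bridge.forward(sent)
    results = {"relayed_plain": xor_bytes(relayed.payload, MONITOR_KEY)}
    # field device addressing another field device through the bridge: not a valid pair
    results["field_to_field"] = bridge.forward(Message("wd-107", "wd-108", b""))
    # source address absent from every list: dropped and reported
    results["unknown_src"] = bridge.forward(Message("rogue", "mgmt-104", b""))
    results["errors"] = list(bridge.errors)
    return results
```

Repeating-key XOR as used in the patent gives no confidentiality or integrity against anyone who captures a few messages; a deployment would substitute an authenticated cipher for the two keys while keeping the same decrypt-then-re-encrypt structure at the bridge.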
In addition, building on the above embodiments, the present invention may also set access rights for the devices of the monitoring layer network on the network side, so that every message sent by a monitoring layer device to a field control layer device is subjected to rights verification, further increasing the security of network access. Figure 5 is a schematic flow diagram of an embodiment of the access rights verification method according to the present invention; the method comprises:
S501: Access rights are preset on each device in the monitoring layer network on the network side. The rights may be set by the management server on the network side.
S502: The management server intercepts the access request message sent by a monitoring layer device to a field control layer device.
S503: The management server judges whether the monitoring layer device that sent the access request message has the right to perform this access operation; if so, S504 is performed; otherwise, S505 is performed.
S504: The access request message is forwarded to the field control layer device.
S505: Forwarding of the access request message is abandoned, and a response message concerning the request is returned to the monitoring layer device to inform it that access rights were not obtained.
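The access rights verification of Figure 5 as an added example (not the patent's own code): the management server intercepts each access request from a monitoring layer device, checks a preset rights table, and either forwards the request or answers the requester with a denial. The rights table, the operation names and the wildcard convention are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    src: str        # monitoring layer device that issued the request
    dst: str        # field control layer device being addressed
    operation: str  # e.g. "read", "write", "configure" (assumed operation names)


class AccessControlServer:
    """Management server role of Figure 5: intercepts requests and verifies rights."""

    def __init__(self, rights):
        # S501: rights preset per monitoring layer device as a set of
        # (target device, operation) pairs; "*" as target means any field device
        # (an assumed wildcard convention, not from the patent)
        self.rights = rights
        self.forwarded = []   # requests passed on to the field control layer (S504)

    def has_right(self, req: AccessRequest) -> bool:
        allowed = self.rights.get(req.src, set())
        return (req.dst, req.operation) in allowed or ("*", req.operation) in allowed

    def intercept(self, req: AccessRequest) -> dict:
        """S502/S503: inspect the intercepted request; S504 forward, or S505 deny
        and return a response message to the requesting monitoring layer device."""
        if self.has_right(req):
            self.forwarded.append(req)
            return {"status": "forwarded", "to": req.dst}
        return {"status": "denied", "to": req.src,
                "reason": f"{req.src} has no {req.operation} right on {req.dst}"}


def demo() -> dict:
    # constructed rights table using the station and device numbers of Figure 1
    server = AccessControlServer({
        "eng-101": {("*", "read"), ("*", "configure")},
        "op-102": {("*", "read"), ("wd-107", "write")},
    })
    return {
        "eng_config": server.intercept(AccessRequest("eng-101", "wd-108", "configure"))["status"],
        "op_write_107": server.intercept(AccessRequest("op-102", "wd-107", "write"))["status"],
        "op_config_108": server.intercept(AccessRequest("op-102", "wd-108", "configure"))["status"],
        # a device with no entry in the rights table gets nothing forwarded
        "unlisted": server.intercept(AccessRequest("hh-108", "wd-107", "read"))["status"],
        "forwarded": len(server.forwarded),
    }
```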
Based on the above technical solution, the present invention further discloses a device for strengthening network security, which may be integrated on a network-side wireless network security management server. As shown in Figure 6, the device comprises a list unit 601 and a judgment processing unit 602. The list unit 601 is used to store the authorization numbers of all wireless devices that have already established a connection with the network; the judgment processing unit 602 is used, when a new wireless device accesses the network, to judge whether the authorization number of the new device duplicates an authorization number stored in the list unit 601, and if it does, to reject the access of the new device, and otherwise to wait to receive messages from the new device.
Based on the technical solution of the device embodiment shown in Figure 6, the present invention further discloses another device embodiment, whose structural block diagram is shown in Figure 7. In addition to the units shown in Figure 6, this device further comprises a modification unit 701 and a sending unit 702. The modification unit 701 is used, when the judgment processing unit 602 determines that the authorization number of the new device duplicates that of a wireless device with an established connection, to modify the authorization number of the duplicated wireless device in the established connection; the sending unit 702 is used to notify the duplicated wireless device, and the routing device connected to it, of the new authorization number obtained by the modification unit 701 by means of a modification message.
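As an added illustration (not code from the patent), the following Python model combines the S501-S505 access gate with the list, judgment, modification and sending units of Figures 6 and 7 in one management-server class; the class and method names, the message dictionaries and the pool of fresh authorization numbers are assumptions.

```python
import itertools


class SecurityManager:
    """Network-side management server modelled on the patent's units.
    All names, message formats and numbers here are assumptions."""

    def __init__(self, permissions):
        # List unit 601: authorization number of every connected wireless
        # device, keyed by device id, plus the router that serves it.
        self.connected = {}   # device_id -> {"auth_no": int, "router": str}
        # S501: access rights pre-set per monitoring-layer device.
        self.permissions = set(permissions)  # {(device_id, operation), ...}
        self._fresh = itertools.count(5000)  # constructed pool of unused numbers
        self.outbox = []      # messages the sending unit 702 would transmit

    def _fresh_number(self):
        # Pick a replacement number not held by any connected device.
        n = next(self._fresh)
        while any(d["auth_no"] == n for d in self.connected.values()):
            n = next(self._fresh)
        return n

    def admit_device(self, device_id, auth_no, router):
        """Judgment unit 602; on a duplicate also units 701/702 (Figure 7)."""
        for old_id, rec in self.connected.items():
            if rec["auth_no"] == auth_no:
                # Duplicate number: reject the newcomer, renumber the device
                # already connected and notify it and its router.
                new_no = self._fresh_number()
                rec["auth_no"] = new_no
                for dest in (old_id, rec["router"]):
                    self.outbox.append({"type": "modify", "to": dest,
                                        "device": old_id, "auth_no": new_no})
                return "rejected"
        self.connected[device_id] = {"auth_no": auth_no, "router": router}
        return "wait_for_message"

    def handle_access_request(self, req):
        """S502-S505: gate a monitoring-layer request to the control layer."""
        if (req["src"], req["op"]) in self.permissions:
            return {"action": "forward", "to": req["dst"], "request": req}
        return {"action": "respond", "to": req["src"],
                "response": {"status": "no_access", "op": req["op"]}}
```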
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
From the description of the above embodiments, a person skilled in the art can clearly understand that the present invention may be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disk, and comprises a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the various embodiments of the present invention or in certain parts of those embodiments.
The embodiments of the present invention described above do not limit the protection scope of the present invention. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101952384A (granted as CN101170461B) | 2007-12-04 | 2007-12-04 | A method and device for enhancing network security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101170461A (en) | 2008-04-30 |
CN101170461B (en) | 2010-10-06 |
Family ID: 39390940
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007101952384A (granted as CN101170461B; Expired - Fee Related) | 2007-12-04 | 2007-12-04 | A method and device for enhancing network security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101170461B (en) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100373896C (en) * | 2002-07-26 | 2008-03-05 | 中兴通讯股份有限公司 | Virtual special dialing network business data packet retransmission method |
CN100499900C (en) * | 2005-12-02 | 2009-06-10 | 华为技术有限公司 | Method for authentication of access of wireless communication terminal |
Events
- 2007-12-04: application CN2007101952384A filed in CN; granted as CN101170461B; status not active (Expired - Fee Related)
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108833607A (en) * | 2018-06-12 | 2018-11-16 | 腾讯科技(深圳)有限公司 | Physical address acquisition methods, device and readable medium |
CN108833607B (en) * | 2018-06-12 | 2022-03-11 | 腾讯科技(深圳)有限公司 | Physical address acquisition method, device and readable medium |
CN110784431A (en) * | 2018-07-30 | 2020-02-11 | 比亚迪股份有限公司 | Vehicle-mounted Ethernet secure access method, system, vehicle-mounted gateway and network equipment |
CN112351029A (en) * | 2020-11-04 | 2021-02-09 | 内蒙古电力(集团)有限责任公司内蒙古电力科学研究院分公司 | Integrated system based on detection equipment |
Also Published As
Publication number | Publication date |
---|---|
CN101170461B (en) | 2010-10-06 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN112260995B (en) | Access authentication method, device and server | |
CN102970299B (en) | File safe protection system and method thereof | |
CN104580233B (en) | An Internet of Things smart home security gateway system | |
US9294270B2 (en) | Detection of stale encryption policy by group members | |
CN102685165B (en) | Method and device for controlling access request on basis of proxy gateway | |
CN103079200B (en) | The authentication method of a kind of wireless access, system and wireless router | |
KR102396528B1 (en) | System for controlling network access based on controller and method of the same | |
US20140189356A1 (en) | Method of restricting corporate digital information within corporate boundary | |
CN202663444U (en) | Cloud safety data migration model | |
CN102195957A (en) | Resource sharing method, device and system | |
CN103875226A (en) | System and method for host-initiated firewall discovery in a network environment | |
CN108111536B (en) | Application-level secure cross-domain communication method and system | |
KR102377248B1 (en) | System for controlling network access based on controller and method of the same | |
CN111988289A (en) | EPA industrial control network security test system and method | |
CN115250203A (en) | A method, device and related products for controlling equipment access | |
CN106992978A (en) | Network safety managing method and server | |
CN105812338B (en) | A data access control method and network management device | |
CN101170461A (en) | A method and device for strengthening network security | |
KR101425726B1 (en) | Linked network security system and method based on virtualization in the separate network environment | |
CN116527365A (en) | System and method for realizing air traffic control heterogeneous data sharing | |
CN114662080B (en) | Data protection method and device and desktop cloud system | |
KR102377246B1 (en) | System for controlling network access based on controller and method of the same | |
CN108737445A (en) | Security strategy sharing method and security strategy shared system | |
Lacroix et al. | Vehicular ad hoc network security and privacy: A second look | |
CN108400967A (en) | A kind of method for authenticating and right discriminating system |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20101006; Termination date: 20181204 |