CN114143076A - A security protection system for the Internet of Things in electric power - Google Patents
- Publication number: CN114143076A
- Application number: CN202111435812.5A
- Authority: CN (China)
- Legal status: Granted (Google Patents notes that the listed legal status is an assumption, not a legal conclusion, and that no legal analysis has been performed)
Classifications (all under H04L, transmission of digital information)
- H04L63/0281: Network architectures or protocols for network security, separating internal from external traffic (e.g. firewalls); proxies
- H04L12/4641: Data switching networks, interconnection of networks; virtual LANs (VLANs), e.g. virtual private networks (VPN)
- H04L49/208: Packet switching elements, support for services; port mirroring
- H04L49/70: Packet switching elements; virtual switches
Abstract
The invention provides a security protection system for the electric power Internet of Things (IoT), applied in an edge IoT agent. The system comprises a virtual switch and a plurality of security components; each security component is packaged in its own virtual container and connected to the virtual switch. The virtual switch has a plurality of virtual ports and is connected to the security components through them; by matching the virtual ports in pairs through flow table entries, the virtual switch controls the order in which data packets are passed between the security components and thereby orchestrates them. By applying a virtual switching framework in the edge IoT agent, realising virtual-port pairing through flow table entry control and thus controlling the flow direction of layer-2 frames, the system achieves on-demand dynamic orchestration of security components and meets the requirements of accurate, moderate, lightweight and flexible security protection for electric power IoT service scenarios.
Description
Technical Field
The invention relates to the technical field of electric power Internet of Things security, and in particular to a security protection system for the electric power Internet of Things.
Background
With the wide application of Internet of Things (IoT) technology, the number of IoT terminals grows geometrically. These terminals are connected to the network through sensing, communication and computer technologies, which places higher demands on network security protection. As the network structure becomes more complex and large numbers of heterogeneous terminals are connected, the hierarchical architecture of the electric power IoT introduces an edge IoT agent to perform local handling and security protection at the edge and to provide a first line of defence at the edge of the IoT. To protect terminal security in the electric power IoT, a variety of security devices are generally deployed in the edge IoT agent, or a variety of security services are provided, such as a Web Application Firewall (WAF), an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). In this hardware-stacking deployment mode many edge functions overlap, integration is lacking, and deployment cost is extremely high. At the same time, security protection requirements change dynamically with the environment and the service, whereas hardware-based security measures are relatively rigid and their differing control interfaces make linkage and unified scheduling difficult; the measures therefore lack elasticity and do not suit the electric power IoT's requirements for accurate and proportionate protection. At present the following problems remain to be solved in the edge security protection of the electric power IoT:
(1) The security protection measures of the edge IoT agent depend on a hardware deployment mode, and the protection requirements are hard to implement effectively. The IoT security system includes security functions such as secure terminal access, secure platform access and security monitoring; these edge functions overlap and lack integration, they depend on hardware deployment, the geographic location where the edge IoT agent is deployed is not controllable, and the agent is constrained by cost, technology and similar factors, so traditional security measures are difficult to implement effectively.
(2) The security protection capability of the edge IoT agent is fixed once deployed and cannot adapt to the dynamically changing security requirements of the electric power IoT. Security requirements differ across the power transmission, transformation, distribution, consumption and dispatching scenarios, and they also change dynamically with the actual environment and the business; once the existing security measures of the edge IoT agent are deployed they are fixed, so the edge-side protection capability lacks elasticity.
(3) The internal traffic of the edge IoT agent lacks security orchestration and analysis and cannot be controlled according to the actual security situation on the field side. Today edge-side security protection is of a "shell" type: the protective effect is achieved by deploying dedicated hardware externally, the agent's internal traffic is not dynamically orchestrated, monitored or analysed, the control granularity is relatively coarse, and no fine-grained internal control can be applied according to the agent's actual security situation.
Disclosure of Invention
Therefore, the technical problem the invention solves is to overcome the defects of prior-art security deployment modes that rely on hardware stacking: overlapping functions, lack of integration, extremely high deployment cost and the inability to change flexibly with requirements. To this end the invention provides a security protection system for the electric power Internet of Things.
The invention provides a security protection system for the electric power IoT, applied in an edge IoT agent. The system comprises a virtual switch and a plurality of security components; each security component is packaged in its own virtual container and connected to the virtual switch. The virtual switch has a plurality of virtual ports and is connected to the security components through them; by matching the virtual ports in pairs through flow table entries, the virtual switch controls the order in which data packets are passed between the security components and thereby orchestrates them.
Optionally, the system further includes a service application packaged in a virtual container, connected to the virtual switch through one of its virtual ports and running on it; the service application sends data packets to a specified destination address and port through the security components and/or receives data packets through them.
Optionally, the system further includes a forwarding component and a virtual bridge. The forwarding component is packaged in a virtual container and has two virtual network ports, connected respectively to the virtual switch and to the virtual bridge; it receives data packets sent by the security components and sends them to the destination host through the virtual bridge, or receives packets through the virtual bridge and sends them to the security components. The virtual bridge is connected to the forwarding component and to the operating system of the edge IoT agent; it receives data packets and passes them to the operating system, which forwards them to the destination host through the agent's physical network port.
Optionally, the virtual switch and the virtual bridge operate in different network segments; the forwarding component's virtual network port connected to the virtual switch operates in the switch's segment, and its port connected to the virtual bridge operates in the bridge's segment.
Optionally, after receiving a data packet through its virtual port, a security component rewrites the packet's original destination IP to its own IP according to the destination address translation rule in the firewall; the component's application layer then processes the packet and re-packages it for transmission.
Optionally, the security components include a secure access component that performs security interaction with the IoT sensing terminals, using the terminals' software and hardware fingerprint information and deployed agentlessly via a bypass.
Optionally, the security components include a secure access component that performs security interaction with the IoT management platform and is deployed in the edge IoT agent as a security-protocol processing process.
Optionally, the secure access component supports the SSAL/SSL protocol.
Optionally, the security components include a security monitoring component that monitors the data transmitted in the virtual switch and sends the monitoring result to the secure access component, which in turn sends it to the IoT management platform.
Optionally, the virtual ports include a mirror port through which the security monitoring component is connected to the virtual switch. The mirror port obtains a mirror copy of the data on designated virtual ports and feeds it to the security monitoring component, which monitors the mirrored data and produces the monitoring result.
The technical scheme of the invention has the following advantages:
By applying a virtual switching framework in the edge IoT agent, realising virtual-port pairing through flow table entry control and thereby controlling the flow direction of layer-2 frames, the system achieves on-demand dynamic orchestration of security components and meets the requirements of accurate, moderate, lightweight and flexible security protection for electric power IoT service scenarios.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic block diagram of a specific example of the electric power IoT security protection system in an embodiment of the invention;
Fig. 2 is a diagram of the security protection architecture of the edge IoT agent in an embodiment of the invention;
Fig. 3 shows the result of running telnet in the APPs container in an embodiment of the invention;
Fig. 4(a) shows the result of running the program in SDK1 in an embodiment of the invention;
Fig. 4(b) shows the result of running the program in SDK2 in an embodiment of the invention;
Fig. 5(a) shows the tcpdump result in SDK1 in this embodiment of the invention;
Fig. 5(b) shows the tcpdump result in SDK2 in this embodiment of the invention;
Fig. 6 shows the mirrored data captured by tcpdump in SDK3 in an embodiment of the invention;
Fig. 7(a) shows the tcpdump result in SDK1 in this embodiment of the invention;
Fig. 7(b) shows the tcpdump result in SDK2 in this embodiment of the invention;
Fig. 8 shows the mirrored data captured by tcpdump in SDK3 in an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the technical features related to the different embodiments of the present invention described below can be combined with each other as long as they do not conflict with each other.
The embodiment of the invention provides an electric power IoT security protection system applied in an edge IoT agent. As shown in Fig. 1, the system comprises a virtual switch and a plurality of security components; each security component is encapsulated in a virtual container and connected to the virtual switch.
In an optional embodiment, a virtual container is connected to the virtual switch by binding a virtual network interface to it.
In this embodiment, the edge IoT agent security protection prototype is deployed by software integration, as shown in Fig. 2; the edge IoT agent sits at the terminal layer of the IoT.
In this embodiment, the security functions of the edge IoT agent are packaged into different security components. By way of example, the functions of the edge IoT agent include communication protocol adaptation, data storage and processing, management and control strategies, edge computing, data model adaptation, security strategies, access to the communication network, and security interaction with the IoT sensing terminals. In an alternative embodiment these security functions are grouped into types; functions of the same type are packaged in the same security component, and different security components are packaged in different virtual containers.
In an alternative embodiment, each security component can provide the programmable and customizable capability of the security component prototype externally in the form of an Application Programming Interface (API), that is, the security function of the security component can be customized according to actual requirements through the API.
The virtual switch has a plurality of virtual ports and is connected to the security components through them; by matching the virtual ports in pairs through flow table entries, it controls the order in which data packets are passed between the security components and thereby orchestrates them.
In an optional embodiment, each security component is connected to two virtual ports: it receives data packets through one and sends them on through the other.
In an optional embodiment, matching the virtual ports with each other means defining an input-output correspondence between them, i.e. a connection relationship; when that connection relationship changes, the order in which data packets pass through the security components changes with it.
For example, as shown in Fig. 1, if the correspondence between the virtual ports is port 1 to port 2 and port 3 to port 4, a data packet output from virtual port 1 enters the first security component (SDK1) through virtual port 2, is output by SDK1 from virtual port 3 and enters the second security component (SDK2) through virtual port 4, and is finally output by SDK2 from virtual port 5. In this configuration the orchestration order of the security components is therefore SDK1 -> SDK2.
If instead the correspondence is port 1 to port 4 and port 2 to port 5, a data packet output from virtual port 1 enters SDK2 through virtual port 4, is output by SDK2 from virtual port 5 and enters SDK1 through virtual port 2, and is finally output by SDK1 from virtual port 3. In this configuration the orchestration order is SDK2 -> SDK1.
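The two port-pairing configurations above, as an added worked model that is not code from the patent. It represents a flow table entry as "output port -> paired input port", gives SDK1 ingress port 2 and egress port 3 and SDK2 ingress port 4 and egress port 5 as in the text, and assumes port 1 for the service application and a port 6 (not in the patent) as the exit towards the forwarding component. Walking the pairings from port 1 yields the orchestration order, and the same walk rejects a pairing that creates a forwarding loop or leaves a port unpaired, which is the check an operator wants before pushing a new flow table.

```python
"""Added example: how flow-table port pairings decide the order in which
frames traverse the security components (model of Fig. 1, not patent code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Component:
    name: str
    ingress: int  # virtual port on which the component receives frames
    egress: int   # virtual port on which it sends frames back to the switch


COMPONENTS = [Component("SDK1", 2, 3), Component("SDK2", 4, 5)]
APP_PORT, EXIT_PORT = 1, 6  # EXIT_PORT is an assumed port, not from the patent

# Fig. 1, first configuration: 1<->2, 3<->4 (SDK2's output 5 then leaves via the exit)
PAIRING_SDK1_FIRST = {1: 2, 3: 4, 5: 6}
# Fig. 1, second configuration: 1<->4, 5<->2 (SDK1's output 3 then leaves via the exit)
PAIRING_SDK2_FIRST = {1: 4, 5: 2, 3: 6}
# A misconfiguration: SDK2's output is paired back to SDK1's input
PAIRING_WITH_LOOP = {1: 2, 3: 4, 5: 2}


def walk_chain(pairing: Dict[int, int], components: Iterable[Component],
               start_port: int = APP_PORT, exit_port: int = EXIT_PORT) -> List[str]:
    """Follow the pairings from start_port and return, in order, the names of
    the components a frame traverses before it reaches exit_port.
    Raises ValueError on a dangling port, an unknown ingress port or a loop."""
    by_ingress = {c.ingress: c for c in components}
    chain: List[str] = []
    visited = set()
    port = start_port
    while True:
        if port in visited:
            raise ValueError(f"forwarding loop at port {port}")
        visited.add(port)
        if port not in pairing:
            raise ValueError(f"port {port} has no flow-table entry")
        nxt = pairing[port]
        if nxt == exit_port:
            return chain
        if nxt not in by_ingress:
            raise ValueError(f"port {nxt} is not a component ingress")
        comp = by_ingress[nxt]
        chain.append(comp.name)
        port = comp.egress  # the component hands the frame back on its egress port


def chain_is_valid(pairing: Dict[int, int], components: Iterable[Component] = COMPONENTS) -> bool:
    """True when a frame from the app port reaches the exit without loops or gaps."""
    try:
        walk_chain(pairing, components)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(walk_chain(PAIRING_SDK1_FIRST, COMPONENTS))  # ['SDK1', 'SDK2']
    print(walk_chain(PAIRING_SDK2_FIRST, COMPONENTS))  # ['SDK2', 'SDK1']
    print(chain_is_valid(PAIRING_WITH_LOOP))            # False
```

Because the components keep their ports and only the pairings change, re-ordering the chain is purely a flow-table update; the validity check is what prevents a bad update from trapping frames in the switch.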
According to the electric power IoT security protection system of this embodiment, a virtual switching framework is applied in the edge IoT agent; virtual-port pairing is realised through flow table entry control, the flow direction of layer-2 frames is thereby controlled, on-demand dynamic orchestration of security components is achieved, and the requirements of accurate, moderate, lightweight and flexible security protection for electric power IoT service scenarios are met.
In an optional embodiment, the system further includes a service application (APP). The service application is encapsulated in a virtual container, connected to the virtual switch through one of its virtual ports and running on it, and is configured to send data packets to a specified destination address and port through the security components and/or to receive data packets through them. In this embodiment the service application has the capability to send packets outward, and the security components have port forwarding capability.
In an alternative embodiment, when there are multiple different service applications, they are packaged in different containers and used to transmit different types of data packets.
In an optional embodiment, the service application is connected to the virtual switch through a virtual port, and when the virtual port is pairwise matched through the flow table entry, the virtual switch matches the virtual port connected to the service application with one of the virtual ports connected to the security component, and controls a packet sent by the service application to be received by one of the security components and forwarded through the security component.
In an alternative embodiment, each security component, service application, and virtual switch operate on the same network segment, and in the embodiment shown in fig. 1, the network segment on which each security component, service application, and virtual switch operate is 192.268.121.0/24.
In an optional embodiment, the power internet of things security protection system further comprises a forwarding component and a virtual bridge.
The forwarding component is packaged in a virtual container and has two virtual network ports, connected respectively to the virtual switch and to the virtual bridge; it receives data packets sent by the security components and sends them to the destination host through the virtual bridge, or receives packets through the virtual bridge and sends them to the security components.
In an optional embodiment, the forwarding component listens on a designated port and, after receiving a data packet, routes it to the destination host.
In an optional embodiment, the virtual switch and the virtual bridge work in different network segments: the forwarding component's virtual network port connected to the virtual switch works in the switch's segment, and its port connected to the virtual bridge works in the bridge's segment.
Illustratively, in the embodiment shown in fig. 1, the network segment on which the virtual switch operates is 192.268.121.0/24, the network segment on which the virtual bridge operates is 192.268.122.0/24, the network segment on which the virtual port connected to the virtual switch operates in the forwarding component is 192.268.121.0/24, and the network segment on which the virtual port connected to the virtual bridge operates is 192.268.122.0/24.
In the embodiment of the invention, the two virtual network ports of the forwarding component work in different network segments, thereby playing a role in network isolation.
The virtual bridge is connected to the forwarding component and to the operating system of the edge IoT agent; it receives data packets and passes them to the operating system, which forwards them to the destination host through the agent's physical network port.
In the embodiment of the invention, the virtual bridge is used as the outlet of the virtual switch flow and is also used as a network isolation component to ensure that each virtual container is not exposed on the public network.
In an optional embodiment, after receiving a data packet through its virtual port, a security component rewrites the packet's original destination IP to its own IP according to the destination address translation (DNAT) rule in the firewall; the component's application layer then processes the packet and re-packages it for transmission.
In an optional embodiment, a host firewall is configured when the system is built. Once the firewall's destination address translation rule has changed the original destination IP in a packet to the security component's own IP, the packet can be received by the component's application layer, which processes it and then sends it on re-packaged.
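The rewrite, inspect and re-package sequence just described, as an added example that is not code from the patent. The firewall rule is modelled as an analogue of `iptables -t nat -A PREROUTING -i <iface> -p tcp --dport <port> -j DNAT --to <self ip>` (an assumption about how the host firewall is written); all addresses are constructed TEST-NET values rather than the patent's segments, and the application-layer check is a stand-in for the component's real logic. The point the example adds is that the component must remember the original destination per flow, as a connection-tracking table does, or it cannot restore it when re-packaging, and that the rule is scoped to an ingress interface and port so only the traffic meant for inspection is redirected.

```python
"""Added example: destination-NAT into a security component and restoring
the original destination on the way out (model, not patent code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class DnatRule:
    in_iface: str  # only traffic arriving on this virtual port is redirected
    dport: int     # only this destination port is redirected
    to_ip: str     # the component's own IP


class SecurityComponent:
    def __init__(self, self_ip: str, rules: List[DnatRule]):
        self.self_ip = self_ip
        self.rules = rules
        # original destination per flow, so it can be restored on egress
        self.conntrack: Dict[Tuple[str, int], str] = {}

    def prerouting(self, pkt: Packet, in_iface: str) -> Packet:
        """Apply the first matching DNAT rule and remember the original dst."""
        for rule in self.rules:
            if rule.in_iface == in_iface and rule.dport == pkt.dport:
                self.conntrack[(pkt.src, pkt.dport)] = pkt.dst
                return replace(pkt, dst=rule.to_ip)
        return pkt

    def application_layer(self, pkt: Packet) -> Optional[bytes]:
        """Stand-in inspection: reject oversized or non-text payloads."""
        if len(pkt.payload) > 1024:
            return None
        if any(b < 0x20 and b not in b"\r\n\t" for b in pkt.payload):
            return None
        return pkt.payload

    def process(self, pkt: Packet, in_iface: str) -> Optional[Packet]:
        """Return the re-packaged packet, the untouched packet when no rule
        matched (pass-through), or None when the application layer drops it."""
        pkt = self.prerouting(pkt, in_iface)
        if pkt.dst != self.self_ip:
            return pkt
        # a packet genuinely addressed to us has no stored original destination
        original_dst = self.conntrack.pop((pkt.src, pkt.dport), pkt.dst)
        payload = self.application_layer(pkt)
        if payload is None:
            return None
        return replace(pkt, dst=original_dst, payload=payload)


# Constructed sample: SDK1 at 192.0.2.2 redirects port-8080 traffic on its ingress port
SDK1 = SecurityComponent("192.0.2.2", [DnatRule("eth0", 8080, "192.0.2.2")])
SAMPLE = Packet("192.0.2.10", "198.51.100.20", 8080, b"GET /status HTTP/1.1\r\n")

if __name__ == "__main__":
    print(SDK1.prerouting(SAMPLE, "eth0").dst)   # 192.0.2.2
    print(SDK1.process(SAMPLE, "eth0").dst)      # 198.51.100.20
```

With a real netfilter stack the conntrack entry is created by the kernel when the DNAT rule matches and is consulted automatically for reply and forwarded traffic; the model makes that bookkeeping explicit so the dependency is visible.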
In an optional embodiment, the security components include a secure access component that performs security interaction with the IoT sensing terminals. An identifier for each sensing terminal is generated from the terminal's software and hardware fingerprint information; each terminal's identifier is unique, and the terminal is authenticated through it.
In an optional embodiment, the secure access component realises terminal identity authentication, access authority control, and discovery and blocking of abnormal behaviour. It addresses the security problems caused by the current lack of strict control over IoT terminal access, such as access by illegal terminals, illegal control of terminals and unauthorised terminal access; it overcomes the drawbacks of traditional solutions, which depend on modifying terminals or the network and cover terminals incompletely; and it suits the complexity, heterogeneity and uncontrollable environment characteristic of IoT terminals.
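Fingerprint-derived terminal identification, as an added example that is not code from the patent. The patent does not say which attributes the fingerprint contains or how the identifier is formed, so the field list, the domain-separation prefix and the sample terminal values are all constructed here. The example shows why the fingerprint has to be canonicalised before hashing (otherwise key order, letter case or whitespace would yield a different identifier for the same terminal) and how the enrolment registry enforces the uniqueness the text requires.

```python
"""Added example: unique terminal identifier from software/hardware
fingerprint information, with enrolment and authentication (model, not patent code)."""
import hashlib
import json
from typing import Dict, Optional

# Assumed fingerprint attributes; a real deployment would fix its own set.
FINGERPRINT_FIELDS = ("vendor", "model", "hw_serial", "mac", "firmware")


def canonical_fingerprint(info: Dict[str, str]) -> str:
    """Normalise the fingerprint so trivial differences (key order, letter
    case, surrounding whitespace) do not produce a different identifier."""
    missing = [f for f in FINGERPRINT_FIELDS if f not in info]
    if missing:
        raise ValueError(f"fingerprint lacks fields: {missing}")
    canon = {f: str(info[f]).strip().lower() for f in FINGERPRINT_FIELDS}
    return json.dumps(canon, sort_keys=True, separators=(",", ":"))


def derive_terminal_id(info: Dict[str, str]) -> str:
    """SHA-256 of the canonical fingerprint, domain-separated so the same
    bytes hashed for another purpose cannot collide with a terminal identifier."""
    data = b"power-iot-terminal-id:v1|" + canonical_fingerprint(info).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class TerminalRegistry:
    """Enrolment registry kept by the secure access component: identifier -> terminal name."""

    def __init__(self) -> None:
        self._by_id: Dict[str, str] = {}

    def enroll(self, name: str, info: Dict[str, str]) -> str:
        tid = derive_terminal_id(info)
        # two different terminals must never share an identifier
        if tid in self._by_id and self._by_id[tid] != name:
            raise ValueError(f"identifier already enrolled for {self._by_id[tid]}")
        self._by_id[tid] = name
        return tid

    def authenticate(self, info: Dict[str, str]) -> Optional[str]:
        """Return the enrolled terminal name, or None if the fingerprint is unknown."""
        return self._by_id.get(derive_terminal_id(info))


# Constructed sample terminal (all values are placeholders)
METER_01 = {"vendor": "ExampleCo", "model": "PM-100", "hw_serial": "SN-0001",
            "mac": "02:00:5E:00:00:01", "firmware": "1.4.2"}

if __name__ == "__main__":
    registry = TerminalRegistry()
    registry.enroll("meter-01", METER_01)
    print(registry.authenticate(METER_01))                                   # meter-01
    print(registry.authenticate({**METER_01, "hw_serial": "SN-0002"}))       # None
```

Including a mutable attribute such as the firmware version in the fingerprint means a firmware upgrade changes the identifier and the terminal must be re-enrolled; whether to include such fields is a deployment decision that trades tamper sensitivity against operational churn.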
In an optional embodiment, the security components include a secure access component that performs security interaction with the IoT management platform.
In an optional embodiment, this secure access component supports the SSAL/SSL protocol, is deployed in the edge IoT agent as a security-protocol processing process, and is responsible for SSAL/SSL protocol encapsulation and decapsulation, segmentation and reassembly of large packets, basic cryptographic algorithm operations, and session key negotiation with the access gateway.
In an optional embodiment, the virtual ports of the virtual switch include a mirror port, and the security components include a security monitoring component.
The security monitoring component is connected to the virtual switch through the mirror port. For example, in the embodiment of Fig. 1, virtual port 7 of the virtual switch is the mirror port, SDK3 is the security monitoring component, and SDK3 is connected to the virtual switch through virtual port 7.
The mirror port obtains a mirror copy of the data on the designated virtual ports and feeds it to the security monitoring component; the monitoring component passes the monitoring result for the mirrored data to the secure access component, which sends it to the IoT management platform. In this embodiment the designated virtual ports are any one or more virtual ports of the virtual switch, and the mirror port receives all data passing through them.
In an optional embodiment, the monitoring result is uploaded to the internet of things management platform through a secure transmission channel established between the secure access component and the secure access gateway, and the monitoring result is displayed and analyzed through the internet of things management platform.
In an optional embodiment, the electric power Internet of Things security protection system is constructed by the following steps:
1) Load the base image:
Load the image: docker load -i sds-image.tar
Tag it: docker tag {image id} sds-image:1.0
View images: docker images
sds-image.tar is the provided base image; it contains an ubuntu-armhf system with net-tools, iptables, telnet, ping, portfwd (a port forwarding program) and tcpdump.
2) Start the virtual containers for the business application (apps) and the security components (sdk1, sdk2, sdk3) from the base image:
docker run -idt --name [apps] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk1] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk2] --net=none --privileged --init sds-image:1.0 /bin/bash
docker run -idt --name [sdk3] --net=none --privileged --init sds-image:1.0 /bin/bash
Here --net=none starts the docker container in "none" network mode, so a network card must be added to the container separately and an IP address configured; --privileged means the root user inside the container has real root privileges; --init runs an init process in the container that forwards signals and reaps child processes, solving problems such as containerized processes that cannot be terminated normally and zombie processes that cannot be reclaimed.
Command to enter a container: docker exec -it apps /bin/bash
3) Start the virtual bridge mynet and attach the forwarding component (fwd) container to it:
docker network create -d bridge --subnet=[192.168.122.0/24] --gateway=[192.168.122.1] [mynet]
([mynet] is the user-definable name of the bridge; the subnet and gateway can be chosen freely; the -d parameter specifies the driver type as bridge)
docker run -idt --name [fwd] --net=mynet --privileged --init sds-image:1.0 /bin/bash
(the [fwd] container has one port connected to OVS and one port connected to mynet, and acts as the firewall)
4) Configure the host iptables:
iptables -t nat -nvL
(view the nat table of iptables)
ifconfig [br-31ee69976f88] promisc
(set the newly created bridge br-31ee69976f88 to promiscuous mode)
iptables -t filter -P FORWARD ACCEPT
(change the default policy of the FORWARD chain in the filter table to ACCEPT)
5) Install the OVS environment and create the virtual switch:
the OVS environment is installed offline through an installation script and requires 12 deb packages;
check whether the OVS environment was installed successfully with the ovs-vsctl --version command;
ovs-vsctl add-br [br0]
([br0] is a user-definable virtual switch name);
command to delete the virtual switch: ovs-vsctl del-br [br0]
6) Add virtual network cards for apps, sdk1, sdk2, sdk3 and fwd:
ovs-docker add-port [br0] [eth1] [1921] --ipaddress=[192.168.121.1] --macaddress=[11:00:00:00:00:01]
([1921] is the apps container id; one virtual network card is added to apps, with its MAC address and IP address specified at the same time)
ovs-docker add-port [br0] [eth2] [4be1] --ipaddress=[192.168.121.2] --macaddress=[11:00:00:00:00:02]
ovs-docker add-port [br0] [eth3] [4be1] --ipaddress=[192.168.121.3] --macaddress=[11:00:00:00:00:03]
([4be1] is the sdk1 container id; two virtual network cards are added to sdk1, with MAC and IP addresses specified: one communicates with apps, the other with sdk2)
ovs-docker add-port [br0] [eth4] [8879] --ipaddress=[192.168.121.4] --macaddress=[11:00:00:00:00:04]
ovs-docker add-port [br0] [eth5] [8879] --ipaddress=[192.168.121.5] --macaddress=[11:00:00:00:00:05]
([8879] is the sdk2 container id; two virtual network cards are added to sdk2, with MAC and IP addresses specified: one communicates with sdk1, the other with fwd)
ovs-docker add-port [br0] [eth6] [106b] --ipaddress=[192.168.121.6] --macaddress=[11:00:00:00:00:06]
([106b] is the fwd container id; one virtual network card bound to OVS is added to fwd, with MAC and IP addresses specified; its other card is generated automatically when the container is bridged to mynet)
ovs-docker add-port [br0] [eth7] [1e47] --ipaddress=[192.168.121.7] --macaddress=[11:00:00:00:00:07]
([1e47] is the sdk3 container id; one virtual network card is added to sdk3, with MAC and IP addresses specified; sdk3 is the mirror container)
Command to view the IP and MAC address of a virtual network card: ifconfig
7) Configure the routing table and ARP table:
a) enter the apps container (docker exec -it apps /bin/bash):
route add -net [192.168.121.0/24] dev [eth1]
route add -net [192.168.122.0/24] dev [eth1]
route add -net [192.168.123.0/24] dev [eth1]
arp -s [192.168.121.2] [11:00:00:00:00:02]
arp -s [192.168.123.235] [11:00:00:00:00:02]
(every IP address in the ARP table of apps maps to the MAC address of the next hop, eth2)
b) enter the sdk1 container (docker exec -it sdk1 /bin/bash):
route add -host [192.168.121.1] dev [eth2]
route add -host [192.168.121.4] dev [eth3]
arp -s [192.168.121.1] [11:00:00:00:00:01]
arp -s [192.168.121.4] [11:00:00:00:00:04]
c) enter the sdk2 container (docker exec -it sdk2 /bin/bash):
route add -host [192.168.121.3] dev [eth4]
route add -host [192.168.121.6] dev [eth5]
arp -s [192.168.121.3] [11:00:00:00:00:03]
arp -s [192.168.121.6] [11:00:00:00:00:06]
d) enter the fwd container (docker exec -it fwd /bin/bash):
route add -net [192.168.121.0/24] dev [eth6]
route add -net [192.168.122.0/24] dev [eth0]
route add -net [192.168.123.0/24] gw [192.168.122.1] dev [eth0]
arp -s [192.168.121.5] [11:00:00:00:00:05]
e) on the host machine:
route add -net [192.168.121.0/24] gw [192.168.122.1] dev [br-31ee69976f88]
8) Configure the flow table:
ovs-ofctl add-flow [br0] in_port=1,actions=output:2
ovs-ofctl add-flow [br0] in_port=2,actions=output:1
ovs-ofctl add-flow [br0] in_port=3,actions=output:4
ovs-ofctl add-flow [br0] in_port=4,actions=output:3
ovs-ofctl add-flow [br0] in_port=5,actions=output:6
ovs-ofctl add-flow [br0] in_port=6,actions=output:5
Command to view the flow table: ovs-ofctl dump-flows [br0]
Command to delete a flow entry: ovs-ofctl del-flows [br0] in_port=1 (when a new flow entry is added for in_port=1, the old flow entry is overwritten automatically)
9) Configure iptables in sdk1 and sdk2:
sdk1:
iptables -t nat -I PREROUTING -d [192.168.123.235] -j DNAT --to [192.168.121.2]
sdk2:
iptables -t nat -I PREROUTING -d [192.168.123.235] -j DNAT --to [192.168.121.4]
(the -d parameter is the IP address of the target machine; the --to parameter is the IP address of the sdk's input end)
10) Configure the mirror interface:
ovs-ofctl show br0 to view port names; ovs-vsctl list port to look up a port's uuid from its name
ovs-vsctl -- --id=@m create mirror name=m0 select_dst_port=[uuid] output_port=[uuid] -- set bridge br0 mirrors=@m
(uuid is the uuid of the virtual switch interface obtained with the ovs-vsctl list port command; select_dst_port mirrors the data sent to the interface, select_all mirrors all data passing through the interface, select_src_port mirrors the data sent from the interface, and output_port is the interface from which the mirrored copy is sent out)
(each mirror can have two data sources, select_src_port and select_dst_port. If more than two mirror sources are needed, or two destination ports or two source ports are to be intercepted, a new virtual network card is created in the target container and joined to the OVS virtual switch, and then a new mirror is added.)
11) Start portfwd:
sdk1:
portfwd-arm32 [23] [192.168.121.4:23] [-v]
sdk2:
portfwd-arm32 [23] [192.168.121.6:23] [-v]
fwd:
portfwd-arm32 [23] [192.168.123.235:23] [-v]
(portfwd performs TCP port forwarding, here of telnet data: the [23] argument is the listening port, i.e. the data source port; the [192.168.121.4:23] argument forwards to port 23 of destination IP address 192.168.121.4; the [-v] argument shows execution details)
12) Start telnet:
apps: telnet 192.168.123.235
13) Traffic arrangement:
for example, the order apps -> sdk1 -> sdk2 -> fwd is changed to apps -> sdk2 -> sdk1 -> fwd.
Port matching and traffic arrangement are realized by running the following script file:
#!/bin/bash
ovs-ofctl add-flow br0 in_port=1,actions=output:4
ovs-ofctl add-flow br0 in_port=4,actions=output:1
ovs-ofctl add-flow br0 in_port=5,actions=output:2
ovs-ofctl add-flow br0 in_port=2,actions=output:5
ovs-ofctl add-flow br0 in_port=3,actions=output:6
ovs-ofctl add-flow br0 in_port=6,actions=output:3
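The flow-table rewrite in steps 8 and 13 generalizes to any ordering of the security components; the script below, an added example that is not part of the patent, derives the paired add-flow entries for a given chain and checks the chain before applying it. The mapping of components to OpenFlow port numbers (apps=1, sdk1=2/3, sdk2=4/5, fwd=6, sdk3=7 mirror only) is assumed from the order of the add-port commands and the flow tables above.

```shell
#!/bin/bash
# Added example, not code from the patent: generate and optionally apply the
# OVS flow entries that chain the security components in a chosen order on br0.
# Port numbering is assumed from the page's add-port order and flow tables:
# apps=1, sdk1=2(in)/3(out), sdk2=4(in)/5(out), fwd=6, sdk3=7 (mirror only).
set -eu

# Print "ingress egress" OpenFlow port numbers of a chainable component.
# Single-card components (apps, fwd) use the same port in both directions.
component_ports() {
    case "$1" in
        apps) echo "1 1" ;;
        sdk1) echo "2 3" ;;
        sdk2) echo "4 5" ;;
        fwd)  echo "6 6" ;;
        *) echo "not a chainable component: $1" >&2; return 1 ;;
    esac
}

# validate_chain apps sdk2 sdk1 fwd: the chain must start at apps, end at fwd,
# and name each component once, because an in_port can carry only one entry.
validate_chain() {
    local last comp
    for last; do :; done
    [ "$#" -ge 2 ] && [ "$1" = apps ] && [ "$last" = fwd ] || {
        echo "chain must run from apps to fwd" >&2; return 1; }
    for comp; do component_ports "$comp" >/dev/null || return 1; done
    [ -z "$(printf '%s\n' "$@" | sort | uniq -d)" ] || {
        echo "a component appears twice in the chain" >&2; return 1; }
}

# chain_flows apps sdk2 sdk1 fwd: one add-flow command per direction per hop.
# Each hop pairs the previous component's egress port with the next one's
# ingress port, so both directions of the session follow the same chain.
chain_flows() {
    local prev_egress="" comp ports ingress egress
    for comp in "$@"; do
        ports=$(component_ports "$comp") || return 1
        ingress=${ports% *}
        egress=${ports#* }
        if [ -n "$prev_egress" ]; then
            echo "ovs-ofctl add-flow br0 in_port=${prev_egress},actions=output:${ingress}"
            echo "ovs-ofctl add-flow br0 in_port=${ingress},actions=output:${prev_egress}"
        fi
        prev_egress=$egress
    done
}

# apply_chain: validate, then run the commands on a live switch if ovs-ofctl
# is present, otherwise print them (dry run). Adding a flow for an in_port
# overwrites the old entry, so re-running with a new order re-arranges traffic.
apply_chain() {
    validate_chain "$@" || return 1
    if command -v ovs-ofctl >/dev/null 2>&1; then
        chain_flows "$@" | sh -e
    else
        chain_flows "$@"
    fi
}
```

Running `apply_chain apps sdk2 sdk1 fwd` reproduces the six entries of the script in step 13, while `apply_chain apps sdk1 sdk2 fwd` restores the initial table of step 8; the mirror port 7 is never touched, which is why the SDK3 capture is unaffected by re-arrangement.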
After the electric power Internet of Things security protection system has been constructed by the method provided in this embodiment, it is tested; the operation of telnet in the apps container is shown in FIG. 3.
The operation of the programs in SDK1 and SDK2 is shown in fig. 4(a) and 4(b). The tcpdump output in SDK1 and SDK2, shown in fig. 5(a) and 5(b), indicates that the traffic of apps flows through SDK1 → SDK2 to the destination host.
The mirrored data captured by tcpdump in SDK3 is shown in fig. 6; it can be seen from fig. 6 that SDK3 receives a mirror of the traffic in SDK1, namely the traffic of SDK1 that passes through virtual port 3 of the virtual switch.
The traffic scheduling script is then run for testing; the tcpdump output in SDK1 and SDK2 is shown in FIG. 7(a) and FIG. 7(b) and shows that the traffic of apps now passes through SDK2 → SDK1 before reaching the destination host, so dynamic arrangement of the security components is realized successfully.
The mirrored data captured by tcpdump in SDK3 is shown in FIG. 8: the traffic of SDK1 mirrored into SDK3 remains unchanged and is not affected by the dynamic arrangement.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; they are neither required nor exhaustive of all embodiments, and obvious variations or modifications derived therefrom are within the scope of the invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111435812.5A CN114143076B (en) | 2021-11-29 | 2021-11-29 | Electric power thing networking safety protection system based on virtual switch frame |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114143076A true CN114143076A (en) | 2022-03-04 |
CN114143076B CN114143076B (en) | 2024-01-19 |
Family
ID=80389161
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |