RU2314562C1 - Method for processing network traffic datagrams for delimiting access to informational and computing resources of computer networks - Google Patents

Abstract

FIELD: electric communications and computer engineering, in particular, method for ensuring information protection, possible use when it is necessary to protect computer networks from unsanctioned intrusion and access to confidential information.

SUBSTANCE: method for processing network traffic datagrams for delimiting access to informational and computing resources of computer networks is based on such processing of network packets, during which inter-network screen checks network datagrams in accordance to a list of computer network access rules set by operator, records marks in datagrams, which marks correspond to access rules, and then performs transparent relaying of correct datagrams, and at receiver side it lets through or blocks network datagrams in accordance with aforementioned marks provided inside.

EFFECT: creation of mechanism for block actions of malefactor including faking of computer addresses of sender and receiver of network datagrams with simultaneous reduction of computing resources needed to solve the problem of delimiting access to informational and computing resources.

4 dwg

Description

The invention relates to the field of telecommunications and computer technology, and more particularly to the field of methods and devices for protecting information in computer systems and networks, and can be used in communication, computing and information systems to detect malicious influences on computer systems connected by computer networks during data exchange government, law enforcement, defense, banking and industrial institutions through local and global computer networks.

A known method of organizing a local computer network and firewall [Kupreenko S.V., Zaborovsky B.C., Shemanin Yu.A. Computing network with firewall and firewall. RF patent No. 2214623, cl. G06F 15/163, 15/173], which means that the internal network is protected using a firewall, which is a set of hardware and software tools that contains at least two network interfaces for exchanging bidirectional network packet flows between network interfaces of a firewall and filtering broadcast network packets in accordance with specified filtering rules. In this case, the firewall is excluded from the number of network subscribers by setting up the firewall control program in which this program uses the network interfaces of the firewall to receive and transmit packets without assigning logical addresses to them, hides information about their physical addresses, and filtering rules are set using Using a separate management interface that is not connected to the network interfaces of the firewall.

However, the method has disadvantages in that there are no mechanisms for monitoring network datagrams inside the protected network, the ability to send network datagrams with a fake address of the sender of the network datagram, and the ability to intercept and modify the contents of network datagrams without hindrance.

Another firewall method is also known [Shrikhande N.V. Application specific distributed firewall. US patent No. 6721890, CL. H04L 009/00], the essence of which is to decentralize the firewall by installing firewalls on all computers of the protected network and synchronizing the filtering rules of network datagrams through a single dedicated server. At the same time, the rules and functions of firewalls are duplicated on the protected computers, and synchronization is performed through the network service for remote management of a single registry of Windows OS records.

The disadvantages of this method are related to the high computational load on the protected computers, the need to deploy and operate a dedicated server to synchronize the filtering rules of network datagrams, and the low filtering efficiency if necessary to quickly respond to threats of computer attacks.

The closest in technical essence to the proposed one is a method for processing datagrams of network traffic to delimit access to information and computing resources of computer networks [Balard D, Ratliff B. Microsoft Internet Security and Acceleration (ISA) Server 2000. Administrator's guide. M: Russian Edition, 2004, 332 p.], Which consists in the fact that for the protection of computer networks they use a gateway computer with a firewall installed on the communication channels of the protected network with other networks, as well as the client part of the firewall on the protected computers by which, upon detection of a network datagram P ₁ , the addresses of the sender S ₁ and the recipient R _{1 of the} datagram are analyzed, as well as the number of the encapsulated protocol T ₁ . This method is adopted as a prototype. In the prototype, an additional mini-screen is installed on the protected computers, which before each forwarding of the network datagram makes a request to the gateway-firewall for compliance of the network datagram with the accepted network security policy and, if necessary, blocks this network datagram. To implement the request, a special secure interaction protocol is used, built on the basis of the TCP protocol of the TCP / IP protocol stack.

The disadvantages of the prototype are the high computational load on the protected computers and the reduction in bandwidth of data transmission channels due to the organization of requests to the gateway-firewall, the lack of protection against forgery of computer addresses of the sender and recipient of network datagrams.

The technical result obtained from the implementation of this invention is the elimination of the above disadvantages, that is, blocking the actions of an attacker to forge computer addresses of the sender and recipient of network datagrams while reducing the computational cost of solving the problem of delimiting access to information and computing resources.

This technical result is achieved due to the fact that in the known method of processing datagrams of network traffic, which consists in using a gateway computer with a firewall installed on the communication channels of the protected network with other networks, as well as the client part of the firewall to protect computer networks protected computers, via which for detecting network datagram P ₁ S ₁ was analyzed and destination addresses R ₁ of the datagram, and the encapsulated protocol number T ₁ after passed I have a firewall solution for the passage of network datagram inside the protected network to a network datagram is written safety mark indicating the correct network datagrams, and at the destination within a computer network is validation of this label. At the same time, a 64-bit cryptographic key K, set by the user and stored on the client part of the firewall and the gateway computer, is used to generate the security label, and the label is generated by calculating the MD4 hash function over the result of concatenation of the bit values of the sender address S ₁ , the recipient address R _1, non nested Protocol T ₁ and cryptographic key K, and the result of the hash function is divided into four 32-bit portion of L1, L2 and B1, B2, and as a security label used bitwise sum The values L1, L2, B2, B2 (Y = L1⊕L2⊕B1⊕B2). Moreover, the security label is recorded in the "options and filling" field of the header structure of the IP network datagram.

The invention is illustrated by drawings. Figure 1 presents typical rules for describing a firewall table. Figure 2 shows the header structure of the IP datagram. Figure 3 presents a comparative scheme of the prototype and the proposed method. Figure 4 presents a block diagram of devices that together implement this method. Network datagrams are processed in accordance with the IP protocol of the TCP / IP network protocol stack.

It is known that network datagrams formed in accordance with the IP protocol are a set of binary data containing routing and control information related to the delivery of datagrams.

Since each computer network has a finite and limited number of communication channels with other computer networks, a gateway-computer with a firewall, software designed to filter and block unwanted and malicious network datagrams, is installed on the communication channels with other networks to protect the internal network in known methods . Firewalls are installed in such a way as to be able to process all network datagrams passing into and out of the network. To verify the datagrams, the firewall rules table is used, which sets the correspondence "datagram → solution" based on the type of encapsulated protocol, sender and receiver addresses, port numbers of the sender and receiver. Firewall rules tables are defined using text strings that contain a description of the parameters to be checked and the action to be performed. In this way, all datagrams coming from outside the protected computer network are checked. Network interaction between workstations is carried out without the participation of a firewall.

For example, in rule (a) of FIG. 1, the word “allow” means permission to relay network datagrams that comply with the TCP protocol (word “tcp”) from any sender (word “from any”) to any recipient on network port number 22 (the words "to any 22"). Rule (b) of Fig. 1 prohibits (the word "deny") the relay of network datagrams of any protocol (the word "any") from the sender with the address 127.0.0.1 (the words "from 127.0.0.1") to the recipient with the address 10.0.0.1 (words "to 10.0.0.1"). Rule (c) of Fig. 1 prohibits (the word "deny") relaying network datagrams of any protocol (the word "any") from senders from the network with addresses from 192.168.0.0 to 192.168.255.255 (the words "from 192.168.0.0/16" specify class B network mask, see [Agranovsky AV, Kostechko NN, Lazurenko IP, Khadi RA Protocols and algorithms for protecting information in information and computer networks. Rostov n / a: Publishing House SKNTs VSh, 2004, 128 pp.]) To any recipients (words "to any"). Rule (d) of Fig. 1 prohibits (the word "deny") the relay of network datagrams corresponding to the IP protocol (the word "any") from the sender with the address 127.0.0.1 (the words "127.0.0.1") to the recipient 192.168.0.0 on the network port 2000 (the words "to 192.168.0.0 2000").

In the method for protecting an internal computer network from an attacker by forging computer addresses of a sender and a receiver of network datagrams, unauthorized scanning and incapacitation of network services, the following method for processing network datagrams on a firewall is used.

To protect the internal network, a gateway computer with a firewall is installed on communication channels with other networks, and a firewall client is installed on workstations and servers within the network — network packet analysis and blocking software. For each installed instance i (i = 1, 2, 3 ...) of the firewall client, the user sets a separate cryptographic verification 64-bit key K. The keys are stored locally on the computers of the protected network and are also written in an additional hexadecimal field in the rules, Describing the firewall table. For example, rule (c) of FIG. 1 is described with the key K = 12345678abcdef00 as follows:

deny all from 192.168.0.0/16 to any 12345678abcdef00,

where the last word "12345678abcdef00" is a hexadecimal notation of 64 bits of key K.

The gateway computer with a firewall uses the following method of processing network datagrams. When a firewall detects a network datagram P ₁ corresponding to the IP protocol, the addresses of the sender S ₁ and receiver R ₁ , the number of the embedded protocol T ₁ , are analyzed (Fig. 2).

Based on a given firewall table, a solution is determined in the form of the value of the variable G (G = 0, 1) - the action that must be performed with this datagram is to accept the datagram for relay (the value G is assigned the value 1) or block its further transfer (the value G is assigned the value 0). To do this, in the list of rules describing the firewall table, the first rule is selected that correctly describes the data of the processed network datagram (see, for example, [Olifer V., Olifer N. New technologies and equipment for IP networks. St. Petersburg: BHV, 2000 - 512 S.; Medvedovsky I.D., Semenov B.V., Leonov D.G., Lukatsky A.V. Attack from the Internet. M: Solon-R, 2002. - 368 p.]). The value of the variable G is taken equal to 1 if the rule allows the datagram to be relayed, and equal to 0, otherwise. At the same time, the value corresponding to the rule found is used as a 64-bit key K. If no suitable rule is found, the variable G is assigned the value 0, and all bits of the key K are set to zero.

If G is zero, the network datagram is not processed further, the firewall proceeds to process the next network datagram. If the G value is greater than zero, the bit value of the sender address value S ₁ , the bit value of the recipient address value R ₁ , the nested protocol number T ₁ , the cryptographic key K are concatenated, and the result is written to the bit variable V. After that, the hash value is calculated from the variable V MD4 functions (see the description in [Schneier B. Applied Cryptography. Protocols, Algorithms, C Source Texts. St. Petersburg: Triumph, 2002 - 816 pp.]), and the resulting 128-bit binary value of the hash function is divided into four 32-bit parts L1, L2 and B1, B2, variable assign to the second Y value bitwise values L1, L2, B1, B2 (i.e. Y = L1⊕L2⊕Bl⊕B2). The value of the variable Y is written in the "options and filling" field of the header of the network datagram in the form of a security label (that is, a record certifying the correctness of the network datagram and its compliance with the established security policy - see figure 2).

The firewall client uses the following method for processing network datagrams. For each client firewall user specifies in advance the cryptographic key K. When receiving network datagram P ₂ corresponding protocol IP, the client concatenates the bit values of the sender of the datagram value S ₁ P _2, bit value of destination address values R _1, R ₂ datagram enclosed protocol number T _{1 of} datagram P ₂ , its cryptographic verification key K, and the result is written to the variable V. After that, the value of the hash function MD4 is calculated from the variable V, and the resulting 128-bit binary value The hash function is divided into four 32-bit parts L1, L2 and B1, B2, the variable Y is assigned the value of bitwise addition of the values L1, L2, B1, B2 (i.e., Y = L1⊕L2⊕B1⊕B2). Variable value Y is compared with the value in field "options and filling" of network datagram header and P _2, in case of a mismatch, is blocked and is not transmitted computer software.

Thus, if the computer addresses of the sender and recipient in the network datagram are modified, the client of the firewall will receive a value of the variable Y different from the one written in the "options and filling" field, and the network datagram corrupted by the attacker will be blocked without additional analysis by the firewall [Agranovsky A.V. ., Hadi R.A., Yakubets M.B. Statistical methods for detecting abnormal behavior in attack detection systems // Information Technologies No. 1, 2005 - pp. 17-21], which significantly saves computing resources during network interaction (see figure 3).

In figure 4. presents a block diagram of two devices for implementing the method in the form of a gateway-firewall using a personal computer and a client firewall using a personal computer.

The first device in the form of a gateway-firewall for implementing the method consists of a unit 1 for receiving network datagrams from an external interface; operating unit 2, which implements the filtering of network datagrams; an operation unit 3 for processing network datagrams and writing labels to them; unit 4 of relaying network datagrams to an internal network interface for sending data to a protected computer network.

The second device in the form of a firewall client for implementing the method consists of a block 5 for receiving network datagrams, similar to block 1 of the first device; operational unit 6, which implements the verification of network datagram labels; block 7 transmit the received network data to the operating system.

According to the proposed method, the devices operate as follows. From multifunction unit 1 (in IBM PC compatible computers, it can be, for example, a network PCI card [Muller S. Modernization and repair of PCs. M: Williams, 2004 - 1344 pages]), the network device receives data link-level datagrams (for example, via Ethernet), transmitted from other computers and routing equipment.

Next, the network datagrams are fed to the input of unit 2 of the first device, where service information and the network IP datagram are extracted from them. Its contents are also processed in block 2. To do this, the set values of the network datagram are checked using the firewall table predefined by the user. If the rule corresponding to the network datagram is not found or the corresponding rule contains a decision to block the datagram, the datagram is blocked, and control passes to block 1. Otherwise, the datagram and key K specified by the rule are sent to the input of block 3.

In block 3 of the first device, the addresses of the sender S ₁ and receiver R ₁ , the number of the embedded protocol T _1, are extracted from the datagram. This data is concatenated into a buffer in the memory of block 3, the value of the 64-bit binary key K is concatenated to it. Then, in block 3, the MD4 hash function is calculated from the buffer received by concatenation. The result of the MD4 hash function is logically divided into four 32-bit parts L1, L2 and B1, B2. Then these four parts are added up bit by bit, and the result is written in the "options and filling" field of the network datagram, after which the network datagram is transferred to block 4.

Block 4 of relaying network datagrams to the internal interface of the first device generates a network layer-level datagram from the incoming network datagram and sends it to the device for accessing the physical medium.

Similarly to block 1 of the first device, block 5 of the second device receives data link network datagrams transmitted from the firewall and other computers. Next, the network datagrams are fed to the input of unit 6 of the second device, where service information and the network datagram of the IP protocol are extracted from them, and then the label set in the "options and filling" field is checked. To this end, in block 6, steps are taken to calculate the label value using the address of the sender S ₁ and receiver R ₁ , the number of the embedded protocol T ₁ , key K of the second device. Then, the calculated label is compared with the value of the "options and padding" field of the network datagram. If they match, the network datagram is transmitted to block 7. Block 7 of the second device transmits the network datagram when it enters the operating system driver for receiving by application programs.

Thus, in this method, the level of information security of computer networks is increased by blocking the actions of an attacker to forge computer addresses of the sender and recipient of network datagrams while reducing the computational cost of processing network datagrams, thereby achieving the technical result.

Claims (1)

A method for processing datagrams of network traffic to delimit access to information and computing resources of computer networks, which consists in using a gateway computer with a firewall installed on the communication channels of the protected network with other networks and protecting the client part of the firewall to protect computer networks protected computers, by which, upon detection of a network datagram P ₁ , the addresses of the sender S ₁ and receiver R _{1 of the} datagram are analyzed, as well as the number of the encapsulated protocol T ₁ , characterized in that after making a decision by the firewall to pass the network datagram inside the protected computer network, a security label is written into the network datagram indicating the correctness of the network datagram, and on the receiver side, the correctness of this label is checked inside the computer network, 64 is used to form the security label -bit cryptographic key K, set by the user and stored on the client part of the firewall and the gateway computer, forming a label about is derived by calculating the MD4 hash function over the result of concatenation of the bit values of the sender address S ₁ , the recipient address R ₁ , the nested protocol number T ₁ and the cryptographic key K, and the result of the hash function is divided into four 32-bit parts L1, L2 and B1, B2, and as a security label, the bitwise sum of the values L1, L2, B1, B2 (Y = L1⊕L2⊕B1⊕B2) is used, the security label is written in the "options and filling" field of the header structure of the IP network datagram.

Images