CN104717205A - Industrial control firewall control method based on message reconstitution - Google Patents
Classifications
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses an industrial control firewall control method based on message reconstruction. The system comprises a firewall management platform, an industrial control firewall and at least one industrial control device. The firewall management platform sends a first data message, encrypted by a security protection module, to the industrial control device. The industrial control firewall intercepts the first data message and judges whether it meets a preset condition. When the first data message meets the preset condition, the industrial control firewall sends an acknowledgement of receipt to the firewall management platform, and a connection between the firewall management platform and the industrial control firewall is established. With this method the industrial control firewall has no IP address and becomes a transparent device on the network; viruses and hacker software cannot find the device by scanning the network, and the security of the firewall and the robustness of the industrial control network are greatly improved.
Description
Technical field
The present invention relates to an industrial control firewall control method, and in particular to an industrial control firewall control method based on message reconstruction.
Background art
A firewall is a network security device, so its own security is extremely important: if the firewall system itself is compromised, this is a disaster for the network it protects. This is especially true of the industrial control firewalls used in industrial control networks; if an attack on the firewall itself affects the real-time behaviour and stability of the industrial control network, important industrial production processes are directly affected. At the same time, to simplify management and configuration, a firewall normally has to be configured with an IP address, yet a firewall with an IP address is by that very fact exposed to network threats. To protect the firewall's own system, the existing approach is for the firewall system itself to carry a network security defence mechanism; during the development and production of the firewall, the robustness of that defence mechanism is tested continuously by vulnerability scanning, DoS (Denial of Service) attacks, flood attacks (flow-based DoS attacks) and similar means. However, an industrial control firewall remains a target of attacks on the industrial network: because it still has to be configured with an IP address for management, viruses and network attack tools can find the firewall device by scanning the network, break into the industrial control firewall's own system by attacking that IP address, and thereby reach their goal of attacking the industrial control devices downstream of it.
At the same time, since industrial control firewalls are applied at industrial sites, their deployment and use should not affect the industrial production processes that are running. Under the existing firewall defence principle, however, the network configuration of the industrial controllers (such as PLC (Programmable Logic Controller), DCS (Distributed Control System) and SCADA (Supervisory Control And Data Acquisition) systems) usually has to be changed. An industrial control firewall device is normally located between two networks so that every message the industrial controllers receive and send passes through it, and the industrial firewall thereby provides network isolation and protection. Adding a new industrial control firewall device with an IP address to the network requires reconfiguring some of the devices on the original network so that network messages reach the two sides of the network through this firewall. Installing and configuring the industrial control firewall therefore interrupts the network connection; during the interruption the production control system cannot communicate with the operator stations and engineer stations, and part of the real-time production data is lost. Should a production device fail and require intervention from an engineer station or operator station, interrupting the network connection will bring the plant to a stop. The usual practice is to prepare configuration scripts for all the affected network devices in advance, interrupt the network connection briefly during the night when plant production is not busy, configure the firewall device, and then bring the network back up.
Summary of the invention
The technical problem to be solved by the present invention is to provide an industrial control firewall control method based on message reconstruction, which uses a message reconstruction technique between the management platform and the industrial control firewall to achieve the same industrial control firewall management function.
The technical solution adopted by the present invention to solve the above technical problem is to provide an industrial control firewall control method based on message reconstruction, comprising a firewall management platform, an industrial control firewall and at least one industrial control device, wherein the industrial control firewall is arranged between the firewall management platform and the industrial control device and divides the network into the intranet where the industrial control device is located and the extranet where the firewall management platform is located, and a security protection module that guarantees communication security between the firewall management platform and the industrial control firewall is provided between them. The control method comprises the following steps: the firewall management platform sends a first data message, encrypted by the security protection module, to the industrial control device; the industrial control firewall intercepts the first data message; the industrial control firewall judges whether the first data message meets a first preset condition; when the first data message meets the first preset condition, the transmission of the first data message is stopped; when the first data message meets the first preset condition, the industrial control firewall judges whether the first data message meets a second preset condition; when the first data message meets the second preset condition, the industrial control firewall sends an acknowledgement of receipt to the firewall management platform; and the connection between the firewall management platform and the industrial control firewall is established.
In the above industrial control firewall control method based on message reconstruction, the first preset condition is that the port number of the first data message is a designated port number, and the second preset condition is that the first data message is a specific data packet.
In the above industrial control firewall control method based on message reconstruction, the step in which the industrial control firewall judges whether the first data message meets the second preset condition comprises sending the first data message to the kernel of the industrial control firewall, where a built-in engine judges whether the first data message is the specific data packet.
In the above industrial control firewall control method based on message reconstruction, the specific data packet comprises an IP header unit, a UDP header unit, a management frame header unit, a firewall management platform information unit and a check information unit, wherein the IP header unit comprises the IP header sent by the firewall management platform to the industrial control device; the UDP header unit comprises the UDP header addressed to the designated port of the industrial control device; the management frame header unit comprises a field indicating the type of the specific data packet and a field indicating the sequence number of the packet that the firewall management platform is currently sending to the industrial control device; the firewall management platform information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field giving the model of the firewall management platform currently communicating with the industrial control firewall, and a field giving the version number of the firewall management platform currently communicating with the industrial control firewall; and the check information unit is used to verify whether the specific data packet is correct and complete.
In the above industrial control firewall control method based on message reconstruction, the acknowledgement of receipt comprises an IP header unit, a UDP header unit, a management frame header unit, a firewall management platform information unit and a check information unit, wherein the IP header unit comprises a packet header in which the industrial control firewall impersonates the industrial control device sending to the firewall management platform; the UDP header unit comprises a UDP header in which the industrial control firewall impersonates the industrial control device, using the designated port number as source port and addressed to the corresponding port of the firewall management platform; the management frame header unit comprises a field indicating the type of the specific data packet and a field indicating the sequence number of the packet that the firewall management platform is currently sending to the industrial control device; the firewall management platform information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field giving the model of the industrial control firewall currently communicating with the firewall management platform, and a field giving the version number of the industrial control firewall currently communicating with the firewall management platform; and the check information unit is used to verify whether the acknowledgement of receipt is correct and complete.
In the above industrial control firewall control method based on message reconstruction, before the step in which the firewall management platform sends the first data message encrypted by the security protection module to the industrial control device, the method further comprises: the firewall management platform sends a second data message, encrypted by the security protection module, to the industrial control firewall; the industrial control firewall intercepts the second data message; the industrial control firewall judges whether the second data message meets a preset condition; when the second data message does not meet the preset condition, the transmission of the second data message is stopped; when the second data message meets the preset condition, a TCP connection from the IP address and port of the corresponding firewall management platform to the daemon of the security protection module of the industrial control firewall is enabled within a certain time threshold.
In the above industrial control firewall control method based on message reconstruction, the preset condition comprises the firewall management platform being accepted for management for the first time or being authorized, and the step in which the industrial control firewall judges whether the second data message meets the preset condition comprises sending the second data message to the kernel of the industrial control firewall, where a built-in engine judges whether the second data message indicates that the firewall management platform is being accepted for management for the first time or is authorized.
In the above industrial control firewall control method based on message reconstruction, the method further comprises: after the time threshold, the establishment of new connections is forbidden, and only the layer-2 and layer-3 destination address translation and source address translation set up according to the MAC/IP of the industrial control device are retained.
In the above industrial control firewall control method based on message reconstruction, the second data message comprises an IP header unit, a UDP header unit, a management frame header unit, a security protection module information unit and a check information unit, wherein the IP header unit comprises the IP header sent by the firewall management platform to the industrial control device; the UDP header unit comprises the UDP header addressed to the designated port of the industrial control device; the management frame header unit comprises a field indicating the type of the specific data packet and a field indicating the sequence number of the packet that the firewall management platform is currently sending to the industrial control device; the security protection module information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field indicating that a connection is to be made with the industrial control firewall, and a field indicating the designated port the firewall management platform will use to connect to the industrial control firewall; and the check information unit is used to verify whether the second data message is correct and complete.
In the above industrial control firewall control method based on message reconstruction, the security protection module uses a pre-shared key mode or a CA certificate authentication mode, and the pre-shared key mode comprises a symmetric encryption mode, a Diffie-Hellman key exchange encrypted channel and an RSA public key authentication mode.
Compared with the prior art, the present invention has the following beneficial effects: because the industrial control firewall used by the present invention has no IP address, it becomes a transparent device on the network, so viruses and hacker software cannot find the device by scanning the network, which greatly strengthens the security of the firewall itself and the robustness of the industrial control network; and because the method leaves the industrial control firewall without an IP address, the industrial control network does not need to be reconfigured during installation and configuration, the firewall is plug and play, the industrial control network is not interrupted, the production process is almost unaffected, and the stability and reliability of the industrial control firewall in use are increased.
Description of the drawings
Fig. 1 is a schematic diagram of the network topology for industrial control firewall management according to the present invention;
Fig. 2 is a flow chart of one embodiment of the industrial control firewall control method based on message reconstruction of the present invention;
Fig. 3 is a flow chart of another embodiment of the industrial control firewall control method based on message reconstruction of the present invention.
Detailed description of the embodiments
The invention is further described below with reference to the drawings and embodiments.
The schematic network topology of the industrial control firewall is shown in Fig. 1 and comprises a firewall management platform (hereinafter MP) 11, an industrial control firewall (hereinafter FW) 12 and a plurality of industrial control devices (hereinafter AD) 13; the figure uses three industrial control devices AD1 (131), AD2 (132) and AD3 (133) as an illustration. The IP address of the MP is assumed to be 192.168.0.50, the IP addresses of AD1 (131), AD2 (132) and AD3 (133) are 192.168.0.20, 192.168.0.21 and 192.168.0.22 respectively, and the FW has no IP address. The FW divides the network into an intranet area and an extranet area, corresponding respectively to the network area where AD1 (131), AD2 (132) and AD3 (133) are located and the network area where the MP is located. Communication between the MP and the ADs has to pass through the FW, and a security protection module (hereinafter SSH) connection has to be established between the MP and the FW to prevent the communication between them from being eavesdropped. The working principle is described in detail as follows:
The FW has no IP address, yet it must be discoverable so that an SSH encrypted channel can be set up between the MP and the FW and the MP can manage the FW normally. First, the MP sends an SSH-encrypted UDP message, the discovery packet, to its downstream intranet device AD1 (131) (i.e. 192.168.0.20) with destination port number 6689 (port number 6689 is an example and need not be 6689). The encrypted User Datagram Protocol (hereinafter UDP) message passes through the FW, and the FW intercepts data messages according to the port number: if the port number is not 6689, the FW lets the UDP message through and forwards it transparently to AD1 (131); if the port is 6689, the FW delivers the data message to its kernel to determine whether it is a discovery packet, and if so the FW returns a "discovery received" message to the MP.
After the encrypted UDP message is delivered to the kernel, a built-in engine judges whether it is a discovery packet: a hook function is placed at the PRE_ROUTING point of NETFILTER, and if the port number is 6689 the message is decrypted immediately and its content is examined to determine whether it is a discovery packet; if it is, the FW checks the packet further internally and processes it. The whole flow for judging a discovery message is shown in Fig. 2, with the following steps:
Step S211: the firewall management platform sends a first data message encrypted by the security protection module to at least one industrial control device;
Step S212: the industrial control firewall intercepts the first data message;
Step S213: the industrial control firewall judges whether the first data message meets a first preset condition;
Step S215: when the first data message meets the first preset condition, the transmission of the first data message is stopped;
Step S214: when the first data message meets the first preset condition, the industrial control firewall judges whether the first data message meets a second preset condition;
Step S216: when the first data message meets the second preset condition, the industrial control firewall sends an acknowledgement of receipt to the firewall management platform;
Step S217: the connection between the firewall management platform and the industrial control firewall is established.
The FW has to construct a response packet for the discovery packet and return it to the MP. The discovery packet carries the MP's information and also some security mechanisms that prevent replay attacks, man-in-the-middle attacks and the like. The discovery response packet additionally carries the FW's information.
The discovery packet format is as follows:
| IP head | UDP head | management frame head | MP information | md5checksum |
- IP head: the IP header sent by the MP to the downstream device
- UDP head: the UDP header addressed to port 6689 of the downstream device
- Management frame head: this frame header comprises
  - payload type, indicating the packet type: a discovery packet or an MCR packet
  - 64-bit seq_num, indicating which packet the MP is currently sending to the downstream device; together with the MP identifier it uniquely identifies this packet and prevents replay attacks
- MP information: the content comprises
  - MP identifier, identifying the MP communicating with the FW; globally unique
  - MP Model Name, the model of the MP currently communicating with the FW
  - MP Version, the version number of the MP currently communicating with the FW
- Checksum: used to verify whether the payload is correct
The discovery response packet format is as follows:
| IP head | UDP head | management frame head | FW information | md5checksum |
- IP head: the FW impersonates the downstream AD in the packet header sent to the MP
- UDP head: the FW impersonates the downstream AD, using source port 6689 and addressed to the MP's corresponding port
- Management frame head: identical to the received discovery packet
- FW information: the content comprises
  - FW identifier, uniquely identifying this FW; the MAC address of its upstream network interface can be used
  - FW Model Name, the model of the FW currently communicating with the MP
  - FW Version, the version number of the FW currently communicating with the MP
- Checksum: verifies whether this packet is correct and complete
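The discovery exchange described above, as an added example that is not part of the patent: a Python model in which the FW inspects a UDP datagram, parses the management frame head and MP information unit, verifies the md5 checksum, rejects repeated sequence numbers, and answers as the downstream AD would. The field widths, the payload type values, the `Datagram` class and the "drop" verdict for replays are assumptions, and the SSH encryption layer is left out.

```python
import hashlib
import struct
from dataclasses import dataclass

MGMT_PORT = 6689          # example management port from the description
TYPE_DISCOVERY = 1        # payload type values are assumed; the page only names the two types
TYPE_MCR = 2

# Management frame head: payload type (1 byte, assumed) + 64-bit seq_num (from the page)
FRAME_HDR = struct.Struct("!BQ")
# MP/FW information unit: identifier, model name, version as three 16-byte fields (widths assumed)
INFO_UNIT = struct.Struct("!16s16s16s")
MD5_LEN = 16


@dataclass
class Datagram:
    """IP head + UDP head reduced to the addressing fields the FW hook inspects."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def _field(text: str) -> bytes:
    return text.encode("ascii").ljust(16, b"\0")[:16]


def build_mgmt_payload(ptype: int, seq: int, ident: str, model: str, version: str) -> bytes:
    """management frame head | information unit | md5 checksum over the two preceding units."""
    body = FRAME_HDR.pack(ptype, seq) + INFO_UNIT.pack(_field(ident), _field(model), _field(version))
    return body + hashlib.md5(body).digest()


def parse_mgmt_payload(payload: bytes):
    """Return (ptype, seq, ident, model, version), or None if the length or checksum is wrong."""
    n = FRAME_HDR.size + INFO_UNIT.size
    if len(payload) != n + MD5_LEN:
        return None
    body, digest = payload[:n], payload[n:]
    if hashlib.md5(body).digest() != digest:
        return None
    ptype, seq = FRAME_HDR.unpack_from(body, 0)
    ident, model, version = (
        f.rstrip(b"\0").decode("ascii") for f in INFO_UNIT.unpack_from(body, FRAME_HDR.size)
    )
    return ptype, seq, ident, model, version


class TransparentFirewall:
    """FW with no IP address: everything is forwarded except discovery packets on MGMT_PORT."""

    def __init__(self, ident: str, model: str, version: str):
        self.ident, self.model, self.version = ident, model, version
        self.last_seq = {}  # MP identifier -> highest seq_num accepted (replay check)

    def hook(self, dg: Datagram):
        """PRE_ROUTING-style decision: ("pass", None), ("drop", None) or ("reply", Datagram)."""
        if dg.dst_port != MGMT_PORT:
            return "pass", None  # first preset condition not met: transparent forwarding
        parsed = parse_mgmt_payload(dg.payload)
        if parsed is None or parsed[0] != TYPE_DISCOVERY:
            return "pass", None  # not a well-formed discovery packet: hand it on to the AD
        _, seq, mp_id, _, _ = parsed
        if seq <= self.last_seq.get(mp_id, -1):
            return "drop", None  # seq_num already seen for this MP: treated as a replay (assumed)
        self.last_seq[mp_id] = seq
        reply = build_mgmt_payload(TYPE_DISCOVERY, seq, self.ident, self.model, self.version)
        # The reply impersonates the downstream AD: its IP as source, source port 6689,
        # destined to the port the MP sent from; the frame head echoes the received seq_num.
        return "reply", Datagram(dg.dst_ip, dg.src_ip, MGMT_PORT, dg.src_port, reply)
```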
With reference to Fig. 3, before the FW and the MP connect, a management request packet is sent to guarantee the security of connection establishment; the steps are as follows:
Step S311: the firewall management platform sends a second data message encrypted by the security protection module to the industrial control firewall;
Step S312: the industrial control firewall intercepts the second data message;
Step S313: the industrial control firewall judges whether the second data message meets a preset condition;
Step S314: when the second data message does not meet the preset condition, the transmission of the second data message is stopped;
Step S316: when the second data message meets the preset condition, a TCP connection from the IP:port of the corresponding firewall management platform to the daemon of the security protection module of the industrial control firewall is enabled within a certain time threshold.
The FW can be managed by establishing an encrypted SSH channel with the MP. Before the SSH channel is set up, a layer of Single Packet Authentication is added to guarantee the security of connection establishment. The principle is as follows: the MP sends a management request (MCR) packet to the FW, and the FW decrypts it and verifies whether the sender is an authorized MP; that is, before making the SSH connection request the MP must send a UDP packet that passes the FW's verification, and after the FW's verification succeeds, a TCP connection from the corresponding MP's IP:PORT to the FW's SSHD (the SSH daemon) is enabled for the following 10 seconds. Once connected, the FW can be configured through the corresponding user-space tools. MCR packets are captured in the same way as discovery packets: by the corresponding built-in engine in the kernel, and then by the hook function. In the subsequent processing of the MCR packet it must be ensured that the connection request sent by the MP within the following 10 seconds can successfully reach the local SSHD on the FW. The kernel processes the MCR packet as follows:
- Determine whether this is the first time management is accepted, or whether the sender is an authorized MP;
- If it is the first contact, or an authorized MP, continue. Otherwise return NF_ACCEPT, and the FW forwards the packet transparently to the AD;
- Obtain the PORT (port) from which the TCP connection will be established;
- According to the information in this packet (the MAC:IP of the downstream device), set up layer-2 and layer-3 destination network address translation (Destination Network Address Translation, hereinafter DNAT) and source network address translation (Source Network Address Translation, hereinafter SNAT) rules, ensuring that a TCP connection from the corresponding MP's IP:PORT reaches the private SSHD port of the local machine;
- Start a timed task: after 10 seconds, forbid the establishment of new connections, while the DNAT and SNAT rules remain in place;
- Free the memory of this MCR packet and return NF_STOLEN, so the TCP/IP protocol stack does not need to process the packet.
Besides the information needed to establish the SSH connection, the MCR packet also needs certain security mechanisms against replay attacks and man-in-the-middle attacks. Encrypting the payload (hereinafter payload) prevents information leakage and man-in-the-middle attacks, while the sequence number in the MCR packet header uniquely identifies the packet and prevents replay attacks. The MCR packet format is as follows:
| IP head | UDP head | management frame head | SSH information | md5checksum |
- The first three protocol headers are identical to the discovery packet and are skipped here.
- SSH INFO: the content comprises
  - MP identifier, identifying the MP communicating with the FW; globally unique, and confirms that this MP has already discovered the FW
  - FW identifier, indicating that the connection is to be made with this FW
  - connection port, the port the MP will use to connect to the FW
- Checksum: used to verify whether the payload is correct
Now, within the following 10 seconds, the MP can connect to the FW simply by initiating an SSH connection to the downstream device AD. Over the SSH channel the FW can be configured with the corresponding user-space tools on the FW. The key mode currently used is the pre-shared key mode: the UDP packets are encrypted with a symmetric cipher such as AES or DES, while SSH establishment uses a Diffie-Hellman key exchange encrypted channel and RSA public key authentication. After the connection is established, the MP's public key is passed to the FW over the SSH connection, ensuring that this FW only allows the corresponding MP to manage it. A CA certificate authentication mode may be adopted later to avoid the possibility of the reconstructed messages being intercepted and cracked in transit by a hacker.
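A model of the kernel-side MCR handling and the 10-second window described above, as an added example that is not part of the patent. `McrHandler`, `McrPacket`, `NatRule` and the treatment of a replayed MCR packet as ordinary traffic are assumptions; the DNAT/SNAT pair is represented as data rather than as real netfilter rules, and `authorize` stands for the hand-over of the MP's public key through the SSH channel.

```python
from dataclasses import dataclass, field

NF_ACCEPT = "NF_ACCEPT"  # hook verdict: packet continues to the downstream AD untouched
NF_STOLEN = "NF_STOLEN"  # hook verdict: packet consumed here, the TCP/IP stack never sees it
WINDOW_SECONDS = 10      # page: the MP may connect within the following 10 seconds


@dataclass
class McrPacket:
    """The decrypted SSH information unit of an MCR packet plus the addressing it arrived with."""
    mp_identifier: str
    fw_identifier: str
    connect_port: int   # port the MP will use for the TCP connection
    seq_num: int        # from the management frame head
    mp_ip: str          # IP head source: the MP
    ad_ip: str          # IP head destination: the downstream device
    ad_mac: str         # Ethernet destination: the downstream device


@dataclass
class NatRule:
    """Layer-2/3 DNAT + SNAT pair steering MP:port -> AD onto the FW's own sshd."""
    mp_ip: str
    mp_port: int
    ad_ip: str
    ad_mac: str
    sshd_port: int
    accept_new_until: float  # new connections allowed while now < accept_new_until


@dataclass
class McrHandler:
    fw_identifier: str
    sshd_port: int
    authorized_mps: set = field(default_factory=set)  # MPs whose public key the FW holds
    first_contact_done: bool = False
    last_seq: dict = field(default_factory=dict)      # MP identifier -> last seq_num accepted
    rules: list = field(default_factory=list)         # DNAT/SNAT rules, kept after the window

    def handle(self, pkt: McrPacket, now: float) -> str:
        """Kernel-side MCR processing; returns the netfilter verdict."""
        if pkt.fw_identifier != self.fw_identifier:
            return NF_ACCEPT  # meant for another FW: transparent pass-through
        authorized = pkt.mp_identifier in self.authorized_mps
        if self.first_contact_done and not authorized:
            return NF_ACCEPT  # only first contact or an authorized MP continues
        if pkt.seq_num <= self.last_seq.get(pkt.mp_identifier, -1):
            return NF_ACCEPT  # repeated seq_num: replay, handed on as ordinary traffic (assumed)
        self.last_seq[pkt.mp_identifier] = pkt.seq_num
        # DNAT/SNAT built from the packet's addressing; the rule outlives the 10-second window
        self.rules.append(NatRule(pkt.mp_ip, pkt.connect_port, pkt.ad_ip, pkt.ad_mac,
                                  self.sshd_port, now + WINDOW_SECONDS))
        self.first_contact_done = True
        return NF_STOLEN  # packet freed; the protocol stack never processes it

    def authorize(self, mp_identifier: str) -> None:
        """Called once the MP's public key has been handed over through the SSH channel."""
        self.authorized_mps.add(mp_identifier)

    def new_tcp_allowed(self, src_ip: str, src_port: int, dst_ip: str, now: float) -> bool:
        """Whether a new TCP connection MP -> AD is diverted to sshd: only inside the window."""
        for r in self.rules:
            if (r.mp_ip, r.mp_port, r.ad_ip) == (src_ip, src_port, dst_ip):
                return now < r.accept_new_until
        return False
```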
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the present invention. Any person skilled in the art may make minor modifications and refinements without departing from the spirit and scope of the present invention, and the scope of protection of the present invention is therefore defined by the claims.
Claims (10)
1. An industrial control firewall control method based on message reconstruction, involving a firewall management platform, an industrial control firewall and at least one industrial control device, wherein the industrial control firewall is arranged between the firewall management platform and the industrial control device and divides the network into an intranet, where the industrial control device is located, and an extranet, where the firewall management platform is located, and a safety protection module that secures the communication between the firewall management platform and the industrial control firewall is provided between the two; characterized in that the control method comprises the following steps:
the firewall management platform sends to the industrial control device a first data message encrypted by the safety protection module;
the industrial control firewall intercepts the first data message;
the industrial control firewall judges whether the first data message meets a first preset condition;
when the first data message meets the first preset condition, the transmission of the first data message is stopped;
when the first data message meets the first preset condition, the industrial control firewall judges whether the first data message meets a second preset condition;
when the first data message meets the second preset condition, the industrial control firewall sends an acknowledgement of receipt to the firewall management platform;
a connection is established between the firewall management platform and the industrial control firewall.
2. The industrial control firewall control method based on message reconstruction according to claim 1, characterized in that the first preset condition is that the port number of the first data message is a designated port number, and the second preset condition is that the first data message is a specific data packet.
3. The industrial control firewall control method based on message reconstruction according to claim 2, characterized in that the step in which the industrial control firewall judges whether the first data message meets the second preset condition comprises sending the first data message to the kernel of the industrial control firewall, where an internal engine judges whether the first data message is the specific data packet.
4. The industrial control firewall control method based on message reconstruction according to claim 2, characterized in that the specific data packet comprises an IP header unit, a UDP header unit, a management frame header unit, a firewall management platform information unit and a check information unit, wherein
the IP header unit comprises the IP header of the packet sent by the firewall management platform to the industrial control device;
the UDP header unit comprises the UDP header addressed to the designated port of the industrial control device;
the management frame header unit comprises a field indicating the type of the specific data packet and a packet sequence number identifying the packet currently sent by the firewall management platform to the industrial control device;
the firewall management platform information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field for the model of the firewall management platform currently communicating with the industrial control firewall and a field for the version number of the firewall management platform currently communicating with the industrial control firewall;
the check information unit is used to verify whether the specific data packet is correct and complete.
5. The industrial control firewall control method based on message reconstruction according to claim 2, characterized in that the acknowledgement of receipt comprises an IP header unit, a UDP header unit, a management frame header unit, a firewall management platform information unit and a check information unit, wherein
the IP header unit comprises the packet header that the industrial control firewall, impersonating the industrial control device, sends to the firewall management platform;
the UDP header unit comprises the UDP header that the industrial control firewall, impersonating the industrial control device, sends from the designated port number to the corresponding port of the firewall management platform;
the management frame header unit comprises a field indicating the type of the specific data packet and the packet sequence number of the packet currently sent by the firewall management platform to the industrial control device;
the firewall management platform information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field for the model of the industrial control firewall currently communicating with the firewall management platform and a field for the version number of the industrial control firewall currently communicating with the firewall management platform;
the check information unit is used to verify whether the acknowledgement of receipt is correct and complete.
6. The industrial control firewall control method based on message reconstruction according to claim 1, characterized in that, before the step in which the firewall management platform sends to the industrial control device the first data message encrypted by the safety protection module, the method further comprises:
the firewall management platform sends to the industrial control firewall a second data message encrypted by the safety protection module;
the industrial control firewall intercepts the second data message;
the industrial control firewall judges whether the second data message meets a preset condition;
when the second data message does not meet the preset condition, the transmission of the second data message is stopped;
when the second data message meets the preset condition, TCP connections from the IP address/port of the corresponding firewall management platform to the daemon of the safety protection module of the industrial control firewall are enabled for a certain time threshold.
7. The industrial control firewall control method based on message reconstruction according to claim 6, characterized in that the preset condition is that the firewall management platform is being managed for the first time or is authorized, and the step in which the industrial control firewall judges whether the second data message meets the preset condition comprises: sending the second data message to the kernel of the industrial control firewall, where an internal engine judges whether the second data message indicates that the firewall management platform is being managed for the first time or is authorized.
8. The industrial control firewall control method based on message reconstruction according to claim 6, characterized in that the method further comprises:
after the time threshold has elapsed, the establishment of new connections is forbidden; only layer-2 and layer-3 destination address translation and source address translation are performed, according to the MAC address/IP address of the industrial control device.
9. The industrial control firewall control method based on message reconstruction according to claim 6, characterized in that the second data message comprises an IP header unit, a UDP header unit, a management frame header unit, a safety protection module information unit and a check information unit, wherein
the IP header unit comprises the IP header of the packet sent by the firewall management platform to the industrial control device;
the UDP header unit comprises the UDP header addressed to the designated port of the industrial control device;
the management frame header unit comprises a field indicating the type of the specific data packet and the packet sequence number of the packet currently sent by the firewall management platform to the industrial control device;
the safety protection module information unit comprises a field identifying the firewall management platform communicating with the industrial control firewall, a field indicating that a connection is to be established with the industrial control firewall and a field indicating that the firewall management platform uses the designated port to connect to the industrial control firewall;
the check information unit is used to verify whether the second data message is correct and complete.
10. The industrial control firewall control method based on message reconstruction according to claim 1, characterized in that the safety protection module uses a pre-shared key mode or a CA certificate authentication mode, and the pre-shared key mode comprises a symmetric encryption mode, a Diffie-Hellman key exchange encrypted channel and an RSA public key authentication mode.
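The exchange described in claims 1 to 9, as an added example that is not code from the patent or from any product built on it: a Python model of the transparent, IP-less firewall that intercepts UDP datagrams addressed to the device's designated port (first preset condition), checks the management frame header, information unit and check unit (second preset condition), answers a valid specific data packet with an acknowledgement whose IP and UDP headers carry the device's address and port as source (claim 5), and, for an authorization packet, enables TCP connections from that platform IP/port to the safety-module daemon only until a time threshold expires (claims 6 to 9). The port number 50000, the type codes, the three 16-byte information fields, CRC-32 as the check unit, the "CONNECT" flag, and the choices to forward traffic for other ports and to drop a datagram that fails the second check are all assumptions; the patent fixes none of them, and the encryption by the safety protection module (claim 10) is not modelled.

```python
# Added example (not code from the patent): a toy model of the message-reconstruction
# exchange in claims 1-9. Field widths, type codes, the CRC-32 check unit, the port
# number 50000 and the "CONNECT" flag are assumptions; the patent fixes none of them.
import socket
import struct
import zlib

DESIGNATED_PORT = 50000                              # assumed designated port on the device
TYPE_MGMT, TYPE_AUTH, TYPE_ACK = 0x01, 0x02, 0x81    # assumed management-frame type codes
IP_HDR = struct.Struct("!BBHHHBBH4s4s")             # IPv4 header without options (20 bytes)
UDP_HDR = struct.Struct("!HHHH")                     # source port, dest port, length, checksum
MGMT_HDR = struct.Struct("!BI")                      # management frame header: type, sequence no.
INFO = struct.Struct("!16s16s16s")                   # information unit: three fixed-width fields
CHECK = struct.Struct("!I")                          # check unit: CRC-32 over the preceding body
BODY_LEN = MGMT_HDR.size + INFO.size + CHECK.size


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(src_ip, dst_ip, sport, dport, ptype, seq, fields):
    """Assemble IP header + UDP header + management frame + info unit + check unit."""
    body = MGMT_HDR.pack(ptype, seq)
    body += INFO.pack(*(f.encode().ljust(16, b"\x00") for f in fields))
    body += CHECK.pack(zlib.crc32(body))
    udp = UDP_HDR.pack(sport, dport, UDP_HDR.size + len(body), 0) + body  # 0 = no UDP checksum
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]  # fill the checksum field
    return ip + udp


def parse(raw):
    """Split a datagram into its units; None if it is not a well-formed IPv4/UDP frame."""
    if len(raw) < IP_HDR.size + UDP_HDR.size + BODY_LEN:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(raw)
    if ver_ihl != 0x45 or proto != 17 or inet_checksum(raw[:IP_HDR.size]) != 0:
        return None
    sport, dport, ulen, _ = UDP_HDR.unpack_from(raw, IP_HDR.size)
    body = raw[IP_HDR.size + UDP_HDR.size:IP_HDR.size + ulen]
    if len(body) < BODY_LEN:
        return None
    ptype, seq = MGMT_HDR.unpack_from(body)
    fields = tuple(f.rstrip(b"\x00").decode() for f in INFO.unpack_from(body, MGMT_HDR.size))
    (crc,) = CHECK.unpack_from(body, MGMT_HDR.size + INFO.size)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "type": ptype, "seq": seq, "fields": fields,
            "check_ok": crc == zlib.crc32(body[:MGMT_HDR.size + INFO.size])}


class TransparentFirewall:
    """In-line firewall with no IP address of its own; it answers in the device's name."""

    def __init__(self, device_ip, model, version, window_seconds):
        self.device_ip, self.model, self.version = device_ip, model, version
        self.window = window_seconds
        self.enabled = {}       # (platform ip, platform port) -> window expiry time

    def intercept(self, raw, now):
        """Handle one datagram; returns (action, reply) where reply is a datagram or None."""
        pkt = parse(raw)
        if pkt is None or pkt["dport"] != DESIGNATED_PORT:
            return "forward", None     # first precondition not met: pass through (assumption)
        # First precondition met: the datagram is never delivered to the device.
        if pkt["dst"] != self.device_ip or not pkt["check_ok"]:
            return "drop", None        # failed second check: assumed to be silently dropped
        if pkt["type"] == TYPE_MGMT:
            # Specific data packet: reply with the device's IP/port as source (claim 5),
            # echoing the sequence number and carrying the firewall's model and version.
            reply = build(self.device_ip, pkt["src"], DESIGNATED_PORT, pkt["sport"],
                          TYPE_ACK, pkt["seq"], (pkt["fields"][0], self.model, self.version))
            return "ack", reply
        if pkt["type"] == TYPE_AUTH and pkt["fields"][1] == "CONNECT" and pkt["fields"][2].isdigit():
            # Authorization packet (claims 6, 7, 9): open the daemon's TCP port to this
            # platform IP/port only until the time threshold expires (claim 8).
            self.enabled[(pkt["src"], int(pkt["fields"][2]))] = now + self.window
            return "auth", None
        return "drop", None

    def allow_tcp(self, src_ip, src_port, now):
        """New TCP connections to the safety-module daemon pass only inside the window."""
        expiry = self.enabled.get((src_ip, src_port))
        return expiry is not None and now < expiry
```

The model keeps the two decisions the claims separate: the port check decides whether the firewall takes the datagram at all, and only then does the content check (type, addressing, check unit) decide between an acknowledgement, an authorization window and a drop. Injecting the spoofed acknowledgement onto the wire needs a raw socket or bridge interface on the real device, which is outside this example, and the address translation that claim 8 keeps running after the window closes is not modelled.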
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510057327.7A CN104717205A (en) | 2015-02-04 | 2015-02-04 | Industrial control firewall control method based on message reconstitution |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510057327.7A CN104717205A (en) | 2015-02-04 | 2015-02-04 | Industrial control firewall control method based on message reconstitution |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104717205A true CN104717205A (en) | 2015-06-17 |
Family
ID=53416168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510057327.7A Pending CN104717205A (en) | 2015-02-04 | 2015-02-04 | Industrial control firewall control method based on message reconstitution |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104717205A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1286430A (en) * | 1999-08-26 | 2001-03-07 | 网观科技(加拿大)有限公司 | Fireproof wall for interconnecting network |
US20070266426A1 (en) * | 2006-05-12 | 2007-11-15 | International Business Machines Corporation | Method and system for protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages |
CN101283539A (en) * | 2005-10-05 | 2008-10-08 | 拜尔斯安全公司 | network security device |
CN101345711A (en) * | 2008-08-13 | 2009-01-14 | 成都市华为赛门铁克科技有限公司 | Packet processing method, fire wall equipment and network security system |
US20100281311A1 (en) * | 2009-04-30 | 2010-11-04 | International Business Machines Corporation | Method and system for reconstructing error response messages under web application environment |
CN103036870A (en) * | 2012-10-26 | 2013-04-10 | 青岛海天炜业自动化控制系统有限公司 | Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic |
Events
2015-02-04 | CN | CN201510057327.7A | patent/CN104717205A/en | Pending
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105827613B (en) * | 2016-04-14 | 2019-02-12 | 广东电网有限责任公司电力科学研究院 | A kind of test method and system for substation's industrial control equipment information security |
CN105827613A (en) * | 2016-04-14 | 2016-08-03 | 广东电网有限责任公司电力科学研究院 | Test method and system for information security of transformer substation industrial control equipment |
EP3586491A4 (en) * | 2017-02-22 | 2020-12-30 | Honeywell International Inc. | TRANSPARENT FIREWALL FOR PROTECTING FIELD DEVICES |
WO2018156428A1 (en) | 2017-02-22 | 2018-08-30 | Honeywell International Inc. | Transparent firewall for protecting field devices |
CN110326268A (en) * | 2017-02-22 | 2019-10-11 | 霍尼韦尔国际公司 | Transparent fireproof wall for the equipment that keeps the scene intact |
CN106899616A (en) * | 2017-04-20 | 2017-06-27 | 四川电科智造科技有限公司 | A kind of safety regulation collocation method without IP fire walls |
CN106899616B (en) * | 2017-04-20 | 2020-01-17 | 四川电科智造科技有限公司 | Security rule configuration method of IP-free firewall |
CN108259478A (en) * | 2017-12-29 | 2018-07-06 | 中国电力科学研究院有限公司 | Safety protecting method based on industry control terminal device interface HOOK |
CN109167774A (en) * | 2018-08-23 | 2019-01-08 | 西安理工大学 | A kind of data message and the data flow secure interaction method on firewall |
CN109167774B (en) * | 2018-08-23 | 2021-04-06 | 西安理工大学 | A data message and a data flow security mutual access method on a firewall |
CN109257357A (en) * | 2018-09-26 | 2019-01-22 | 杭州安恒信息技术股份有限公司 | Industry control network safety protecting method and device based on OPC service |
CN111552668B (en) * | 2020-07-09 | 2020-10-23 | 南京云信达科技有限公司 | High-performance cross-domain copying method based on zfs file system |
CN111552668A (en) * | 2020-07-09 | 2020-08-18 | 南京云信达科技有限公司 | High-performance cross-domain copying method based on zfs file system |
CN112104661A (en) * | 2020-09-18 | 2020-12-18 | 北京珞安科技有限责任公司 | Dynamic control method and system for industrial control equipment firewall |
CN112104661B (en) * | 2020-09-18 | 2022-10-21 | 北京珞安科技有限责任公司 | Dynamic control method and system for industrial control equipment firewall |
CN112769850A (en) * | 2021-01-19 | 2021-05-07 | 英赛克科技(北京)有限公司 | Network message filtering method, electronic equipment and storage medium |
CN112769850B (en) * | 2021-01-19 | 2022-11-22 | 英赛克科技(北京)有限公司 | Network message filtering method, electronic equipment and storage medium |
CN113364808A (en) * | 2021-06-30 | 2021-09-07 | 北京天融信网络安全技术有限公司 | Industrial control firewall testing method, device, equipment and storage medium |
CN113364808B (en) * | 2021-06-30 | 2022-09-16 | 北京天融信网络安全技术有限公司 | Industrial control firewall testing method, device, equipment and storage medium |
CN113810361A (en) * | 2021-07-15 | 2021-12-17 | 赛姆科技(广东)有限公司 | Rapid deployment management method of IP-free firewall |
CN114115099A (en) * | 2021-11-08 | 2022-03-01 | 浙江高信技术股份有限公司 | PLC system supporting network security |
CN114115099B (en) * | 2021-11-08 | 2024-01-02 | 浙江高信技术股份有限公司 | PLC system supporting network security |
CN115981274A (en) * | 2022-12-16 | 2023-04-18 | 安全邦(北京)信息技术有限公司 | Safety protection system of industrial control system |
Similar Documents
Publication | Title
---|---
CN104717205A (en) | Industrial control firewall control method based on message reconstitution
US11134064B2 (en) | Network guard unit for industrial embedded system and guard method
US6115376A (en) | Medium access control address authentication
US8191119B2 (en) | Method for protecting against denial of service attacks
CN110996318A (en) | Safety communication access system of intelligent inspection robot of transformer substation
CN102571497B (en) | Method, apparatus and system for IPsec tunnel fault detection
US12088569B1 (en) | Protocol free encrypting device
JPWO2017030186A1 (en) | Security system and communication control method
CN106209883A (en) | Multi-link transmission method and system based on link selection and fragment reassembly
CN102546661B (en) | Method and system for preventing IPv6 gateway neighbour spoofing attacks
CN212850561U (en) | Network safety isolation device for realizing intranet information safety
CN111988289B (en) | EPA Industrial Control Network Security Testing System and Method
CN116055254A (en) | A secure and trusted gateway system, control method, medium, device and terminal
JP6932375B2 (en) | Communication device
CN107277058B (en) | Interface authentication method and system based on BFD protocol
Ertaul et al. | Security of software defined networks (SDN)
CN110213233A (en) | Simulation platform and construction method for defending against distributed denial of service attacks on power grids
Tippenhauer et al. | Vbump: Securing ethernet-based industrial control system networks with vlan-based traffic aggregation
CN100428748C (en) | A Multi-Party Communication Method Based on Double Identity
Belenguer et al. | A low-cost embedded IDS to monitor and prevent Man-in-the-Middle attacks on wired LAN environments
CN118611904A (en) | A novel power software and hardware terminal equipment security access device, module and method
EP4181431A1 (en) | Service transmission method and apparatus, network device, and storage medium
Sun et al. | Simulation and safety analysis of 6to4 tunnel technology based on eNSP
CN118677647B (en) | IPv6 neighbor discovery protocol security protection method and system based on SDN and P4 technology
JP6847488B1 (en) | Authentication method in IP communication
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150617