CN114268457A - Multi-protocol multi-service public network security access method - Google Patents
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention relates to the technical field of public network security access, in particular to a multi-protocol multi-service public network security access method. The power station system is divided by function into a centralized control center system and a power plant equipment system, and encryption equipment, a service server, a data acquisition server, a switch, load balancing equipment, a core firewall, a database auditing system, an anti-virus gateway, an intrusion detection system, a public network front-end server, a forward isolation device, a reverse isolation device, a protocol conversion server and a bastion host are arranged in both the centralized control center system and the power plant equipment system. The invention effectively solves the problem that the prior art cannot meet the requirement of a power grid system for multi-protocol, multi-service secure access to a public network.
Description
Technical Field
The invention relates to the technical field of public network security access, in particular to a multi-protocol multi-service public network security access method.
Background
The conventional security access area is mainly used for a system with a single service and a single protocol and is usually deployed on the data acquisition side. In a wind power centralized control system, however, network security protection is required on both the centralized control side and the station side, so a security access area system must be installed on both, which the conventional security access area system clearly cannot satisfy. In addition, when data in the security access area passes through the isolation device, the original data packet has to be converted into a private protocol. Because the wind power centralized control system has numerous service servers whose protocols are inconsistent, the conventional security access area system has to perform a private-protocol conversion of the service data for each service server separately, so the original communication protocol is changed and the networking mode becomes complicated.
Disclosure of Invention
Technical problem solved
Aiming at the defects in the prior art, the invention provides a multi-protocol multi-service public network security access method, which can effectively solve the problem that the prior art can not meet the requirement of multi-protocol multi-service security access of a power grid system to a public network.
Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
a multi-protocol multi-service public network security access method comprises the following steps:
step (1), a power station system is divided into a centralized control center system and a power generation field equipment system according to function;
step (2), configuring a first encryption device, a first service server, a first data acquisition server, a first switch, a first load balancing device, a first core firewall, a first database auditing system, a first antivirus gateway, a first intrusion detection system, a first public network front-end server, a first forward isolation device, a first reverse isolation device and a first protocol conversion server in the centralized control center system, connecting the first service server and the first data acquisition server to the first switch in a parallel manner, connecting the first switch to the rear end of the first protocol conversion server, connecting the front end of the first protocol conversion server to the first forward isolation device and the first reverse isolation device in a parallel relationship respectively, connecting the front ends of the first forward isolation device and the first reverse isolation device in a parallel relationship to the rear end of the first public network front-end server respectively, connecting the front end of the first public network front-end server to first encryption equipment, arranging first load balancing equipment at two ends of the first switch, arranging a first core firewall at the rear end of the first encryption equipment, arranging a first antivirus gateway at the front end of the first encryption equipment, and arranging a first database auditing system and a first intrusion detection system in the first service server, the first data acquisition server, the first public network front-end server and the first protocol conversion server;
step (3), configuring a second encryption device, a second service server, a second data acquisition server, a second switch, a second load balancing device, a second core firewall, a second database auditing system, a second antivirus gateway, a second intrusion detection system, a second public network front-end server, a second forward isolation device, a second reverse isolation device and a second protocol conversion server in the power plant equipment system, connecting the second service server and the second data acquisition server to the second switch in parallel, connecting the second switch to the rear end of the second protocol conversion server, connecting the front end of the second protocol conversion server to the second forward isolation device and the second reverse isolation device in parallel respectively, connecting the front ends of the second forward isolation device and the second reverse isolation device in parallel to the rear end of the second public network front-end server respectively, connecting the front end of the second public network front-end server to second encryption equipment, arranging second load balancing equipment at two ends of the second switch, arranging a second core firewall at the rear end of the second encryption equipment, arranging a second antivirus gateway at the front end of the second encryption equipment, and arranging a second database auditing system and a second intrusion detection system in the second service server, the second data acquisition server, the second public network front-end server and the second protocol conversion server;
step (4), a channel selection module for connecting a plurality of channels of the power station system is further arranged on the second switch;
step (5), a plurality of fourth encryption devices are connected to the channel selection module in parallel, a near-end router is further arranged at the rear end of each fourth encryption device, a far-end router is arranged at the rear end of each near-end router, a third encryption device is arranged at the rear end of each far-end router, a third switch is arranged at the rear end of each third encryption device, and a third service server and a third data acquisition server are connected to the rear end of each third switch in parallel.
Furthermore, in the step (1), a public network data communication channel is arranged between the centralized control center system and the power generation field equipment system.
Furthermore, in the step (2) and the step (3), the first protocol conversion server is further connected with a control module; a first instruction receiving module, a first file generating module and a first file sending module which are connected in sequence are arranged in the first protocol conversion server; a first file receiving module, a first analysis module and a first instruction sending module which are connected in sequence are arranged in the first public network front server; a second instruction receiving module, a second file generating module and a second file sending module which are connected in sequence are arranged in the second public network front server; and a second file receiving module, a second analysis module and a second instruction sending module which are connected in sequence are arranged in the second protocol conversion server.
Furthermore, the control module generates a control instruction and sends it to the first instruction receiving module; the first file generating module then generates an instruction file from the control instruction received by the first instruction receiving module; the first file sending module sends the instruction file to the first file receiving module through the first forward isolation device; the first parsing module generates a standard remote control message from the instruction file received by the first file receiving module; the first instruction sending module sends the remote control message to the second instruction receiving module through the first encryption device and the second encryption device; the second file generating module generates an instruction file from the remote control message received by the second instruction receiving module; the second file sending module sends the instruction file to the second file receiving module through the second reverse isolation device; the second parsing module parses the instruction file received by the second file receiving module and extracts the control instruction; and finally, the second instruction sending module distributes the control instruction extracted by the second parsing module to the corresponding equipment according to a standard protocol.
Furthermore, the second file receiving module receives external data; the second parsing module parses the external data received by the second file receiving module and converts it into a private protocol; the second instruction sending module sends the private protocol data to the second instruction receiving module through the second forward isolation device; the second file generating module converts the private protocol data received by the second instruction receiving module back into the original standard protocol data; the second file sending module sends the standard protocol data to the first file receiving module through the first encryption device and the second encryption device; the first parsing module converts the standard protocol data received by the first file receiving module into the private protocol; the first instruction sending module sends the private protocol data to the first instruction receiving module through the first reverse isolation device; and finally, the first file sending module distributes the resulting protocol file to the corresponding first service server or first data acquisition server.
Furthermore, in the step (5), a power grid data network channel is arranged between the far-end router and the near-end router.
Furthermore, bastion hosts are arranged in the centralized control center system and the power plant equipment system.
Further, each bastion host comprises a primary machine and a standby machine.
Advantageous effects
Compared with the known public technology, the technical scheme provided by the invention has the following beneficial effects:
the power station system is separated in a modular fashion, so that communication between the service servers in the power station system does not require separate data conversion for each server, and data transmission between the centralized control center system and the power generation field equipment system is carried out over the standard communication protocol already used by the power station system. In addition, a channel selection module for connecting a plurality of channels of the power station system is arranged on the second switch, so that a user can add a new service server through the channel selection module. Bidirectional identity verification is realized through the encryption equipment, and the system is monitored, protected and adjusted in real time through the load balancing equipment, core firewall, database auditing system, anti-virus gateway and intrusion detection system, so that the power grid system can securely access the public network with multiple protocols and multiple services.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of a control relationship connection according to the present invention;
FIG. 2 is a flow chart of data download in the present invention;
FIG. 3 is a flow chart of data upload in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The present invention will be further described with reference to the following examples.
Examples
A secure access method for a multi-protocol multi-service public network according to this embodiment is described with reference to fig. 1 to 3: the method comprises the following steps:
step (1), a power station system is divided into a centralized control center system and a power generation field equipment system according to function, and a public network data communication channel is arranged between the centralized control center system and the power generation field equipment system.
Step (2), configuring a first encryption device, a first service server, a first data acquisition server, a first switch, a first load balancing device, a first core firewall, a first database auditing system, a first antivirus gateway, a first intrusion detection system, a first public network front-end server, a first forward isolation device, a first reverse isolation device and a first protocol conversion server in a centralized control center system, connecting the first service server and the first data acquisition server to the first switch in a parallel manner, connecting the first switch to the rear end of the first protocol conversion server, connecting the front end of the first protocol conversion server to the first forward isolation device and the first reverse isolation device in a parallel relationship respectively, connecting the front ends of the first forward isolation device and the first reverse isolation device in a parallel relationship to the rear end of the first public network front-end server respectively, the front end of a first public network front-end server is connected to first encryption equipment, first load balancing equipment is arranged at two ends of a first switch, a first core firewall is arranged at the rear end of the first encryption equipment, a first anti-virus gateway is arranged at the front end of the first encryption equipment, and a first database auditing system and a first intrusion detection system are arranged in a first service server, a first data acquisition server, the first public network front-end server and a first protocol conversion server.
Step (3), configuring a second encryption device, a second service server, a second data acquisition server, a second switch, a second load balancing device, a second core firewall, a second database auditing system, a second antivirus gateway, a second intrusion detection system, a second public network front-end server, a second forward isolation device, a second reverse isolation device and a second protocol conversion server in the power plant equipment system, connecting the second service server and the second data acquisition server to the second switch in a parallel manner, connecting the second switch to the rear end of the second protocol conversion server, connecting the second forward isolation device and the second reverse isolation device in a parallel relationship to the front end of the second protocol conversion server respectively, connecting the front ends of the second forward isolation device and the second reverse isolation device in a parallel relationship to the rear end of the second public network front-end server respectively, the front end of the second public network front server is connected to a second encryption device, second load balancing devices are arranged at two ends of a second switch, a second core firewall is arranged at the rear end of the second encryption device, a second antivirus gateway is arranged at the front end of the second encryption device, and a second database auditing system and a second intrusion detection system are arranged in a second service server, a second data acquisition server, the second public network front server and a second protocol conversion server.
It is worth noting that the first protocol conversion server is also connected with a control module; a first instruction receiving module, a first file generating module and a first file sending module, connected in sequence, are arranged in the first protocol conversion server; a first file receiving module, a first parsing module and a first instruction sending module, connected in sequence, are arranged in the first public network front-end server; a second instruction receiving module, a second file generating module and a second file sending module, connected in sequence, are arranged in the second public network front-end server; and a second file receiving module, a second parsing module and a second instruction sending module, connected in sequence, are arranged in the second protocol conversion server.
The first core firewall and the second core firewall have the following functions: fine-grained control (by IP address, TCP/UDP port, ICMP type, etc.) of network data flows, allowing legitimate network data transmission and refusing illegitimate network communication; explicit allow/deny decisions on data streams based on session state information; termination of the controlled port and connection after the session has been inactive for a set time or has finished; limiting the number of connections and the concurrency of a given IP; prevention of illegitimate probing and access; and shielding of internal ports to prevent scanning and attacks from the external network.
The first load balancing device and the second load balancing device have the following functions: managing traffic to the access servers and traffic returned by the servers, and intelligently distributing the traffic to the optimal server through various static and dynamic load sharing algorithms; gradually shifting traffic onto a newly added server, so that excessive resource use caused by processes that have not finished loading or by slow application response is avoided and the server is brought into service smoothly; periodically checking the running state of each server in real time and, when a server fault is found, removing that server from the traffic-sharing pool so that running stability is ensured; and SSL acceleration and offloading, which greatly improves the service processing capacity of the servers without introducing a performance bottleneck.
The first database auditing system and the second database auditing system have the following functions: ensuring that the service system and network information data are not damaged, disclosed or stolen by users, and monitoring database operation behavior, network behavior and communication content in the network environment in real time by various technical means so that they can be centrally collected, analyzed, alarmed on and processed; providing overall control and scheduling of the service system's information resources; continuously monitoring access to important resources; after a security event, tracing the attacker step by step from the detailed audit and database audit records; finding the real causes of security events and performance fluctuations; and helping users strengthen supervision of network behavior and meet internal control or external policy compliance requirements.
The first anti-virus gateway and the second anti-virus gateway are used for: fine-grained control (by IP address, TCP/UDP port, ICMP type, etc.) of network data flows, allowing legitimate network data transmission and refusing illegitimate network communication; explicit allow/deny decisions on data streams based on session state information; termination of the controlled port and connection after the session has been inactive for a set time or has finished; shielding internal ports to prevent scanning and attacks from the external network; and intercepting virus attack events, recording the source and destination information of each event, and helping the user understand the details of the virus attack through visualization.
The first intrusion detection system and the second intrusion detection system have the following functions: monitoring network transmission in real time, automatically detecting suspicious behavior, analyzing intrusion signals from outside and inside the network, raising a warning before the system is damaged, responding to an attack in real time and providing remedial measures, so as to protect the network system as far as possible. The intrusion detection system consists of two parts, a detector and a security control center; the security control center is installed on a server, and the detector is independent hardware. The detector intercepts and captures data streams on the network, performs real-time protocol analysis and applies the security rules. The security control center controls the detector, generates the security rules, receives alarm and log information and produces network security audit reports. Attack behavior that can be monitored includes port scanning, brute force attacks, Trojan backdoor attacks, denial of service attacks, buffer overflow attacks, IP fragment attacks, network worm attacks and the like; when an attack is detected, the attack source IP, attack type, attack target and attack time are recorded, and an alarm is raised when a serious intrusion occurs; rich reports can be generated periodically so that the security state of the whole network can be understood further; and the total traffic on the current network, and the traffic over a given time period, can be known in real time.
The first forward isolation device (and the second forward isolation device) has the following functions: 1) secure, non-network data exchange between the two security areas, ensuring that the internal and external processing systems of the isolation device are never connected at the same time; 2) a transparent working mode, that is, virtualizing the IP address and hiding the MAC address of the host; 3) comprehensive message filtering and access control based on MAC address, IP address, transport protocol, transport port and communication direction; 4) NAT support; 5) penetration-resistant TCP connections: no TCP connection may be established directly between the application gateways of the internal and external networks, the internal and external network cards of the isolation device are joined inside the device by a non-network connection, and only unidirectional data transmission is physically allowed.
The first reverse isolation device (and the second reverse isolation device) has all the functions of the first forward isolation device (second forward isolation device) and additionally the following: first, the data sending end in security zone III signs the data to be sent and then sends it to the dedicated reverse isolation device; second, after receiving the data, the dedicated isolation device verifies the signature and performs content filtering, validity checking and other processing on the data; and third, the processed data is forwarded to the receiving program in security zone I/II.
Step (4), a channel selection module for connecting a plurality of channels of the power station system is further arranged on the second switch.
Step (5), a plurality of fourth encryption devices are connected to the channel selection module in parallel, a near-end router is further arranged at the rear end of each fourth encryption device, a far-end router is arranged at the rear end of each near-end router, a third encryption device is arranged at the rear end of each far-end router, a third switch is arranged at the rear end of each third encryption device, and a third service server and a third data acquisition server are connected to the rear end of each third switch in parallel; and a power grid data network channel is arranged between the far-end router and the near-end router.
It is worth noting that bastion hosts are arranged in the centralized control center system and the power plant equipment system, and that each bastion host comprises a primary machine and a standby machine, so that the standby machine automatically takes over service only when the primary machine fails, which improves the operational reliability of the power station system.
The process that the centralized control center system issues data to the power plant equipment system comprises the following steps:
Step 1, the control module generates a control instruction and sends it to the first instruction receiving module.
Step 2, the first file generating module generates an instruction file from the control instruction received by the first instruction receiving module.
Step 3, the first file sending module sends the instruction file to the first file receiving module through the first forward isolation device.
Step 4, the first parsing module generates a standard-protocol remote control message from the instruction file received by the first file receiving module.
Step 5, the first instruction sending module sends the remote control message to the second instruction receiving module through the first encryption device and the second encryption device.
Step 6, the second file generating module generates an instruction file from the remote control message received by the second instruction receiving module.
Step 7, the second file sending module sends the instruction file to the second file receiving module through the second reverse isolation device.
Step 8, the second parsing module parses the instruction file received by the second file receiving module and extracts the control instruction.
Step 9, the second instruction sending module distributes the control instruction extracted by the second parsing module to the corresponding device according to the standard specification.
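The following is an added illustration, not code from the patent, of the downlink path just described together with the signature verification, content filtering and validity checking that the reverse isolation device performs: a control instruction becomes an instruction file, crosses the forward isolation device as a bounded file, is turned into a standard remote control message, and is checked again before the parsing module extracts and dispatches it. The JSON file format, the HMAC stand-in for the signature, the allowlists and the device identifiers are all constructed assumptions; the encrypted channel between the two encryption devices is treated as given and not modelled.

```python
"""Simplified model of the patent's downlink path (constructed example).

Assumptions (not from the patent): instruction files are JSON, the reverse
isolation signature is an HMAC over the message with a key shared by the
sending end and the isolation device, and the allowlists below stand in for
the standard protocol's device and operation tables.
"""
import hashlib
import hmac
import json
import re

# Constructed allowlists used by the validity check.
ALLOWED_DEVICES = {"WT-01", "WT-02", "WT-03"}          # constructed device ids
ALLOWED_OPERATIONS = {"start", "stop", "set_power_limit"}
DEVICE_ID_RE = re.compile(r"^[A-Z]{2}-\d{2}$")
EXPECTED_FIELDS = {"type", "device", "operation", "value"}


# --- control module / first file generating module (Steps 1-2) -------------
def generate_instruction_file(device, operation, value=None):
    """Serialise a control instruction into an instruction file (bytes)."""
    instr = {"device": device, "operation": operation, "value": value}
    return json.dumps(instr, sort_keys=True).encode()


# --- first forward isolation device (Step 3) ---------------------------------
def forward_isolation_transfer(file_bytes, max_size=4096):
    """One-way file hand-off: only a bounded, ASCII-only file may cross."""
    if len(file_bytes) > max_size:
        raise ValueError("instruction file exceeds size limit")
    if not file_bytes.isascii():
        raise ValueError("non-ASCII content refused by forward isolation device")
    return file_bytes  # delivered to the first file receiving module


# --- first parsing module (Steps 4-5) -----------------------------------------
def to_standard_message(file_bytes, signing_key):
    """Build the standard remote control message and sign it for the reverse path."""
    body = json.loads(file_bytes.decode())
    payload = json.dumps({"type": "remote_control", **body}, sort_keys=True).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}  # carried over the encrypted channel


# --- second reverse isolation device (Step 7) ---------------------------------
def reverse_isolation_check(message, signing_key):
    """Signature verification, content filter, validity check; returns the
    instruction dict or raises, in which case the message is dropped."""
    expected = hmac.new(signing_key, message["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        raise PermissionError("signature verification failed")
    try:
        body = json.loads(message["payload"].decode())
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ValueError("content filter: payload is not a well-formed instruction")
    # Content filter: exactly the fields the instruction format defines.
    if not isinstance(body, dict) or set(body) != EXPECTED_FIELDS:
        raise ValueError("content filter: unexpected fields")
    # Validity check: well-formed device id on the allowlist, permitted operation,
    # and a value inside the permitted range where the operation takes one.
    if body["type"] != "remote_control" or not isinstance(body["device"], str):
        raise ValueError("validity check: malformed message")
    if not DEVICE_ID_RE.match(body["device"]) or body["device"] not in ALLOWED_DEVICES:
        raise ValueError("validity check: unknown device")
    if body["operation"] not in ALLOWED_OPERATIONS:
        raise ValueError("validity check: operation not permitted")
    if body["operation"] == "set_power_limit":
        value = body["value"]
        if not isinstance(value, (int, float)) or not 0 <= value <= 100:
            raise ValueError("validity check: power limit out of range")
    return body


# --- second parsing / instruction sending module (Steps 8-9) ------------------
def dispatch(body, queues):
    """Route the extracted control instruction to the target device's queue."""
    queues.setdefault(body["device"], []).append((body["operation"], body["value"]))
    return body["device"]


def downlink(device, operation, value, signing_key, queues):
    """Run one instruction along the whole downlink path; returns the target device."""
    file_bytes = forward_isolation_transfer(generate_instruction_file(device, operation, value))
    message = to_standard_message(file_bytes, signing_key)
    return dispatch(reverse_isolation_check(message, signing_key), queues)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    demo_queues = {}
    print(downlink("WT-02", "set_power_limit", 80, demo_key, demo_queues), demo_queues)
```

The upload path of FIG. 3 is the mirror image: the same checks sit at the second forward isolation device and the first reverse isolation device, with the private/standard protocol conversions swapped.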
The process by which the power plant equipment system uploads data to the centralized control center system comprises the following steps:
Step 1, the second file receiving module receives the external data.
Step 2, the second parsing module parses the instruction file received by the second file receiving module and converts it into a private protocol.
Step 3, the second instruction sending module sends the private protocol data to the second instruction receiving module through the second forward isolation device.
Step 4, the second file generation module converts the private protocol data received by the second instruction receiving module back into the original standard protocol data.
Step 5, the second file sending module sends the standard protocol data to the first file receiving module through the first encryption device and the second encryption device.
Step 6, the first parsing module converts the standard protocol data received by the first file receiving module into a private protocol.
Step 7, the first instruction sending module sends the private protocol data to the first instruction receiving module through the first reverse isolation device.
Step 8, the first file generation module converts the private protocol data received by the first instruction receiving module into a corresponding protocol file.
Step 9, the first file sending module distributes the protocol file to the corresponding first service server or first data acquisition server.
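The downlink procedure above (control module to plant device), modelled as an added example that is not code from the patent: every boundary re-serialises the instruction into a constrained format and re-validates it, so the isolation devices pass only well-formed instruction files and the parsing modules dispatch only allowlisted instructions. The key=value instruction-file format, the JSON remote control message standing in for the "standard protocol", the HMAC-tagged channel standing in for the two encryption devices, and the device and action allowlists are all constructed assumptions.

```python
"""Added model of the downlink control path (Steps 1-9 above); not the patent's code.
Constructed assumptions: key=value instruction files, a JSON remote-control message
standing in for the 'standard protocol', an HMAC tag for the encryption devices."""
import hashlib
import hmac
import json
import re

ALLOWED_ACTIONS = {"start", "stop", "set_power"}  # constructed allowlist
ALLOWED_DEVICES = {"WT-001", "WT-002"}             # constructed device ids
SHARED_KEY = b"constructed-demo-key"               # shared by the two encryption devices
FILE_KEYS = ["device", "action", "value"]
FILE_LINE = re.compile(r"^(device|action|value)=([A-Za-z0-9_.\-]{1,32})$")

class RejectedInstruction(ValueError):
    """A stage refused to forward the instruction."""

def generate_instruction_file(instruction: dict) -> str:
    """File generation module (Steps 2, 6): emit only the three known keys."""
    return "".join(f"{k}={instruction[k]}\n" for k in FILE_KEYS)

def isolation_device(file_text: str) -> str:
    """Isolation device (Steps 3, 7): files only, fixed format, keys in fixed order."""
    matches = [FILE_LINE.match(line) for line in file_text.splitlines()]
    if len(matches) != 3 or not all(matches) or [m.group(1) for m in matches] != FILE_KEYS:
        raise RejectedInstruction("file does not match the instruction-file format")
    return file_text

def parse_instruction_file(file_text: str) -> dict:
    """Parsing module (Steps 4, 8): rebuild the instruction and allowlist it."""
    fields = dict(FILE_LINE.match(line).groups() for line in file_text.splitlines())
    if fields["device"] not in ALLOWED_DEVICES or fields["action"] not in ALLOWED_ACTIONS:
        raise RejectedInstruction(f"not allowlisted: {fields}")
    return fields

def encryption_device_send(message: bytes) -> bytes:
    """Step 5, sending side: models only the integrity tag, not confidentiality."""
    return hmac.new(SHARED_KEY, message, hashlib.sha256).hexdigest().encode() + b"." + message

def encryption_device_receive(wire: bytes) -> bytes:
    """Step 5, receiving side: drop anything whose tag does not verify."""
    tag, _, message = wire.partition(b".")
    expected = hmac.new(SHARED_KEY, message, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise RejectedInstruction("integrity check failed")
    return message

def downlink(control_instruction: dict) -> dict:
    """Control module -> ... -> device (Steps 1-9); returns what gets dispatched."""
    centre_file = isolation_device(generate_instruction_file(control_instruction))  # Steps 2-3
    message = json.dumps({"type": "remote_control", **parse_instruction_file(centre_file)}).encode()  # Step 4
    received = json.loads(encryption_device_receive(encryption_device_send(message)))  # Step 5
    if received.get("type") != "remote_control" or any(k not in received for k in FILE_KEYS):
        raise RejectedInstruction("malformed remote control message")
    plant_file = isolation_device(generate_instruction_file({k: str(received[k]) for k in FILE_KEYS}))  # Steps 6-7
    return parse_instruction_file(plant_file)  # Steps 8-9

def is_rejected(control_instruction: dict) -> bool:
    try:
        downlink(control_instruction)
    except RejectedInstruction:
        return True
    return False
```

A value that smuggles an extra line into the instruction file is refused by the isolation device because the file no longer has exactly the three expected lines.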
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", and the like, indicate orientations and positional relationships based on those shown in the drawings, and are used only for convenience of description and simplicity of description, and do not indicate or imply that the equipment or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be considered as limiting the present invention.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.
Claims (8)
1. A multi-protocol multi-service public network security access method is characterized in that: the method comprises the following steps:
step (1), dividing a power station system into a centralized control center system and a power generation field equipment system according to function;
step (2), configuring a first encryption device, a first service server, a first data acquisition server, a first switch, a first load balancing device, a first core firewall, a first database auditing system, a first antivirus gateway, a first intrusion detection system, a first public network front-end server, a first forward isolation device, a first reverse isolation device and a first protocol conversion server in the centralized control center system, connecting the first service server and the first data acquisition server to the first switch in parallel, connecting the first switch to the rear end of the first protocol conversion server, connecting the front end of the first protocol conversion server to the first forward isolation device and the first reverse isolation device, which are arranged in parallel, connecting the front ends of the first forward isolation device and the first reverse isolation device, in parallel, to the rear end of the first public network front-end server, connecting the front end of the first public network front-end server to the first encryption device, arranging the first load balancing device at both ends of the first switch, arranging the first core firewall at the rear end of the first encryption device, arranging the first antivirus gateway at the front end of the first encryption device, and arranging the first database auditing system and the first intrusion detection system in the first service server, the first data acquisition server, the first public network front-end server and the first protocol conversion server;
step (3), configuring a second encryption device, a second service server, a second data acquisition server, a second switch, a second load balancing device, a second core firewall, a second database auditing system, a second antivirus gateway, a second intrusion detection system, a second public network front-end server, a second forward isolation device, a second reverse isolation device and a second protocol conversion server in the power plant equipment system, connecting the second service server and the second data acquisition server to the second switch in parallel, connecting the second switch to the rear end of the second protocol conversion server, connecting the front end of the second protocol conversion server to the second forward isolation device and the second reverse isolation device, which are arranged in parallel, connecting the front ends of the second forward isolation device and the second reverse isolation device, in parallel, to the rear end of the second public network front-end server, connecting the front end of the second public network front-end server to the second encryption device, arranging the second load balancing device at both ends of the second switch, arranging the second core firewall at the rear end of the second encryption device, arranging the second antivirus gateway at the front end of the second encryption device, and arranging the second database auditing system and the second intrusion detection system in the second service server, the second data acquisition server, the second public network front-end server and the second protocol conversion server;
step (4), a channel selection module for connecting a plurality of channels of the power station system is further arranged on the second switch;
step (5), connecting a plurality of fourth encryption devices to the channel selection module in parallel, arranging a near-end router at the rear end of each fourth encryption device, a far-end router at the rear end of each near-end router, a third encryption device at the rear end of each far-end router, and a third switch at the rear end of each third encryption device, and connecting a third service server and a third data acquisition server in parallel to the rear end of each third switch.
2. The multi-protocol multi-service public network security access method according to claim 1, wherein in step (1), a public network data communication channel is provided between the centralized control center system and the power generation field equipment system.
3. The multi-protocol multi-service public network security access method according to claim 1, wherein in steps (2) and (3), the first protocol conversion server is further connected with a control module;
a first instruction receiving module, a first file generation module and a first file sending module, connected in sequence, are arranged in the first protocol conversion server;
a first file receiving module, a first parsing module and a first instruction sending module, connected in sequence, are arranged in the first public network front-end server;
a second instruction receiving module, a second file generation module and a second file sending module, connected in sequence, are arranged in the second public network front-end server;
and a second file receiving module, a second parsing module and a second instruction sending module, connected in sequence, are arranged in the second protocol conversion server.
4. The method according to claim 3, wherein the control module generates a control instruction and sends the control instruction to the first instruction receiving module,
then the first file generation module generates an instruction file based on the control instruction received by the first instruction receiving module,
then the first file sending module sends the instruction file to the first file receiving module through the first forward isolation device,
then the first parsing module generates a remote control message in a standard protocol based on the instruction file received by the first file receiving module,
then the first instruction sending module sends the remote control message to the second instruction receiving module through the first encryption device and the second encryption device,
then the second file generation module generates an instruction file based on the remote control message received by the second instruction receiving module,
then the second file sending module sends the instruction file to the second file receiving module through the second reverse isolation device,
then the second parsing module parses the instruction file received by the second file receiving module and extracts the control instruction,
and finally, the second instruction sending module distributes the control instruction extracted by the second parsing module to the corresponding equipment according to a standard protocol.
5. The method of claim 3, wherein the second file receiving module receives external data,
then the second parsing module parses the instruction file received by the second file receiving module and converts it into a private protocol,
then the second instruction sending module sends the private protocol data to the second instruction receiving module through the second forward isolation device,
then the second file generation module converts the private protocol data received by the second instruction receiving module back into the original standard protocol data,
then the second file sending module sends the standard protocol data to the first file receiving module through the first encryption device and the second encryption device,
then the first parsing module converts the standard protocol data received by the first file receiving module into a private protocol,
then the first instruction sending module sends the private protocol data to the first instruction receiving module through the first reverse isolation device,
then the first file generation module converts the private protocol data received by the first instruction receiving module into a corresponding protocol file,
and finally, the first file sending module distributes the protocol file to the corresponding first service server or the corresponding first data acquisition server.
6. The method according to claim 1, wherein in step (5), a grid data network channel is provided between the far-end router and the near-end router.
7. The method of claim 1, wherein bastion machines are installed in both the centralized control center system and the power plant equipment system.
8. The method of claim 7, wherein the bastion machines each comprise a main machine and a standby machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111394957.5A CN114268457A (en) | 2021-11-23 | 2021-11-23 | Multi-protocol multi-service public network security access method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114268457A true CN114268457A (en) | 2022-04-01 |
Family ID: 80825494
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111394957.5A Pending CN114268457A (en) | 2021-11-23 | 2021-11-23 | Multi-protocol multi-service public network security access method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114268457A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110020122A1 (en) * | 2009-07-24 | 2011-01-27 | Honeywell International Inc. | Integrated condition based maintenance system for wind turbines |
CN111901372A (en) * | 2020-06-11 | 2020-11-06 | 北京华电天仁电力控制技术有限公司 | Access device of centralized wind power monitoring system |
CN213661660U (en) * | 2020-09-29 | 2021-07-09 | 华能大理风力发电有限公司 | Multi-protocol multi-service public network security access area system |
Non-Patent Citations (1)
Title |
---|
李涛 (Li Tao): "Security protection design for a wind farm industrial control network", Network Security Technology & Application, no. 5, pages 2-3 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115296935A (en) * | 2022-10-08 | 2022-11-04 | 华诺网络科技有限公司 | Information security data processing method and system |
CN115296935B (en) * | 2022-10-08 | 2022-12-20 | 华诺网络科技有限公司 | Information security data processing method and system |
CN115802341A (en) * | 2023-01-30 | 2023-03-14 | 北京亚信兴源科技有限公司 | Communication method and device for 5G system, electronic device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20220401 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |