
CN111083109A - Switch linkage firewall protection and improvement method - Google Patents


Info

Publication number
CN111083109A
Authority
CN
China
Prior art keywords
packet
switch
grabbing
capturing
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911114039.5A
Other languages
Chinese (zh)
Inventor
李明明
王瑞琦
耿洁宇
赵毅
冯勇
宋仁杰
闫娇
王方
胡健
潘巍
翟玲玲
宋志勇
李新静
谢杨
赵博文
赵志文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Zhumadian Power Supply Co of State Grid Henan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Zhumadian Power Supply Co of State Grid Henan Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2019-11-14
Filing date: 2019-11-14
Publication date: 2020-04-28
Application filed by State Grid Corp of China SGCC, Zhumadian Power Supply Co of State Grid Henan Electric Power Co Ltd
Priority to CN201911114039.5A
Publication of CN111083109A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2517 Translation of Internet protocol [IP] addresses using port numbers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a switch linkage firewall protection and improvement method. It implements network monitoring with a packet capturing tool; combined with port mirroring, it uses static IP addresses to bind MAC and IP bidirectionally without changing the IPv4 protocol, and uses VLANs to shrink the local area network, which improves retrieval efficiency. It locates the source of a threat event and, linked with the switch, blocks the path of the threat event, making up for the shortcomings of the traditional firewall and providing in-depth network security protection.

Description

Switch linkage firewall protection and improvement method
The technical field is as follows:
The invention relates to the field of computer network security, in particular to a switch linkage firewall protection and improvement method.
Background art:
With the proliferation of viruses, worms, trojans, backdoors and blended threats, security threats at the application and network layers have become commonplace. A traditional firewall only blocks or allows specific IP addresses and ports, so its protection is quite limited, and numerous methods of bypassing firewall policy have been developed, including using a port scanner to discover which ports the firewall leaves open and then passing attack and probe programs through those open ports. Tools such as MSN and QQ can communicate over port 80, and software such as SoftEther can encapsulate all TCP/IP communication in HTTPS packets before sending it, so the simple, direct blocking of a traditional stateful inspection firewall fails.
The invention content is as follows:
The technical problem to be solved by the invention is as follows: to overcome the shortcomings of the prior art with a switch linkage firewall protection and improvement method that implements network monitoring with a packet capturing tool, combined with port mirroring uses static IP addresses to bind MAC and IP bidirectionally without changing the IPv4 protocol, uses VLANs to shrink the local area network and so improves retrieval efficiency, locates the source of a threat event and, linked with the switch, blocks the path of the threat event.
The technical scheme of the invention is as follows: a switch linkage firewall protection and improvement method comprises the following steps:
Step one, set up bypass monitoring on a switch in the same network segment as the network security protection server; the switch supports port mirroring, so port mirroring is used to copy all traffic passing through the switch and send the copy to the port connected to the network security protection server;
Step two, acquire data packets with a packet capturing tool and analyze them to obtain the MAC and IP pairs of the destination and source addresses, which comprises: (1) acquiring the packet capturing process parameters; (2) acquiring the packet capturing time limit conditions; (3) controlling the packet capturing action according to the packet capturing process parameters and the packet capturing time limit conditions;
Step three, verify whether each obtained MAC and IP pair is reasonable; if a mapping pair is reasonable, it is stored in a linked list; if the MAC address is not reasonable, the port corresponding to that MAC address is monitored separately;
Step four, the acquired source IP addresses form a known IP address library, which is compared with the list of PC terminal IPs found by NMAP to be running without protection software; the MAC address corresponding to each IP is obtained with a sniffing tool, and multiple IP addresses belonging to the same MAC address are normalized;
Step five, a network sniffing tool discovers terminals newly connected to the network and supplies the protocol source IP in the bypass monitoring rule for bypass monitoring analysis, and the source IP list is compared with the list of all PCs and servers in the local area network;
Step six, when the comparison fails, an alarm is raised and, at the same time, the corresponding switch port is found from the MAC address, so the spoofing host is located quickly;
Step seven, the network security protection server, linked with the switch, blocks the path of the spoofing host.
Further, in step two, the packet capturing process parameters include: (1) a first capturing duration, from the capturing start time point to the current time point; (2) a second capturing duration, from the time point at which the last data packet was captured to the current time point; (3) the current total number of packets captured.
Further, in step two, the packet capturing time limit conditions include a preset capturing duration or a preset capturing interval.
Further, in step two, controlling the packet capturing action according to the packet capturing process parameters and the packet capturing time limit conditions includes: if the first capturing duration is longer than the preset capturing duration, stop capturing packets, otherwise continue capturing; or, if the second capturing duration is longer than the preset capturing interval, stop capturing packets, otherwise continue capturing.
Further, in step three, when the MAC and IP are verified, ARP must be analyzed, and a filter and a filtering rule are set so that only ARP data packets undergo protocol analysis; the parsed ARP packet contains the hardware type, protocol type, hardware address length, protocol address length, operation code, source MAC address, source IP address, target MAC address and target IP address.
Further, all data packets arriving at the network security protection server in the network are analyzed at regular intervals, checking whether login data, request data or heartbeat data exist between the client PC terminal and the network security protection server.
The invention has the beneficial effects that:
1. The invention implements network monitoring with a packet capturing tool; combined with port mirroring, it uses static IP addresses to bind MAC and IP bidirectionally without changing the IPv4 protocol, uses VLANs to shrink the local area network and improves retrieval efficiency; it locates the source of a threat event and, linked with a switch, blocks the path of the threat event, making up for the shortcomings of the traditional firewall and providing in-depth network security protection.
2. The invention obtains the packet capturing process parameters and the packet capturing time limit conditions and controls the packet capturing action according to them, so the capturing action is controlled better under time limits and the data analysis work required in different situations is satisfied.
3. The invention monitors the network system with a packet capturing tool; combined with port mirroring, it uses static IP addresses to bind MAC and IP bidirectionally without changing the IPv4 protocol, and uses VLANs to shrink the local area network, thereby improving retrieval efficiency and the efficiency of defending against ARP spoofing without burdening the network.
Description of the drawings:
Fig. 1 is a schematic diagram of the switch linkage firewall protection and improvement method.
The specific implementation mode is as follows:
Example: see fig. 1.
The switch linkage firewall protection and improvement method implements network monitoring with a packet capturing tool; combined with port mirroring, it uses static IP addresses to bind MAC and IP bidirectionally without changing the IPv4 protocol, uses VLANs to shrink the local area network and improves retrieval efficiency; it locates the source of a threat event and, linked with a switch, blocks the path of the threat event, making up for the shortcomings of the traditional firewall and providing in-depth network security protection.
The present application will be described in detail with reference to the drawings and examples.
Step one, set up bypass monitoring on a switch in the same network segment as the network security protection server; the switch supports port mirroring, so port mirroring is used to copy all traffic passing through the switch and send the copy to the port connected to the network security protection server.
Step two, acquire data packets with a packet capturing tool and analyze them to obtain the MAC and IP pairs of the destination and source addresses, which comprises the following:
1. Acquire the packet capturing process parameters.
The packet capturing process parameters include: (1) a first capturing duration, from the capturing start time point to the current time point; (2) a second capturing duration, from the time point at which the last data packet was captured to the current time point; (3) the current total number of packets captured.
2. Acquire the packet capturing time limit conditions.
The packet capturing time limit conditions include a preset capturing duration or a preset capturing interval.
3. Control the packet capturing action according to the packet capturing process parameters and the packet capturing time limit conditions.
The control works as follows: if the first capturing duration is longer than the preset capturing duration, stop capturing packets, otherwise continue capturing; or, if the second capturing duration is longer than the preset capturing interval, stop capturing packets, otherwise continue capturing.
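As an added illustration of the capture control in step two (the process parameters and time limit conditions described in both the summary above and this embodiment), the following Python is example code written for this page, not the patent's own implementation. It simulates the stop logic against constructed packet arrival times; the timestamps, the `CaptureState` class and the fallback used for the second duration before any packet has been captured are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CaptureState:
    """Packet capturing process parameters tracked while a capture runs (example type)."""
    start_time: float                          # capturing start time point
    last_packet_time: Optional[float] = None   # time point of the last captured packet
    packet_count: int = 0                      # current total number of packets captured

    def process_parameters(self, now: float) -> Tuple[float, float, int]:
        """Return (first duration, second duration, total count) at time `now`.

        First duration: capturing start -> now.
        Second duration: last captured packet -> now. Before any packet has been
        captured it falls back to the first duration (an assumption of this example).
        """
        first = now - self.start_time
        second = first if self.last_packet_time is None else now - self.last_packet_time
        return first, second, self.packet_count


def should_stop(first_duration: float, second_duration: float,
                preset_duration: Optional[float] = None,
                preset_interval: Optional[float] = None) -> Optional[str]:
    """Apply the time limit conditions; return the reason to stop, or None to continue."""
    if preset_duration is not None and first_duration > preset_duration:
        return "duration"   # total capture time exceeded the preset capturing duration
    if preset_interval is not None and second_duration > preset_interval:
        return "interval"   # idle gap since the last packet exceeded the preset interval
    return None


def run_capture(packet_times: List[float],
                preset_duration: Optional[float] = None,
                preset_interval: Optional[float] = None,
                start_time: float = 0.0) -> Tuple[List[float], str]:
    """Simulate a capture over packets arriving at the given timestamps (seconds).

    The stop conditions are evaluated at each packet arrival; a real tool would
    also poll them on a timer so that an idle link cannot keep the capture open.
    """
    state = CaptureState(start_time=start_time)
    captured: List[float] = []
    for t in packet_times:
        first, second, _count = state.process_parameters(t)
        reason = should_stop(first, second, preset_duration, preset_interval)
        if reason is not None:
            return captured, reason
        state.last_packet_time = t
        state.packet_count += 1
        captured.append(t)
    return captured, "exhausted"


# Constructed arrival times: a burst, a 3.5 s gap, then a packet 12 s after start.
SAMPLE_ARRIVALS = [0.5, 1.0, 1.5, 5.0, 5.2, 12.0]

if __name__ == "__main__":
    print(run_capture(SAMPLE_ARRIVALS, preset_duration=10))  # stops on total duration
    print(run_capture(SAMPLE_ARRIVALS, preset_interval=3))   # stops on idle interval
```

With a preset duration of 10 s the capture keeps the five packets seen before the 12 s arrival; with a preset interval of 3 s it stops at the 3.5 s gap after the third packet. Which condition is configured decides whether the capture is bounded by wall-clock time or by traffic silence.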
Step three, verify whether each obtained MAC and IP pair is reasonable; if a mapping pair is reasonable, it is stored in a linked list; if the MAC address is not reasonable, the port corresponding to that MAC address is monitored separately.
When the MAC and IP are verified, ARP must be analyzed; a filter and a filtering rule are set so that only ARP data packets undergo protocol analysis. The parsed ARP packet contains the hardware type, protocol type, hardware address length, protocol address length, operation code, source MAC address, source IP address, target MAC address and target IP address.
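The ARP filtering and bidirectional MAC/IP verification of step three, as an added Python example that is not the patent's own code: it parses only Ethernet/IPv4 ARP frames from raw bytes (the nine fields listed above), checks each sender pair against a static binding table in both directions, and keeps reasonable pairs in a mapping list while reporting the others with a reason. The binding table, the MAC and IP values, the `build_arp_frame` helper that constructs the sample frames and the verdict strings are all constructed for this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
# ARP body: htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")   # 28 bytes, network byte order


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Filter rule: return the parsed ARP fields, or None for any non-ARP frame."""
    if len(frame) < 14 + ARP_STRUCT.size:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_STRUCT.unpack_from(frame, 14)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None                      # only Ethernet/IPv4 ARP is analysed
    return {
        "hardware_type": htype, "protocol_type": ptype,
        "hardware_len": hlen, "protocol_len": plen, "opcode": oper,
        "src_mac": mac_to_str(sha), "src_ip": ip_to_str(spa),
        "dst_mac": mac_to_str(tha), "dst_ip": ip_to_str(tpa),
    }


def verify_binding(mac: str, ip: str, ip_to_mac: Dict[str, str]) -> str:
    """Bidirectional static binding check: the IP must map to this MAC and the MAC to this IP."""
    mac_to_ip = {m: i for i, m in ip_to_mac.items()}
    if ip_to_mac.get(ip) == mac and mac_to_ip.get(mac) == ip:
        return "ok"
    if ip in ip_to_mac:
        return "ip-bound-to-other-mac"   # another MAC claims a bound IP: the ARP spoofing pattern
    if mac in mac_to_ip:
        return "mac-bound-to-other-ip"   # a bound MAC announces an IP it does not own
    return "unbound"                     # pair not in the static table at all


def classify_frames(frames: List[bytes], ip_to_mac: Dict[str, str]
                    ) -> Tuple[List[Tuple[str, str]], List[Dict[str, str]]]:
    """Return (reasonable MAC/IP pairs kept in the mapping list, suspect entries with reasons)."""
    trusted: List[Tuple[str, str]] = []
    suspect: List[Dict[str, str]] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue                     # dropped by the ARP-only filter
        mac, ip = str(arp["src_mac"]), str(arp["src_ip"])
        verdict = verify_binding(mac, ip, ip_to_mac)
        if verdict == "ok":
            if (mac, ip) not in trusted:
                trusted.append((mac, ip))
        else:
            suspect.append({"mac": mac, "ip": ip, "reason": verdict})
    return trusted, suspect


def build_arp_frame(sender_mac: str, sender_ip: str, target_mac: str,
                    target_ip: str, opcode: int = 2) -> bytes:
    """Construct an Ethernet/ARP frame for the offline sample (constructed test data only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + ARP_STRUCT.pack(1, ETHERTYPE_IPV4, 6, 4, opcode, sha, spa, tha, tpa)


# Constructed static bindings for the segment (IP -> MAC).
STATIC_BINDINGS = {
    "10.0.0.1": "aa:bb:cc:00:00:01",    # gateway
    "10.0.0.20": "aa:bb:cc:00:00:20",   # workstation
}

# Constructed traffic: a genuine gateway reply, a reply announcing the gateway IP
# from the workstation's MAC, and a non-ARP (IPv4) frame the filter must drop.
SAMPLE_FRAMES = [
    build_arp_frame("aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:20", "10.0.0.20"),
    build_arp_frame("aa:bb:cc:00:00:20", "10.0.0.1", "aa:bb:cc:00:00:30", "10.0.0.30"),
    bytes.fromhex("aabbcc000020aabbcc000001") + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27,
]

if __name__ == "__main__":
    print(classify_frames(SAMPLE_FRAMES, STATIC_BINDINGS))
```

A Python list stands in for the patent's linked list of reasonable mapping pairs. The "ip-bound-to-other-mac" verdict is the one that matters operationally: it identifies the MAC whose switch port step three says should be monitored separately.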
Step four, the acquired source IP addresses form a known IP address library, which is compared with the list of PC terminal IPs found by NMAP to be running without protection software; the MAC address corresponding to each IP is obtained with a sniffing tool, and multiple IP addresses belonging to the same MAC address are normalized.
All data packets arriving at the network security protection server in the network are analyzed at regular intervals, checking whether login data, request data or heartbeat data exist between the client PC terminal and the network security protection server.
Step five, a network sniffing tool discovers terminals newly connected to the network and supplies the protocol source IP in the bypass monitoring rule for bypass monitoring analysis, and the source IP list is compared with the list of all PCs and servers in the local area network.
Step six, when the comparison fails, an alarm is raised and, at the same time, the corresponding switch port is found from the MAC address, so the spoofing host is located quickly.
Step seven, the network security protection server, linked with the switch, blocks the path of the spoofing host.
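Steps four to seven, as one added Python example that is not code from the patent: it normalizes sniffed (MAC, IP) pairs per MAC, compares the source IP list against a PC/server inventory and an NMAP-derived list of hosts without protection software, raises an alert carrying the switch port found from the MAC address, and returns the ports the security server would ask the switch to block. The inventory, the MAC-to-port table, the port names and the sample observations are constructed; the switch-side blocking command is vendor specific and is not issued here.

```python
from typing import Dict, List, Set, Tuple


def normalize_by_mac(observed: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collapse sniffed (MAC, IP) pairs so each MAC lists every IP it was seen with (step four)."""
    by_mac: Dict[str, Set[str]] = {}
    for mac, ip in observed:
        by_mac.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def compare_with_inventory(observed: List[Tuple[str, str]], inventory_ips: Set[str],
                           unprotected_ips: Set[str], mac_to_port: Dict[str, str]) -> Dict[str, list]:
    """Steps four to six: alert on source IPs absent from the LAN PC/server list, naming the
    switch port learned for the MAC, and list known hosts the scan found without protection."""
    alerts: List[Dict[str, object]] = []
    for mac, ips in sorted(normalize_by_mac(observed).items()):
        unknown = [ip for ip in ips if ip not in inventory_ips]
        if unknown:                                   # comparison failed: raise the alarm
            alerts.append({
                "type": "unknown-host",
                "mac": mac,
                "ips": unknown,
                "port": mac_to_port.get(mac, "not-in-mac-table"),
            })
    unprotected = sorted(ip for ip in unprotected_ips if ip in inventory_ips)
    return {"alerts": alerts, "unprotected_known_hosts": unprotected}


def blocking_actions(report: Dict[str, list]) -> List[str]:
    """Step seven: the switch ports the security server should request the switch to block.
    Hosts whose MAC is not in the switch table cannot be mapped to a port and stay alert-only."""
    return sorted({a["port"] for a in report["alerts"] if a["port"] != "not-in-mac-table"})


# Constructed inventory of all PCs and servers in the LAN.
INVENTORY = {"10.0.0.1", "10.0.0.20", "10.0.0.21", "10.0.0.50"}
# Constructed result of an NMAP sweep: hosts answering without the protection agent.
UNPROTECTED_FROM_SCAN = {"10.0.0.21", "10.0.0.99"}
# Constructed switch MAC table (MAC -> port name; port names are placeholders).
MAC_TO_PORT = {
    "aa:bb:cc:00:00:01": "Gi0/1",
    "aa:bb:cc:00:00:20": "Gi0/2",
    "aa:bb:cc:00:00:21": "Gi0/3",
    "aa:bb:cc:00:00:99": "Gi0/9",
}
# Constructed sniffer observations: source MAC and source IP per packet.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.0.1"),
    ("aa:bb:cc:00:00:20", "10.0.0.20"),
    ("aa:bb:cc:00:00:20", "10.0.0.20"),    # duplicate observation, normalized away
    ("aa:bb:cc:00:00:21", "10.0.0.21"),
    ("aa:bb:cc:00:00:99", "10.0.0.99"),    # newly attached terminal, not in inventory
    ("aa:bb:cc:00:00:77", "10.0.0.77"),    # not in inventory and MAC unknown to the switch
    ("aa:bb:cc:00:00:21", "10.0.0.121"),   # known MAC also using an unlisted second IP
]

if __name__ == "__main__":
    report = compare_with_inventory(OBSERVED, INVENTORY, UNPROTECTED_FROM_SCAN, MAC_TO_PORT)
    print(report)
    print(blocking_actions(report))
```

The report separates two findings the patent treats differently: hosts outside the inventory (alarm plus port lookup, steps five and six) and inventoried hosts the scan shows without protection software (step four's comparison), which need remediation rather than isolation.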
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications, equivalent variations and modifications made to the above embodiment according to the technical spirit of the present invention still fall within the scope of the technical solution of the present invention.

Claims (6)

1. A switch linkage firewall protection and improvement method, comprising the following steps: step one, setting up bypass monitoring on a switch in the same network segment as a network security protection server; the switch supports port mirroring, and port mirroring is used to copy all data passing through the switch and send the copy to the network security protection server port;
step two, acquiring data packets with a packet capturing tool and analyzing them to obtain the MAC and IP pairs of the destination and source addresses, which comprises the following steps: (1) acquiring packet capturing process parameters; (2) acquiring packet capturing time limit conditions; (3) controlling the packet capturing action according to the packet capturing process parameters and the packet capturing time limit conditions;
step three, verifying whether each obtained MAC and IP pair is reasonable; if a mapping pair is reasonable, it is stored in a linked list; if the MAC address is not reasonable, the port corresponding to the unreasonable MAC address is monitored separately;
step four, forming a known IP address library from the acquired source IP addresses, comparing it with the list of PC terminal IPs found by NMAP to be running without protection software, obtaining the MAC address corresponding to each IP with a sniffing tool, and normalizing multiple IP addresses of the same MAC address;
step five, discovering terminals newly connected to the network with a network sniffing tool, which supplies the protocol source IP in the bypass monitoring rule for bypass monitoring analysis, and comparing the source IP list with the list of all PCs and servers in the local area network;
step six, when the comparison fails, raising an alarm and, at the same time, finding the corresponding switch port from the MAC address, so that the spoofing host is located quickly;
and step seven, the network security protection server, linked with the switch, blocking the path of the spoofing host.
2. The switch linkage firewall protection and improvement method as claimed in claim 1, wherein in step two the packet capturing process parameters include: (1) a first capturing duration, from the capturing start time point to the current time point; (2) a second capturing duration, from the time point at which the last data packet was captured to the current time point; (3) the current total number of packets captured.
3. The switch linkage firewall protection and improvement method as claimed in claim 1, wherein in step two the packet capturing time limit conditions include a preset capturing duration or a preset capturing interval.
4. The switch linkage firewall protection and improvement method as claimed in claim 1, wherein in step two controlling the packet capturing action according to the packet capturing process parameters and the packet capturing time limit conditions includes: if the first capturing duration is longer than the preset capturing duration, stopping packet capture, otherwise continuing packet capture; or, if the second capturing duration is longer than the preset capturing interval, stopping packet capture, otherwise continuing packet capture.
5. The switch linkage firewall protection and improvement method as claimed in claim 1, wherein in step three ARP is analyzed when the MAC and IP are verified, and a filter and a filtering rule are set so that only ARP data packets undergo protocol analysis; the parsed ARP packet contains the hardware type, protocol type, hardware address length, protocol address length, operation code, source MAC address, source IP address, target MAC address and target IP address.
6. The switch linkage firewall protection and improvement method as claimed in claim 1, wherein in step four all data packets arriving at the network security protection server in the network are analyzed at regular intervals, checking whether login data, request data or heartbeat data exist between the client PC terminal and the network security protection server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911114039.5A CN111083109A (en) 2019-11-14 2019-11-14 Switch linkage firewall protection and improvement method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911114039.5A CN111083109A (en) 2019-11-14 2019-11-14 Switch linkage firewall protection and improvement method

Publications (1)

Publication Number Publication Date
CN111083109A true CN111083109A (en) 2020-04-28

Family

ID=70310984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911114039.5A Pending CN111083109A (en) 2019-11-14 2019-11-14 Switch linkage firewall protection and improvement method

Country Status (1)

Country Link
CN (1) CN111083109A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101370019A (en) * 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
WO2009033402A1 (en) * 2007-09-06 2009-03-19 Huawei Technologies Co., Ltd. Method and device of preventing arp address from being cheated and attacked
KR101489178B1 (en) * 2013-09-12 2015-02-03 숭실대학교산학협력단 Device and method for arp spoofing detection
CN104601570A (en) * 2015-01-13 2015-05-06 国家电网公司 Network security monitoring method based on bypass monitoring and software packet capturing technology
CN106506653A (en) * 2016-11-15 2017-03-15 汉柏科技有限公司 Packet snapping method and device
CN107222462A (en) * 2017-05-08 2017-09-29 汕头大学 A kind of LAN internals attack being automatically positioned of source, partition method
CN109951459A (en) * 2019-03-06 2019-06-28 山东信天辰信息安全技术有限公司 A kind of ARP spoofing attack detection method based on local area network

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112688938A (en) * 2020-12-22 2021-04-20 太原微木智能装备有限公司 Network performance measurement system and method based on attack and defense mode
CN112688938B (en) * 2020-12-22 2023-09-29 太原微木智能装备有限公司 Network performance measurement system and method based on attack and defense modes
CN113132385A (en) * 2021-04-20 2021-07-16 广州锦行网络科技有限公司 Method and device for preventing gateway ARP spoofing
CN114513508A (en) * 2021-12-28 2022-05-17 深圳铸泰科技有限公司 Equipment blocking method and system based on switch linkage in Internet of things

Similar Documents

Publication Publication Date Title
US10929538B2 (en) Network security protection method and apparatus
Izhikevich et al. LZR: Identifying unexpected internet services
EP1817685B1 (en) Intrusion detection in a data center environment
JP6083009B1 (en) SDN controller
EP3297248B1 (en) System and method for generating rules for attack detection feedback system
CN110493195B (en) Network access control method and system
Bailey et al. Data reduction for the scalable automated analysis of distributed darknet traffic
US20060282893A1 (en) Network information security zone joint defense system
CN112738071B (en) Method and device for constructing attack chain topology
US9178851B2 (en) High availability security device
GB2502254A (en) Discovery of IP addresses of nodes in a botnet
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
CN111083109A (en) Switch linkage firewall protection and improvement method
KR101553264B1 (en) System and method for preventing network intrusion
CN107204965B (en) Method and system for intercepting password cracking behavior
JP6256773B2 (en) Security system
WO2011012056A1 (en) Method, system and equipment for detecting botnets
Gallopeni et al. A practical analysis on mirai botnet traffic
CN111818077A (en) Industrial control mixed honeypot system based on SDN technology
JP6592196B2 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
CN110912887A (en) Bro-based APT monitoring system and method
Khosravifar et al. An experience improving intrusion detection systems false alarm ratio by using honeypot
WO2009064114A2 (en) Protection method and system for distributed denial of service attack
Mane Detect and deactivate P2P Zeus bot
CN117040839A (en) Data server safety protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200428)