
CN111083114A - Logistics warehouse network safety system and construction method - Google Patents


Info

Publication number
CN111083114A
Authority
CN
China
Prior art keywords
service
protocol
access information
information
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911131641.XA
Other languages
Chinese (zh)
Other versions
CN111083114B (en)
Inventor
施甘图
庭治宏
赵乾旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lahuobao Network Technology Co ltd
Hongtu Intelligent Logistics Co Ltd
Original Assignee
Lahuobao Network Technology Co ltd
Hongtu Intelligent Logistics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by Lahuobao Network Technology Co ltd, Hongtu Intelligent Logistics Co Ltd
Priority to CN201911131641.XA
Publication of CN111083114A
Application granted
Publication of CN111083114B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                        • H04L63/0272 Virtual private networks
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L61/45 Network directories; Name-to-address mapping
                        • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
                            • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/12 Detection or prevention of fraud
                        • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
                • H04W24/00 Supervisory, monitoring or testing arrangements
                    • H04W24/02 Arrangements for optimising operational condition
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q10/00 Administration; Management
                    • G06Q10/08 Logistics, e.g. warehousing, loading or distribution; Inventory or stock management
                        • G06Q10/087 Inventory or stock management, e.g. order filling, procurement or balancing against orders

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Economics (AREA)
  • Operations Research (AREA)
  • Physics & Mathematics (AREA)
  • Marketing (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Quality & Reliability (AREA)
  • Strategic Management (AREA)
  • Tourism & Hospitality (AREA)
  • Human Resources & Organizations (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Development Economics (AREA)
  • Finance (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for constructing a network security system for a logistics warehouse, which comprises the following steps: step 1, constructing a redundant network architecture and accessing security equipment in the redundant network architecture; step 2, planning the addresses in the network architecture, comprising an internal network address, an equipment address and an inter-equipment interconnection address, and configuring the network protocols of the redundant network architecture; step 3, building an integrated server in the redundant network architecture, installing an internal DNS service on the integrated server, and deploying a collection service to collect access information; step 4, deploying a monitoring service and an alarm service on the integrated server, adding a special operation feature library, matching the collected access information against the special operation feature library, and monitoring and alarming on the matched access information to generate monitoring information and alarm information. By adopting this construction method, internal and external network risks can be effectively reduced, the volume of the back-end service is reduced, and the operating efficiency of the internal service can be significantly improved.

Description

Logistics warehouse network safety system and construction method
Technical Field
The invention relates to the technical field of logistics warehouse networks, in particular to a logistics warehouse network safety system and a construction method.
Background
With the explosive growth of the logistics industry, many logistics companies have begun to build and use their own warehouses for goods transfer and storage. The most widely applied form is warehouse logistics, an important form of logistics that mainly uses storehouses and sites for keeping and delivering goods. Warehousing is a key point of logistics operation and plays an important role in promoting the healthy development of enterprises. Modern warehouse logistics differs greatly from the traditional warehouse: it uses modern technology to carry out logistics activities such as inventory and sorting on articles in tangible and intangible places, so that cost is reduced to the limit, the whole logistics chain is optimized, and the operating efficiency of the e-commerce enterprise is improved. The reliability and security of the warehouse network must be considered alongside informatization, so the security of the warehouse network has become a problem the industry must address in the operation of enterprises.
At present, each company's self-built warehouse has different characteristics; for example, smaller companies lease space and rely on manual warehousing and sorting, while others use an intelligent warehousing system to realize intelligent sorting, packaging, keeping and distribution. Because of the environmental limitations of warehouses, the network security layout of each warehouse differs greatly, and warehouse network modes fall roughly into the following two.
Restricted external access: the external network environment of the warehouse is confined to a locally partitioned area, and external access is effectively prevented by cutting it off. This necessarily affects the office efficiency of warehouse personnel and the transmission of information, and if an intelligent warehouse is used, much scheduling information and goods information cannot be received remotely. Although this approach is the most straightforward and effective, it is not the preferred solution for modern warehouses.
Open external access: the warehouse is fully exposed to a public network environment, which is undoubtedly unpredictable. Although many functions can be easily implemented, security is much reduced.
Disclosure of Invention
Aiming at the existing problems, a logistics warehouse network security system and its construction method are provided; the aims of enhancing the security of the warehouse network and improving usability are achieved through network equipment and an internal service. On the network equipment side, an intrusion prevention device and a behavior manager are added, and different security strategies are adopted for different areas by using VLAN isolation. On the internal service side, a special operation feature library is established; operation records are monitored, and when a matching operation occurs the administrator is notified for confirmation, so that threat perception and subsequent defense are achieved.
The technical scheme adopted by the invention is as follows: a method for constructing a logistics warehouse network security system comprises the following steps:
step 1, constructing a redundant network architecture, and accessing safety equipment in the redundant network architecture;
step 2, planning the address in the network architecture, comprising: an internal network address, an equipment address and an inter-equipment interconnection address; configuring a network protocol of a redundant network architecture;
step 3, building a comprehensive server in a redundant network architecture; installing an internal DNS service in the integrated server, and deploying a collection service in the internal DNS server to collect access information;
step 4, deploying a monitoring service and an alarm service in the integrated server, adding a special operation feature library, matching the collected access information against the special operation feature library, and monitoring and alarming on the matched access information to generate monitoring information and alarm information.
Further, the network architecture constructed in step 1 includes: the system comprises a router, a firewall, a core switch, a convergence switch, a wireless controller, an AP, an intranet PC and an integrated server.
Further, the security device in step 1 further includes an AC behavior manager, and the AC behavior manager is accessed between the core switch and the firewall in a transparent mode.
Further, the security device in step 1 further includes an IPS intrusion prevention device, and the IPS intrusion prevention device is hung on the core switch.
Further, the specific method for planning the intranet address in step 2 is as follows: planning the IP addresses of the intranet PCs, and dividing the internal network into different VLANs, wherein each VLAN corresponds to a different application group.
Further, the step 2 of configuring the network protocol specifically includes the steps of:
step 2.1, configuring a static routing protocol between the router and the external network;
step 2.2, an OSPF dynamic protocol is configured among the router, the firewall and the core switch;
step 2.3, stacking configuration is carried out among the core switches;
step 2.4, configuring a static routing protocol, an MSTP protocol and a vlan protocol between the core switch and the aggregation switch;
step 2.5, configuring MSTP protocol and vlan protocol between the core switch and the wireless controller;
step 2.6, configuring an 802.11n protocol between the wireless controller and the AP;
step 2.7, the integrated server accesses the core switch by adopting an LACP protocol;
step 2.8, the intranet PC is accessed into the planned VLAN through the VLAN protocol.
Further, the specific process of step 3 is as follows:
step 3.1, installing an internal DNS service in the integrated server;
step 3.2, deploying collection service on an internal DNS server, collecting access information, classifying and integrating the access information for subsequent calling and screening; the access information comprises a header file, an access IP and an IP of an accessed server.
Further, the step 4 specifically includes:
step 4.1, deploying monitoring service and alarm service and adding a special operation characteristic library in the integrated server;
step 4.2, matching the access information against the special operation feature library, and extracting the access information that satisfies the operation information in the feature library;
step 4.3, according to the extracted access information, the collection service extracts, on the accessed server side, the detailed access records and monitoring information corresponding to the access IP, and uploads them to the collection service;
step 4.4, after the access information has been matched against the feature library, raising the corresponding alarm for the information that satisfies the feature library.
Further, the construction method further comprises the following steps: and displaying the information items of the monitoring records and the information items corresponding to the alarm on a display screen to complete the display of the safety information.
The invention also provides a logistics warehouse network security system constructed by the above method, which comprises: a router, a firewall, a core switch, a convergence switch, an integrated server, an AP, an intranet PC, an AC behavior manager and an IPS intrusion prevention device;
a static routing protocol is configured between the router and an external network; OSPF dynamic protocol is configured among the router, the firewall and the core switch; stacking configuration is carried out among the core switches; a static routing protocol, an MSTP protocol and a vlan protocol are configured between the core switch and the aggregation switch; MSTP protocol and vlan protocol are configured between the core switch and the wireless controller; an 802.11n protocol is configured between the wireless controller and the AP; the integrated server is accessed to the core switch by adopting an LACP protocol; the intranet PC is accessed to the convergence switch through the VLAN;
the AC behavior manager is accessed between the core switch and the firewall by adopting a transparent mode; the IPS intrusion prevention device is hung beside a core switch;
the integrated server is accessed to the core switch, and an internal DNS service, a monitoring service, an alarm service and a special operation characteristic library are installed on the integrated server; the internal DNS server is also provided with a collection service for collecting access information, a special operation characteristic library is used for matching the access information, and a monitoring service and an alarm service are used for carrying out corresponding monitoring and alarm operation on the matched access information.
Compared with the prior art, the beneficial effects of adopting the technical scheme are as follows:
1. the invention adds new security equipment to the traditional network architecture and uses a more redundant and reliable network structure, thereby greatly reducing internal and external network risk;
2. the invention removes the security risk brought by an external DNS by building the DNS internally. The DNS service works together with the collection service to collect the user's access information, so the method does not miss any of the user's access information;
3. the access information is screened against the operation feature library by the collection service, the access records of the corresponding user IP are extracted, and the monitoring information is uploaded to the collection service, so the usability of the monitoring information is improved;
4. the back-end service's monitoring information is uploaded to the collection service, so the volume of the back-end service is reduced and the operating efficiency of the internal service can be significantly improved.
Drawings
Fig. 1 is a diagram of the physical topology of the network of the present invention.
Fig. 2 is a diagram illustrating a logistics warehouse network protocol according to the present invention.
Fig. 3 is a diagram of the matching of access information against the special operation feature library according to the present invention.
Fig. 4 is a diagram of the flow of internal users and information traffic of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The invention provides a method for constructing a logistics warehouse network security system, which achieves the purposes of enhancing the security of a warehouse network and improving the usability in a mode of network equipment and internal service, and comprises the following specific steps:
step 1, constructing a redundant network architecture, and accessing safety equipment in the redundant network architecture;
step 2, planning the address in the network architecture, comprising: an internal network address, an equipment address and an inter-equipment interconnection address; configuring a network protocol of a redundant network architecture;
step 3, building a comprehensive server in a redundant network architecture; installing an internal DNS service in the integrated server, and deploying a collection service in the internal DNS server to collect access information;
step 4, deploying a monitoring service and an alarm service in the integrated server, adding a special operation feature library, matching the collected access information against the special operation feature library, and monitoring and alarming on the matched access information to generate monitoring information and alarm information;
step 5, displaying the monitoring information and the alarm information on display equipment.
The specific method comprises the following steps:
As shown in Fig. 1, the redundantly configured network devices constructed in step 1 include: a router, a firewall, a core switch, a convergence switch, a wireless controller, an AP, an intranet PC and an integrated server.
The security devices accessed in the network architecture in step 1 comprise: an AC behavior manager and an IPS intrusion prevention device. The AC behavior manager is accessed between the core switch and the firewall in transparent mode to achieve monitoring of the whole network; the IPS intrusion prevention device is hung beside the core switch, so that external attacks can be effectively defended against.
Step 2, planning the internal network address, the equipment address and the inter-equipment interconnection address:
Planning the internal network address: the IP addresses of the intranet PCs are planned as 4 intranet address segments, namely: vlan10 wireless network 172.16.39.0/24, vlan20 internal services 172.16.40.0/24, vlan30 finance-related 172.16.42.0/24, vlan40 business-related 172.16.45.0/24;
Planning the equipment address: the device management address is planned as the 172.16.11.0/24 segment. Starting from the gateway address and working downward, the core switch is 172.16.11.254 and firewall 01 is 172.16.11.253, in sequence;
Planning the inter-equipment interconnection address: the heartbeat address between the firewalls is planned as 1.1.1.0/30, using the two addresses 1.1.1.1 and 1.1.1.2; the interconnection address segment is planned as 1.1.2.0/30, with subsequent interconnection segments allocated in order, each adding 1 to the third octet of the previous one.
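As an added example (not part of the patent), the following Python sketch carries out the step 2 address plan with the page's own segments: it allocates the point-to-point /30 interconnect segments by incrementing the third octet, derives the two host addresses of each /30 (as with 1.1.1.1 and 1.1.1.2 for the firewall heartbeat), and checks that no planned segment overlaps another, which is the precondition for announcing the interconnects into OSPF without ambiguity. The segment names and the number of interconnect links are assumptions.

```python
from __future__ import annotations
from ipaddress import IPv4Network, ip_network

# Segments taken from step 2 of the page; the names are constructed labels.
INTRANET_VLANS = {
    "vlan10-wireless": "172.16.39.0/24",
    "vlan20-internal-services": "172.16.40.0/24",
    "vlan30-finance": "172.16.42.0/24",
    "vlan40-business": "172.16.45.0/24",
}
MANAGEMENT_SEGMENT = "172.16.11.0/24"   # device management addresses
FIREWALL_HEARTBEAT = "1.1.1.0/30"       # heartbeat between the two firewalls
FIRST_INTERCONNECT = "1.1.2.0/30"       # first inter-device interconnect


def interconnect_segments(first: str, count: int) -> list[IPv4Network]:
    """Allocate `count` /30 interconnect segments in order, each obtained by
    adding 1 to the third octet of the previous one (the page's allocation rule)."""
    base = ip_network(first)
    o1, o2, o3, _ = base.network_address.packed  # bytes iterate as ints
    segments = []
    for i in range(count):
        if o3 + i > 255:
            raise ValueError("third octet exhausted; plan a new /24 for interconnects")
        segments.append(ip_network(f"{o1}.{o2}.{o3 + i}.0/30"))
    return segments


def usable_pair(segment: str) -> tuple[str, str]:
    """The two host addresses of a /30, e.g. 1.1.1.1 and 1.1.1.2 for the heartbeat."""
    first, second = ip_network(segment).hosts()
    return str(first), str(second)


def overlapping_segments(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of planned segments that overlap. An empty list means the
    plan is consistent: VLANs, management and interconnects are all disjoint."""
    nets = [(name, ip_network(cidr)) for name, cidr in plan.items()]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def build_plan(links: int = 3) -> dict[str, str]:
    """Assemble the full plan: VLANs, management, heartbeat and `links` interconnects
    (the number of interconnect links is an assumption, not stated on the page)."""
    plan = dict(INTRANET_VLANS)
    plan["management"] = MANAGEMENT_SEGMENT
    plan["fw-heartbeat"] = FIREWALL_HEARTBEAT
    for n, seg in enumerate(interconnect_segments(FIRST_INTERCONNECT, links), start=1):
        plan[f"interconnect-{n}"] = str(seg)
    return plan


if __name__ == "__main__":
    plan = build_plan()
    for name, cidr in plan.items():
        print(f"{name:26} {cidr}")
    print("overlaps:", overlapping_segments(plan) or "none")
```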
As shown in Fig. 2, the protocols between the network devices in the network architecture are configured as follows.
A static routing protocol is configured between the router and the external network, with the next-hop address set to the external network gateway.
The OSPF dynamic routing protocol is configured among the router, the firewall and the core switch; OSPF uses the interconnection addresses as its announced address segments, and the VLAN addresses are brought into OSPF by the switch redistributing its directly connected routes. The firewall runs in transparent mode so that its route-switching function is used as little as possible, to good effect.
Stacking is configured among the core switches, using several switching devices of the same series and model. Compared with other redundancy protocols such as VRRP, stacking achieves rapid service switchover with 100% zero packet loss; its only drawback is that devices of the same series and model must be used, and the management state of the stacked devices is unified.
The network protocol between the core switch and the aggregation switch uses static routing + MSTP + VLAN: the static route points to the core switch to allow management of the aggregation switch, MSTP assigns different priorities to different VLANs to prevent layer-2 loops, and VLANs are configured according to the plan so that different service segments are separated and internal and external traffic is isolated more precisely.
The 802.11n protocol is configured between the wireless controller and the AP, which raises the transmission rate considerably and supports the 2.4 GHz and 5 GHz bands simultaneously;
the intranet PC and the convergence switch are accessed into the pre-planned VLAN using the VLAN protocol;
the integrated server accesses the core switch using LACP (Link Aggregation Control Protocol).
Step 3, building an integrated server that accesses the core switch: the internal DNS service is installed on the integrated server in the internal server network segment, and the IP address of the internal DNS server is configured in the DHCP settings of the switch gateway; a collection service is deployed on the internal DNS server, which collects user access information in association with the DNS service and classifies and integrates it, so that later retrieval and screening are convenient.
The access information comprises a header file, an access IP and an accessed server IP, where the header file is mainly the instruction for acquiring or modifying permissions.
Step 4, deploying a monitoring service and an alarm service on the integrated server, and adding a special operation feature library, which is refined on the basis of special operation steps and risk items. The dangerous operation records in the feature library comprise: an accessed IP, a specially marked dangerous IP, an instruction of special behavior (such as a permission extraction or modification operation used to acquire root permission), and a danger-degree value.
The integrated server screens the access IP and the accessed IP in the user access information: first, the collected user access information is matched against the special operation feature library and the information that satisfies the operation information in the feature library is extracted; the collection service feeds the extracted information back to the accessed server, the detailed access records and monitoring information corresponding to the access IP are extracted from the accessed server and uploaded to the collection service; finally, after the feature library has been matched against the access information, the corresponding alarm operation is performed for the access information that satisfies the feature library, and the corresponding maintenance personnel are notified.
The standard for satisfying the feature library is as follows: the header file in the access information contains an instruction of special behavior from the feature library, or the access IP is a specially marked dangerous IP; satisfying either condition means the access information satisfies the dangerous operation information of the feature library. As shown in Fig. 3, access information is thereby divided into that which includes a dangerous operation and that which does not.
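As an added example (not the patent's own code), the following Python sketch implements the step 4 screening over constructed access records: each feature-library entry carries the four fields the page lists (accessed IP, marked dangerous IP, instruction of special behavior, danger-degree value), a record matches when its header contains a library instruction or its access IP is a marked dangerous IP, and for every match the related access records of the same access IP / accessed IP pair are pulled as the "detailed access records" before an alarm is raised. The record layout, the instruction strings and all IP addresses in the samples are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureEntry:
    """One dangerous operation record of the special operation feature library."""
    accessed_ip: str | None   # server the entry applies to; None means any server
    dangerous_ip: str | None  # specially marked dangerous access IP, if any
    instruction: str | None   # instruction of special behavior expected in the header
    danger: int               # danger-degree value


@dataclass(frozen=True)
class AccessRecord:
    """Access information collected by the collection service on the DNS server."""
    header: str   # "header file": the instruction text seen in the request
    src_ip: str   # access IP
    dst_ip: str   # IP of the accessed server


@dataclass
class Alarm:
    record: AccessRecord
    reasons: list[str]           # which library entries fired
    danger: int                  # highest danger-degree value among them
    related: list[AccessRecord]  # detailed access records for the same IP pair (step 4.3)


# Constructed feature library; the permission-changing instructions stand in for
# the "extract or modify permission to acquire root" behaviour the page describes.
FEATURE_LIBRARY = [
    FeatureEntry(None, None, "sudo su", 5),
    FeatureEntry(None, None, "chmod u+s", 4),
    FeatureEntry("172.16.42.8", None, "usermod -aG sudo", 4),  # finance server only
    FeatureEntry(None, "172.16.39.77", None, 3),                # marked wireless client
]


def match_feature_library(rec: AccessRecord, lib=FEATURE_LIBRARY) -> list[tuple[str, int]]:
    """The page's standard: header contains a library instruction OR the access IP is a
    marked dangerous IP. Entries bound to an accessed IP only apply to that server."""
    hits = []
    for entry in lib:
        if entry.accessed_ip is not None and rec.dst_ip != entry.accessed_ip:
            continue
        if entry.dangerous_ip is not None and rec.src_ip == entry.dangerous_ip:
            hits.append((f"dangerous_ip:{entry.dangerous_ip}", entry.danger))
        elif entry.instruction is not None and entry.instruction in rec.header:
            hits.append((f"instruction:{entry.instruction}", entry.danger))
    return hits


def screen(records: list[AccessRecord], lib=FEATURE_LIBRARY) -> list[Alarm]:
    """Steps 4.2 to 4.4: screen the collected records, pull the detailed records for
    each matched access IP / accessed IP pair, and raise one alarm per match."""
    alarms = []
    for rec in records:
        hits = match_feature_library(rec, lib)
        if not hits:
            continue
        related = [r for r in records
                   if r is not rec and r.src_ip == rec.src_ip and r.dst_ip == rec.dst_ip]
        alarms.append(Alarm(record=rec,
                            reasons=[reason for reason, _ in hits],
                            danger=max(d for _, d in hits),
                            related=related))
    return alarms


# Constructed sample access information (header file, access IP, accessed server IP).
SAMPLE_RECORDS = [
    AccessRecord("GET /wms/inventory/list", "172.16.40.15", "172.16.40.5"),
    AccessRecord("POST /wms/admin/run cmd=sudo su", "172.16.40.16", "172.16.40.5"),
    AccessRecord("GET /wms/orders", "172.16.39.77", "172.16.40.5"),
    AccessRecord("GET /wms/orders/123", "172.16.39.77", "172.16.40.5"),
    AccessRecord("POST /wms/tools cmd=usermod -aG sudo ops", "10.9.9.9", "172.16.40.5"),
    AccessRecord("POST /fin/tools cmd=usermod -aG sudo ops", "10.9.9.9", "172.16.42.8"),
]


if __name__ == "__main__":
    for a in screen(SAMPLE_RECORDS):
        print(f"ALARM danger={a.danger} src={a.record.src_ip} dst={a.record.dst_ip} "
              f"reasons={a.reasons} related_records={len(a.related)}")
```

The fifth sample record carries the same instruction as the sixth but targets a server the entry is not bound to, so it is left as ordinary monitoring information rather than an alarm.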
Step 5, a monitoring information display page is added: a web page is designed for the operations related to network security information, listing an information alarm icon and an operation alarm chart, with a column that refreshes with real-time alarm information; the displayed information is connected to the company's display screen to complete the presentation of security information, achieving the overall network security layout.
The invention provides a logistics warehouse network security system according to the above construction method, which comprises: a router, a firewall, a core switch, a convergence switch, an integrated server, an AP and an intranet PC;
a static routing protocol is configured between the router and an external network; OSPF dynamic protocol is configured among the router, the firewall and the core switch; stacking configuration is carried out among the core switches; a static routing protocol, an MSTP protocol and a vlan protocol are configured between the core switch and the aggregation switch; MSTP protocol and vlan protocol are configured between the core switch and the wireless controller; an 802.11n protocol is configured between the wireless controller and the AP; the integrated server is accessed to the core switch by adopting an LACP protocol;
the intranet PC is accessed to a preset VLAN (virtual local area network) by using a VLAN protocol, and is respectively a wireless network segment, an internal service network segment, a financial related network segment and a service related network segment; the AC behavior manager is accessed between the core switch and the firewall by adopting a transparent mode; the IPS intrusion prevention device is hung beside a core switch; the intranet PC is accessed to the convergence switch through the VLAN;
the integrated server is accessed to the core switch, and an internal DNS service, a monitoring service, an alarm service and a special operation characteristic library are installed on the integrated server; the internal DNS server is also provided with a collection service for collecting access information, a special operation characteristic library is used for matching the access information, and a monitoring service and an alarm service are used for carrying out corresponding monitoring and alarm operation on the matched access information.
The display equipment is accessed to the comprehensive server and used for displaying the information items of the monitoring records and the information items corresponding to the alarm information.
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed. Those skilled in the art to which the invention pertains will appreciate that insubstantial changes or modifications can be made without departing from the spirit of the invention as defined by the appended claims.
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.

Claims (10)

1. A method for constructing a logistics warehouse network security system is characterized by comprising the following steps:
step 1, constructing a redundant network architecture, and accessing safety equipment in the redundant network architecture;
step 2, planning the address in the network architecture, comprising: an internal network address, an equipment address and an inter-equipment interconnection address; configuring a network protocol of a redundant network architecture;
step 3, building a comprehensive server in a redundant network architecture; installing an internal DNS service in the integrated server, and deploying a collection service in the internal DNS server to collect access information;
step 4, deploying monitoring service and alarm service in the integrated server, adding a special operation characteristic library, matching access information in the collected service through the special operation characteristic library, and monitoring and alarming the matched access information to generate monitoring information and alarm information.
2. The construction method according to claim 1, wherein the network architecture constructed in step 1 comprises: a router, a firewall, a core switch, an aggregation switch, a wireless controller, an AP, an integrated server and an intranet PC.
3. The construction method according to claim 2, wherein the security equipment in step 1 further comprises an AC behavior manager, and the AC behavior manager is connected between the core switch and the firewall in transparent mode.
4. The construction method according to claim 3, wherein the security equipment in step 1 further comprises an IPS intrusion prevention device, and the IPS intrusion prevention device is attached alongside a core switch (bypass deployment).
5. The construction method according to claim 2, wherein the specific method for planning the intranet addresses in step 2 is as follows: planning the IP addresses of the intranet PCs, and dividing the internal network into different VLANs, each VLAN corresponding to a different application group.
6. The construction method according to claim 5, wherein configuring the network protocols in step 2 specifically comprises the following steps:
step 2.1, configuring a static routing protocol between the router and the external network;
step 2.2, configuring the OSPF dynamic routing protocol among the router, the firewall and the core switch;
step 2.3, performing stacking configuration between the core switches;
step 2.4, configuring a static routing protocol, the MSTP protocol and the VLAN protocol between the core switch and the aggregation switch;
step 2.5, configuring the MSTP protocol and the VLAN protocol between the core switch and the wireless controller;
step 2.6, configuring the 802.11n protocol between the wireless controller and the AP;
step 2.7, connecting the integrated server to the core switch using the LACP protocol;
step 2.8, connecting the intranet PC to the planned VLAN through the VLAN protocol.
7. The construction method according to any one of claims 1 to 6, wherein step 3 comprises the following specific processes:
step 3.1, installing an internal DNS service on the integrated server;
step 3.2, deploying a collection service on the internal DNS server to collect access information, and classifying and integrating the access information for subsequent retrieval and screening; the access information comprises the access IP, the accessed server IP and the header file.
8. The construction method according to claim 7, wherein step 4 specifically comprises:
step 4.1, deploying a monitoring service and an alarm service on the integrated server and adding a special operation feature library, the special operation feature library describing dangerous operations;
step 4.2, matching the access information against the special operation feature library, and extracting the access information whose special operation satisfies the feature library;
step 4.3, according to the extracted access information, extracting, on the accessed server side, the detailed access records and monitoring information corresponding to the access IP, and uploading the detailed access records and monitoring information to the collection service;
step 4.4, after the feature library has been matched against the access information, raising the corresponding alarm for the information that satisfies the feature library.
9. The construction method according to claim 8, further comprising: displaying the information items of the monitoring records and the information items corresponding to the alarms on a display screen, thereby completing the display of the security information.
10. A logistics warehouse network security system constructed by the logistics warehouse network security system construction method according to any one of claims 1 to 9, comprising: a router, a firewall, a core switch, an aggregation switch, an integrated server, an AP, an intranet PC, an AC behavior manager and an IPS intrusion prevention device;
a static routing protocol is configured between the router and the external network; the OSPF dynamic routing protocol is configured among the router, the firewall and the core switch; stacking configuration is performed between the core switches; a static routing protocol, the MSTP protocol and the VLAN protocol are configured between the core switch and the aggregation switch; the MSTP protocol and the VLAN protocol are configured between the core switch and the wireless controller; the 802.11n protocol is configured between the wireless controller and the AP; the integrated server is connected to the core switch using the LACP protocol; the intranet PC is connected to the aggregation switch through its VLAN;
the AC behavior manager is connected between the core switch and the firewall in transparent mode; the IPS intrusion prevention device is attached alongside a core switch (bypass deployment);
the integrated server is connected to the core switch, and an internal DNS service, a monitoring service, an alarm service and a special operation feature library are installed on the integrated server; the internal DNS server is also provided with a collection service for collecting access information, the special operation feature library is used for matching the access information, and the monitoring service and the alarm service carry out the corresponding monitoring and alarm operations on the matched access information.
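How the claimed collection, feature-library matching and alarm pipeline (claims 7 and 8) fits together, as an added Python example that is not part of the patent: the access-log lines, the feature-library patterns and the server-side detail records are all constructed samples, and the claimed "header file" is simplified to request header text.

```python
# Added example, not the patent's code: toy model of the claimed pipeline
# (claims 7-8): collect access info -> match feature library -> alarm items.
# Every log line, detail record and feature below is a constructed sample.
import re
from dataclasses import dataclass

@dataclass
class AccessRecord:
    access_ip: str  # access IP (claim 7)
    server_ip: str  # accessed server IP (claim 7)
    header: str     # "header file", simplified to the request header text

# Constructed special operation feature library (step 4.1): name -> pattern.
FEATURE_LIBRARY = {
    "zone_transfer": re.compile(r"\bAXFR\b"),
    "admin_path": re.compile(r"/admin/", re.I),
    "sql_keywords": re.compile(r"\b(UNION|SELECT)\b.*\bFROM\b", re.I),
}
# Constructed access lines in the form "<access_ip> <server_ip> <header text>".
SAMPLE_LOG = [
    "10.10.1.23 10.10.0.5 GET /index.html HTTP/1.1",
    "10.10.1.40 10.10.0.5 GET /admin/config HTTP/1.1",
    "10.10.2.7 10.10.0.9 DNS AXFR warehouse.internal",
    "10.10.1.23 10.10.0.5 GET /search?q=1 UNION SELECT pw FROM users",
]
# Constructed server-side detail records keyed by (server_ip, access_ip),
# standing in for what step 4.3 fetches from the accessed server.
SAMPLE_DETAILS = {("10.10.0.5", "10.10.1.40"): ["login ok", "config read"],
                  ("10.10.0.9", "10.10.2.7"): ["axfr refused"]}

def collect(raw_lines):
    """Step 3.2: parse raw lines into AccessRecord objects; skip malformed ones."""
    records = []
    for line in raw_lines:
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            records.append(AccessRecord(*parts))
    return records

def match_features(records, library=FEATURE_LIBRARY):
    """Step 4.2: (record, feature) pairs whose header matches the library."""
    return [(r, name) for r in records
            for name, pat in library.items() if pat.search(r.header)]

def build_alarms(hits, detail_store):
    """Steps 4.3-4.4: one alarm item per hit, carrying the accessed server's
    detail records for that access IP (empty list when the server has none)."""
    return [{"access_ip": r.access_ip, "server_ip": r.server_ip, "feature": name,
             "details": detail_store.get((r.server_ip, r.access_ip), [])}
            for r, name in hits]

def run_pipeline(raw_lines=SAMPLE_LOG, detail_store=SAMPLE_DETAILS):
    """End-to-end run on the constructed samples; returns the alarm list."""
    return build_alarms(match_features(collect(raw_lines)), detail_store)
```

The records that match no feature (the plain `GET /index.html`) produce monitoring data only, while each feature hit becomes an alarm item enriched with whatever detail the accessed server holds for that access IP.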

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911131641.XA CN111083114B (en) 2019-11-19 2019-11-19 Logistics warehouse network safety system and construction method

Publications (2)

Publication Number Publication Date
CN111083114A true CN111083114A (en) 2020-04-28
CN111083114B CN111083114B (en) 2021-09-24

Family

ID=70311176

Country Status (1)

Country Link
CN (1) CN111083114B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924776A (en) * 2010-09-16 2010-12-22 网宿科技股份有限公司 Method and system for domain name resolution server to resist flooding attacks of DNS (Domain Name System) request reports
CN103269389A (en) * 2013-06-03 2013-08-28 北京奇虎科技有限公司 Method and device for detecting and repairing malicious DNS setting
US20160057166A1 (en) * 2014-07-18 2016-02-25 Empow Cyber Security Ltd. Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats
CN105450619A (en) * 2014-09-28 2016-03-30 腾讯科技(深圳)有限公司 Method, device and system of protection of hostile attacks
CN106790088A (en) * 2016-12-23 2017-05-31 华北理工大学 A kind of network security enforcement system and method based on big data platform
WO2019067810A1 (en) * 2017-09-29 2019-04-04 Stratus Digital Systems Transient transaction server dns strategy
CN109995794A (en) * 2019-04-15 2019-07-09 深信服科技股份有限公司 A kind of security protection system, method, equipment and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935295A (en) * 2020-08-17 2020-11-13 河南中普国鼎科技有限公司 Intelligent logistics transportation account checking service system
CN111935295B (en) * 2020-08-17 2023-06-02 河南中普国鼎科技有限公司 Intelligent logistics transportation account checking service system
CN115174301A (en) * 2022-07-06 2022-10-11 广东石油化工学院 Campus network based on MSTP + VRRP networking technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Logistics Warehouse Network Security System and Construction Method

Granted publication date: 20210924

Pledgee: Bohai Bank Co.,Ltd. Chengdu Branch

Pledgor: Hongtu Intelligent Logistics Co.,Ltd.|LAHUOBAO NETWORK TECHNOLOGY CO.,LTD.

Registration number: Y2024510000089