CN101771619B - Network system for realizing integrated security services - Google Patents
Authority: CN (China)
Prior art keywords: network, service, security, control, business
Legal status: Active (Google Patents states that the listed status is an assumption, not a legal conclusion)
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Description
Technical Field
The present invention relates to a network system for realizing integrated security services.
Background Art
With the continuous development of the information society, users' communication needs have evolved from single voice or data communication to interactive multimedia communication, and network systems have evolved from independent systems serving each type separately to integrated networks serving voice, video and data uniformly. In recent years IP technology has developed rapidly, and building an integrated network around IP technology has become the industry consensus. However, problems such as the security and QoS of general-purpose IP networks constrain the rapid development of integrated networks.
IP networks have the following security problems:
The IP protocol was originally designed around the principles of openness and equality, without much consideration of network security, so the current IP protocol architecture contains many security weaknesses. These security problems stem mainly from the design, management, planning and application of IP technology. As far as IP technology itself is concerned, the following problems affect network security:
1) The network treats the management information, control signaling and service data it carries in the same way, and there is no clear boundary between the user and the network interface, so they interfere with each other. Normal operation of the network is easily affected and disrupted by user behaviour, and may even be controlled by users.
2) User IP addresses and network IP addresses are not distinguished. Any user terminal can send IP packets directly to any device in the network, which makes it possible for user terminals to attack network devices.
3) Users access the network freely and there is no effective source address verification. User terminals can forge source addresses to launch traffic floods or spoofing attacks against the network without being traceable.
4) User services lack control and cannot be supervised, so illegal applications run out of control and proliferate.
5) IP packets are transmitted in plaintext, so their contents are easily eavesdropped, tampered with or forged, and the complete source and destination address information in the IP header is easily exploited and analysed by unauthorized parties.
In traditional IP networks, security and confidentiality devices of various kinds are generally overlaid to improve the security of the network and its services: for example security devices such as network isolation, firewalls, authentication services, intrusion detection and vulnerability scanning, and confidentiality devices at the link, network and application layers. A protection system built by overlaying devices in this way improves the security and confidentiality of the network and its services to a certain extent, but it also has the following problems:
Limited network performance: the overlaid security and confidentiality devices add transmission and management overhead to the network, consume part of the bandwidth, increase the forwarding delay of service data and significantly affect communication performance. Moreover, compared with network switching equipment, security and confidentiality devices generally have a lower packet forwarding rate and lack a corresponding queue scheduling mechanism, so the switching and forwarding capacity of the network cannot be fully exploited, communication bottlenecks arise easily, and service QoS is hard to guarantee.
Difficulty coordinating the devices: each security or confidentiality device works independently in the network and provides its security function at a different layer. Because there is no integrated security architecture, security gaps form between the devices. For example, physical- and link-layer measures (such as channel encryption devices) cannot solve network-layer address spoofing; network-layer measures (such as firewalls) cannot identify and filter malicious application-layer data; and application-layer measures can do nothing against attacks on the underlying infrastructure. At the same time, the necessary coupling between network switching equipment and security equipment is missing, so they affect each other and cannot work in coordination. The interconnection interfaces over external cables also leave security gaps and bring hidden risks to network security.
Incomplete security protection: the protection measures or policies of each device differ in completeness and complexity according to its functional role. On the one hand some security functions overlap, reducing communication efficiency; on the other hand the security policies of the devices are hard to keep consistent, and mutually exclusive or omitted policies easily cause abnormal network communication or security holes. Under the traditional IP protocol regime, security measures are hard to integrate effectively into every layer of the network, and the whole course of service communication cannot be monitored for security. In addition, the devices communicate with each other over general-purpose network protocols, so the inherent security problems remain and the devices' own protection capability is weak.
Many device types, diverse deployment and management methods, and difficult network commissioning, operation and maintenance: the many kinds of security and confidentiality devices with differing functions not only reduce the reliability of network operation but also consume a large amount of money. Security devices must be deployment-planned for each application environment, and the configuration, status management, key management and key distribution of each device class form their own separate system, so policy configuration, operation and maintenance are very complicated and require highly skilled network planning and management personnel. Faced with ever-expanding application services and an endless stream of security threats, policies must be revised or devices upgraded constantly, which limits the continued development and functional expansion of the network.
The NGN/IMS architecture provides multi-service applications and flexible, convenient application extension, and has become the basis for the converged evolution of fixed and mobile networks. NGN/IMS adopts a horizontal architecture in which service, control and bearer are completely separated; it has centralized user attributes, is access-independent, supports user mobility, and provides flexible IP multimedia services and standard open service interfaces. However, the architecture still has some unresolved problems:
1) QoS at the bearer layer: as far as IP QoS technology itself is concerned, the IntServ and DiffServ service models support QoS at different levels, and the development and application of MPLS provides an effective route to solving the IP QoS problem thoroughly. However, today's IP networks are still dominated by data services; because of their huge scale, differing regimes and inconsistent standards, the various QoS technologies are hard to implement effectively in IP networks and cannot deliver their designed performance, so real-time services such as voice and video never obtain satisfactory QoS. In addition, the NGN control layer lacks the necessary unified control over the bearer layer, so the QoS that different bearer networks provide for a service is inconsistent.
2) Security: NGN uses the IP network as its main bearer network and therefore inherits the security problems of IP networks; in particular, the security of the control layer has a large impact on communication services. The security measures in the current NGN architecture are far from sufficient, and control-layer security needs to be solved at the architectural level.
3) End-to-end connectivity: the convergence of multiple services brings different kinds of terminals into the network. Because terminals are identified differently in the network (telephone terminals by telephone number, computer terminals by IP address, and some terminals even by user number), how to set up sessions and interconnect different terminals is the first problem to be solved. NAT at the edge between the user network and the public network, and user mobility, make end-to-end connection even more complicated. A unified session connection control mechanism is therefore needed to realize end-to-end connections, together with a unified translation mechanism that maps terminal identifiers to network addresses so that routing can be completed.
4) Network interconnection and interoperability: because NGN technology is still developing, its protocols also need continuous refinement and supplementation according to service requirements. At present protocols with the same or similar functions have not been unified, and compatibility problems between protocols leave defects in network interconnection and interoperability.
5) Network and service management: as services and users grow, network management becomes ever more complex; besides performance, configuration, fault and accounting management, unified management mechanisms for network security and QoS are also required. Management of user service bandwidth, service QoS, service functions and service security level also needs to be strengthened.
Summary of the Invention
To overcome the above shortcomings of the prior art, the present invention provides a network system for realizing integrated security services, which, through the integrated design of network security and network services, builds a multi-service network platform with guaranteed security and QoS.
The technical solution of the present invention is a network system for realizing integrated security services, comprising an information classification and isolation system, an integrated service system, a service quality assurance system, an integrated security protection system and an integrated network management system;
The information classification and isolation system provides independent routing and switching for each class of information in the network; service data, signaling messages and network management information are classified and handled separately at every stage, namely user access, routing and switching, trunk transmission, QoS assurance and security, so that service, control and management information are classified and isolated in the network; each isolated class of information has its own bandwidth resources and its own routing, switching and QoS assurance measures in the network; and relatively independent transmission channels exist between terminals and switching nodes and between switching nodes;
The integrated service system uses a secure session connection protocol to realize a service admission control function, a service transmission path establishment control function, a name-address mapping function, a key distribution bearer function, a QoS admission control function and a security protection function;
The service quality assurance system provides end-to-end connection-oriented services; applies differentiated services to data at the service, control and management levels; polices the traffic flows in the network; uses QoS routing to dynamically discover the optimal path that satisfies the service quality requirements, realizing traffic engineering; and performs admission control on service session connections through QoS admission control;
The integrated security protection system includes information classification and isolation, network border protection, application service admission control and data encryption protection. Information classification and isolation means that the user ports, trunk ports and management ports of the network are distinguished by their attributes: a user terminal attaches via a user port, its signaling messages and management information can be forwarded only to the connection controller and the network management agent of the access node, and its service data can be switched and forwarded only at the service level; network switching equipment routes and switches service, control and management data independently, and trunk lines establish separate transmission channels for service, control and management data so that the channels do not interfere with one another. Network border protection means that the legitimacy of a user terminal's access is authenticated through a user secure access protocol, and the transmission link for the user's service data is established in real time under the connection control of the control layer and torn down when the service ends. Application service admission control means that during session setup the connection control of the control layer verifies the authenticity of the signaling, and an end-to-end transmission path is established for the service data under session connection control;
The integrated network management system uses hierarchical management with level-by-level aggregation and centralized control to realize partitioned, delegated management.
Compared with the prior art, the beneficial effect of the present invention is that, through the integrated design of network security and network services, it builds a secure, trustworthy network platform offering diversified services.
Integrated network security means that security measures are built into every layer of network communication and cooperate with and support one another, ensuring both security and communication efficiency. Integrated network security is mainly embodied in the following: classification and isolation of information separates service, control and management information from one another, and each class has its own routing and switching, transmission bandwidth, QoS assurance and security protection in the network, which effectively protects the security of the network system itself; secure user access authenticates terminal equipment at attachment, performs name-address translation, and protects service data with integrity and anti-replay measures, which effectively strengthens protection at the network border; secure node interconnection authenticates the legitimacy of interconnected nodes and protects data between nodes with integrity and anti-replay measures, which effectively prevents illegitimate nodes from joining the network; and service admission control authenticates user identity and privileges and controls the session connections, types and traffic of services at the network entry point, which effectively prevents illegitimate data from entering the network.
The integrated network service supports combined voice, video and data services and guarantees the QoS of each class of service. Under unified service session control the network provides three bearer services: a connection-oriented service with QoS guarantees, for real-time services; a connection-oriented service, for instant messaging and P2P services; and a best-effort service, for general data services. Through information classification and isolation the network provides a relatively independent network environment for each class of service, isolating services from one another and providing QoS assurance matched to the characteristics of each data type. Service session control assigns name-address mappings and, together with network routing and switching, realizes name-address separation, which on the one hand improves the security of the network and its services and on the other hand supports applications such as mobility and multicast.
Detailed Description
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way except where features and/or steps are mutually exclusive.
Unless expressly stated otherwise, any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by an alternative feature serving an equivalent or similar purpose. That is, unless expressly stated otherwise, each feature is only one example of a series of equivalent or similar features.
A security service system for an integrated network should satisfy users' requirements for application services and for security and confidentiality, guarantee the service quality of communication services, and ensure the security of the network system. It comprises five basic technical systems: the classified and isolated network, integrated services, service quality assurance, integrated security protection and integrated network management. The classified and isolated network technology system provides relatively independent routing, switching and transmission services for service, control and management information; the integrated service technology system realizes session connection control for services, provides multiple application services and has the capacity to extend application services; the service quality assurance system uses a combination of measures to provide good communication quality for real-time services such as voice and video and improves the overall service performance of the system; the integrated security protection technology system is built into every layer of service, network and management, with all protection measures interrelated and coordinated to ensure the security of services and the network; and the integrated network management technology system is responsible for comprehensive, unified and effective management of the network, its equipment and its services.
1) Classified and isolated network technology system
Combining the technical advantages of IP and MPLS, the system realizes large-capacity, high-bandwidth packet routing and switching to support combined voice, video and data services. At the same time, to ensure network security and service quality, the system classifies and handles service data, signaling messages and network management information separately at every stage, namely user access, routing and switching, trunk transmission, QoS assurance and security, so that service, control and management information are classified and isolated in the network. Each isolated class of information has its own bandwidth resources and its own routing, switching and QoS assurance measures in the network; independent transmission channels exist between terminals and switching nodes and between switching nodes, so each class of data travels its own way without interfering with the others. A relatively independent network environment is built for each service system: on the unified network platform, the service level can be further divided into several service sub-layers, forming several independent subnets of different sizes and topologies. Application services in different subnets can be independent of one another, or can interwork under controlled conditions. For example, a real-time service subnet carries real-time services such as voice and video, data service subnet A carries point-to-point computer communication, and data service subnet B carries Web browsing. The system establishes independent transmission channels for each subnet, allocates it independent addresses and bandwidth resources, and performs independent routing, switching and QoS assurance for it.
2) Integrated service technology system
With reference to the NGN architecture model and following the design principle of separating service, control and bearer, the system provides comprehensive service capability for voice, video and data services and supports mobile access and multicast:
The control layer mainly performs session connection control, realizing basic telephone call and session connection functions; the service layer mainly provides service, authentication, policy and database services; the access sub-layer of the transport layer mainly provides access for multimedia terminals, computer LANs, broadband dial-up, broadband wireless and other broadband users, as well as access for telephone and mobile networks; and the bearer sub-layer of the transport layer provides independent bearer services for signaling and for services. The integrated service technology system makes services independent of the network, creating a favourable environment for providing new services quickly, flexibly and effectively in the future.
Connection control is the core function of the integrated service system and mainly performs the following functions:
Session connection control: performs the basic and enhanced session connection procedures.
Number or address resolution: resolves the telephone number or other address information called by the user, performs routing analysis based on the number, and locates the called node or redirects the call.
Interworking: performs conversion and flow control of the signaling or protocols of existing networks through a signaling gateway.
Media gateway control: controls the link status, timeslot resources and multiplexing/demultiplexing functions of the media gateway, and controls the sending and receiving of user signaling and services for terminals attached to the media gateway.
Protocol (signaling) adaptation: adapts and transports existing network protocols.
Service management: records service status, including user number or address, communication time and failure reason, and supplies service management data to the network management system.
The integrated network security service architecture applies unified session connection control to all classes of service. In packet networks, call control is generally implemented with SIP. SIP is simple, flexible and highly extensible, supports terminal detection, online detection, mobility and multicast, has been designated the control protocol for third-generation networks, and is very widely used. To integrate network security with network services, the system draws on the basic design ideas and procedures of SIP and, in line with the requirements for extending control-layer functions, optimizes and supplements SIP and builds security into it, forming a dedicated secure session connection protocol (SCLP for short), whose specific content is as follows:
(1) Service admission control: session control authenticates the legitimacy of both communicating parties and instructs the network entry point to open or close the transmission channel and routing/switching service for that service.
(2) Service transmission path establishment control: session control requests that the network establish a transmission path to carry the service data. According to the QoS requirements of the service there are three basic path types: a connection-oriented path with QoS guarantees, for real-time services; a connection-oriented path without QoS guarantees, for instant messaging and P2P services; and a connectionless best-effort path, for general data services. In addition, according to the service's QoS requirements, a transmission path with QoS characteristics such as minimum delay, maximum bandwidth or minimum cost can be requested for the service.
(3) Name-address mapping: during session setup, the mapping between terminal identifier, user identifier and service identifier on the one hand and network address on the other is determined and supplied to the user port for name-address translation, realizing name-address separation. A network address can be assigned automatically to the user port for routing at each session setup and becomes invalid when the service ends.
(4) Key distribution bearer: the session control signaling can carry key distribution protocol data, so that key distribution is completed during session establishment; this shortens session setup time for confidential services and improves the efficiency and security of key distribution.
(5) QoS admission control: admits a service according to the current network resource situation and the service's QoS requirements, and executes the relevant QoS policies, such as resource preemption for high-priority users.
(6) Security protection: verifies the legitimacy of call connection protocol messages to ensure the security of the control layer.
3) Quality of service assurance technical system
Under the integrated network security service architecture, information is classified and isolated so that the network carries different services on mutually independent switching and transmission channels. According to the QoS requirements of each service, several QoS techniques can be applied together on each channel to provide effective quality assurance, and uniformly deployed QoS policies make the individual assurance measures cooperate with one another and operate effectively.
End-to-end connection-oriented service is the basic condition for guaranteeing the QoS of real-time services. The system establishes an end-to-end, connection-oriented, quality-guaranteed transmission channel for the two communicating parties. Service data flows are switched and transmitted along this path, so that they arrive in order with relatively stable transmission characteristics.
Classified differentiated service applies differentiated treatment separately to the data of the service, control and management planes. Each plane can differentiate according to data characteristics such as message category, data type and priority. Through the corresponding queue scheduling algorithms, each class of data flow occupies system resources according to the prior agreement.
To ensure that the traffic actually carried by the network conforms to the pre-agreed resource allocation, and to prevent abnormal traffic from seizing network resources, the system monitors and limits the data flows in the network. Traffic policing discards excess traffic according to configured policies, so that high-priority service flows such as voice and video are forwarded normally.
QoS routing is an important condition for guaranteeing service quality and improving the overall service performance of the network. Based on the usage of network resources, QoS routing dynamically discovers the optimal path that satisfies the quality-of-service requirements. QoS routing provides the routing foundation for traffic engineering, distributing service traffic sensibly across the network, thereby reducing the probability of congestion, increasing throughput and improving the utilization of network resources.
Statistical resource allocation achieves reasonable and effective control and utilization of system resources through QoS measurement and statistics. The objects of measurement and statistics include traffic volume, bit error rate, packet loss rate and abnormal packets. Various QoS parameters are generated from the measurement and statistical results in order to control system resources.
QoS admission control admits or rejects service session connections according to the network's current resources and the QoS requirements of the service, preventing service traffic beyond the carrying capacity from entering the network. The system focuses on applying these techniques together and, through unified design and unified management, turning QoS technology into an end-to-end service transmission platform that meets the service quality requirements.
4) Comprehensive security protection technical system
The integrated network security service architecture sets out to solve network security problems at the level of the system architecture. The various security and confidentiality measures are integrated into every device and every layer of the network and cooperate closely with one another, so as to strengthen security protection, improve network resource utilization, guarantee service quality and realize unified control and management. The comprehensive security protection system mainly comprises information classification and isolation, network border protection, application service admission control and data encryption protection:
(1) Information classification and isolation
The attributes of the network's user ports, trunk ports and management ports are strictly distinguished. A user terminal attaches through a user port; its signaling messages and management information can only be forwarded to the connection controller and the network management agent of the access node, and its service data can only be switched and forwarded in the service plane. A user terminal cannot reach devices or addresses in the other planes of the network. Network switching equipment routes and switches service, control and management data independently, without mutual interference. On trunk lines, separate transmission channels are established for service, control and management data; each channel has its own bandwidth resources, and the channels are isolated from one another.
(2) Network border protection
The network border is the focus of the system security protection design and is realized through the User Secure Access Protocol (USAP). USAP authenticates the legitimacy of user terminals attaching to the network and prevents illegal terminals from attaching. The authentication is maintained periodically.
USAP isolates the service, signaling and management data transmission links on the user line and maps them to the corresponding transmission channels on the network trunk lines. The transmission link for user service data is established in real time under the connection control of the control layer and torn down when the service ends. Data encapsulated and carried by USAP on the user line is protected for integrity and against replay, which prevents attack packets from being inserted on the user line.
USAP also realizes the separation of terminal identifier and network address. The terminal's address in the network (that is, the routing address of the user port on the switching device) is visible only inside the network and is allocated automatically by the network for each communication. USAP establishes and maintains the binding between the service, the terminal identifier and the network address, and the switching device translates between terminal identifier and network address according to that binding. Because the network is transparent to the user, the security of the network border is effectively guaranteed.
Security between network nodes is realized through the Node Secure Interconnection Protocol (NSIP). Interconnection between nodes must pass legitimacy authentication, which prevents illegal nodes from attaching. In addition, data encapsulated and carried by NSIP on trunk lines is protected for integrity and against replay.
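The integrity and anti-replay protection that the description attributes to USAP on user lines and to NSIP on trunk lines, shown as an added illustration that is not part of the patent: the frame layout, the truncated HMAC-SHA256 tag and the 64-entry sliding replay window are assumptions, since the description does not specify them.

```python
"""Added illustration (not code from the patent): per-frame integrity and anti-replay
checking of the kind the description attributes to USAP and NSIP encapsulation.
Frame layout, key handling and window size are assumptions."""
import hashlib
import hmac
import struct
TAG_LEN = 16                 # assumption: HMAC-SHA256 tag truncated to 16 bytes
REPLAY_WINDOW = 64           # assumption: window of recently seen sequence numbers
MASK = (1 << REPLAY_WINDOW) - 1
HDR = struct.Struct("!HI")   # link id (2 bytes) | sequence number (4 bytes)

def protect(key, link_id, seq, payload):
    """Build a frame link_id | seq | payload | tag; the tag binds all three."""
    header = HDR.pack(link_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class ReplayWindow:
    """Highest accepted sequence number plus a bitmap of the window below it."""
    def __init__(self):
        self.highest = -1
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq > self.highest:                      # newer than anything seen: slide
            shift = seq - self.highest
            self.bitmap = 1 if shift >= REPLAY_WINDOW else (self.bitmap << shift | 1) & MASK
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= REPLAY_WINDOW or self.bitmap & (1 << offset):
            return False                            # too old, or already accepted
        self.bitmap |= 1 << offset                  # late but genuinely new
        return True

class Receiver:
    def __init__(self, key, link_id):
        self.key, self.link_id, self.window = key, link_id, ReplayWindow()

    def unprotect(self, frame):
        """Return (payload, verdict); verdict is 'ok' or the reason for rejection."""
        if len(frame) < HDR.size + TAG_LEN:
            return None, "short"
        header, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad_tag"      # forged or altered; checked before touching the window
        link_id, seq = HDR.unpack(header)
        if link_id != self.link_id:
            return None, "wrong_link"   # crossed over from another isolated link
        if not self.window.check_and_update(seq):
            return None, "replay"
        return body, "ok"

def demo():
    """Constructed traffic: two genuine frames, a replay, a forgery, a tamper, a cross-link frame."""
    key = b"constructed-demo-key"   # assumption: agreed during terminal authentication
    rx = Receiver(key, link_id=7)
    f1, f2 = protect(key, 7, 1, b"voice-1"), protect(key, 7, 2, b"voice-2")
    frames = [f1, f2, f1,
              f2[:-TAG_LEN] + bytes(TAG_LEN),              # attacker without the key
              f2[:HDR.size] + b"VOICE-2" + f2[-TAG_LEN:],  # payload altered in transit
              protect(key, 8, 3, b"mgmt")]                 # valid tag but wrong link
    return [rx.unprotect(f)[1] for f in frames]
```

The tag is verified before the replay window is updated, so an unauthenticated frame can never advance the receiver's window.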
(3) Application service admission control
Application services are controlled by session connections: the network refuses to carry service data for which no call connection has been completed. During session establishment, the connection control of the control layer verifies the authenticity of the signaling, preventing signaling attacks from illegal terminals or nodes. To secure the service, the system establishes an end-to-end transmission path for the service data under session connection control; the path through the network may be chosen by the source node according to the QoS characteristics of the links, or a designated route or policy route may be configured through network management. The user's service data is transmitted, switched and forwarded on that transmission path, and data from outside the path is refused entry.
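A compact model of the session-controlled admission described in this paragraph, in the QoS admission control paragraph of the previous section, and in control functions (1), (2), (3) and (5) above, added here as an illustration that is not taken from the patent; the class names, the capacity unit, the path type labels and the per-session address scheme are assumptions.

```python
"""Added model (not the patent's code) of session-controlled service admission:
authenticate both parties, admit against a QoS budget, allocate per-session network
addresses, install the path, and forward service data only on an installed path."""
from collections import namedtuple

Session = namedtuple("Session", "src_id dst_id src_addr dst_addr bandwidth path_type")

class Switch:   # service plane: a flow is carried only if session control installed its path
    def __init__(self):
        self.paths = set()
    def install(self, a, b):
        self.paths.update({(a, b), (b, a)})
    def remove(self, a, b):
        self.paths.difference_update({(a, b), (b, a)})
    def forward(self, src_addr, dst_addr):
        return (src_addr, dst_addr) in self.paths    # data from outside the path is refused

class SessionController:
    def __init__(self, link_capacity, registered):
        self.capacity = link_capacity          # budget for QoS-guaranteed paths (assumed unit)
        self.registered = set(registered)      # terminals authenticated at the border
        self.sessions, self.switch = {}, Switch()
        self.next_addr, self.next_sid = 1, 1

    def free_capacity(self):
        return self.capacity - sum(s.bandwidth for s in self.sessions.values()
                                   if s.path_type == "connected_qos")

    def setup(self, src_id, dst_id, bandwidth, path_type):
        """Return (session id or None, verdict); path_type is connected_qos,
        connected or best_effort (assumed labels for the three path types)."""
        if src_id not in self.registered or dst_id not in self.registered:
            return None, "rejected: unauthenticated party"      # function (1)
        if path_type == "connected_qos" and bandwidth > self.free_capacity():
            return None, "rejected: QoS admission"              # function (5)
        src_addr, dst_addr = self.next_addr, self.next_addr + 1   # function (3): per session
        self.next_addr += 2
        sid, self.next_sid = f"s{self.next_sid}", self.next_sid + 1
        self.sessions[sid] = Session(src_id, dst_id, src_addr, dst_addr, bandwidth, path_type)
        self.switch.install(src_addr, dst_addr)                 # function (2)
        return sid, "admitted"

    def teardown(self, sid):
        """When the service ends the path is removed and its addresses become invalid."""
        s = self.sessions.pop(sid)
        self.switch.remove(s.src_addr, s.dst_addr)

def demo():
    """Constructed scenario: one 100-unit link, three authenticated terminals."""
    ctl = SessionController(100, {"termA", "termB", "termC"})
    out = []
    s1, verdict = ctl.setup("termA", "termB", 80, "connected_qos")
    out.append(verdict)
    out.append(ctl.setup("termC", "termB", 50, "connected_qos")[1])  # only 20 units left
    out.append(ctl.setup("termC", "termB", 50, "best_effort")[1])    # no reservation needed
    out.append(ctl.setup("termX", "termB", 1, "best_effort")[1])     # never authenticated
    a, b = ctl.sessions[s1].src_addr, ctl.sessions[s1].dst_addr
    out += [ctl.switch.forward(a, b), ctl.switch.forward(a, 99)]    # on path / off path
    ctl.teardown(s1)
    out.append(ctl.switch.forward(a, b))                             # refused after teardown
    return out
```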
(4) Data encryption protection
Encryption of service data and system information is an important means of ensuring the security of services and of the network. User service data is encrypted end to end over the whole path and is never decrypted at intermediate nodes during network transmission, ensuring the confidentiality of communication services. All data on trunk lines is additionally encrypted: this applies a second layer of encryption to service data, strengthening its confidentiality, and also encrypts inter-node signaling and network protocol messages, strengthening the security protection of the network system.
5) Comprehensive network management technical system
The network management system provides unified management of the network, its equipment, services and users. It uses hierarchical management with level-by-level aggregation and centralized control, realizing management divided by region and by authority. It comprises subsystems such as network resource management, application service management and user attribute management, and provides configuration, fault, performance, topology, service, security and QoS management functions.
The present invention is not limited to the specific embodiments described above. It extends to any new feature or any new combination of features disclosed in this specification, and to the steps of any new method or process, or any new combination thereof, disclosed herein.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010125028XA CN101771619B (en) | 2010-03-16 | 2010-03-16 | Network system for realizing integrated security services |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101771619A CN101771619A (en) | 2010-07-07 |
CN101771619B true CN101771619B (en) | 2012-07-04 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |