CN111935212A - Security router and Internet of things security networking method based on security router - Google Patents
- Publication number: CN111935212A (application CN202010606677.5A)
- Authority: CN (China)
- Prior art keywords: terminal, fingerprint identification, equipment, security, communication packet
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Granted
Classifications
All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 ... for authentication of entities > H04L63/0861 ... using biometrical features, e.g. fingerprint, retina-scan
- H04L63/00 Network architectures or network communication protocols for network security > H04L63/16 Implementing security features at a particular protocol layer > H04L63/168 ... above the transport layer
Abstract
The invention provides a security router and an Internet of Things security networking method based on the security router, comprising the following steps: S1, determining whether the terminal device is a newly accessed device; if so, executing step S2, otherwise executing step S3; S2, fingerprinting the terminal device with an active device fingerprinting method and/or a passive fingerprinting method; S3, fingerprinting the terminal device with a passive device fingerprinting method; and S4, judging from the fingerprinting result whether the terminal device is trusted and, if so, forwarding its communication packets. The invention applies a fingerprinting mechanism to terminal access devices: when a terminal accesses for the first time, or accesses again after a timeout, a hybrid terminal fingerprinting technique performs a relatively comprehensive identification, which improves the accuracy of the access device's fingerprint; once access has succeeded, only passive fingerprinting is used, which improves communication efficiency and better balances communication security against communication speed.
Description
Technical Field
The invention belongs to the technical field of routers, and in particular relates to a security router and an Internet of Things security networking method based on that security router.
Background
With the rise and rapid development of the Internet of Things (IoT) industry, devices of every kind can be connected to the IoT, which gives the IoT ever stronger capabilities for acquiring data from, and exerting control over, the real world. As these data acquisition and control capabilities grow, so does their influence on daily life; IoT security has therefore drawn increasing attention alongside the IoT's rapid growth. Current industry strategies for IoT security fall into three main areas: at the application layer, security services handle authentication, authorization, data protection and the like; at the network layer, a secure connection is established between server and terminal; and at the sensing layer, the terminal must have a reliable and secure operating environment.
Correctly identifying the identity of sensing-layer terminals is an important precondition for successfully enforcing an IoT security policy.
The basic IoT architecture comprises three logical layers: a perception (sensing) layer, a network transmission layer and a processing/application layer. The transmission layer is a conventional network made up of the Internet and mobile networks; since mobile networks ultimately connect through the Internet, the transmission layer is a communication network with the Internet at its core. The processing/application layer is in effect a data processing centre; when data volumes are large, a cloud computing platform supports the big-data processing, so in the IoT this layer generally refers to the cloud platform. Both the network transmission layer and the processing/application layer are components of a traditional information system, so traditional information security technologies can essentially be applied to them today. The perception layer is the fundamental element that distinguishes an IoT system from a traditional information system, and it is also the key point at which the virtual world meets the real, physical world.
Within IoT security, the security of the sensing layer is the technical bottleneck for the security of the whole IoT system. Where a sensing node's processing capacity approaches that of a traditional information system, as with a smart mobile terminal, traditional information security technologies can be used: operating system security, intrusion detection, access control and the like. For devices such as webcams, ordinary sensors and RFID tags, however, a suitable information security protection mechanism is still lacking. Although cryptographers have designed lightweight cryptographic algorithms, in practice an algorithm alone is not enough; also required are key management (key establishment and key update), identity authentication (confirming that the communicating peer's identity is genuine), data integrity protection (ensuring data is not modified, especially not maliciously), data confidentiality (ensuring eavesdroppers cannot obtain the data content) and data freshness (detecting an attacker's replay attacks, especially replay of control instruction data). The challenge of IoT security technology is therefore also the bottleneck of current technology, and the communication security problem lies in the IoT system's last kilometre: from the terminal sensing node to the IoT gateway node of the access network. Solving that problem solves the security problem of the IoT system as a whole and provides end-to-end security protection for data in industrial IoT applications.
Under present technical conditions, methods for identifying the identity of intelligent terminals are not very secure or reliable. Moreover, existing terminal device identification schemes are mainly implemented with switches and analysis services; they are costly, bulky and power-hungry, and are unsuited to applications that demand low cost, small size and low power consumption.
In addition, although some existing network systems identify access devices through a trusted-authentication method, the implementation is relatively complex, and deploying such products to manage terminals that have no UI or web interface is too complex or outright infeasible.
Disclosure of Invention
One object of the present invention is to provide a security router;
another object is to provide an Internet of Things security networking method based on the security router.
To achieve these objects, the invention adopts the following technical scheme:
A security-router-based Internet of Things security networking method comprises the following steps:
S1, determining whether the terminal device is a newly accessed device; if so, executing step S2, otherwise executing step S3;
S2, fingerprinting the terminal device with an active device fingerprinting method and/or a passive fingerprinting method;
S3, fingerprinting the terminal device with a passive device fingerprinting method;
and S4, judging from the fingerprinting result whether the terminal device is trusted and, if so, forwarding its communication packets.
In the foregoing Internet of Things security networking method, in step S2, if the terminal device uses a static IP address, the active device fingerprinting method is adopted, which comprises:
S201, probing the target terminal device online by sending several types of packets to the network in sequence;
S202, performing several fingerprint-parameter comparisons on the target terminal device against the white list and the black list, including address comparison, port comparison and terminal operating system comparison.
In the foregoing Internet of Things security networking method, in step S2, if the terminal device uses a dynamic IP address, the passive fingerprinting method is adopted, which comprises:
S211, capturing and parsing the DHCP request packet that the terminal device itself initiates;
S212, obtaining the terminal device's fingerprint information from the DHCP request packet, including its MAC address, the manufacturer information carried in the DHCP options and the device model, and comparing that fingerprint information against the black list and the white list.
In the foregoing Internet of Things security networking method, if the terminal device is a newly accessed device, step S4 comprises:
if the comparison fully matches the white list, forwarding the communication packet and, if the terminal device uses a dynamic IP address, allocating an IP address to it at the same time;
if one or more of the specified parameters are on the black list, blocking and discarding the communication packet;
if the port comparison does not match the white list but all other items match, forwarding the communication packet and raising a prompt for processing;
if one or more of the specified parameters are on neither the white list nor the black list, placing the communication packet in an isolation (quarantine) area to await processing by the superior device;
and, once the superior device has confirmed the terminal device as trusted, adding the fingerprint information of that terminal device to the white list.
In the foregoing Internet of Things security networking method, in step S3, the passive device fingerprinting method comprises:
S31, capturing the communication packet and parsing the IP address, the MAC address and the TTL value from the IP header;
S32, parsing the DF flag, the TCP window size, the size of the SYN packet and the TCP extension options from the transport-layer TCP packet;
S33, comparing the data parsed in steps S31 and S32 with the white list.
In the foregoing Internet of Things security networking method, if the terminal device is not a newly accessed device, step S4 comprises:
if the comparison in step S33 fully matches, forwarding the communication packet;
if it does not fully match, comparing the parsed data with the black list, and if one or more of the specified parameters in the parsed data are on the black list, blocking and discarding the communication packet;
if one or more of the specified parameters in the parsed data are on neither the white list nor the black list, placing the communication packet in an isolation (quarantine) area to await processing by the superior device;
and, once the superior device has confirmed the terminal device as trusted, adding the fingerprint information of that terminal device to the white list.
In the foregoing Internet of Things security networking method, newly accessed devices comprise terminal devices accessing for the first time, terminal devices accessing again after a timeout, and terminal devices lacking fingerprint information.
In the foregoing Internet of Things security networking method, in step S4 the communication packet is forwarded as follows:
S41, encrypting the communication packet with SSL VPN technology;
and S42, uploading the encrypted communication packet to the superior device through a national cryptographic (SM-series) VPN encrypted tunnel.
A security router comprises a network processor based on the MIPS architecture. The network processor comprises a terminal device security judgment module and a security encryption module; the terminal device security judgment module comprises an active terminal fingerprinting module, a passive terminal fingerprinting module and an identification processing module, wherein:
the active terminal fingerprinting module fingerprints newly accessed devices;
the passive terminal fingerprinting module fingerprints both newly accessed and non-new devices;
the identification processing module processes the terminal device's communication packets according to the fingerprinting result;
and the security encryption module encrypts the communication packets of devices whose fingerprint identifies them as trusted and forwards them to the superior device.
In the above security router, the security encryption module encrypts the communication packet with SSL VPN technology, and the encrypted packet is uploaded to the superior device through a national cryptographic (SM-series) VPN encrypted tunnel.
The advantages of the invention are as follows. By using a MIPS-architecture network processor as the core processing unit of the security router, the MIPS hardware engine accelerates the VPN function, so the national cryptographic (Guomi) VPN function is realised more effectively; the SM2/SM3/SM4 national cryptographic algorithms are supported; an enterprise's dedicated VPN channel can be accessed over a variety of networks; data is transmitted inside a secure tunnel, preventing it from being accessed or tampered with illegitimately; and network applications gain higher security.
A fingerprinting mechanism for terminal access devices is adopted: on first access, or on re-access after a timeout, a hybrid terminal fingerprinting technique performs a relatively comprehensive identification, improving the accuracy of the access device's fingerprint; after access succeeds, passive fingerprinting alone is used, which improves communication efficiency and better balances communication security against communication speed.
The device offers advanced security functions such as automatic identification and authentication of terminal access device characteristics and VPN-encrypted transmission, while its power consumption and size are well controlled (the device is close to an identity card in size). It is therefore very suitable for terminal access scenarios with high demands on security and on low-power miniaturisation, such as video surveillance networks in secure premises and data acquisition and transmission by environmental protection terminals.
Drawings
Fig. 1 is a flowchart of the fingerprinting method for an accessing terminal device according to the present invention;
Fig. 2 is a flowchart of the active terminal fingerprinting method of the present invention;
Fig. 3 is a flowchart of the passive terminal fingerprinting method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
The following describes the techniques to be used in this embodiment:
1. Router technology
Routers move information from a source to a destination across an interconnected network. A router is a principal node device of the Internet and decides how data is forwarded; the forwarding policy is called routing. As the hub interconnecting different networks, the router system forms the backbone of the TCP/IP-based Internet; its processing speed is one of the main bottlenecks of network communication, and its reliability directly affects the quality of network interconnection.
The rapid development of network technology continually drives improvements in router performance, and in practice routers have become more intelligent and offer stronger service capabilities. Early in the router's history, raw performance played the leading role; with the rapid growth of IP networks and services, service capability has come to play an increasingly important role. Today, besides continual improvement of product performance, router development has entered a new period driven by internal factors such as more intelligent product services and simpler, more convenient operation, maintenance and deployment.
2. SSL VPN technology
SSL VPN is a newer VPN technology that uses the SSL protocol to encrypt an IP data link in order to provide remote access.
3. Tunnelling technology
Tunnelling is a way of transferring data between networks over the infrastructure of an internetwork; it covers the whole process of encapsulating, transmitting and decapsulating the data. The data (payload) carried through a tunnel may be frames or packets of a different protocol: the tunnelling protocol re-encapsulates these frames or packets in a new header for transmission. The encapsulated packet is routed between the two tunnel endpoints across the public Internet, the new header providing the routing information that lets the encapsulated payload traverse the Internet. Once the packet reaches the tunnel endpoint it is decapsulated and forwarded to its final destination.
4. National cryptographic (Guomi) algorithms
National cryptography refers to the domestic cryptographic algorithms approved by the State Cryptography Administration, chiefly SM1, SM2, SM3 and SM4. SM1 is a symmetric cipher with a 128-bit key and a 128-bit block; its strength is comparable to AES, the algorithm is not public, and it must be invoked through the interface of a cryptographic chip. SM2 is an asymmetric (public-key) algorithm based on elliptic-curve cryptography (ECC); the algorithm is public, and because it is ECC-based its signing and key generation are faster than RSA's. 256-bit ECC (SM2 uses one 256-bit curve) has a higher security strength than 2048-bit RSA while operating faster. SM3 is a message digest algorithm; it is public and produces a 256-bit digest. SM4 is the block cipher of the wireless LAN standard: symmetric, with a 128-bit key and a 128-bit block. Because SM1 and SM4 encrypt and decrypt in 128-bit blocks, a message longer than one block must be split into blocks, and a final block shorter than 128 bits must be padded.
5. MIPS architecture
The MIPS architecture (Microprocessor without Interlocked Pipelined Stages) is a processor architecture of the Reduced Instruction Set Computer (RISC) type. It was developed and licensed by MIPS Technologies in 1981 and is widely used in electronic products, network equipment, personal entertainment devices and commercial devices. The MIPS architecture supports 64 bits.
Its basic characteristics are: 1) a large number of registers, instructions and characters; 2) visible pipeline delay slots. These characteristics let MIPS architectures deliver the highest performance per square millimetre and the lowest power consumption among today's SoC designs.
6. Terminal fingerprinting technology
A terminal device fingerprint is a characteristic, or a unique device identifier, that can be used to identify the device uniquely. Terminal fingerprinting is the technique of identifying the device type, operating system, manufacturer information and so on in order to determine the terminal device's information.
Specifically, the security router of this embodiment comprises a network processor based on the MIPS architecture. The network processor comprises a terminal device security judgment module and a security encryption module; the terminal device security judgment module comprises an active terminal fingerprinting module, a passive terminal fingerprinting module and an identification processing module, wherein:
the active terminal fingerprinting module fingerprints newly accessed devices;
the passive terminal fingerprinting module fingerprints both newly accessed and non-new devices;
the identification processing module processes the terminal device's communication packets according to the fingerprinting result;
and the security encryption module encrypts the communication packets of devices whose fingerprint identifies them as trusted and forwards them to the superior device.
The superior device may be an upstream security access gateway or another upstream server.
Newly accessed devices here are terminal devices accessing for the first time, terminal devices accessing again after a timeout, and terminal devices lacking fingerprint information.
Further, the security encryption module encrypts the communication packet with SSL VPN technology, and the encrypted packet is uploaded to the superior device through a national cryptographic (SM-series) VPN encrypted tunnel.
Traditional routers generally use a CPU, a CPU plus ASIC, or an ASIC as the processor; they have strong security performance and functions and many interfaces, but also high power consumption and a large size.
The MIPS-architecture network processor adopted in this embodiment has a powerful multi-core processor, a multi-port Ethernet switch and numerous interfaces such as RGMII, PCIe, USB and SD-XC. For network processing, its dedicated network address translation (NAT), QoS, Samba and virtual private network (VPN) hardware accelerators meet the requirements of applications such as high-speed 802.11ac, LTE Cat 4/5, edge computing, wireless hotspots, VPN and access control. Moreover, the processor chip's footprint is only about 1.6 square centimetres, so in functional terms it fully meets the requirements of a miniature security encryption router.
By using this high-performance network processor as the core processing unit of the security router, its hardware engine accelerates the VPN function, so the national cryptographic (Guomi) VPN function is realised more effectively; the SM2/SM4/SM3 national cryptographic algorithms are supported; an enterprise's dedicated VPN channel can be accessed over a variety of networks; data is transmitted inside a secure tunnel, preventing it from being accessed or tampered with illegitimately; and network applications gain higher security.
Further, the Internet of Things security networking method based on the security router comprises the following steps:
S1, determining whether the terminal device is a newly accessed device; if so, executing step S2, otherwise executing step S3;
S2, fingerprinting the terminal device with an active device fingerprinting method and/or a passive fingerprinting method;
S3, fingerprinting the terminal device with a passive device fingerprinting method;
and S4, judging from the fingerprinting result whether the terminal device is trusted and, if so, forwarding its communication packets.
In step S2, if the terminal device uses a static IP address, the active device fingerprinting method is adopted first, which comprises:
S201, probing the target terminal device online by sending several types of packets to the network in sequence;
S202, performing several fingerprint-parameter comparisons on the target terminal device against the white list and the black list, including address comparison, port comparison and terminal operating system comparison.
If the terminal device uses a dynamic IP address, the passive fingerprinting method is adopted, which comprises:
S211, capturing and parsing the DHCP request packet that the terminal device itself initiates;
S212, obtaining the terminal device's fingerprint information from the DHCP request packet, such as its MAC address, the manufacturer information carried in the DHCP options and the device model, and comparing that fingerprint information against the black list and the white list.
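As an added example that is not part of the patent, the following Python parses a captured DHCP client message and extracts the fields steps S211 and S212 rely on: the client MAC from the chaddr field and the manufacturer and model strings carried in the options (vendor class identifier, option 60, and host name, option 12). It goes slightly beyond the text by also recording the parameter request list (option 55), a widely used DHCP fingerprint feature; the sample message and the `build_request` helper are constructed for the demo and the dictionary key names are this example's own.

```python
# Added example, not the patent's own code: extract the DHCP-based
# terminal fingerprint (S211-S212) from a captured client message.
# The message is the UDP payload only (no IP/UDP headers).

DHCP_MAGIC = b"\x63\x82\x53\x63"           # BOOTP vendor-extension magic cookie
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}
FINGERPRINT_OPTIONS = {53: "msg_type", 60: "vendor_class", 12: "hostname",
                       55: "param_request_list", 61: "client_id"}


def parse_dhcp_request(msg: bytes) -> dict:
    """Return the fingerprint parameters of a DHCP client message.
    Raises ValueError for anything that is not a well-formed BOOTREQUEST,
    because a malformed packet must never be matched against the white list."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen = msg[0], msg[1], msg[2]
    if op != 1:                              # 1 = BOOTREQUEST (client -> server)
        raise ValueError("not a client request")
    if htype != 1 or hlen != 6:              # only Ethernet hardware addresses here
        raise ValueError("unsupported hardware address type")
    chaddr = msg[28:28 + hlen]               # client hardware address field
    fp = {name: None for name in FINGERPRINT_OPTIONS.values()}
    fp["mac"] = ":".join(f"{b:02x}" for b in chaddr)
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option, single byte
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:
            fp["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code in (60, 12):               # vendor class identifier, host name
            fp[FINGERPRINT_OPTIONS[code]] = value.decode("ascii", "replace")
        elif code == 55:                     # parameter request list: option codes
            fp["param_request_list"] = ",".join(str(b) for b in value)
        elif code == 61:
            fp["client_id"] = value.hex()
        i += 2 + length
    return fp


def build_request(mac: bytes, vendor_class: bytes, hostname: bytes, prl: bytes) -> bytes:
    """Constructed DHCPREQUEST for the demo: xid, secs, flags and all
    address fields are zero, sname/file are empty."""
    fixed = (bytes([1, 1, 6, 0]) + b"\x00" * 24        # op, htype, hlen, hops ... giaddr
             + mac + b"\x00" * 10                        # 16-byte chaddr
             + b"\x00" * 192)                            # sname (64) + file (128)
    opts = (b"\x35\x01\x03"                              # option 53 = REQUEST
            + bytes([60, len(vendor_class)]) + vendor_class
            + bytes([12, len(hostname)]) + hostname
            + bytes([55, len(prl)]) + prl
            + b"\xff")
    return fixed + DHCP_MAGIC + opts


def demo() -> dict:
    """Fingerprint a constructed request from a hypothetical IP camera."""
    msg = build_request(b"\xaa\xbb\xcc\xdd\xee\x01", b"IPC-Model-X", b"cam-lobby",
                        bytes([1, 3, 6, 15, 28]))
    return parse_dhcp_request(msg)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```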
When the terminal device is a newly accessed device, step S4 comprises:
if the comparison fully matches the white list, forwarding the communication packet and, if the terminal device uses a dynamic IP address, allocating an IP address to it at the same time;
if one or more of the specified parameters are on the black list, blocking and discarding the communication packet;
if the port comparison does not match the white list but all other items match, forwarding the communication packet and raising a prompt for processing;
if one or more of the specified parameters are on neither the white list nor the black list, placing the communication packet in an isolation (quarantine) area to await processing by the superior device;
and, once the superior device has confirmed the terminal device as trusted, adding the fingerprint information of that terminal device to the white list.
In step S3, the passive device fingerprint identification method includes:
S31, capturing the communication packet and analysing the IP address, the MAC address and the TTL value in the IP packet header;
S32, analysing the DF flag bit, the TCP window size, the size of the SYN packet and the TCP options of the SYN in the transport-layer TCP packet;
S33, comparing the data analysed in steps S31 and S32 with the white list.
If the terminal device is not a new access device, step S4 includes:
if the comparison in step S33 completely conforms, forwarding the communication packet;
if it does not completely conform to the white list, comparing the analysed data with the black list, and if one or more of the specified parameters in the analysed data are in the black list, blocking and discarding the communication packet;
if one or more of the specified parameters in the analysed data are in neither the white list nor the black list, placing the communication packet in the isolation area to wait for processing by the superior device;
and, once the superior device confirms the device as trusted, adding the fingerprint information of the corresponding terminal device to the white list.
Which one or more parameters are treated as decisive is determined by those skilled in the art according to the specific situation and is not limited here. For example, the MAC address and the IP address are important fingerprint parameters: when either of them is in the black list, the communication packet is blocked and discarded; when only the port matches the black list while the important parameters such as the MAC address and the IP address are in the white list, the communication packet is forwarded with a prompt for processing, or is placed in the isolation area to wait for processing by the superior device, depending on the fingerprint parameters recorded in the white list.
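The S4 decision rules above (which the fig. 2 and fig. 3 procedures below repeat) can be written out as one small policy function. The following Python is an added example, not code from the patent or its applicant; the parameter set (MAC, IP, open ports, operating system), the layout of the two lists, the treatment of MAC and IP as the "important" parameters, and the capacity limit on the isolation area are assumptions made for illustration:

```python
"""Trust decision for a fingerprinted terminal device against a white list and a
black list. Added illustration of the S4 rules; data layout and the 'important
parameter' policy are assumptions, not the patent's own implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Set


class Action(Enum):
    FORWARD = "forward"                    # comparison fully matches the white list
    FORWARD_AND_PROMPT = "forward+prompt"  # only the port comparison mismatches
    BLOCK = "block+discard"                # a specified parameter is black-listed
    QUARANTINE = "quarantine"              # unknown: hold for the superior device


@dataclass(frozen=True)
class Fingerprint:
    mac: str                 # from ARP/DHCP or the captured frame
    ip: str
    ports: FrozenSet[int]    # open TCP/UDP ports found by the active scan
    os: str                  # operating-system match from stack fingerprinting


WhiteList = Dict[str, Fingerprint]   # MAC -> expected fingerprint (Table 1 style)
BlackList = Dict[str, Set]           # parameter name -> forbidden values (assumed)


def decide(fp: Fingerprint, white: WhiteList, black: BlackList) -> Action:
    """Apply the S4 rules to one fingerprint. MAC and IP are the 'important'
    parameters: either of them on the black list blocks outright."""
    if fp.mac in black.get("mac", set()) or fp.ip in black.get("ip", set()):
        return Action.BLOCK

    expected = white.get(fp.mac)
    if expected is None or expected.ip != fp.ip:
        # Important parameters are not white-listed: a black-listed port or OS
        # still blocks; anything else is unknown and goes to the isolation area.
        if fp.ports & black.get("port", set()) or fp.os in black.get("os", set()):
            return Action.BLOCK
        return Action.QUARANTINE

    # MAC and IP match the white list; compare the remaining items.
    if fp.os != expected.os:
        return Action.QUARANTINE          # OS changed: neither list explains it
    if fp.ports != expected.ports:
        # A port mismatch alone (even a black-listed port) is forwarded with a
        # prompt, because the important parameters are trusted.
        return Action.FORWARD_AND_PROMPT
    return Action.FORWARD


class IsolationArea:
    """Holds unknown devices until the superior device rules on them; once the
    capacity limit is reached further packets are discarded (assumed policy)."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.pending: Dict[str, Fingerprint] = {}

    def hold(self, fp: Fingerprint) -> bool:
        if fp.mac in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            return False                  # upper limit reached: discard
        self.pending[fp.mac] = fp
        return True

    def resolve(self, mac: str, trusted: bool, white: WhiteList) -> None:
        """Superior device's verdict: a trusted entry is added to the white list."""
        fp = self.pending.pop(mac)
        if trusted:
            white[fp.mac] = fp


def handle_packet(fp: Fingerprint, white: WhiteList, black: BlackList,
                  isolation: IsolationArea) -> Action:
    action = decide(fp, white, black)
    if action is Action.QUARANTINE and not isolation.hold(fp):
        return Action.BLOCK               # isolation area full: discard
    return action


# Constructed sample lists (not taken from the patent)
WHITE: WhiteList = {
    "00:11:22:33:44:55": Fingerprint("00:11:22:33:44:55", "192.168.10.21",
                                     frozenset({80, 502}), "Linux 3.x"),
}
BLACK: BlackList = {"mac": {"de:ad:be:ef:00:01"}, "ip": set(), "port": {23}, "os": set()}

if __name__ == "__main__":
    seen = Fingerprint("00:11:22:33:44:55", "192.168.10.21", frozenset({80, 502, 23}), "Linux 3.x")
    print(handle_packet(seen, dict(WHITE), BLACK, IsolationArea(16)))
```

The function returns an `Action` rather than acting on the packet itself, so the same policy can sit behind the active path (new devices) and the passive path (known devices) and be unit-tested against list changes without any traffic.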
The following embodiment is described with reference to a specific scenario:
As shown in fig. 1, the security router identifies the fingerprint of an accessed terminal device as follows:
1. When the security router is deployed for the first time, a black list and a white list of terminal devices are established in advance, either by automatic identification followed by manual review or by manual input; the white list must be set, and its basic information is shown in Table 1;
2. A terminal device with a static IP address accesses the network:
2.1 The security router first uses the active device fingerprint identification technology (ICMP, Nmap and the like) to perform on-line device detection, port scanning and terminal operating system identification, and thereby analyses and acquires the terminal device's source IP, source MAC, open ports, operating system and so on. Many devices also expose characteristic information such as device type (model), manufacturer and device ID. When the terminal device is identified on its first network access, the security router records and stores this information;
2.2 The security router compares the white list with the information identified actively in the previous step, and forwards the subsequent communication between the terminal and the superior server only if the acquired information is consistent with the white list;
2.3 To further improve identification accuracy, the security router uses the lightweight passive device fingerprint identification technology to capture and analyse the communication packets once the terminal device starts communicating with the superior server, for example TCP and UDP passive analysis, TTL value analysis, HTTP analysis and MAC OUI analysis. Because the passive technique identifies the device fingerprint without sending any data, it can collect more detailed information without affecting the network; the security router records and stores this information when the terminal device is identified on its first network access;
2.4 For a newly accessed terminal device, or for a communication packet from a terminal device detected again after a timeout, the hybrid terminal access identification (active and passive) is performed; for communication packets that follow an identification that has not timed out, only the passive terminal identification method is used, in order to balance forwarding rate against the security of the communication data;
2.5 Throughout the terminal device identification, the security router judges whether the device is trusted according to the device black list and white list: communication packets of white-list devices are forwarded directly, and communication packets of black-list devices are blocked, discarded and alarmed directly. Information on newly accessed terminal devices, or devices detected again after a timeout, that fall outside both lists is temporarily placed in the isolation area and the unknown terminal access event is reported to the superior device. The router then waits for the superior device's authorisation; if the verdict is untrusted, the wait times out, or the upper limit of pending devices is reached, the packet is discarded;
3. A terminal device with a dynamic IP address accesses the network:
3.1 When a dynamic-IP terminal device accesses the network it first actively initiates a DHCP discover request; the security router identifies and analyses the source MAC address, the manufacturer information and the device model carried in the Options of the DHCP request packet. The security router judges whether the device is trusted for access according to the device black list and white list; if the captured information conforms to the white-list information, the access is judged trusted and the security router allocates an IP address to the terminal device;
3.2 Thereafter the router applies the same processing as for a static-IP terminal device accessing the network: it performs the lightweight passive device fingerprint identification and judges whether the device is trusted according to the device black list and white list; communication packets of white-list devices are forwarded directly to the target network, and communication packets of black-list devices are blocked, discarded, alarmed and so on.
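Step 3.1 above (S211-S212, and step 4) of the fig. 3 procedure below) reads the client's identity from its DHCP Discover before any address is assigned. The following Python is an added example, not the patent's or any product's code; it assumes that the manufacturer string is carried in DHCP option 60 (vendor class identifier) and the device model or name in option 12 (host name), since the patent does not say which Options it reads, and it constructs its own sample Discover frame inline. As an added defensive check it also compares the Ethernet source MAC with the BOOTP chaddr, so that a request whose claimed hardware address does not match the frame that carried it is visible to the white-list comparison:

```python
"""Passive identification of a dynamic-IP terminal from its DHCP Discover.
Added example; the option-to-field mapping and the white-list layout are
assumptions, not the patent's own implementation."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"


@dataclass
class DhcpFingerprint:
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address claimed in the BOOTP header
    msg_type: int             # option 53: 1 = DHCPDISCOVER, 3 = DHCPREQUEST
    vendor_class: str         # option 60, usually manufacturer / product family (assumed)
    hostname: str             # option 12, often the device name or model (assumed)
    param_request: List[int]  # option 55: parameter request list, stable per IP stack
    option_order: List[int]   # order in which the options were sent, also stack-specific

    def mac_consistent(self) -> bool:
        """A request whose chaddr differs from the frame's source MAC deserves review."""
        return self.src_mac == self.chaddr


def parse_dhcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                    # End option
            break
        if code == 0:                      # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            break                          # truncated option: stop, keep what we have
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def parse_dhcp_discover(frame: bytes) -> Optional[DhcpFingerprint]:
    """Return the fingerprint of an IPv4/UDP DHCP client message, else None."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack_from("!BBHHHBB", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or total_len > len(ip) or ihl < 20:
        return None
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    _sport, dport, udp_len = struct.unpack_from("!HHH", udp, 0)
    if dport != 67 or udp_len > len(udp):
        return None
    bootp = udp[8:udp_len]
    if len(bootp) < 240 or bootp[0] != 1 or bootp[236:240] != DHCP_MAGIC:
        return None                        # not a BOOTREQUEST carrying DHCP options
    hlen = bootp[2]
    chaddr = ":".join(f"{b:02x}" for b in bootp[28:28 + hlen])
    opts = parse_dhcp_options(bootp[240:])
    by_code: Dict[int, bytes] = dict(opts)
    return DhcpFingerprint(
        src_mac=src_mac,
        chaddr=chaddr,
        msg_type=by_code.get(53, b"\x00")[0],
        vendor_class=by_code.get(60, b"").decode("ascii", "replace"),
        hostname=by_code.get(12, b"").decode("ascii", "replace"),
        param_request=list(by_code.get(55, b"")),
        option_order=[code for code, _ in opts],
    )


def compare_with_whitelist(fp: DhcpFingerprint, entry: Dict[str, object]) -> Dict[str, bool]:
    """Per-parameter comparison with a stored white-list entry (assumed layout)."""
    return {
        "mac": fp.chaddr == entry["mac"] and fp.mac_consistent(),
        "manufacturer": fp.vendor_class == entry["manufacturer"],
        "model": fp.hostname == entry["model"],
        "stack": fp.param_request == entry["param_request"],
    }


def build_discover(src_mac: str, chaddr: str, hostname: str, vendor: str, prl: List[int]) -> bytes:
    """Constructed test input: an Ethernet/IPv4/UDP DHCP Discover (checksums left zero)."""
    mac = bytes(int(x, 16) for x in chaddr.split(":"))
    opts = (b"\x35\x01\x01" + bytes([61, 7, 1]) + mac
            + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([60, len(vendor)]) + vendor.encode()
            + bytes([55, len(prl)]) + bytes(prl) + b"\xff")
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"", b"", b"", b"", mac, b"", b"")
    payload = bootp + DHCP_MAGIC + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    eth = b"\xff" * 6 + bytes(int(x, 16) for x in src_mac.split(":")) + b"\x08\x00"
    return eth + ip_hdr + udp


# Constructed sample (not from the patent): an IoT sensor announcing itself
SAMPLE_DISCOVER = build_discover("00:11:22:33:44:55", "00:11:22:33:44:55",
                                 "sensor-01", "ACME-TempSensor-T100", [1, 3, 6, 12, 15])
SAMPLE_WHITELIST_ENTRY = {"mac": "00:11:22:33:44:55", "manufacturer": "ACME-TempSensor-T100",
                          "model": "sensor-01", "param_request": [1, 3, 6, 12, 15]}

if __name__ == "__main__":
    fp = parse_dhcp_discover(SAMPLE_DISCOVER)
    print(fp, compare_with_whitelist(fp, SAMPLE_WHITELIST_ENTRY))
```

Option 55 and the option ordering are kept alongside the vendor strings because strings in the Options are trivially settable by the client, whereas the parameter request list and ordering come from the DHCP client implementation and change less readily; a white-list entry that records both gives the router more to compare than the MAC alone.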
Table 1 white list terminal device basic fingerprint information
As shown in fig. 2, the active terminal fingerprint identification process is as follows:
1) By default the security router sequentially sends four different types of probe packets, namely ping scanning, TCP SYN ping scanning, TCP ACK ping scanning and ICMP timestamp ping scanning, into the network according to the IP range of the white-list terminals, so as to detect whether the target terminal device is on line. If a reply to any one of the packets is received, the target terminal device is judged to be up; four different packet types are used to avoid misjudgement caused by firewalls or packet loss;
2) The security router uses libpcap to capture the returned packets, analyses the IP address, MAC address and so on, and compares them with the white list: if they are consistent with the white list, the result is recorded for the next identification step; if not, they are compared with the black list and the comparison result and abnormal information are recorded. The subsequent identification and comparison of multi-parameter information then follows, in which forwarding is not granted merely because one parameter is consistent with the white list, nor is a drop/blocking operation performed merely because one parameter matches the black list, which effectively improves identification accuracy;
3) The security router then acquires the terminal's TCP port parameters: according to the detected IP address and MAC address of the terminal, it sends corresponding probe packets to the target terminal device using three kinds of scan, TCP FIN, Xmas and NULL;
4) The security router captures the returned packets with libpcap: if an RST is returned by the peer, the port is closed; if no RST is returned, the port is open or filtered;
5) The security router analyses the IP address, MAC address, port state and so on of the returned packet and compares them with the white list to determine whether they completely conform; if they conform, the result is recorded and the next identification step is carried out; if the IP address, MAC address, port state and
6) The security router acquires the terminal's UDP port parameters: according to the detected IP and MAC of the terminal, it performs UDP port scanning by sending probe packets to the UDP ports of the target terminal device;
7) The security router captures the returned packets with libpcap: if an ICMP port unreachable message is returned, the port is closed; if none is returned, the port is open or filtered;
8) The security router analyses the IP address, MAC address, port state and so on of the returned packet and compares them with the white list to determine whether they completely conform; if they conform, the result is recorded and the next identification step is carried out; and if the IP address, the MAC address, the
9) The security router uses Nmap TCP/IP stack fingerprinting to identify different operating systems and devices: specific TCP, UDP and ICMP packets are sent to the target terminal device according to the IP and MAC of the white-list terminal, the replies are captured and analysed to generate a system fingerprint, and the fingerprint is compared with the fingerprint sample library;
10) The security router compares the matched system with the operating system recorded for the corresponding white-list terminal to determine whether they completely conform; if so, the result is recorded; if not, the result is compared with the black list and the comparison result and abnormal information are recorded;
11) Corresponding processing is executed according to the comparison result:
if the comparison completely conforms to the white list, forwarding the communication packet;
if one or more of the specified parameters are in the black list, blocking and discarding the communication packet and raising an alarm;
if only the port comparison does not conform to the white list while the other items conform, forwarding the communication packet and prompting for processing;
if one or more of the specified parameters are in neither the white list nor the black list, placing the communication packet in the isolation area to wait for processing by the superior device;
and, once the superior device confirms the device as trusted, adding the fingerprint information of the corresponding terminal device to the white list.
As shown in fig. 3, the passive device fingerprint identification process is as follows:
1) Communication packets from terminal devices that have been allocated an IP address and from static-IP terminal devices enter the security router;
2) The security router uses libpcap to capture the communication packets of the terminal devices accessing the network, and analyses the IP address, the MAC address and the TTL value in the IP packet header;
3) The security router analyses and records the DF flag bit, the TCP window size, the size of the TCP SYN packet and the TCP options of the SYN in the transport-layer TCP packet;
4) If a dynamic-IP terminal device accesses the network, the security router captures and analyses its DHCP request packet with libpcap and obtains information such as the source MAC address, the manufacturer information in the Options and the device model;
5) The analysed data is compared with the white list: if it completely conforms, the communication packet is forwarded; otherwise the analysed data is compared with the black list, and if one or more of the specified parameters in the analysed data are in the black list, the communication packet is blocked and discarded;
if one or more of the specified parameters in the analysed data are in neither the white list nor the black list, the communication packet is placed in the isolation area to wait for processing by the superior device;
and, once the superior device confirms the device as trusted, the fingerprint information of the corresponding terminal device is added to the white list.
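The fields collected in steps 2) and 3) above (and in S31-S32) can be extracted from a captured frame with a short parser, and a white-list entry then compares them item by item. The following Python is an added example and not the patent's or any product's code; it assumes raw Ethernet frames of the kind libpcap delivers, constructs its own sample SYN inline (checksums are left zero because nothing here verifies them), and uses an assumed white-list entry layout with a compact p0f-style option signature:

```python
"""Passive fingerprint extraction from a captured TCP SYN. Added example; the
frame builder, field names and the white-list layout are assumptions, not the
patent's own implementation."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPTION_CODES = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}  # NOP, MSS, WScale, SACKok, Timestamps


@dataclass
class SynFingerprint:
    src_mac: str
    src_ip: str
    ttl: int
    df: bool                            # IP "Don't Fragment" flag
    window: int                         # TCP window size advertised in the SYN
    syn_size: int                       # total IP length of the SYN packet
    options: List[Tuple[int, bytes]]    # TCP options (kind, data) in wire order

    def signature(self) -> str:
        """Compact p0f-style option string, e.g. 'M1460,S,T,N,W7'."""
        parts = []
        for kind, data in self.options:
            code = OPTION_CODES.get(kind, f"?{kind}")
            if kind == 2:                                  # MSS value
                code += str(struct.unpack("!H", data)[0])
            elif kind == 3:                                # window scale shift
                code += str(data[0])
            parts.append(code)
        return ",".join(parts)


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP carries no length byte
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                          # malformed option: stop, keep what we have
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_syn(frame: bytes) -> Optional[SynFingerprint]:
    """Return the fingerprint of an IPv4 TCP SYN frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, frag, ttl, proto = struct.unpack_from("!BBHHHBB", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or total_len > len(ip) or ihl < 20:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack_from("!HHIIHH", tcp, 0)
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or (flags & 0x10):   # SYN set and ACK clear: a client's first packet
        return None
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return SynFingerprint(
        src_mac=src_mac,
        src_ip=".".join(str(b) for b in ip[12:16]),
        ttl=ttl,
        df=bool(frag & 0x4000),
        window=window,
        syn_size=total_len,
        options=parse_tcp_options(tcp[20:data_off]),
    )


def matches_whitelist(fp: SynFingerprint, expected: Dict[str, object]) -> Dict[str, bool]:
    """Per-parameter comparison with a stored white-list entry (assumed layout)."""
    return {
        "mac": fp.src_mac == expected["mac"],
        "ip": fp.src_ip == expected["ip"],
        "ttl": fp.ttl == expected["ttl"],
        "df": fp.df == expected["df"],
        "window": fp.window == expected["window"],
        "options": fp.signature() == expected["options"],
    }


def build_syn_frame(src_mac: str, src_ip: str, ttl: int, df: bool, window: int,
                    options: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test input: an Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    raw_opts = b"".join(b"\x01" if k == 1 else bytes([k, len(d) + 2]) + d for k, d in options)
    raw_opts += b"\x00" * (-len(raw_opts) % 4)
    data_off = (20 + len(raw_opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + raw_opts
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                         0x4000 if df else 0, ttl, 6, 0,
                         bytes(int(x) for x in src_ip.split(".")), bytes([192, 168, 10, 1]))
    eth = bytes([0x00, 0x50, 0x56, 0x00, 0x00, 0x01]) + bytes(int(x, 16) for x in src_mac.split(":")) + b"\x08\x00"
    return eth + ip_hdr + tcp


# Constructed sample: a Linux-like SYN (MSS, SACK-permitted, timestamps, NOP, window scale)
SAMPLE_FRAME = build_syn_frame(
    "00:11:22:33:44:55", "192.168.10.21", ttl=64, df=True, window=29200,
    options=[(2, b"\x05\xb4"), (4, b""), (8, bytes(8)), (1, b""), (3, b"\x07")],
)
SAMPLE_WHITELIST_ENTRY = {"mac": "00:11:22:33:44:55", "ip": "192.168.10.21", "ttl": 64,
                          "df": True, "window": 29200, "options": "M1460,S,T,N,W7"}

if __name__ == "__main__":
    fp = parse_syn(SAMPLE_FRAME)
    print(fp, matches_whitelist(fp, SAMPLE_WHITELIST_ENTRY))
```

Only the client's first SYN is fingerprinted: a SYN/ACK reflects the server's stack, and later segments do not carry the negotiation options, so feeding them into the comparison would only produce false mismatches. The TTL is compared as observed; a router that also sees traffic from behind other hops would instead record the inferred initial TTL.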
The security router of this embodiment supports several safe and reliable management means and performs automatic identification and authentication of terminal devices. It identifies the fingerprint of a terminal device with the hybrid terminal fingerprint identification technology, compares it with the black list and white list, and, once a white-list terminal device has been identified, encrypts and transmits the communication packets of the trusted device. In this way the encryption and security isolation of the data uploaded by the sensing layer are improved, and attacks by counterfeit terminals and abnormal data are prevented.
The specific embodiments described herein are merely illustrative of the spirit of the invention. Those skilled in the art may make various modifications or additions to the described embodiments, or employ alternatives, without departing from the spirit or scope of the invention as defined in the appended claims.
Although the terms terminal device, active device fingerprint identification method, passive device fingerprint identification method, target terminal device and so on are used frequently herein, the possibility of using other terms is not excluded. These terms are used merely to describe and explain the nature of the present invention more conveniently; construing them as any additional limitation would be contrary to the spirit of the present invention.
Claims (10)
1. An Internet of things security networking method based on a security router, characterized in that the method comprises the following steps:
S1, judging whether the terminal device is a new access device; if so, executing step S2, otherwise executing step S3;
S2, performing terminal fingerprint identification on the terminal device by adopting an active device fingerprint identification method and/or a passive fingerprint identification method;
S3, performing terminal fingerprint identification on the terminal device by adopting a passive device fingerprint identification method;
and S4, judging whether the terminal device is trusted according to the fingerprint identification result, and if so, forwarding a communication packet of the terminal device.
2. The Internet of things security networking method based on a security router according to claim 1, wherein in step S2, if the terminal device uses a static IP address, an active device fingerprint identification method is adopted, including:
S201, performing on-line detection of the target terminal device by sequentially sending several data packets of different types into the network;
S202, executing multiple fingerprint parameter comparisons, including address comparison, port comparison and terminal operating system comparison, on the target terminal device against the white list and the black list.
3. The Internet of things security networking method based on a security router according to claim 2, wherein in step S2, if the terminal device uses a dynamic IP address, a passive fingerprint identification method is adopted, including:
S211, capturing and analysing a DHCP request packet actively initiated by the terminal device;
S212, acquiring fingerprint information of the terminal device, including MAC address parameter information, manufacturer parameter information in the Options and device model parameter information, from the DHCP request packet, and comparing the fingerprint information with the black list and the white list.
4. The Internet of things security networking method based on a security router according to claim 3, wherein if the terminal device is a new access device, step S4 includes:
if the comparison completely conforms to the white list, forwarding the communication packet, and, if the terminal device uses a dynamic IP address, allocating an IP address to it at the same time;
if one or more of the specified parameters are in the black list, blocking the communication packet;
if only the port comparison does not conform to the white list while the other items conform, forwarding the communication packet and prompting for processing;
and if one or more of the specified parameters are in neither the white list nor the black list, placing the communication packet in the isolation area to wait for processing by the superior device.
5. The Internet of things security networking method based on a security router according to claim 4, wherein in step S3 the passive device fingerprint identification method comprises:
S31, capturing the communication packet and analysing the IP address, the MAC address and the TTL value in the IP packet header;
S32, analysing the DF flag bit, the TCP window size, the size of the SYN packet and the TCP options of the SYN in the transport-layer TCP packet;
S33, comparing the data analysed in steps S31 and S32 with the white list.
6. The Internet of things security networking method based on a security router according to claim 5, wherein if the terminal device is not a new access device, step S4 includes:
if the comparison in step S33 completely conforms, forwarding the communication packet;
if the communication packet does not meet the preset rule, comparing the analysed data with the black list, and if one or more of the specified parameters in the analysed data are in the black list, blocking the communication packet;
if one or more of the specified parameters in the analysed data are in neither the white list nor the black list at the same time.
7. The method according to claim 6, wherein the new access device includes a terminal device accessing for the first time, a terminal device accessing again after a timeout, and a terminal device lacking fingerprint information.
8. The Internet of things security networking method based on a security router according to claim 1, wherein in step S4 the communication packet is forwarded by:
S41, encrypting the communication packet using SSL VPN technology;
and S42, uploading the encrypted communication packet to the superior device through a national cryptographic standard (Guomi) VPN encryption tunnel.
9. A security router, characterized in that the security router comprises a network processor based on the MIPS architecture, the network processor comprises a terminal device security judgment module and a security encryption module, and the terminal device security judgment module comprises an active terminal fingerprint identification module, a passive terminal fingerprint identification module and an identification processing module, wherein:
the active terminal fingerprint identification module is used for performing fingerprint identification on new access devices;
the passive terminal fingerprint identification module is used for performing fingerprint identification on new access devices or non-new access devices;
the identification processing module is used for processing the communication packets of the terminal device according to the fingerprint identification result;
and the security encryption module is used for encrypting the communication packets of devices identified as trusted by the fingerprint and forwarding them to the superior device.
10. The security router according to claim 9, wherein the security encryption module encrypts the communication packet using SSL VPN technology, and the encrypted communication packet is uploaded to the superior device through the VPN encryption tunnel.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010606677.5A CN111935212B (en) | 2020-06-29 | 2020-06-29 | Security router and Internet of things security networking method based on security router |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111935212A true CN111935212A (en) | 2020-11-13 |
| CN111935212B CN111935212B (en) | 2023-05-09 |
Family
ID=73317716
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010606677.5A Active CN111935212B (en) | 2020-06-29 | 2020-06-29 | Security router and Internet of things security networking method based on security router |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111935212B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114417336A (en) * | 2022-01-24 | 2022-04-29 | 北京新桥信通科技股份有限公司 | Application system side safety management and control method and system |
| CN114513536A (en) * | 2022-01-18 | 2022-05-17 | 成都网域探行科技有限公司 | Internet of things safety management analysis method |
| CN114531270A (en) * | 2021-12-31 | 2022-05-24 | 网络通信与安全紫金山实验室 | Defense method and device for segmented routing label detection |
| CN115499204A (en) * | 2022-09-15 | 2022-12-20 | 杭州安恒信息技术股份有限公司 | Honeypot attack tracing method, device, equipment and storage medium |
| CN115913664A (en) * | 2022-10-31 | 2023-04-04 | 深圳市欧瑞博科技股份有限公司 | Method, system and device for controlling intelligent access of equipment |
| CN116032577A (en) * | 2022-12-19 | 2023-04-28 | 北京成鑫盈通科技有限公司 | System, method, medium and terminal for realizing end-to-end data security transmission of terminal equipment |
| CN117579390A (en) * | 2024-01-16 | 2024-02-20 | 四川高速公路建设开发集团有限公司 | Variable information board safety protection method, system and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9807092B1 (en) * | 2013-07-05 | 2017-10-31 | Dcs7, Llc | Systems and methods for classification of internet devices as hostile or benign |
| CN107995226A (en) * | 2017-12-27 | 2018-05-04 | 山东华软金盾软件股份有限公司 | A kind of device-fingerprint recognition methods based on passive flux |
| CN108173834A (en) * | 2017-12-25 | 2018-06-15 | 北京计算机技术及应用研究所 | Terminal fingerprints technology identifies " all-purpose card " network terminal |
| CN108173692A (en) * | 2017-12-28 | 2018-06-15 | 山东华软金盾软件股份有限公司 | It is a kind of based on the whole network equipment sensory perceptual system being actively and passively combined and cognitive method |
| CN108200023A (en) * | 2017-12-25 | 2018-06-22 | 锐捷网络股份有限公司 | Unaware authentication method and device |
| CN109347785A (en) * | 2018-08-13 | 2019-02-15 | 锐捷网络股份有限公司 | A terminal type identification method and device |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114531270A (en) * | 2021-12-31 | 2022-05-24 | 网络通信与安全紫金山实验室 | Defense method and device for segmented routing label detection |
| CN114531270B (en) * | 2021-12-31 | 2023-11-03 | 网络通信与安全紫金山实验室 | Defensive method and device for detecting segmented routing labels |
| CN114513536A (en) * | 2022-01-18 | 2022-05-17 | 成都网域探行科技有限公司 | Internet of things safety management analysis method |
| CN114513536B (en) * | 2022-01-18 | 2023-12-08 | 成都网域探行科技有限公司 | Internet of things safety management analysis method |
| CN114417336A (en) * | 2022-01-24 | 2022-04-29 | 北京新桥信通科技股份有限公司 | Application system side safety management and control method and system |
| CN115499204A (en) * | 2022-09-15 | 2022-12-20 | 杭州安恒信息技术股份有限公司 | Honeypot attack tracing method, device, equipment and storage medium |
| CN115913664A (en) * | 2022-10-31 | 2023-04-04 | 深圳市欧瑞博科技股份有限公司 | Method, system and device for controlling intelligent access of equipment |
| CN116032577A (en) * | 2022-12-19 | 2023-04-28 | 北京成鑫盈通科技有限公司 | System, method, medium and terminal for realizing end-to-end data security transmission of terminal equipment |
| CN117579390A (en) * | 2024-01-16 | 2024-02-20 | 四川高速公路建设开发集团有限公司 | Variable information board safety protection method, system and storage medium |
| CN117579390B (en) * | 2024-01-16 | 2024-04-05 | 四川高速公路建设开发集团有限公司 | Variable information board safety protection method, system and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111935212B (en) | 2023-05-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111935212B (en) |  | Security router and Internet of things security networking method based on security router |
| Kumar et al. |  | SAFETY: Early detection and mitigation of TCP SYN flood utilizing entropy in SDN |
| US8060927B2 (en) |  | Security state aware firewall |
| US12218937B2 (en) |  | Packet processing method and apparatus, device, and computer-readable storage medium |
| US11558354B2 (en) |  | Efficient protection for a virtual private network |
| US20050160289A1 (en) |  | System and method for intrusion prevention in a communications network |
| US8671451B1 (en) |  | Method and apparatus for preventing misuse of a group key in a wireless network |
| CN102655509B (en) |  | Network attack identification method and device |
| CN111988289B (en) |  | EPA Industrial Control Network Security Testing System and Method |
| CA2506418C (en) |  | Systems and apparatuses using identification data in network communication |
| Lei et al. |  | SecWIR: Securing smart home IoT communications via wi-fi routers with embedded intelligence |
| CN112954683B (en) |  | Domain name resolution method, device, electronic device and storage medium |
| CN112615866A (en) |  | Pre-authentication method, device and system for TCP connection |
| CN106453376A (en) |  | Stateless scanning filtering method based on TCP packet feature |
| US12213202B2 (en) |  | Systems and methods for detecting and attacking a VPN |
| US20240396914A1 (en) |  | Systems and methods for network traffic fingerprinting and associated security actions |
| Jones et al. |  | Pptp vpn: An analysis of the effects of a ddos attack |
| AlAali et al. |  | Cybersecurity threats and solutions of IoT network layer |
| Patel et al. |  | A snort-based secure edge router for smart home |
| Nigam et al. |  | Man-in-the-middle-attack and proposed algorithm for detection |
| Felix |  | TCP/IP stack transport layer performance, privacy, and security issues |
| CN118749185A (en) |  | Context-based security over interfaces in NG-RAN environments and O-RAN environments in mobile networks |
| Wang et al. |  | Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack |
| Ji et al. |  | First-Packet Matching-Based Strategy for Preventing 5G IPv6 Source Address Spoofing |
| Liu et al. |  | Avoiding VPN Bottlenecks: Exploring Network-Level Client Identity Validation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
|  | PB01 | Publication |  |
|  | SE01 | Entry into force of request for substantive examination |  |
|  | GR01 | Patent grant |  |