RU205636U1 - MULTI-SERVICE ROUTER WITH NETWORK CONNECTION CONTROL AND CURRENT NETWORK MASKING - Google Patents

Abstract

The utility model relates to a multiservice router with control of parameters of network connections and masking of a computer network. The technical result is to reduce the resource intensity of protection and increase the efficiency, safety and secrecy of the communication channel in the Internet, as well as the safety and secrecy of the parameters of the local area network (LAN), which are segments of the data transmission system. For this purpose, a module for managing the parameters of the LAN structure is additionally introduced into the specified router; block for changing the parameters of the LAN network layer; a module for managing network connections and a block for changing parameters for network connections. In particular, the reduction in the resource intensity of protection is ensured due to the absence of unreasonable changes in the IP addresses of the external interfaces of routers and the IP addresses of the LAN nodes of the data transmission network. 5 ill.

Description

The proposed utility model relates to the field of data transmission networks and routable networks with packet switching, in particular, to modular scalable structures for building fast Ethernet routers, and can be used to implement secure (secure) information exchange through public communication networks, such as Internet, as well as for masking LAN parameters from network intelligence and managing network connections with an attacker.

Known analogue "Protection system for connected computer networks" by RF patent No. 2152691 IPC G06F 12/14, publ. 07/10/2000, which consists in the fact that the device contains the first network motherboard and the second network motherboard, each of the specified first and second network motherboards has a network interface adapter for exchange with the specified first and second computer networks, respectively, each of the specified network motherboards additionally has a transfer adapter for exchanging with the transfer adapter of another network motherboard, the specified transfer adapters are paired and identical, each of the network motherboards has network software to prevent the transmission of routing service information between the network interface adapters and the transfer adapter of each network motherboards, each network motherboard additionally contains protocol conversion software that prevents upper layer protocol information and source and destination address information from passing between the specified network interface ad an apter and said transfer adapter of each network motherboard, and at least one of the network motherboards has application interface middleware for providing application-level exchange services to computers connected to said at least one network motherboard.

The disadvantage of this device is the low secrecy of information directions when organizing communication between computer networks via public communication networks, such as the Internet.

You know a device for protecting a communication channel of a computer network according to RF patent No. 2306599, IPC G06F 21/00, publ. 09/10/2007, which consists in the fact that the device contains a local protection segment (LSP), the first and second input / outputs of which are connected respectively to the LAN and a router connected to the Internet, and containing an address base storage unit (BHBA), a processor , an encoding / decoding unit (CD), information input and output, the inputs “password” and “conversion type” of which are connected to the corresponding ports of the processor; the first and second network adapter (CA). The control input BVA is connected to the "address" port of the processor, and the x-bit output of the address selection unit is connected to the x-bit input of the BHBA. In the BHBA, the m-bit output is connected to the m-bit input of the BOCHTA. The control input and the m-bit output of the BOKHTA are connected, respectively, to the port "request of the current address" and the m-bit port "current address" of the processor. In the first CA, the n-bit output and input are connected, respectively, to the n-bit input "source packet" and the output "source packet" of the processor. Moreover, the "local area network" output of the first CA is the first input / output of the LSZ. In the second CA, the p-bit input and output are connected, respectively, to the p-bit output and the "information / notification" input of the processor, and the t-bit "control" port of the processor is connected to the t-bit control input of the second CA. The "Internet" output of the second CA is the second input / output of the LSS.

The disadvantages of this device are the narrow scope and relatively low noise immunity. The narrowness of the scope is due to the lack of support for routing protocols and, as a result, the inability to use the device for information exchange through public communication networks, such as the Internet, without an additional router. The relatively low noise immunity is due to the fact that the presence of intentional and unintentional interference in data transmission networks leads to packet losses during their transmission, which leads to failures in the process of receiving and transmitting message packets in the process of changing address information.

Known multiservice router for RF patent No. 186859, IPC H06L 12/701 (2013.01), publ. 06.02.2019 Bul. No. 4. The analogue refers to data transmission networks, in particular, to a modular, scalable structure for building routers for fast Ethernet networks. The multiservice router contains a switching unit and a route processor, interconnected by the first inputs / outputs, a ternary associative memory, the output of which is connected to the third input of the route processor; the first processor module, the first input / output of which is connected to the third input / output of the switching unit; a second processor module, the first input / output of which is connected to the second input / output of the switching unit; a high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA), the first output of which is connected to the second input of the first processor module, the second output to the second input of the second processor module, and the third output to the second input of the route processor; the first COM port, the input / output of which is connected to the third input / output of the first processor module; the second COM port, the input / output of which is connected to the third input / output of the second processor module; the first Ethernet port, the input / output of which is connected to the fourth input / output of the first processor module; a second Ethernet port, the input / output of which is connected to the fourth input / output of the second processor module; N SFP modules, the inputs / outputs of which are connected, respectively, to the N inputs / outputs of the route processor; a synchronization module, the first output of which is connected to the fifth input of a high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA), and the second output is connected to the fourth input of a high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA) ...

In this analogue, they support routing protocols, provide reliable and continuous determination of the current time and output signals synchronized with the assigned system time scale, which is achieved by ensuring the ability to synchronize devices. By filtering network packets and translating (translating) network addresses, the device allows you to hide the IP addresses of subscribers on subnets from each other.

The disadvantage of the analogue is the relatively low security and secrecy of the communication channel. This disadvantage is due to the fact that communication channels of remote segments of the data transmission network connected by such devices via the Internet are easily identified by analyzing traffic at a certain point on the Internet, since they are characterized by a high rate of exchange of message packets with the same addresses of external interfaces of routers. In this case, it becomes possible to determine the addresses of remote segments of the data transmission network and to reveal the structure of the distributed data transmission network. Such information is sufficient to disrupt information exchange, or to carry out destructive effects in relation to a distributed data transmission network, in particular, on the device itself.

The closest technical solution adopted for the prototype is the utility model "Multiservice router with masking of information directions", according to RF patent No. 191373, IPC H04L 12/701 (2013.01), H04L 12/54 (2013.01), publ. 08/02/2019 Bul. No. 22. The prototype relates to the field of data transmission networks and routable networks with packet switching, in particular, to modular scalable structures for building fast Ethernet routers, and can be used to implement secure (secure) information exchange over public communication networks such as the Internet. A multiservice router with masking of information directions contains a switching unit and a route processor interconnected by the first inputs / outputs, a ternary associative memory, the first output of which is connected to the third input of the route processor, a processor module, the first input / output of which is with the second input / output of the switching unit a high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA), the first output of which is connected to the second input of the processor module, the third output to the second input of the route processor; COM port, the input / output of which is connected to the third input / output of the processor module; Ethernet port, the input / output of which is connected to the fourth input / output of the processor module; N SPF modules, the inputs / outputs of which are connected, respectively, to the N inputs / outputs of the route processor; a synchronization module, the first output of which is connected to the fifth input of the module with a non-blocking high-speed FPGA-based switching matrix (FPGA), and the second output is connected to the fourth input with a non-blocking high-speed FPGA-based switching matrix (FPGA); information directions masking module; block for changing the parameters of the link layer (MAC addresses); block for changing network layer parameters (IP addresses); the first input of the information directions masking module is connected to the fifth output of the processor module; the second output of the module for masking information directions is connected to the second input of the unit for changing the parameters of the link layer (MAC addresses), the first output of which is connected to the second input of the ternary associative memory; the third output of the module for masking information directions is connected to the second input of the unit for changing the parameters of the network layer (IP-addresses), the first output of which is connected to the third input of the ternary associative memory; the fourth input of the information directions masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA).

In this prototype, the security and secrecy of the operation of the communication channel in the Internet is ensured by complicating the procedure for determining addresses and identifying the interconnections of remote segments of the distributed data transmission network when analyzing traffic at a certain point of the Internet by continuously changing the addresses of the external interfaces of routers that provide an exit in the transmitted message packets. sender and recipient of message packets to the Internet, which makes it almost impossible to determine, identify and open the structure of a distributed data transmission network. To ensure noise immunity of the device in the conditions of intentional and unintentional interference that lead to packet loss during their transmission, they provide continuous determination of the current time and the issuance of signals to synchronize the process of data transmission between routers that vary the addresses of their external interfaces.

The disadvantage of the prototype device is a relatively narrow field of application, relatively high resource intensity and relatively low security and secrecy of the data transmission network. The narrow scope of the prototype is due to the possibility of its use only for protection from an external intruder and the impossibility of using a data transmission network to protect local segments (local area networks, LAN), as well as the fact that changing IP addresses between routers that vary the addresses of their external interfaces, occurs within the same subnet. This limits the used range of restructuring of the changed parameters and can lead to the possibility of an attacker reconstructing the algorithm for changing their values, in particular, the IP addresses of the external interfaces of routers, and taking measures to overcome the protection system. The relatively high resource consumption of the prototype is associated with an unreasonable continuous change in the transmitted message packets of the addresses of the external interfaces of routers, regardless of the actions (inaction) of the attacker. The relatively low security and secrecy of the data transmission network is due to the fact that the parameters of the local segments of the data transmission network connected by such devices via the Internet are stationary, that is, they do not change in the prototype, and can be opened by an intruder. This turns out to be sufficient to disrupt information exchange, or to carry out destructive effects in relation to local segments of the data transmission network, in particular, on the device itself.

The objective of this utility model is to eliminate the above disadvantages. The technical result of the proposed utility model is to expand the scope, reduce the resource intensity of protection, increase the security and secrecy of the communication channel in the Internet, as well as the security and secrecy of the LAN parameters.

The technical result is provided by the fact that in a multiservice router with control of the parameters of network connections and masking of a computer network, containing a switching unit and a route processor, interconnected by the first inputs / outputs, a ternary associative memory, the first output of which is connected to the third input of the route processor, a processor module , the first input / output of which is with the second input / output of the switching unit, a high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the seventh output of which is connected to the second input of the processor module, the first output to the second input of the route processor; COM port, the first input / output of which is connected to the fourth input / output of the processor module; Ethernet port, the first input / output of which is connected to the third input / output of the processor module; N SPF modules, the inputs / outputs of which are connected, respectively, to the N inputs / outputs of the route processor; a synchronization module, the first output of which is connected to the sixth input of a module with a non-blocking high-speed FPGA-based switching matrix (FPGA), and the second output - to the fifth input with a non-blocking high-speed FPGA-based switching matrix (FPGA), a direction masking module, the first input of which connected to the seventh output of the processor module, the fourth output to the second input of the block for changing the parameters of the channel level, the first output of which is connected to the second input of the ternary associative memory, the third output of the information directions masking module is connected to the second input of the block for changing the parameters of the network layer, the first output of which is connected with the third input of the ternary associative memory, the second input of the information directions masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA); additionally, a module for controlling the parameters of the LAN structure was introduced; block for changing the parameters of the LAN network layer; network connection management module; block for changing the parameters of network connections. The first input of the LAN parameters control module is connected to the fifth output of the processor module. The second input is connected to the fourth output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA). The third output of the module for controlling the LAN parameters is connected to the second input of the unit for changing the parameters of the LAN network layer, the first output of which is connected to the fifth input of the ternary associative memory. The first input of the network connection control module is connected to the sixth output of the processor module. The second input is connected to the third output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA). The third output of the module for managing network connections is connected to the second input of the unit for changing the parameters of network connections, the first output of which is connected to the fourth input of the ternary associative memory.

All elements of a multiservice router with management of network connection parameters and masking of a computer network are made using digital technologies.

Comparison with the prototype shows that the claimed device is distinguished by the presence of new blocks and their connections between them. Thus, the claimed device meets the "novelty" criterion.

Comparison of the proposed solution with other technical solutions shows that the listed elements are known, however, their introduction in this connection with the rest of the elements leads to an expansion of the functionality of the device. This confirms the compliance of the technical solution with the criterion of "significant differences".

The introduction of the listed new elements in the specified connection with other elements leads to the preservation of the advantages of the prototype and the elimination of its shortcomings, forms a single, centrally controlled, protective mechanism, which provides by synchronous change of IP addresses of LAN nodes and IP addresses of external interfaces of routers within several subnets , at intervals of time, adaptively changing, depending on the characteristics of the functioning of the data transmission system and the actions of the attacker, the impossibility for him to identify both the information directions of the data transmission network and the parameters of its local segments. Also, the introduction of these new elements ensures that the attacker is kept in a long-term connection, which provides additional time for changing the IP addresses of LAN nodes and external interfaces of routers, without reducing the availability of information for clients of the data transmission network, as well as additional time for the security system to take additional protection measures, which confirms the compliance of the technical solution with the criterion "significant differences".

The declared utility model is illustrated by drawings:

fig. 1 is a block diagram of a multiservice router with masking of information directions, parameters of the LAN structure and management of network connections;

fig. 2 is an illustration of the principle of masking information directions by varying IP addresses;

fig. 3 is an illustration of the principle of masking information directions by varying IP addresses, with a new subnet number and a new value of the time parameter for their change;

fig. 4 is an illustration of the principle of ensuring the secrecy of LAN parameters by varying IP addresses within several subnets before and after their change;

fig. 5 is an illustration of the principle of managing network connections.

It is known that modern network security technologies concentrate on the protection of data transmission networks, based on the use of an assortment of prohibitive regulations and distance the object of protection from the attacker. So, firewalls, proxy servers, application level gateways and even intrusion detection systems, described, for example, in the book Andronchik A.N., Bogdanov V.V., Domukhovsky N.A., Kollerov A.S., Sinadsky N I.I., Khorkov D.A., Shcherbakov M.Yu. Information protection in computer networks. Practical course: textbook / A.N. Andronchik, V.V. Bogdanov, N.A. Domukhovsky and others; edited by N.I. Sinadsky. - Yekaterinburg: USTU-UPI, 2008. - 248 s, designed to prevent, prohibit and / or detect an intruder's access to protected information resources. However, the use of these tools to protect data transmission networks from network intelligence in order to anticipate destructive actions of an attacker does not allow ensuring the required level of their protection. This is due to the fact that the structure of most modern data transmission networks, determined by the scheme of their information directions and LAN parameters, is stationary throughout the entire time of their operation. This ensures the reliability of the information received about them by the attacker, based on the results of network reconnaissance, over a long period of time and provides the attacker with the opportunity to plan (choose the time and tools) to start a computer attack without the threat of compromising his actions.

Therefore, it is the stationarity of the parameters of data transmission networks that determines the presence of information security threats, described, for example, in the Information Security Threats Data Bank, on the FSTEC of Russia website www.fstec.ru, such as:

- the threat of detecting open ports and identifying services associated with them (098);

- Host detection threat (099);

- the threat of obtaining preliminary information about the object of protection (132);

- the threat of determining the topology of a computer network (104);

- the threat of defining the types of protected objects (103);

- threat of unauthorized access to virtual transmission channels (075);

- the threat of bringing the system into a state of "denial of service" (140);

- threat of illegal actions in communication channels (069), etc.

In this regard, in the guidance documents of the FSTEC, for example, in the FSTEC Order No. 21 dated 02/18/2013, the FSTEC Order No. 27 dated 02/15/2017, the FSTEC Order No. 239 dated 12/25/2017, "Methodological document. Protection measures in state information systems ", approved by the FSTEC of Russia on 11.02.2014, reflects recommendations that interpret the need for:

- hiding the architecture and configuration of the information (automated) system (ZIS.8);

- transfer of the information system or its devices (components) into a predetermined configuration that provides information protection in the event of failures (failures) in the information protection system of the information system (ZIS.29);

- elimination of the consequences of computer incidents (INC.4);

- taking measures to prevent the recurrence of computer incidents (INC.5);

- transfer of the information (automated) system to a safe state in the event of failures (failures) (ZIS.37);

- reproduction of false and (or) concealment of true individual IT and (or) structural and functional characteristics of the IS or its segments, ensuring the imposition of a false idea on the intruder about the true IT and (or) structural and functional characteristics of the IS (ZIS.28);

- management of network connections (ZIS.35).

Thus, a contradiction arises between the effectiveness of the protection of data transmission networks and the ability of attackers to open them, due to the static parameters of these networks. The proposed utility model is aimed at eliminating this contradiction.

The device works as follows. Routing in data networks is the process of determining the route of packets of messages in data networks. A distinction is made between static routes, which are set administratively, and dynamic routes, which are calculated using routing algorithms based on information about the topology and state of the network obtained using routing protocols (from other routers).

Internet routing is based on the TCP / IP family of protocols. In the case of routing IP packets, a router that transfers message packets of correspondent subscribers to a public communication network implements network address translation - NAT (from the English Network Address Translation) - a mechanism for dynamically replacing IP addresses passing through it to a public communication network. using message packets to the IP address of its external interface.

In the data transmission networks of telecom operators, it is possible to route not only IP packets, but also Ethernet frames by organizing virtual private networks (from the English Virtual Private Networks) of the link level (the so-called Layer 2 Virtual Private Networks, L2VPN). For this, the mechanism of multi-protocol label switching is MPLS (from the English multiprotocol label switching), which consists in transferring data from one network node to another using labels. MPLS is a scalable and protocol-independent communication mechanism. The decision to transfer a data packet to another network node is made only on the basis of the value of the assigned label without the need to analyze the data packet itself. Due to this, it is possible to create an “end-to-end” virtual channel, independent of the transmission medium and the used data transmission protocols.

The function of routing message packets in the device is performed by a specialized routing processor (1), in which the software functions for analyzing the contents of the message packet, translating network addresses, directing to the desired interface (9) in accordance with the routing table, which is formed by the processor module (5). Local configuration of the device is carried out through the COM port (8) and Ethernet port (7), connected directly to the processor module (5). To switch N SFP modules (9) to the route processor, a switching unit (PCI switch) is used, see unit 2 in FIG. 1. SFP (from the English Small Form-factor Pluggable) is an industry standard for modular compact transceivers (transceivers) used to connect a network device card (in particular, a router) to a cable communication line (optical fiber or unshielded twisted pair) and match electrical parameters of the joint (interface).

The routing table is formed during device initialization using the processor unit (5) static or dynamic routing. The generated table is stored in ternary associative memory (4), which is used in the device to increase its performance when searching in the routing table. When a message packet arrives through the SFP module (9), the route processor (1) analyzes the header of the message packet, and based on the analysis results, if a service packet of messages is detected, sends it to the processor module (5) through the module (3) high-speed packet data processing with non-blocking high-speed switching matrix based on programmable logic integrated circuits, FPGAs, or FPGAs (from the English Field-Programmable Gate Array), user-programmable gate arrays.

Otherwise, that is, if a transit (non-service message packet) is detected, the route processor (1) searches for routing information in the routing table stored in ternary associative memory (4) and, based on the search results, translates the message packet through the corresponding SFP module ( 9) to the network.

The synchronization module (6) is designed to ensure the device's noise immunity in the conditions of intentional and unintentional interference, by ensuring continuous determination of the current time and outputting 10 MHz and 1 Hz signals to the module (3) for high-speed packet data processing with a non-blocking high-speed switching matrix based on FPGA (FPGA ).

To achieve the technical result in terms of increasing the security and secrecy of the communication channel, the function of masking information directions is activated in the device, for which the module for masking information directions is initialized (12). At the same time, initialization can be carried out locally, transmitting control information through the COM port (8) and Ethernet port (7) by means of the processor module (5), the seventh output (5.7) of which is connected to the first input (12.1) of the information directions masking module (12) , or remotely, transmitting the service message packets received by the SFP module (9) through the route processor (1) and the high-speed packet data processing module (3) with a non-blocking high-speed FPGA-based switching matrix, the output (3.2) of which is connected to the input ( 12.2) of the module for masking information directions (12). The initialization of the module for masking information directions (12) consists in obtaining, decoding and applying by the device configuration information containing connectivity matrices of masked information directions by MAC addresses and IP addresses, to increase the effectiveness of protection in comparison with the prototype device, which are changed within several subnets. and the value of the parameter of the time of their change (in practice, the value of this parameter is chosen in the interval from 1 to 10 seconds). To reduce the resource intensity of protection caused by unreasonable constant changes in MAC addresses and IP addresses, the module for masking information directions (12) is initialized after each of the cases of detecting an attempt to unauthorized scanning of protected network resources, at the command received from the network security means of the data transmission system or the same on command from the security administrator.

The matrixes of connectivity of masked information directions decoded by the masking module (12) by MAC-addresses and IP-addresses, changed within several subnets, are stored, respectively, in the block (13) for changing the parameters of the link layer (MAC-addresses), the input (13.2) of which connected to the output (12.4) of the information directions masking module (12), and in the unit (14) for changing the network layer parameters (IP addresses), the input (14.2) of which is connected to the output (12.3) of the information directions masking module (12). These matrices are pointers for the variation of the addresses of the external (external) interface (s) of the router selected (selected) for organizing masking information directions, and their connectivity, that is, the logic of masking information directions, is available for reading from ternary associative memory (4), input (4.2) which is connected to the output (13.1) of the block (13) for changing the parameters of the link layer (MAC addresses), and the input (4.3) is connected to the output (14.1) of the block (14) for changing the parameters of the network layer (IP addresses). The module for masking information directions (12), the unit (13) for changing the parameters of the data link layer (MAC addresses) and the unit (14) for changing the parameters of the network layer (IP addresses) can be implemented using Soft microprocessors and (or) memory chips, for example such as FeRAM (Ferroelectric Random Access Memory) - non-volatile ferroelectric memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high performance and virtually unlimited rewriting cycles.

For routers in which the module for masking information directions (12) is absent or not initialized, as well as for software analyzing the availability of network interfaces, or analyzing the traffic of message packets at some point in the public communication network, the masked information direction will be presented ("look like" ) as a set of changing information directions {MAC and (or) IP addresses) in accordance with the set value of the parameter of their change. An illustration of the principle of masking information directions by varying the IP addresses of interfaces within several subnets is shown in Fig. 2. FIG. 2, a illustrates an example of an unmasked information direction between router interfaces with IP addresses 213.196.77.15 and 210.196.76.18. Suppose that when initializing masking, each of the interacting routers performs masking of one interface - with IP addresses 213.196.77.15 and 210.196.76.18, respectively (see Fig. 2, a). Let the configuration file set the masking redundancy for each IP address equal to four, and the value of the time of their change parameter - 1 second. The matrix of connectivity of masked information directions by IP addresses is shown in FIG. 2, b. Then, after approximately 10 seconds, the ideal observer, instead of one information direction, "sees" 10 information directions shown in FIG. 2, c. To increase the security and secrecy of the communication channel, upon detection of unauthorized influences, the masking module of information directions (12) generates new values of IP addresses, but already with a different subnet number that is different from the previous one and a new value of the parameter of their change time, for example, 2 seconds. In this case, the matrix of connections of the masked information directions will have the form as shown in Fig. 3, a, and after about 20 seconds, an ideal observer, instead of one information direction, "sees" 10 information directions shown in FIG. 3, b.

To activate the function of masking LAN parameters in the device, which provides increased security and secrecy of LAN parameters, which is especially important for protecting against threats from an internal attacker, by replacing the static LAN parameters with dynamic ones, the LAN parameters control module is initialized (10). To reduce the resource intensity of protection, the initialization of the LAN parameters control module (10) is carried out synchronously with the information directions masking module (12) after fixing an attempt of destructive influences. The moment you start changing the parameters is the moment you receive a command from the network protection of the data transmission system or a command from the security administrator. To increase the secrecy of LAN parameters, changing the IP addresses of its nodes is carried out within several subnets, as well as changing the IP addresses of the router interfaces by the masking module of information directions (12).

In this case, the initialization of the LAN parameters control module (13) can be carried out locally, transmitting control information through the COM port (8) and Ethernet port (7) through the processor module (5), the fifth output (5.5) of which is connected to the first input (10.1) control of LAN parameters (10), or remotely, transmitting the service message packets received by the SFP module (9) through the route processor (1) and the module (3) high-speed packet data processing with non-blocking high-speed FPGA-based switching matrix (FPGA), output (3.4 ) which is connected to the input (10.2) of the LAN parameters control module (13). The initialization of the module for controlling the LAN parameters (13) consists in obtaining, decoding and using by the device configuration information containing the IP addresses of the LAN nodes and the value of the parameter of the time of their change.

An illustration of the principle of ensuring the secrecy of LAN parameters by varying IP addresses within several subnets after their first and subsequent changes is shown in Fig. 4. FIG. 4, a illustrates an example of information links between nodes and their IP addresses after the first change. Let, when initializing the function of masking LAN parameters, synchronously with masking the interface by each of the interacting routers, masking of the IP addresses of the nodes of the local segment of the data transmission network behind this router is carried out. Let the configuration file set the value of the change time parameter - 1 second, the same as for changing the IP address of the router interface. Then, after about 10 seconds, the ideal observer, instead of one information direction, "sees" the values of the LAN parameters (IP addresses of the LAN nodes) shown in FIG. 4, a, and in the case of identification of the next attempt of unauthorized influence, the ideal observer will "see" the values of the LAN parameters, such as those shown in Fig. 4, b. To increase the secrecy of the LAN parameters, after the security system fixes an attempt of another destructive action, the LAN parameters control module (13) generates new values of IP addresses, but already with a different subnet number, different from the previous one and a new value of the parameter of their change time, identical to the value parameter of the time of changing IP addresses, formed by the masking module of information directions (12).

The IP addresses decoded by the LAN parameters control module (13), the time of their change and the subnet number are stored, respectively, in the unit (16) for changing the parameters of the LAN network layer, the input (16.2) of which is connected to the output (10.3) of the LAN parameters control module (10). What is a pointer for the variation of the IP addresses of the LAN nodes, and the logic of masking the LAN structure is available for reading from ternary associative memory (4), the input (4.5) of which is connected to the output (16.1) of the block (16) for changing the parameters of the network layer (IP- host addresses, their lease time, subnet numbers). The LAN parameters control module (10) and the unit for changing the parameters of the LAN network layer (IP addresses of LAN nodes, their change time, subnet numbers) (16) can be implemented using Soft microprocessors and (or) memory chips, for example, such as FeRAM (Ferroelectric Random Access Memory) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high performance and virtually unlimited rewriting cycles.

When an attempt is made to carry out destructive actions on the components of the data transmission network, the function of keeping the intruder in the forced network connection is activated in the device. This function is activated by introducing a network connection control module (11), a block for changing network connection parameters (15) and their initialization into a multiservice router with control of network connection parameters and masking of a computer network.

For this, the network connection control module (11) is initialized. The initialization of the network connection control module (11) can be carried out locally by transmitting control information through the COM port (8) and Ethernet port (7) through the processor module (5), the sixth output (5.6) of which is connected to the first input (11.1) of the network control module connections (11), or remotely, transmitting the service message packets received by the SFP module (9) through the route processor (1) and the high-speed packet data processing module (3) with non-blocking high-speed FPGA-based switching matrix (FPGA), the output (3.3) of which connected to the input (11.2) of the network connection control module (11). Initialization of network connections (11), the control module is receiving, decoding and application device information containing W _nach initial value of the field "window size" service header of the response message TCP-packet destined for the identified intruder (in practice, this parameter is chosen in the range from 1 to 30 bytes) and W _{beats the} value of the "window size" field equal to zero to keep the network connection with the attacker at the final stage of establishing the network connection. An illustration of the principle of managing network connections is shown in FIG. five.

The values of the "window size" field of the service header of the TCP response packet of messages for the identified attacker decoded by the network connection control module (11) are stored in the block (15) for changing the parameters of network connections (the value of the "window size" field), the input (15.2) of which is connected to the output (11.3) of the network connection control module (11). These values are pointers for varying the values of the "window size" field of the service header of the TCP response packet of messages at the initial and final stages of establishing a network connection, in order to exclude the possibility of an intruder to compromise the firewall by the value of the "window size" field using specialized software and hold an attacker on a forced connection before the connection timed out. Their application logic is available for reading from ternary associative memory (4), the input (4.4) of which is connected to the output (15.2) of the block (15) for changing the parameters of network connections (values of the "window size" field).

This achieves a technical result in terms of increasing the effectiveness of protection, due to the fact that the attacker, after being detected by the means of protection and subsequent retention in a long-term forced connection, cannot use a part of the computing resource allocated for the stream held in a continuous connection. If it attempts to initialize another connection to the receiver of TCP packets (another attempt at unauthorized scanning or other malicious actions), due to the parallel use of information flows, this will ultimately lead to depletion of the attacker's resources (denial of service). At the same time, the data transmission system (server, recipient of message packets) does not maintain the connection state on its part and does not consume its computing resource. In addition, keeping an attacker in a long-term forced connection provides additional time required to complete data transfer in sessions established by authorized clients, without losses that may occur if these sessions are broken due to changes in the IP addresses of LAN nodes and external interfaces of routers by parameter management modules. LAN (10) and masking information directions (12), in case of detection of unauthorized activity of an attacker, which also increases the effectiveness of protection. Achieving the technical result in terms of increasing the security and secrecy of the communication channel and LAN parameters is also ensured by turning on and initializing the network connection control module (11) and the unit for changing the network connection parameters (15), which is explained as follows. Changes in the parameters of the network and link layer by the module for masking information directions (12) and the module for controlling the LAN parameters (10), after each attempt of unauthorized scanning, can be regarded by the attacker as the fact of the activity of the protection system, which will lead to its compromise and force the attacker to change the strategy of influence. Therefore, imitation of a communication channel with poor quality, increasing the duration of a forced session with an attacker, by changing the value of the "window size" parameter of the service header of a TCP packet of messages, as described, for example, in the article Maksimov R.V., Orekhov D.N., Sokolovsky S.P. Model and algorithm for the functioning of a client-server information system in the context of network intelligence // Control systems, communications and security. 2019. No. 4. P. 50-99, complicates or makes impossible a detailed analysis of network traffic and elements of the data transmission network by an intruder, which contributes to the increase in the security and secrecy of the functioning of both the units and modules of the device and the data transmission network as a whole. In addition, keeping the attacker in a forced connection, due to the introduction into the device of the network connection control module (11) and the unit for changing the parameters of network connections (15), allows the data transmission network, while this retention is carried out, for a long time, or in some cases during the entire period of its activity, to function either at all without the expenditure of computing resources for changing the parameters of the network and channel levels, implemented as protection measures carried out synchronously by the modules for controlling the LAN parameters (10) and masking information directions (12), or significantly reduce the number of these changes, in comparison with a device in which these elements are absent, which achieve a technical result in terms of reducing the resource intensity of protection. The use of the network connection control module (11) and the unit for changing the parameters of network connections (15), as separate security elements, without changing the parameters of information directions and parameters of the LAN by the modules for controlling the parameters of the LAN (10) and masking the information directions (12), that is, without providing dynamic changes in the parameters of the network and channel levels of the data transmission network and the parameters of the LAN network layer, after a long detailed study by the attacker of the network traffic and elements of the data transmission network, can lead, in the extreme, to its opening and identification of the parameters of interest to the attacker. Therefore, the achievement of the general technical result of the utility model is ensured only by the joint use of a network connection control module (11) with a unit for changing network connection parameters (15) and a LAN parameters control module (10) with a block for changing the parameters of the LAN network layer (16), as well as their connections with other blocks of the device.

The module for managing network connections (11), block (15) for changing the parameters of network connections (values of the "window size" field) can be implemented using Soft-microprocessors and (or) memory chips, for example, such as FeRAM (Ferroelectric Random Access Memory) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high performance and virtually unlimited rewriting cycles.

A multiservice router with control of network parameters and masking of a computer network is industrially applicable, since it can be implemented on the basis of an industrial computer with a simplified instruction set or industrial microprocessor equipment that allows the use of free software of the Unix family with open source code under the GNU GPL license (for example, single board computers Olimex, Intel, Raspberry Pi, Orange Pi, Nano Pi) for building routers and allowing the installation of a wide range of additional expansion cards.

Thus, thanks to a new set of essential features in the claimed utility model, the achievement of a technical result is achieved, which consists in expanding the scope, reducing the resource intensity of protection, increasing the security and secrecy of the communication channel in the Internet, as well as the security and secrecy of the LAN parameters.

Claims (1)

Multiservice router with control of network connection parameters and masking of a computer network, containing a switching unit and a route processor, interconnected by the first inputs / outputs, ternary associative memory, the first output of which is connected to the third input of the route processor, the processor module, the first input / output of which is connected with the second input / output of the switching unit, a high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the seventh output of which is connected to the second input of the processor module, the first output to the second input of the route processor; COM port, the first input / output of which is connected to the fourth input / output of the processor module, Ethernet port, the first input / output of which is connected to the third input / output of the processor module; N SPF modules, the inputs / outputs of which are connected, respectively, to the N inputs / outputs of the route processor; synchronization module, the first output of which is connected to the sixth input of the module with a non-blocking high-speed FPGA-based switching matrix (FPGA), and the second output is connected to the fifth input with a non-blocking high-speed FPGA-based switching matrix (FPGA), the information directions masking module, the first input of which is connected to the seventh output of the processor module, the fourth output is connected to the second input of the unit for changing the parameters of the channel level, the first output of which is connected to the second input of the ternary associative memory, the third output of the masking information directions is connected to the second input of the unit for changing the parameters of the network layer, the first output of which is connected with the third input of the ternary associative memory, the second input of the information directions masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix, characterized in that it has additional In addition, a module for controlling the parameters of the LAN structure has been introduced; block for changing the parameters of the LAN network layer; network connection management module; block for changing parameters by network connections, the first input of the LAN parameters control module is connected to the fifth output of the processor module, the second input is connected to the fourth output of the high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA), the third output of the LAN parameters control module is connected to the second input of the unit for changing the parameters of the LAN network layer, the first output of which is connected to the fifth input of the ternary associative memory, the first input of the network connection control module is connected to the sixth output of the processor module, the second input is connected to the third output of the high-speed packet data processing module with a non-blocking high-speed switching matrix on FPGA base, the third output of the network connection control module is connected to the second input of the unit for changing the parameters of network connections, the first output of which is connected to the fourth input of ternary associative memory.

Images