
WO2021253366A1 - Switch encryption system - Google Patents


Info

Publication number
WO2021253366A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
message
processing
encryption system
switch
Legal status
Ceased
Application number
PCT/CN2020/096954
Other languages
French (fr)
Chinese (zh)
Inventor
匡俊华
邓微微
高伟
陈胤先
Current Assignee
Bii Information Security Technology Development Co Ltd
Bii Technology Development Co Ltd
Original Assignee
Bii Information Security Technology Development Co Ltd
Bii Technology Development Co Ltd
Application filed by Bii Information Security Technology Development Co Ltd and Bii Technology Development Co Ltd
Publication of WO2021253366A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the state check module looks up the state table according to the L3 and L4 header information of the packet; when a state table entry is found, a state transition check is performed according to the protocol; when no entry is found, the current packet is regarded as a first packet, the state check module does no processing and passes it on to the next module.
  • the whitelist policy lookup module performs a policy matching lookup and comparison on the complete packet from the state check module using a 9-tuple, records the corresponding comparison result and executes the whitelist action;
  • the 9-tuple includes interface, source MAC, destination MAC, VLAN, EthernetType, IP protocol, source IP, destination IP and port.
  • the blacklist policy lookup module performs a policy matching lookup and comparison on the complete packet from the state check module using a 9-tuple, at the same time compares the application-layer content fields of the packet, records the corresponding comparison result and executes the blacklist action.
  • the flow classification and flow control module classifies packet data flows according to users and policy rules, and performs bandwidth management and traffic shaping on each class.
  • the input/output module includes an input module and an output module.
  • the input module performs buffering according to the type of the input packet, pushes the entire packet into the packet buffer, extracts the packet header information, tags the packet with a packet ID and sends it to the subsequent modules for further processing;
  • the output module performs the execution actions and packet content modification operations according to the results of all preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface after processing is complete.
  • the security switch module adopts a self-developed dedicated hardware architecture and a domestic independent encryption protocol, and provides high-performance core industrial control network security functions, including:
  • the entire secure industrial switch module is divided into two major subsystems, namely the CPU control and management subsystem and the core chip network stream processing subsystem.
  • the interface between the core chip processing subsystem and the CPU subsystem is the PCI-E bus, interconnected using dedicated hardware communication and control protocols.
  • the CPU control and management subsystem is responsible for the software and hardware initialization of the entire system, security configuration management, planning and scheduling, and user authentication and authorization services.
  • the core chip network stream processing subsystem is responsible for receiving network data streams from 4 Gigabit interfaces and 4 10-Gigabit interfaces, achieving 20Gbps parallel data processing performance. The process is as follows:
  • protocol analysis, deep filtering and security inspection at each network layer (Ethernet, VLAN, ARP, IP, IGMP, ICMP, TCP/UDP);
  • the chip sends log and statistical information directly to a dedicated log server based on content and session;
  • the chip completes all functional preprocessing and final action execution, and performs the encryption part of the switch output module using the domestically developed SM7 encryption algorithm, designed and implemented in FPGA.
  • through this system, a self-developed industrial gateway product that solves the problems faced by industrial control networks in the Industry 4.0 era fills the technical gap in China's field of industrial control gateways with independent intellectual property rights;
  • basic functions such as data transformation, data filtering, arithmetic processing, historical data storage, statistical processing, alarm processing and service requests are realized; a high-performance industrial-grade communication processor is used, whose computing power and efficiency can be customized directly according to algorithm requirements, and which compared with similar domestic and foreign products is smaller, consumes less power, and offers higher reliability, stronger confidentiality, higher computing performance and faster computing efficiency;
  • the chip adopts software multi-level detection and hardware multiple-protection mechanisms to improve stability, fully meeting industrial standards and the needs of industrial users; based on self-developed chips, smart gateway hardware devices with extended functions such as SDN/NFV are realized; the product can have multiple Gigabit and 10-Gigabit secure switching capabilities, the overall throughput capacity is greater than 20Gbps, and the network


Abstract

Disclosed is a switch encryption system. The system comprises: a CPU control and management system, comprising an initialization module, a security module, a scheduling module and an authentication module; and a core chip network flow processing system, comprising a packet header analysis module, a Layer 2 switching module, a Layer 3 switching module, a state checking module, a whitelist policy lookup module, a blacklist policy lookup module, a flow classification and flow control module, and an input/output module. The system achieves basic functions such as data transformation, data filtering, arithmetic processing, historical data storage, statistical processing, alarm processing and service requests; the stability of the chip is improved by using software multi-stage detection and hardware multiple-protection mechanisms, thereby fully meeting industrial-grade standards and the requirements of industrial users; the invention has intrusion monitoring, flow prediction and intelligent scheduling capabilities, achieves data convergence, data splitting and adaptive transmission of control-flow data, and provides a secure service information communication function for industrial control networks.

Description

A switch encryption system

Technical field

The present invention relates to the technical field of network security, and in particular to a switch encryption system.

Background art

In recent years, as industrial control networks have grown, new technologies and applications have been introduced and the various industrial control network protocols have been continuously improved, the problem of information security threats to industrial control networks has become increasingly prominent. Examples are the earlier Stuxnet virus and the recently disclosed vulnerability in the Siemens SPPA-T3000 distributed control system, which directly threaten and affect the reliability and security of the equipment, confidential information and overall operation and maintenance of industrial control networks. With the rapid deployment of 5G and the Industrial Internet, the security problems of industrial control networks will become even more prominent. At present, China's industrial control networks use traditional security solutions, which have the following problems:

Implementing network security on a security server platform cannot meet the real-time requirements of industrial control networks, while ordinary hardware gateways cannot meet the high-bandwidth, high-capacity requirements of industrial control networks for multi-service transmission;

Although the commercial industrial gateways currently on the market (such as Easy ProfiBus) can handle the maintenance, management and information forwarding of industrial field devices, each solves a relatively narrow problem and cannot address the differentiated requirements of industrial networks;

Highly integrated industrial gateways are built around general-purpose chips such as CPUs and GPUs and semi-custom FPGAs; they are large, consume a lot of power, and their reliability and confidentiality cannot meet the customization requirements of specific industrial applications;

The industrial gateway equipment on the market that addresses the problems currently faced by industrial networks consists mainly of foreign products, which are expensive and lack independent intellectual property rights, so they are easily "choked off" by foreign countries.

Summary of the invention

In view of the above technical problems in the related art, the present invention proposes a switch encryption system that can overcome the above shortcomings of the prior art.

To achieve the above technical objectives, the technical solution of the present invention is implemented as follows:

A switch encryption system, comprising:

a CPU control and management system, used for the software and hardware initialization of the entire system, security configuration management, planning and scheduling, and user authentication and authorization services; the CPU control and management system comprises an initialization module, a security module, a scheduling module and an authentication and authorization module;

a core chip network stream processing system, used to receive the network data streams entering from 4 Gigabit interfaces and 4 10-Gigabit interfaces; the core chip network stream processing system comprises a packet header analysis module, a Layer 2 switching module, a Layer 3 switching module, a state check module, a whitelist policy lookup module, a blacklist policy lookup module, a flow classification and flow control module, and an input/output module, wherein

the interface between the CPU control and management system and the core chip network stream processing system is a PCI-E bus, interconnected using a dedicated hardware communication protocol and control protocol.

Further, the packet header analysis module parses the L2-L5 information fields of the packet and checks the packet's legality; according to the MATCH rules for the L2-L5 information fields, the user sets filtering rules based on the packet information fields, where L2-L5 are the different layers of the network protocol.

Further, the Layer 2 switching module supports MAC address learning and lookup and forwarding in transparent mode; the Layer 3 switching module supports lookup of the subnet table, host routing table and user table, user-based authentication and session-count limits, and forwarding in routing mode.

Further, the state check module looks up the state table according to the L3 and L4 header information of the packet; when a state table entry is found, a state transition check is performed according to the protocol; when no entry is found, the current packet is regarded as a first packet, the state check module does no processing and passes it on to the next module.

Further, the whitelist policy lookup module performs a policy matching lookup and comparison on the complete packets from the state check module using a 9-tuple, records the corresponding comparison result and executes the whitelist action; the 9-tuple includes interface, source MAC, destination MAC, VLAN, EthernetType, IP protocol, source IP, destination IP and port.

Further, the blacklist policy lookup module performs a policy matching lookup and comparison on the complete packets from the state check module using a 9-tuple, at the same time compares the application-layer content fields of the packet, records the corresponding comparison result and executes the blacklist action.

Further, the flow classification and flow control module classifies packet data flows according to users and policy rules, and performs bandwidth management and traffic shaping on each class.

Further, the input/output module comprises an input module and an output module.

Further, the input module performs buffering according to the type of the input packet, pushes the entire packet into the packet buffer, extracts the packet header information, tags the packet with a packet ID and sends it to the subsequent modules for further processing; the output module performs the execution actions and packet content modification operations according to the results of all the preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface after processing is complete.

Further, the output module performs the execution actions and packet content modification operations according to the results of all the preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface after processing is complete.
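The module chain described above (header legality check, 9-tuple whitelist lookup, blacklist lookup with application-layer content comparison, forward/drop action) as an added Python reference model; this is not the patent's FPGA implementation. It assumes that the 9-tuple's "port" is the destination L4 port, that the whitelist is default-deny and a blacklist hit takes precedence, and it uses constructed Modbus/TCP sample traffic and a constructed policy.

```python
# Added reference model of the header analysis and 9-tuple policy lookup; not the patent's own FPGA logic.
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4, PROTO_TCP = 0x8100, 0x0800, 6

@dataclass(frozen=True)
class NineTuple:
    interface: str
    src_mac: str
    dst_mac: str
    vlan: Optional[int]       # None when the frame has no 802.1Q tag
    ethertype: int
    ip_proto: Optional[int]   # None for non-IPv4 frames
    src_ip: Optional[str]
    dst_ip: Optional[str]
    port: Optional[int]       # assumption: the destination L4 port

def parse_header(interface, frame):
    """Header analysis module: parse L2-L4, reject illegal frames, return the 9-tuple and L5 payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    ip_proto, src_ip, dst_ip, port, payload = None, None, None, None, b""
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < off + 20 or frame[off] >> 4 != 4:
            raise ValueError("bad or truncated IPv4 header")
        ihl = (frame[off] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", frame[off + 2:off + 4])
        # Legality check: the length fields must agree with the bytes actually received.
        if ihl < 20 or total_len < ihl or off + total_len > len(frame):
            raise ValueError("IPv4 length fields inconsistent with frame")
        ip_proto = frame[off + 9]
        src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
        dst_ip = ".".join(str(b) for b in frame[off + 16:off + 20])
        l4, end = off + ihl, off + total_len
        if ip_proto == PROTO_TCP:  # only TCP is modelled; other protocols keep port=None
            if l4 + 20 > end:
                raise ValueError("truncated TCP header")
            (port,) = struct.unpack("!H", frame[l4 + 2:l4 + 4])
            data_off = (frame[l4 + 12] >> 4) * 4
            if data_off < 20 or l4 + data_off > end:
                raise ValueError("bad TCP data offset")
            payload = frame[l4 + data_off:end]
    return NineTuple(interface, src_mac, dst_mac, vlan, ethertype, ip_proto, src_ip, dst_ip, port), payload

@dataclass
class Rule:
    match: dict = field(default_factory=dict)  # 9-tuple fields to match; a missing field is a wildcard
    content: bytes = b""                       # optional application-layer (L5) content pattern
    content_offset: Optional[int] = None       # None: the pattern may occur anywhere in the payload

def rule_matches(t, payload, rule):
    if any(getattr(t, k) != v for k, v in rule.match.items()):
        return False
    o = rule.content_offset
    hit = rule.content in payload if o is None else payload[o:o + len(rule.content)] == rule.content
    return not rule.content or hit

def policy_lookup(t, payload, whitelist, blacklist):
    """Whitelist then blacklist lookup. Assumed semantics: default deny unless a whitelist entry
    matches; a blacklist hit (9-tuple plus L5 content) overrides the whitelist."""
    if not any(rule_matches(t, payload, r) for r in whitelist):
        return "drop:no-whitelist-match"
    if any(rule_matches(t, payload, r) for r in blacklist):
        return "drop:blacklist-hit"
    return "forward"

def build_frame(src_ip, dst_ip, dport, payload, vlan=None):
    """Constructed Ethernet[/802.1Q]/IPv4/TCP sample frame (checksums left zero; model input only)."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                       ip(src_ip), ip(dst_ip)) + tcp
    eth = bytes.fromhex("001122334455665544332211")  # destination MAC, then source MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ipv4

# Constructed policy: the HMI on VLAN 10 may reach the PLC's Modbus/TCP port 502, but a Write
# Multiple Registers request (function code 0x10, the byte after the 7-byte MBAP header) is
# blacklisted on application-layer content.
WHITELIST = [Rule({"interface": "ge0", "vlan": 10, "ip_proto": PROTO_TCP, "dst_ip": "10.0.0.5", "port": 502})]
BLACKLIST = [Rule({"ip_proto": PROTO_TCP, "port": 502}, content=b"\x10", content_offset=7)]

def classify(interface, frame):
    """Input module -> header analysis -> whitelist -> blacklist -> output action."""
    try:
        t, payload = parse_header(interface, frame)
    except ValueError as e:
        return f"drop:illegal-header ({e})"
    return policy_lookup(t, payload, WHITELIST, BLACKLIST)
```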

Beneficial effects of the present invention: through this system, a self-developed industrial gateway product that solves the problems faced by industrial control networks in the Industry 4.0 era fills the technical gap in China's field of industrial control gateways with independent intellectual property rights; it realizes basic functions such as data transformation, data filtering, arithmetic processing, historical data storage, statistical processing, alarm processing and service requests; it uses a high-performance industrial-grade communication processor whose computing power and efficiency can be customized directly according to the needs of the algorithm, and compared with similar domestic and foreign products it is smaller, consumes less power, and offers higher reliability, stronger confidentiality, higher computing performance and faster computing efficiency; the chip uses software multi-level detection and hardware multiple-protection mechanisms to improve stability, fully meeting industrial-grade standards and the needs of industrial users; based on the self-developed chip, it realizes intelligent gateway hardware with extended functions such as SDN/NFV.
The product can provide multiple Gigabit and 10-Gigabit secure switching capabilities, with an overall throughput greater than 20Gbps and network latency at the microsecond level; flexible black/white list control, autonomous filtering and security checks against various security threats avoid network attacks such as remote malicious code and worm DoS; it also has intrusion monitoring, traffic prediction and intelligent scheduling capabilities, realizing data aggregation, data splitting and adaptive transmission of control-flow data, and providing secure service information communication functions for industrial control networks.

Description of the drawings

To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a functional block diagram of a switch encryption system according to an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention fall within the protection scope of the present invention.

As shown in Fig. 1, a switch encryption system according to an embodiment of the present invention comprises:

CPU控制管理系统,所述CPU控制管理系统用于整个系统的软硬件初始化,安全配置管理,计划调度和用户认证鉴权服务,所述CPU控制管理系统包括初始化模块、安全模块、调度模块、认证鉴权模块;The CPU control and management system is used for the software and hardware initialization of the entire system, security configuration management, planning and scheduling, and user authentication and authentication services. The CPU control and management system includes an initialization module, a security module, a scheduling module, and authentication. Authentication module;

核心芯片网络流处理系统,所述核心芯片网络流处理系统用于接收从4个千兆接口和4个万兆接口进入的网络数据流,所述核心芯片网络流处理系统包括包头分析模块、2层交换模块、3层交换模块、状态检查模块、白名单策略查找模块、黑名单策略查找模块、流分类与流量控制模块、输入输出模块,其中,A core chip network stream processing system, the core chip network stream processing system is used to receive network data streams from 4 Gigabit interfaces and 4 10 Gigabit interfaces, the core chip network stream processing system includes a packet header analysis module, 2 Layer switch module, Layer 3 switch module, status check module, whitelist strategy search module, blacklist strategy search module, flow classification and flow control module, input and output module, among them,

所述CPU控制管理系统、核心芯片网络流处理系统之间的接口是PCI-E总线,采用专用硬件通信协议和控制协议进行互联。The interface between the CPU control management system and the core chip network stream processing system is a PCI-E bus, and a dedicated hardware communication protocol and a control protocol are used for interconnection.

In a specific embodiment of the present invention, the packet header analysis module is used to parse the L2-L5 information fields of a packet and to perform a packet validity check; the user sets filtering rules on the packet information fields according to the MATCH rules for the L2-L5 information fields, where L2-L5 are the different layers of the network protocol stack.

In a specific embodiment of the present invention, the layer-2 switching module supports MAC address learning and lookup and forwarding in transparent mode; the layer-3 switching module supports lookup of the subnet table, the host routing table and the user table, per-user authentication and session-count limits, and forwarding in routed mode.

In a specific embodiment of the present invention, the state check module looks up the state table according to the L3 and L4 header information of the packet; when a state table entry is found, a state transition check is performed according to the protocol; when no entry is found, the current packet is considered the first packet, and the state check module passes it to the next module without any processing.

In a specific embodiment of the present invention, the whitelist policy lookup module performs policy matching lookup and comparison by 9-tuple on packets that have passed through the state check module, records the corresponding comparison result and executes the whitelist action; the 9-tuple comprises interface, source MAC, destination MAC, VLAN, EthernetType, IP protocol, source IP, destination IP and port.

In a specific embodiment of the present invention, the blacklist policy lookup module performs policy matching lookup and comparison by 9-tuple on packets that have passed through the state check module, at the same time compares the application-layer content fields of the packet, records the corresponding comparison result and executes the blacklist action.

In a specific embodiment of the present invention, the flow classification and flow control module classifies the packet data flows according to users and policy rules, and performs bandwidth management and traffic shaping for each class.

In a specific embodiment of the present invention, the input/output module comprises an input module and an output module.

In a specific embodiment of the present invention, the input module performs buffering according to the type of the incoming packet: it pushes the whole packet into the packet buffer, extracts the packet header information, tags it with the packet's packet ID and sends it to the subsequent modules for further processing; the output module executes actions and modifies packet content according to the results of all preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface once processing is complete.

In a specific embodiment of the present invention, the output module executes actions and modifies packet content according to the results of all preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface once processing is complete.

To facilitate understanding of the above technical solution of the present invention, it is described in detail below.

The security switch module adopts a self-developed dedicated hardware architecture and a domestic encryption protocol, and provides the following main high-performance industrial control network security functions:

support for mixed IPv4 and IPv6 industrial control network environments;

user behaviour access control;

user security configuration management;

user security authentication and authorization;

industrial control protocol control and security filtering based on blacklist and whitelist policies;

logging and alarms;

handling of attack threats, etc.;

a dedicated out-of-band security management configuration interface.

At the same time, a fully customized hardware design architecture meets the performance requirements: multiple high-performance Gigabit Ethernet interfaces, 20Gbps overall product throughput, network latency below 1ms, and up to 1,000 protected nodes.

The entire secure industrial switch module is divided into two major subsystems: the CPU control and management subsystem and the core-chip network flow processing subsystem. The interface between the core-chip processing subsystem and the CPU subsystem is a PCI-E bus, interconnected by a dedicated hardware communication protocol and control protocol.

The CPU control and management subsystem is responsible for the software and hardware initialization of the entire system, security configuration management, plan scheduling, user authentication and authorization, and similar services. The core-chip network flow processing subsystem is responsible for receiving the network data flows entering from 4 Gigabit interfaces and 4 10-Gigabit interfaces, achieving 20Gbps parallel data processing; the process is as follows:

(1) Protocol parsing, deep filtering and security checking at each network layer (Ethernet, VLAN, ARP, IP, IGMP, ICMP, TCP/UDP);

(2) switching of network data and input/output processing;

(3) whitelist policy matching;

(4) security processing of the session connection state;

(5) identification and matching preprocessing of industrial control protocols;

(6) content matching and security filtering control of industrial control protocols;

(7) blacklist policy matching and control processing;

(8) network attack defence and security filtering;

(10) policy-based monitoring and mirroring;

(11) the chip sends logs and statistics directly to a dedicated log server according to content and session;

(12) the chip completes all function preprocessing and final action execution, and performs the switching output; the encryption part of the module uses the domestic SM7 encryption algorithm, designed and implemented in an FPGA.
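As an added example, not the patent's code or the product's firmware, the following Python model walks a constructed packet sequence through the input module, state check, 9-tuple whitelist and blacklist lookup, and output module described in the embodiments above and in steps (2) through (7). The TCP transition table, the rule format, the default-deny decision when nothing matches, and all addresses, MACs and payloads are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    hdr: Dict[str, object]   # parsed L2-L5 fields: the page's 9-tuple plus TCP "flags"
    payload: bytes           # application-layer content, compared by the blacklist only

@dataclass
class Rule:
    match: Dict[str, object]          # 9-tuple fields to compare; an absent field is a wildcard
    action: str                       # "forward" or "drop"
    content: Optional[bytes] = None   # blacklist only: application-layer pattern

    def hits(self, pkt: Packet) -> bool:
        ok = all(pkt.hdr.get(k) == v for k, v in self.match.items())
        return ok and (self.content is None or self.content in pkt.payload)

# Permitted TCP transitions, (state, flags) -> next state: a constructed handshake
# simplification standing in for "state transition check according to the protocol".
TCP_NEXT = {("NEW", "SYN"): "SYN_SENT", ("SYN_SENT", "SYN-ACK"): "SYN_RECV",
            ("SYN_RECV", "ACK"): "ESTABLISHED", ("ESTABLISHED", "ACK"): "ESTABLISHED",
            ("ESTABLISHED", "FIN"): "CLOSING"}

class SwitchPipeline:
    # Software model of input -> state check -> whitelist -> blacklist -> output.
    def __init__(self, whitelist: List[Rule], blacklist: List[Rule]):
        self.whitelist, self.blacklist = whitelist, blacklist
        self.state: Dict[Tuple, str] = {}   # state table keyed by L3/L4 header fields
        self.buf: Dict[int, Packet] = {}    # packet buffer addressed by packet ID
        self.next_id = 0

    @staticmethod
    def flow_key(pkt: Packet) -> Tuple:
        h = pkt.hdr   # direction-independent so both halves of a session share one entry
        return (h["ip_proto"], frozenset((h["src_ip"], h["dst_ip"])), h["port"])

    def input_module(self, pkt: Packet) -> int:
        # Push the whole packet into the buffer; later stages work from header and ID.
        pid, self.next_id = self.next_id, self.next_id + 1
        self.buf[pid] = pkt
        return pid

    def state_check(self, pkt: Packet) -> bool:
        if pkt.hdr["ip_proto"] != 6:            # only TCP has a state machine in this model
            return True
        key, flags = self.flow_key(pkt), pkt.hdr.get("flags")
        if key not in self.state:
            # No entry: first packet, passed on unchecked (assumption: it opens the entry)
            self.state[key] = TCP_NEXT.get(("NEW", flags), "NEW")
            return True
        nxt = TCP_NEXT.get((self.state[key], flags))
        if nxt is None:
            return False                        # a transition the protocol does not allow
        self.state[key] = nxt
        return True

    def output_module(self, pid: int, action: str) -> Tuple[int, str, Optional[bytes]]:
        pkt = self.buf.pop(pid)                 # read the buffered packet by its ID
        return pid, action, (pkt.payload if action == "forward" else None)

    def process(self, pkt: Packet) -> Tuple[int, str, Optional[bytes]]:
        pid = self.input_module(pkt)
        if not self.state_check(pkt):
            return self.output_module(pid, "drop:state")
        wl = next((r for r in self.whitelist if r.hits(pkt)), None)   # recorded results
        bl = next((r for r in self.blacklist if r.hits(pkt)), None)
        if bl is not None:
            return self.output_module(pid, "drop:blacklist")
        # Assumption: a packet matching no whitelist entry is dropped (default deny).
        return self.output_module(pid, wl.action if wl else "drop:nomatch")

def tcp(src: str, dst: str, flags: str, payload: bytes = b"") -> Packet:
    # Constructed sample frame; MACs, VLAN and addresses are placeholders.
    return Packet({"iface": "ge1", "src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
                   "vlan": 10, "eth_type": 0x0800, "ip_proto": 6, "src_ip": src, "dst_ip": dst,
                   "port": 502, "flags": flags}, payload)

def demo() -> List[str]:
    # Whitelist: TCP/502 to or from controller 10.0.0.9 on ge1; blacklist: payload b"WRITE".
    wl = [Rule({"iface": "ge1", "ip_proto": 6, "dst_ip": "10.0.0.9", "port": 502}, "forward"),
          Rule({"iface": "ge1", "ip_proto": 6, "src_ip": "10.0.0.9", "port": 502}, "forward")]
    bl = [Rule({"ip_proto": 6, "port": 502}, "drop", content=b"WRITE")]
    sw, c, s = SwitchPipeline(wl, bl), "10.0.0.5", "10.0.0.9"
    pkts = [tcp(c, s, "SYN"), tcp(s, c, "SYN-ACK"), tcp(c, s, "ACK"),
            tcp(c, s, "ACK", b"READ 40001"), tcp(c, s, "ACK", b"WRITE 40001"),
            tcp("10.0.0.7", s, "ACK"),   # first packet of a new session: passed unchecked
            tcp("10.0.0.7", s, "ACK")]   # its second packet fails the transition check
    return [sw.process(p)[1] for p in pkts]
```

The last two sample packets show the consequence of the "first packet passes unprocessed" rule: a session that never performed a handshake is only caught on its second packet, so the whitelist is what protects the first one.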

In summary, by means of the above technical solution of the present invention, this system is a self-developed industrial gateway product that solves the problems faced by industrial control networks in the Industry 4.0 era and fills the domestic technical gap in industrial control gateways with independent intellectual property rights; it implements basic functions such as data transformation, data filtering, computation, historical data storage, statistical processing, alarm handling and service requests; it adopts a high-performance industrial-grade communication processor whose computing capacity and efficiency can be customized directly to the needs of the algorithm, and compared with similar domestic and foreign products it is smaller, consumes less power, and offers higher reliability, stronger confidentiality, higher computing performance and faster computing efficiency; the chip adopts multi-level software detection and multiple hardware protection mechanisms to improve stability, fully meeting industrial-grade standards and the needs of industrial users; the intelligent gateway hardware built on the self-developed chip has extended functions such as SDN/NFV, can have multiple Gigabit and 10-Gigabit secure switching capabilities, an overall throughput greater than 20Gbps and microsecond-level network latency; its flexible blacklist/whitelist control, autonomous filtering and security checks are effective against various security threats and prevent remote malicious code, worm DoS and other network attacks; and it combines intrusion monitoring, traffic prediction and intelligent scheduling to achieve data aggregation, data distribution and adaptive transmission of control-flow data, providing secure service information communication for industrial control networks.

The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its protection scope.

Claims (10)

1. A switch encryption system, characterized in that it comprises: a CPU control and management system, used for the software and hardware initialization of the entire system, security configuration management, plan scheduling, and user authentication and authorization services, the CPU control and management system comprising an initialization module, a security module, a scheduling module and an authentication and authorization module; and a core-chip network flow processing system, used to receive the network data flows entering from 4 Gigabit interfaces and 4 10-Gigabit interfaces, the core-chip network flow processing system comprising a packet header analysis module, a layer-2 switching module, a layer-3 switching module, a state check module, a whitelist policy lookup module, a blacklist policy lookup module, a flow classification and flow control module, and an input/output module; wherein the interface between the CPU control and management system and the core-chip network flow processing system is a PCI-E bus, interconnected by a dedicated hardware communication protocol and control protocol.

2. The switch encryption system according to claim 1, characterized in that the packet header analysis module is used to parse the L2-L5 information fields of a packet and to perform a packet validity check, and the user sets filtering rules on the packet information fields according to the MATCH rules for the L2-L5 information fields, where L2-L5 are the different layers of the network protocol stack.

3. The switch encryption system according to claim 1, characterized in that the layer-2 switching module supports MAC address learning and lookup and forwarding in transparent mode, and the layer-3 switching module supports lookup of the subnet table, the host routing table and the user table, per-user authentication and session-count limits, and forwarding in routed mode.

4. The switch encryption system according to claim 1, characterized in that the state check module looks up the state table according to the L3 and L4 header information of the packet, wherein when a state table entry is found, a state transition check is performed according to the protocol, and when no entry is found, the current packet is considered the first packet and the state check module passes it to the next module without any processing.

5. The switch encryption system according to claim 1, characterized in that the whitelist policy lookup module performs policy matching lookup and comparison by 9-tuple on packets that have passed through the state check module, records the corresponding comparison result and executes the whitelist action, the 9-tuple comprising interface, source MAC, destination MAC, VLAN, EthernetType, IP protocol, source IP, destination IP and port.

6. The switch encryption system according to claim 1, characterized in that the blacklist policy lookup module performs policy matching lookup and comparison by 9-tuple on packets that have passed through the state check module, at the same time compares the application-layer content fields of the packet, records the corresponding comparison result and executes the blacklist action.

7. The switch encryption system according to claim 1, characterized in that the flow classification and flow control module classifies the packet data flows according to users and policy rules, and performs bandwidth management and traffic shaping for each class.

8. The switch encryption system according to claim 1, characterized in that the input/output module comprises an input module and an output module.

9. The switch encryption system according to claim 8, characterized in that the input module performs buffering according to the type of the incoming packet, pushes the whole packet into the packet buffer, extracts the packet header information, tags it with the packet's packet ID and sends it to the subsequent modules for further processing; and the output module executes actions and modifies packet content according to the results of all preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface once processing is complete.

10. The switch encryption system according to claim 8, characterized in that the output module executes actions and modifies packet content according to the results of all preceding hardware processing, reads the packet from the packet buffer by packet ID, and outputs it through the Ethernet interface once processing is complete.
PCT/CN2020/096954 2020-06-16 2020-06-19 Switch encryption system Ceased WO2021253366A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010546067.0A CN111797371A (en) 2020-06-16 2020-06-16 Switch encryption system
CN202010546067.0 2020-06-16

Publications (1)

Publication Number Publication Date
WO2021253366A1 true WO2021253366A1 (en) 2021-12-23

Family

ID=72804380

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/096954 Ceased WO2021253366A1 (en) 2020-06-16 2020-06-19 Switch encryption system

Country Status (2)

Country Link
CN (1) CN111797371A (en)
WO (1) WO2021253366A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205193A (en) * 2022-01-11 2022-03-18 沈阳麦克奥迪能源科技有限公司 Energy efficiency thing networking gateway of remote debugging configuration
CN114363018A (en) * 2021-12-20 2022-04-15 北京六方云信息技术有限公司 Industrial data transmission method, device, equipment and storage medium
CN114745176A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Data transmission control method, device, computer equipment and storage medium
CN115484127A (en) * 2022-09-27 2022-12-16 成都成电光信科技股份有限公司 FC and Ethernet hybrid switching device and method based on system on chip
CN115549944A (en) * 2022-07-22 2022-12-30 江苏安方电力科技有限公司 A low-speed data exchange device for internal and external network isolation
CN116405281A (en) * 2023-04-04 2023-07-07 扬州万方科技股份有限公司 A real-time information detection network exchange system
CN116743500A (en) * 2023-08-10 2023-09-12 北京天融信网络安全技术有限公司 Industrial firewall system, message processing method and industrial control system
CN119603678A (en) * 2024-11-26 2025-03-11 国网宁夏电力有限公司 A broadband and narrowband integrated wireless data security access gateway and implementation method
CN120321193A (en) * 2025-06-19 2025-07-15 上海欣诺通信技术股份有限公司 A flow processing system, a flow processing method and a flow processing cluster

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113505349A (en) * 2021-07-24 2021-10-15 山东三未信安信息科技有限公司 Mini PCI-E password card operation method under embedded uboot
CN114584338B (en) * 2021-12-31 2024-03-26 网络通信与安全紫金山实验室 White box switch safety protection method and device based on Nftables and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104320332A (en) * 2014-11-13 2015-01-28 济南华汉电气科技有限公司 Multi-protocol industrial communication safety gateway and communication method with gateway applied
US20160149917A1 (en) * 2014-11-21 2016-05-26 Citrix Systems, Inc. Security profile management in a machine-to-machine messaging system
CN106411820A (en) * 2015-07-29 2017-02-15 中国科学院沈阳自动化研究所 Industrial communication flow transmission safety control method based on SDN architecture
CN108494672A (en) * 2018-04-17 2018-09-04 上海振华重工(集团)股份有限公司 A kind of industrial communication gateway, industrial data security isolation system and method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100358280C (en) * 2003-06-18 2007-12-26 联想(北京)有限公司 A network security appliance and realizing method thereof
CN101321163B (en) * 2008-07-03 2010-12-29 江苏华丽网络工程有限公司 Integrated hardware implementing method for multi-layer amalgamation and parallel processing network access equipment
CN104917776A (en) * 2015-06-23 2015-09-16 北京威努特技术有限公司 Industrial control network safety protection equipment and industrial control network safety protection method
CN108809864B (en) * 2018-06-15 2020-09-01 中国电子科技集团公司第四十一研究所 Multi-line card high-density TAP switch based on FPGA
CN109120602B (en) * 2018-07-25 2020-12-25 中国人民公安大学 IPv6 attack tracing method

Also Published As

Publication number Publication date
CN111797371A (en) 2020-10-20

Legal Events

Code / Title / Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 20941160; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 20941160; country of ref document: EP; kind code of ref document: A1)