Summary of the invention
The main purpose of the present invention is to provide a domain-name-based network protection method and system, intended to protect network security in real time on a per-domain-name basis.
The invention discloses a domain-name-based network protection method comprising the following steps:
Step S01, a core security gateway issues a security policy to edge security gateways;
Step S02, the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway.
Preferably, the following step is also included after step S02:
Step S03, the core security gateway receives and stores the security protection information, and classifies and displays it.
Preferably, step S01 comprises:
the core security gateway updating the security policy of the edge security gateways in real time according to updates of its own security policy.
Preferably, in step S03, the core security gateway classifying and displaying the security protection information by domain name comprises:
grouping the security protection information under the same domain name into one class;
displaying the classified security protection information by domain name.
Preferably, the access data obtained by the edge security gateway in step S02 is the data produced when a user accesses the node resources of the content node server geographically nearest to that user.
The present invention also discloses a domain-name-based network protection system comprising a core security gateway and edge security gateways;
the core security gateway is configured to issue a security policy to the edge security gateways;
the edge security gateway is configured to obtain access data, match it against the security policy, protect the information security of the users of the designated domain name, and record security protection information and report it to the core security gateway.
Preferably, the core security gateway is further configured to receive and store the security protection information, and to classify and display it.
Preferably, the core security gateway is further configured to update the security policy of the edge security gateways in real time according to updates of its own security policy.
Preferably, the core security gateway is further configured to group the security protection information under the same domain name into one class, and to display the classified security protection information by domain name.
Preferably, the access data obtained by the edge security gateway is the data produced when a user accesses the node resources of the content node server geographically nearest to that user.
In the present invention the core security gateway issues a security policy to the edge security gateways; the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway. This has the beneficial effect that network security is enforced with the precision of a single domain name.
Embodiment
The technical solution of the present invention is further described below in conjunction with the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
The domain-name-based network protection method and system of the present invention build on the distributed nature of a CDN: they adopt an architecture of one core security gateway and a plurality of edge security gateways, protect network information on a per-domain-name basis according to a unified security policy, upload the recorded protection information to the core security gateway in a unified manner, and display it centrally at the core security gateway.
Refer to Fig. 1, a schematic diagram of the deployment architecture of the domain-name-based distributed web application protection system of the present invention. The source station in Fig. 1 is the original site of the distributed content; additions, deletions and changes to website files are all performed at the source station, and the objects fetched by the caching servers all come from the source station. The content nodes in Fig. 1 are caching servers, which directly serve the site resources the user accesses. The network in Fig. 1 is deployed in the CDN manner. A CDN is a network construction mode that adds a new layer of network architecture to the existing Internet and publishes website content to the network "edge" close to the user, so that users obtain the content they need nearby; this relieves Internet congestion and improves the response speed of user access to websites. In a broad sense, a CDN represents a network service mode based on quality and order.
Based on the above description, refer to Fig. 2, a flow chart of one embodiment of the domain-name-based network protection method of the present invention. As shown in Fig. 2, the method comprises the following steps:
Step S01, a core security gateway issues a security policy to edge security gateways;
In a preferred embodiment, the security policy is formulated with the domain name as its object, and the core security gateway is configured according to this policy. Once configuration is complete, the core security gateway issues the policy to each edge security gateway, so that the security policies of all security gateways are unified. Whenever the security policy on the core security gateway is updated, the core security gateway updates the policy on each edge security gateway in real time according to that update. Thus, by controlling the policy on the core security gateway alone, the policy of every edge security gateway is updated automatically and in real time, the administrator does not have to configure each security gateway in the network manually, and the consistency of the security policy across the node servers is ensured.
Step S02, the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway.
When a user requests web server resources through a browser, the domain name server returns, according to the geographical location from which the user accesses, the IP of the content node server nearest to the user, so that the user accesses content node resources nearby and saves access time. When the user accesses the content node resources, the edge security gateway obtains the user's access data, matches the security policy on the basis of the domain name being accessed, tracks and identifies security threats against that domain name, and, according to the degree of harm the threat poses to the business and to data security and according to the administrator's configuration, intercepts the threat or raises an alarm. At the same time, the edge security gateway records security protection information, commonly called the security protection log, analyzes the security status of the content node it currently protects and of the protected domain names, and summarizes and reports the security status information of the current content node to the core security gateway, which processes the security protection log accordingly.
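Steps S01 and S02 above, as an added worked example in Python that is not code from the patent: an edge security gateway installs a versioned policy pushed by the core gateway (step S01), matches each request against the rules of the domain it targets (step S02), and buffers security protection log records for reporting to the core. The policy format, the rule patterns, the class and function names and the sample requests are all assumptions constructed for this illustration; the patent defines none of them.

```python
import re
from dataclasses import dataclass, field

# Policy as pushed by the core security gateway. The patent defines no wire
# format; this versioned, per-domain rule list is an assumed shape.
CORE_POLICY = {
    "version": 7,
    "domains": {
        "shop.example": [
            {"type": "SQL injection",
             "pattern": r"(?i)(union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\s*\()",
             "action": "block"},
            {"type": "path traversal", "pattern": r"\.\./", "action": "block"},
        ],
        "news.example": [
            {"type": "XSS", "pattern": r"(?i)<script|javascript:", "action": "alert"},
        ],
    },
}

# Constructed access data for the demonstration, not captured traffic.
SAMPLE_REQUESTS = [
    {"host": "shop.example", "path": "/item", "query": "id=1' OR 1=1", "client": "198.51.100.7"},
    {"host": "shop.example", "path": "/item", "query": "id=42", "client": "198.51.100.8"},
    {"host": "shop.example", "path": "/static/../../etc/passwd", "query": "", "client": "203.0.113.9"},
    {"host": "news.example", "path": "/search", "query": "q=<script>alert(1)</script>", "client": "203.0.113.10"},
    # Same SQL injection payload, but news.example's policy has no SQL rule: passes.
    {"host": "NEWS.example", "path": "/search", "query": "q=1' OR 1=1", "client": "203.0.113.11"},
]


@dataclass
class EdgeGateway:
    """Edge security gateway co-located with one CDN content node."""
    node: str
    policy_version: int = 0
    rules: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # security protection log, reported to the core

    def receive_policy(self, policy):
        """Step S01: install a pushed policy only if it is newer than the one
        installed, so every edge converges on the core's current version.
        Returns True if the policy was applied."""
        if policy["version"] <= self.policy_version:
            return False
        self.rules = {
            domain: [(r["type"], re.compile(r["pattern"]), r["action"]) for r in rule_list]
            for domain, rule_list in policy["domains"].items()
        }
        self.policy_version = policy["version"]
        return True

    def inspect(self, request):
        """Step S02: match the request against the rules of the domain it targets.
        Returns the action taken: "pass", "alert" or "block"."""
        domain = request["host"].lower()
        target = request["path"] + ("?" + request["query"] if request["query"] else "")
        for attack_type, rx, action in self.rules.get(domain, []):
            if rx.search(target):
                self.log.append({"domain": domain, "node": self.node, "type": attack_type,
                                 "action": action, "client": request["client"],
                                 "target": target})
                return action
        return "pass"

    def report(self):
        """Hand the buffered log records to the core security gateway and clear the buffer."""
        records, self.log = self.log, []
        return records


def run_edge(node="edge-shanghai-01"):
    """Push the policy to one edge gateway, inspect the sample requests and
    return (actions taken, records reported to the core)."""
    gw = EdgeGateway(node)
    gw.receive_policy(CORE_POLICY)
    actions = [gw.inspect(r) for r in SAMPLE_REQUESTS]
    return actions, gw.report()


if __name__ == "__main__":
    actions, records = run_edge()
    print(actions)
    for rec in records:
        print(rec)
```

The version check in receive_policy is what makes the "real-time update" of step S01 safe to repeat: a re-pushed or stale policy is a no-op, so all edges end on the same version regardless of delivery order. Matching is keyed on the lowercased Host, which is the per-domain-name selection the patent describes.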
In this embodiment the core security gateway issues a security policy to the edge security gateways; the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway. This has the beneficial effect that network security is enforced with the precision of a single domain name.
Refer to Fig. 3, a flow chart of another embodiment of the domain-name-based network protection method of the present invention. This embodiment differs from the embodiment of Fig. 2 only in the addition of step S03; only step S03 is described in detail here, and for the other steps of the method refer to the detailed description of the embodiment above, which is not repeated.
As shown in Fig. 3, after step S02, in which the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway, the method further comprises the following step:
Step S03, the core security gateway receives and stores the security protection information, and classifies and displays it.
The core security gateway receives the security protection information reported by the edge security gateways. The security protection log of a given domain name collected by the edge security gateway on any edge node is fed back in real time to the core security gateway and written into the core security gateway's database, so the core security gateway sees every security protection log on a per-domain-name basis. The core security gateway classifies all security protection logs reported by the edge security gateways according to domain name, that is, it groups the logs of the same domain name into one class and displays the classified logs. Specifically, personnel with authority, such as the network administrator or the service provider, can see all security protection logs on the core security gateway and can, for example, perform flexible billing on the basis of this information; a user can consult only the security protection log of that user's own domain name, that is, the user of a given domain name can query the security protection log of that domain name but cannot view the logs of other domain names. Refer to Fig. 4, a schematic diagram of one example of the structure of the security protection log recorded by the edge security gateway in the domain-name-based network protection method of the present invention. As shown in Fig. 4, the security protection log recorded by the edge security gateway includes the network attack type, the number of attacks corresponding to each attack type, the percentage of the total each attack type accounts for, and the node server on which each attack type occurred. In this way the various items of information are clear at a glance when the security protection log is viewed.
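Step S03 and the Fig. 4 log structure, as an added example in Python that is not the patent's own code: the core security gateway stores records reported by edge gateways, groups them by domain name, computes per attack type the count, the percentage of that domain's total and the breakdown by node server, and enforces that a domain's user can query only that domain's log while personnel with authority can see any domain. The record fields, node names, domain names, owner mapping and the node-consistency check on ingest are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed security protection log records as two edge gateways would report
# them (fields follow the Fig. 4 description; the values are made up for the demo).
SAMPLE_REPORTS = {
    "edge-shanghai-01": [
        {"domain": "shop.example", "node": "edge-shanghai-01", "type": "SQL injection", "action": "block"},
        {"domain": "shop.example", "node": "edge-shanghai-01", "type": "path traversal", "action": "block"},
        {"domain": "news.example", "node": "edge-shanghai-01", "type": "XSS", "action": "alert"},
    ],
    "edge-beijing-02": [
        {"domain": "shop.example", "node": "edge-beijing-02", "type": "SQL injection", "action": "block"},
        {"domain": "shop.example", "node": "edge-beijing-02", "type": "SQL injection", "action": "block"},
    ],
}


class CoreGateway:
    """Core security gateway: central store and per-domain view of edge logs."""

    def __init__(self):
        self.db = []       # stand-in for the core gateway's database
        self.owners = {}   # domain -> user entitled to view that domain's log

    def register_domain(self, domain, owner):
        self.owners[domain] = owner

    def receive(self, edge_node, records):
        """Step S03, ingest: store records reported by one edge gateway. The node
        check is an assumed sanity rule, not part of the patent: an edge may
        only report records about itself."""
        for rec in records:
            if rec["node"] != edge_node:
                raise ValueError(f"record claims node {rec['node']} but came from {edge_node}")
            self.db.append(dict(rec))

    def classify(self):
        """Step S03, classify: group records by domain name; within each domain
        give, per attack type, the count, the percentage of that domain's attacks
        and the breakdown by node server (the Fig. 4 fields)."""
        by_domain = defaultdict(list)
        for rec in self.db:
            by_domain[rec["domain"]].append(rec)
        summary = {}
        for domain, recs in by_domain.items():
            total = len(recs)
            by_type = Counter(r["type"] for r in recs)
            summary[domain] = {
                atk: {
                    "count": n,
                    "percent": round(100.0 * n / total, 1),
                    "nodes": dict(Counter(r["node"] for r in recs if r["type"] == atk)),
                }
                for atk, n in by_type.items()
            }
        return summary

    def view(self, user, domain, admin=False):
        """Step S03, display: a domain's user may query only that domain's log;
        personnel with authority (admin=True) may view any domain."""
        if not admin and self.owners.get(domain) != user:
            raise PermissionError(f"{user} is not entitled to the log of {domain}")
        return self.classify().get(domain, {})


def build_core():
    """Load the sample reports into a core gateway and return it."""
    core = CoreGateway()
    core.register_domain("shop.example", "alice")
    core.register_domain("news.example", "bob")
    for node, records in SAMPLE_REPORTS.items():
        core.receive(node, records)
    return core


if __name__ == "__main__":
    core = build_core()
    for domain, stats in core.classify().items():
        print(domain, stats)
    print(core.view("alice", "shop.example"))
```

The authorization decision is taken in the core gateway's view function rather than in the display layer, so the "only your own domain" restriction holds for any client of the core, not only the web interface.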
In this embodiment the core security gateway receives and stores the security protection information and classifies and displays it, which has the beneficial effect of centralized collection and per-domain-name display of the security protection logs.
Refer to Fig. 5, a schematic diagram of the structure of one embodiment of the domain-name-based network protection system of the present invention. As shown in Fig. 5, the system comprises a core security gateway 01 and edge security gateways 02.
Core security gateway 01 is configured to issue a security policy to the edge security gateways.
In a preferred embodiment, the security policy is formulated with the domain name as its object, and core security gateway 01 is configured according to this policy. Once configuration is complete, core security gateway 01 issues the policy to each edge security gateway 02, so that the security policies of all security gateways are unified. Whenever the security policy on core security gateway 01 is updated, core security gateway 01 updates the policy on each edge security gateway 02 in real time according to that update. Thus, by controlling the policy on core security gateway 01 alone, the policy of every edge security gateway 02 is updated automatically and in real time, the administrator does not have to configure each security gateway in the network manually, and the consistency of the security policy across the node servers is ensured.
Edge security gateway 02 is configured to obtain access data, match it against the security policy, protect the information security of the users of the designated domain name, and record security protection information and report it to the core security gateway.
When a user requests web server resources through a browser, the domain name server returns, according to the geographical location from which the user accesses, the IP of the content node server nearest to the user, so that the user accesses content node resources nearby and saves access time. When the user accesses the content node resources, edge security gateway 02 obtains the user's access data, matches the security policy on the basis of the domain name being accessed, tracks and identifies security threats against that domain name, and, according to the degree of harm the threat poses to the business and to data security and according to the administrator's configuration, intercepts the threat or raises an alarm. At the same time, edge security gateway 02 records security protection information, commonly called the security protection log, analyzes the security status of the content node it currently protects and of the protected domain names, and summarizes and reports the security status information of the current content node to core security gateway 01, which processes the security protection log accordingly.
In this embodiment the core security gateway issues a security policy to the edge security gateways; the edge security gateway obtains access data, matches it against the security policy, protects the information security of the users of the designated domain name, and records security protection information and reports it to the core security gateway. This has the beneficial effect that network security is enforced with the precision of a single domain name.
Referring again to Fig. 5, core security gateway 01 in Fig. 5 is further configured to receive and store the security protection information, and to classify and display it.
Core security gateway 01 receives the security protection information reported by edge security gateways 02. The security protection log of a given domain name collected by edge security gateway 02 on any edge node is fed back in real time to core security gateway 01 and written into the database of core security gateway 01, so core security gateway 01 sees every security protection log on a per-domain-name basis. Core security gateway 01 classifies all security protection logs reported by edge security gateways 02 according to domain name, that is, it groups the logs of the same domain name into one class and displays the classified logs. Specifically, personnel with authority, such as the network administrator or the service provider, can see all security protection logs on core security gateway 01 and take corresponding operations or measures. A user can also consult the security protection log of that user's own domain name, that is, the user of a given domain name can query the security protection log of that domain name but cannot view the logs of other domain names. Refer to Fig. 4, a schematic diagram of one example of the structure of the security protection log recorded by the edge security gateway in the domain-name-based network protection method of the present invention. As shown in Fig. 4, the security protection log recorded by edge security gateway 02 includes the network attack type, the number of attacks corresponding to each attack type, the percentage of the total each attack type accounts for, and the node server on which each attack type occurred. In this way the various items of information are clear at a glance when the security protection log is viewed.
In this embodiment the core security gateway receives and stores the security protection information and classifies and displays it, which has the beneficial effect of centralized collection and per-domain-name display of the security protection logs.
In an actual deployment of the domain-name-based network protection system of the present invention, the core security gateway and one of the edge security gateways may be the same physical entity.
The above are only preferred embodiments of the present invention and do not limit its claims; any equivalent structure or equivalent flow transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.