Method for realizing an industrial firewall with dynamic tracking of the Ethernet/Ip protocol
Technical Field
The invention belongs to the technical field of deep protection by industrial firewalls, and particularly relates to a method for realizing an industrial firewall with dynamic tracking of the Ethernet/Ip protocol.
Background
At present, protection of Ethernet/Ip in industrial firewalls consists mainly of field protection and Tcp/Ip session tracking protection. Field protection is divided into two parts: a field rationality check and matching of specific field values. In one approach, the whole protection process is based on the rules issued by the firewall configuration CMP management terminal and on the Tcp/Ip session connection tracking implemented in the firewall system.
The SA firewall receives a management data packet from the firewall configuration CMP over an IP-free communication mode, parses the rules in the packet into the firewall, and performs filtering detection on data passing through the firewall. The TCP/Ip session is tracked using the connection tracking function supported by the system. In the other approach, protecting Ethernet/Ip with the firewall in the existing scheme requires the following operations:
Step one, the firewall is connected to the protected network: the firewall is connected to the industrial network according to the field requirements and the design and usage instructions.
Step two, the management end configures rules: rules to be issued are configured according to the Ethernet/Ip specification, including whether to enable rationality detection, field value matching and filtering behavior control.
Step three, the management rules are issued: the management end issues the rules to the firewall, and the firewall parses and loads the rules.
Step four, Tcp/Ip session tracking is started: Tcp/Ip session tracking is started using the existing connection tracking technology.
Step five, the firewall parses and matches: when Ethernet/Ip protocol communication starts, the firewall parses, detects and matches the Ethernet/Ip communication packets according to the rules issued by the firewall configuration CMP management terminal.
Step six, the protection result is fed back: the protection result is fed back to the management end for dynamic display according to the protection behavior configuration issued by the management end.
The above prior art has significant disadvantages: only the most basic protection is applied during Ethernet/Ip communication, the information used for protection is very basic data that an attacker can easily obtain, and the server and even the whole industrial network remain very vulnerable.
Accordingly, the prior art is deficient and needs improvement.
Disclosure of Invention
In view of the defects of the prior art, the technical problem to be solved by the invention is to provide a method for realizing an industrial firewall with dynamic tracking of the Ethernet/Ip protocol.
The technical scheme of the invention is as follows:
A method for realizing an industrial firewall with dynamic tracking of the Ethernet/Ip protocol comprises the following steps:
Step 102: determining whether the data packet is an Ethernet/Ip protocol data packet;
Step 104: judging whether the data packet matches the TCP/IP connection tracking session record; if so, proceed to step 106, and if not, directly discard the data packet;
Step 106: checking whether the configured field values are legal; if the field values match, proceed to step 108; if they do not match, discard or release the packet according to the behavior mode in the issued rule, and report the log to the firewall configuration CMP management end;
Step 108: continuing to process the data packet passed in step 106; if the data packet is found to be legal, proceed to step 112, and if it is not found, proceed to step 110;
Step 110: if the data packet is a request packet of the SessionHandle dynamic negotiation, the firewall passes it; if the data packet is a response packet of the SessionHandle dynamic negotiation, the negotiated SessionHandle value is intercepted and added to the corresponding HASH linked list of step 108;
Step 112: if the data packet is the SessionHandle dynamic negotiation cancellation packet, the SessionHandle in the data packet is intercepted, the corresponding node in the linked list of step 108 is found, and the SessionHandle is removed from the linked list.
The method, wherein step 102 comprises: determining whether the data packet is an Ethernet/Ip protocol data packet according to whether the port is 44818.
The method, wherein step 104 comprises: performing TCP/IP connection tracking of the session according to the IP address, port number and SEQ sequence number information in the TCP/IP headers.
The method, wherein step 106 comprises: according to the rules issued by the firewall configuration CMP management end, performing a rationality check based on the protocol specification and judging whether the field values configured in the matching rules are legal.
The method, wherein step 106 further comprises: the rationality check verifies that field values lie within the legal ranges specified in the Ethernet/Ip specification.
The method, wherein step 106 further comprises: the matching rule is a rule issued by the user that allows only a certain type of Ethernet/Ip protocol packet to pass through.
The method, wherein step 106 further comprises: the behavior mode is a user-defined behavior rule specifying whether a data packet is released or discarded after it is intercepted or matched.
The method, wherein step 108 comprises: continuing to process the data packet passed in step 106, intercepting the IP addresses and ports in the data packet, hashing the four-tuple information, and after the HASH value is obtained, searching whether a SessionHandle corresponding to the HASH value exists in the SessionHandle storage linked list; if it exists, the data packet is determined to be legal.
The method, wherein step 112 further comprises: if other data packets appear, they are considered to conform to the firewall rules and the SessionHandle session tracking, and the firewall releases them.
By adopting this scheme, for scenarios in which system response is slow and real-time human-machine interaction is poor when data from multiple test nodes is uploaded in the network production line debugging and testing service, the response processing pressure on the field measurement software is relieved by an asynchronous data collection and storage mode, so that debugging and testing efficiency is improved. The Ethernet/Ip protocol dynamic session tracking provided by the invention further raises the protection level above the current field and TCP session state protection, effectively intercepts illegal attacks aimed at Ethernet/Ip protocol communication in an industrial network, maintains the normal operation of industrial control equipment and avoids the major losses such attacks cause. The innovation points of the invention are as follows: targeting the SessionHandle field, which has higher complexity in the Ethernet/Ip protocol, the firewall realizes dynamic session tracking at the application protocol layer and combines it with TCP session state tracking to form a dual-path tracking mode, so that the difficulty of an attack is increased, the common protection mode for Ethernet/Ip protocol communication is surpassed, and Ethernet/Ip protocol communication in the industrial control network is fully protected.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and the specific embodiments.
Example 1
The invention relates to a method for dynamically tracking an application layer session during Ethernet/Ip protocol communication in an industrial network environment. In an industrial network environment, the firewall only parses and filters the Ethernet/Ip data flow passing through it according to a predefined access control policy and a predefined security protection policy, and checks the rationality of the packet content through deep packet inspection (DPI). For an important and sophisticated industrial communication protocol such as Ethernet/IP, this alone is far from sufficient.
The Ethernet/Ip application layer session dynamic tracking method provided by the invention is based on the use of the SessionHandle field in the Ethernet/Ip protocol; this field has high implementation complexity and can precisely control the application layer session. The method mainly comprises the following two steps:
First is the acquisition of the SessionHandle. While monitoring session communication, the communication data packets are filtered and screened; once a request packet and a response packet of a client negotiating a SessionHandle are detected, the SessionHandle of the response packet is intercepted and added to a linked list whose nodes are keyed by the HASH value calculated from the packet tuple information. The SessionHandle is removed from the linked list when a cancellation packet for that SessionHandle is seen.
Next is the use of the SessionHandle. After the SessionHandle is obtained, in addition to the normal protection, SessionHandle tracking is performed on all subsequent data packets: every protocol communication packet is continuously matched against the SessionHandle values stored in the linked list, so that dynamic tracking is realized.
The method of the invention can solve the problems of weak protection strength and small protection coverage of the Ethernet/Ip protocol.
On the basis of the above, as shown in fig. 1, the present invention provides a method for implementing an industrial firewall with dynamic tracking of the Ethernet/Ip protocol, which includes the following steps:
Step 102: determining whether the data packet is an Ethernet/Ip protocol data packet;
Step 104: judging whether the data packet matches the TCP/IP connection tracking session record; if so, proceed to step 106, and if not, directly discard the data packet; this judgment is realized using the kernel Conntrack module;
Step 106: checking whether the configured field values are legal; if the field values match, proceed to step 108; if they do not match, discard or release the packet according to the behavior mode in the issued rule, and report the log to the firewall configuration CMP management end. The behavior mode is the rule issued to the firewall, for example the user's decision to release or discard an abnormal data packet, or whether a normal but unauthorized data packet is released or discarded; it is the user-defined behavior rule specifying what processing is performed after a data packet is intercepted or matched.
Step 108: continuing to process the data packet passed in step 106; if the data packet is found to be legal, proceed to step 112, and if it is not found, proceed to step 110;
Step 110: if the data packet is a request packet of the SessionHandle dynamic negotiation, the firewall passes it; if the data packet is a response packet of the SessionHandle dynamic negotiation, the negotiated SessionHandle value is intercepted and added to the corresponding HASH linked list of step 108;
Step 112: if the data packet is the SessionHandle dynamic negotiation cancellation packet, the SessionHandle in the data packet is intercepted, the corresponding node in the linked list of step 108 is found, and the SessionHandle is removed from the linked list.
The method, wherein step 102 comprises: determining whether the data packet is an Ethernet/Ip protocol data packet according to whether the port is 44818.
The method, wherein step 104 comprises: performing TCP/IP connection tracking of the session according to the IP address, port number and SEQ sequence number information in the TCP/IP headers.
The method, wherein step 106 comprises: according to the rules issued by the CMP management terminal, performing a rationality check based on the protocol specification and checking whether the field values configured in the matching rules are legal. The rationality check verifies that field values lie within the legal ranges specified in the Ethernet/Ip specification. The matching rule is a rule issued by the user that the firewall matches against; for example, the user issues a rule that allows only a certain type of Ethernet/Ip protocol packet to pass through.
The method, wherein step 108 comprises: continuing to process the data packet passed in step 106, intercepting the IP addresses and ports in the data packet, hashing the four-tuple information, and after the HASH value is obtained, searching whether a SessionHandle corresponding to the HASH value exists in the SessionHandle storage linked list; if it exists, the data packet is determined to be legal.
The method, wherein step 112 further comprises: if other data packets appear, they are considered to conform to the firewall rules and the SessionHandle session tracking, and the firewall releases them.
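The following is an added example, not code from the patent, that implements steps 102 to 112 above in user space: a 4-tuple-keyed table stands in for the HASH linked list, the TCP conntrack verdict of step 104 is supplied by the caller, and the encapsulation header layout and the RegisterSession/UnRegisterSession command codes are assumed from the EtherNet/IP encapsulation specification rather than taken from the page. Session-less commands such as ListIdentity are not covered by the page and are not modelled; a deployment would need an allow-list for them.

```python
import struct

ENIP_PORT = 44818  # step 102: EtherNet/IP TCP port (from the page)
# Encapsulation header (assumed, little-endian): command, length, session handle, status, sender context, options
HDR = struct.Struct("<HHIIQI")
REGISTER_SESSION, UNREGISTER_SESSION = 0x0065, 0x0066  # assumed command codes, not from the page

class SessionTracker:
    def __init__(self):
        self.sessions = {}  # 4-tuple key -> negotiated SessionHandles (the page's HASH list)
    @staticmethod
    def flow_key(src, sport, dst, dport):
        return frozenset([(src, sport), (dst, dport)])  # direction-independent list node
    def inspect(self, src, sport, dst, dport, payload, conntrack_ok=True):
        """Verdict following steps 102-112: 'PASS', 'DROP', or 'IGNORE' (non-ENIP)."""
        if ENIP_PORT not in (sport, dport):
            return "IGNORE"  # step 102
        if not conntrack_ok:
            return "DROP"  # step 104: no TCP conntrack entry for this packet
        if len(payload) < HDR.size:
            return "DROP"  # step 106: truncated header fails the rationality check
        cmd, length, handle, status, _ctx, _opts = HDR.unpack_from(payload)
        if length != len(payload) - HDR.size:
            return "DROP"  # step 106: length field must match the encapsulated data
        key = self.flow_key(src, sport, dst, dport)
        known = self.sessions.get(key, set())
        if handle and handle in known:  # step 108: SessionHandle found for this flow
            if cmd == UNREGISTER_SESSION:  # step 112: cancellation removes the handle
                known.discard(handle)
            return "PASS"
        if cmd == REGISTER_SESSION:  # step 110: dynamic negotiation
            if dport == ENIP_PORT and handle == 0:
                return "PASS"  # client request, no handle assigned yet
            if sport == ENIP_PORT and status == 0 and handle:
                self.sessions.setdefault(key, set()).add(handle)  # learn the server's handle
                return "PASS"
        return "DROP"  # no negotiated handle for this flow (the page leaves this case implicit)

def enip(cmd, handle=0, status=0, data=b""):
    return HDR.pack(cmd, len(data), handle, status, 0, 0) + data  # constructed test packet

def demo():
    # Constructed exchange: register, data, forged handle, cancel, replay after cancel
    t, c, s = SessionTracker(), ("10.0.0.5", 50000), ("10.0.0.9", ENIP_PORT)
    return [t.inspect(*c, *s, enip(REGISTER_SESSION)),
            t.inspect(*s, *c, enip(REGISTER_SESSION, handle=0x1A2B)),
            t.inspect(*c, *s, enip(0x006F, handle=0x1A2B, data=b"\0" * 4)),
            t.inspect(*c, *s, enip(0x006F, handle=0xDEAD, data=b"\0" * 4)),
            t.inspect(*c, *s, enip(UNREGISTER_SESSION, handle=0x1A2B)),
            t.inspect(*c, *s, enip(0x006F, handle=0x1A2B, data=b"\0" * 4))]
```

The forged handle and the replay after cancellation are dropped even though both packets would pass a TCP conntrack check alone, which is the second path of the dual-path tracking the page describes.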
The system corresponding to the method adopts a modular and componentized design principle and changes the existing way the firewall protects the protocol. A rule input and issuing component of the firewall configuration CMP realizes rule control for the protocol; a rule parsing component of the firewall loads the rules into the firewall; a protocol parsing component of the firewall parses the Ethernet/Ip protocol passing through the firewall to obtain the required tuple information and the dynamic SessionHandle value; a protocol session management component of the firewall realizes dynamic tracking of the protocol session based on the SessionHandle; a protocol matching component applies the specified processing to communication packets that do not conform to the rules or to the SessionHandle session tracking; a log uploading component of the firewall uploads the non-conforming packet information to the firewall configuration CMP management terminal; a log processing component of the firewall configuration CMP processes and parses the logs uploaded by the firewall into character strings of a specific format; and a log display component of the firewall configuration CMP displays the log information on the corresponding interface at any time, so that the user can check and configure it.
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.