Disclosure of Invention
In order to overcome the defects in the prior art, the application provides a ubiquitous Internet of things safety protection gateway system, a corresponding gateway method and a corresponding deployment architecture which are suitable for the power industry. The application is oriented to the full-scene safety protection of the ubiquitous power Internet of things: fingerprint information of Internet of things terminal equipment in the network is identified by terminal identification technology through two modes, active detection and flow discovery, and the asset condition of the Internet of things terminals in the network is identified through active scanning and visual presentation, so that various terminals such as a traditional PC (personal computer), a dumb terminal and intelligent equipment can be effectively identified; an identity baseline is established and approved for each identified Internet of things terminal, the terminal is protected against counterfeit attacks, its security situation can be evaluated, and protection suggestions and means are effectively given; by carrying out effective access control on the identified Internet of things terminals, the access authentication and safety management and control problems of mass IP equipment can be effectively solved, helping the user to construct a safe and controllable ubiquitous power Internet of things network.
In order to achieve the above object, the first invention of the present application adopts the following technical solutions:
a ubiquitous Internet of things safety protection gateway system for the power industry, in which terminal equipment of the Internet of things is accessed to a core enterprise network through corresponding Internet of things safety protection gateways; the terminal equipment of the Internet of things accesses the Internet of things security protection gateway in one of three modes: bypass control, serial control and access authentication control; each Internet of things safety protection gateway comprises a system state module, a system management module, a network discovery module, a flow self-learning module, a terminal fingerprint detection module, a terminal fingerprint change perception identification module, a behavior perception module, a terminal access white list module, a safety rule module, a network protection module, a VPN configuration module, a centralized management module and a log audit module; the system is characterized in that:
all the Internet of things safety protection gateways are connected to the large visual screen through the visual centralized control platform;
the system state module is used for monitoring the state of the accessed terminal equipment of the Internet of things, counting sessions and recording blocking events;
the system management module is used for system setting and network setting;
the network discovery module is used for automatically discovering the terminal of the Internet of things and realizing visual presentation of equipment and network access;
the flow self-learning module is used for automatically discovering assets, connection relations, communication protocols and application layer access instructions according to network flow, automatically recommending security strategies and assisting an administrator to easily generate and maintain network security strategies;
the terminal fingerprint detection module is used for detecting the fingerprint information of the equipment, establishing a fingerprint baseline for the terminal of the Internet of things according to the detection content and examining and approving the fingerprint baseline, so that access control of the terminal of the Internet of things is realized; the equipment fingerprint information comprises IP, MAC, operating system, software version and open port information;
the terminal fingerprint change perception identification module is used for monitoring in real time whether the fingerprint information of an accessed Internet of things terminal changes; when the fingerprint information of an accessed terminal changes, an isolation alarm is automatically raised to inform an administrator, or an alarm is displayed on the visual centralized control platform, or a blocking strategy is started directly to isolate the suspicious terminal immediately;
the behavior perception module is used for interacting with a superior visual centralized control platform to provide the terminal of the Internet of things with vulnerability discovery, weak password risk and threat perception capabilities;
the terminal access white list module is used for removing the terminal with fingerprint information change and abnormal behavior from the trusted traffic through a white list mechanism, so that the aim of effective isolation is fulfilled;
the safety rule module is used for controlling the network behavior in real time and comprises a user-defined rule and a user-defined characteristic;
the network protection module is used for providing firewall policies, address binding, address translation, protocol management, address management, session management and security options;
the VPN configuration module is used for VPN basic configuration, tunnel configuration and tunnel monitoring, and data encryption transmission based on the Internet of things protocol is realized;
the centralized management module is used for deploying the Internet of things security protection gateway system on a large scale and carrying out centralized management: the whole-network strategy is issued uniformly, the equipment condition is displayed uniformly, and log alarms are displayed in a centralized manner.
The log auditing module is used for log configuration and log access, and is also used for recording and transmitting device management logs and system logs.
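The fingerprint baseline, approval and change-perception behaviour of the terminal fingerprint detection module and the terminal fingerprint change perception identification module, written out as an added example (this is not code from the application; the `Fingerprint` field names, the MAC-keyed baseline store and the two response modes `ALERT` / `BLOCK` are assumptions chosen to illustrate the claim):

```python
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Fingerprint:
    """The fingerprint fields named in the claim: IP, MAC, operating system,
    software version and open ports (hypothetical field names)."""
    ip: str
    mac: str
    os: str
    software_version: str
    open_ports: frozenset


class Action(Enum):
    ALLOW = "allow"  # observation matches the approved baseline
    ALERT = "alert"  # isolation alarm: notify the administrator / centralized control platform
    BLOCK = "block"  # blocking strategy started immediately, terminal isolated


class FingerprintGateway:
    """Baseline store for the fingerprint detection and change-perception modules (constructed)."""

    COMPARED = ("ip", "os", "software_version", "open_ports")

    def __init__(self, block_on_change: bool):
        self.block_on_change = block_on_change
        self.baselines = {}    # mac -> Fingerprint recorded when the terminal was first detected
        self.approved = set()  # macs whose baseline an administrator has examined and approved

    def detect(self, fp: Fingerprint) -> bool:
        """Record a baseline the first time a terminal is seen; returns True if it was new."""
        if fp.mac in self.baselines:
            return False
        self.baselines[fp.mac] = fp
        return True

    def approve(self, mac: str) -> None:
        if mac not in self.baselines:
            raise KeyError(f"no baseline for {mac}")
        self.approved.add(mac)

    def changed_fields(self, fp: Fingerprint) -> list:
        base = self.baselines[fp.mac]
        return [f for f in self.COMPARED if getattr(base, f) != getattr(fp, f)]

    def evaluate(self, fp: Fingerprint):
        """Compare a live observation with its baseline; return (Action, reasons)."""
        if fp.mac not in self.baselines:
            return Action.BLOCK, ["unknown terminal"]
        if fp.mac not in self.approved:
            return Action.BLOCK, ["baseline not approved"]
        changed = self.changed_fields(fp)
        if not changed:
            return Action.ALLOW, []
        return (Action.BLOCK if self.block_on_change else Action.ALERT), changed


def demo():
    """Constructed scenario: a printer is baselined and approved, then a device
    with the same MAC shows up running a different OS with SSH open."""
    printer = Fingerprint("10.0.3.21", "00:11:22:33:44:55", "Embedded printer OS",
                          "fw 2.1", frozenset({9100, 631}))
    gw = FingerprintGateway(block_on_change=True)
    gw.detect(printer)
    before_approval = gw.evaluate(printer)
    gw.approve(printer.mac)
    normal = gw.evaluate(printer)
    impostor = Fingerprint("10.0.3.21", "00:11:22:33:44:55", "Linux",
                           "fw 2.1", frozenset({22, 9100}))
    spoofed = gw.evaluate(impostor)
    return before_approval, normal, spoofed


if __name__ == "__main__":
    for action, reasons in demo():
        print(action.value, reasons)
```

The baseline is keyed by MAC because that is the only stable identity a dumb terminal offers; a device that clones the MAC is therefore caught not by the address but by the remaining fields (operating system, software version, open ports) diverging from the approved baseline, which is the point of comparing the whole fingerprint rather than the address alone.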
The invention further comprises the following preferred embodiments:
preferably, the system state module comprises a state monitoring module, a session statistics module and an event center module;
the state monitoring module realizes real-time monitoring on navigation information, network information, equipment information, interface information, license information and log information;
the navigation information comprises the number of discovered assets, the number of logs and the number of rules; the network information comprises a session-count IP ranking, asset type statistics, network throughput, concurrent sessions and a protocol distribution diagram; the equipment information comprises system information and dashboards of CPU and memory usage; the interface information comprises the interface name, IP address, sent and received flow and up/down state; the license information comprises a module name, a validity period, a description and a state; the log information comprises the time, type, level and detailed information of the event that triggered the log;
the session counting module is used for counting session connections and visually displaying the connection ranking list;
the statistical information comprises the current number of concurrent connections, the numbers of TCP, UDP and ICMP connections, the number of TCP connections in each state and the number of ICMP connections in the unanswered state; the connection ranking list shows the top ten connection counts by source address and the top ten connection counts by destination address;
the event center module is used for reporting blocking events generated by the strategy center module: when the equipment blocks a connection that has not been admitted by any policy, the strategy center module generates and records a blocking event; the event center module provides a corresponding processing mechanism for each event so that false blocking can be resolved; an event has four states, unread, read, processed and ignored, and the counts of the four states can be queried and screened; the event center module provides two processing mechanisms for each event: first, a corresponding white list strategy is generated and the connection is put through; second, the white list strategy related to the event is found in the strategy center module and the existing strategy is updated to put the connection through; the event center module also provides two ignoring mechanisms of different degree: first, the event is no longer shown in the main interface of the system but becomes visible again when it is generated again; second, an event filter is added so that such events are no longer reported.
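The event life cycle described for the event center module (four states, two processing mechanisms, two ignoring mechanisms), modelled as an added example; it is not code from the application, and the `EventCenter` class, the dictionary shape of the white list rules standing in for the strategy center, and the connection key `(src, dst, dport, proto)` are assumptions:

```python
from dataclasses import dataclass
from enum import Enum


class EventState(Enum):
    UNREAD = "unread"
    READ = "read"
    PROCESSED = "processed"
    IGNORED = "ignored"


@dataclass
class BlockEvent:
    event_id: int
    src: str
    dst: str
    dport: int
    proto: str
    state: EventState = EventState.UNREAD
    hidden: bool = False  # ignoring mechanism 1: hidden from the main interface until it recurs


class EventCenter:
    """Blocking-event book-keeping modelled on the event center module (constructed)."""

    def __init__(self):
        self.events = {}      # event_id -> BlockEvent
        self.whitelist = []   # stand-in for strategy center rules: {"src","dst","proto","ports"}
        self.filters = set()  # ignoring mechanism 2: connection keys that are never reported again
        self._next_id = 1

    def report_block(self, src, dst, dport, proto):
        """Called by the strategy center when it blocks a connection no policy admits."""
        key = (src, dst, dport, proto)
        if key in self.filters:
            return None
        for ev in self.events.values():
            if (ev.src, ev.dst, ev.dport, ev.proto) == key:
                ev.hidden = False  # a hidden event becomes visible again when generated again
                ev.state = EventState.UNREAD
                return ev
        ev = BlockEvent(self._next_id, src, dst, dport, proto)
        self._next_id += 1
        self.events[ev.event_id] = ev
        return ev

    def mark_read(self, event_id):
        self.events[event_id].state = EventState.READ

    def process_new_rule(self, event_id):
        """Processing mechanism 1: generate a white list rule that puts the connection through."""
        ev = self.events[event_id]
        self.whitelist.append({"src": ev.src, "dst": ev.dst, "proto": ev.proto, "ports": {ev.dport}})
        ev.state = EventState.PROCESSED
        return len(self.whitelist) - 1

    def process_update_rule(self, event_id, rule_index):
        """Processing mechanism 2: update the related existing rule instead of adding one."""
        ev = self.events[event_id]
        rule = self.whitelist[rule_index]
        if (rule["src"], rule["dst"], rule["proto"]) != (ev.src, ev.dst, ev.proto):
            raise ValueError("rule is not related to this event")
        rule["ports"].add(ev.dport)
        ev.state = EventState.PROCESSED

    def ignore_hide(self, event_id):
        ev = self.events[event_id]
        ev.hidden = True
        ev.state = EventState.IGNORED

    def ignore_filter(self, event_id):
        ev = self.events[event_id]
        self.filters.add((ev.src, ev.dst, ev.dport, ev.proto))
        ev.hidden = True
        ev.state = EventState.IGNORED

    def is_whitelisted(self, src, dst, dport, proto):
        return any(r["src"] == src and r["dst"] == dst and r["proto"] == proto
                   and dport in r["ports"] for r in self.whitelist)

    def counts(self):
        """Statistics of the four states, as queried and screened in the interface."""
        out = {s: 0 for s in EventState}
        for ev in self.events.values():
            out[ev.state] += 1
        return out

    def visible(self):
        return [ev.event_id for ev in self.events.values() if not ev.hidden]
```

The two ignoring mechanisms differ in what an operator gives up: hiding keeps the connection key under observation and resurfaces it on recurrence, whereas a filter silences that key permanently, so a filter deserves the same review as a white list rule.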
Preferably, the system management module comprises a system setting unit and a network setting unit;
the system setting unit is used for setting system information, setting administrator configuration information and maintaining the system;
the system information comprises date and time, system parameters, centralized management and switch linkage;
the administrator configuration information comprises the IP of the centralized management host, the threshold values of the various monitoring items, the community string of SNMP v1/v2c and the user information of SNMPv3, and is used for realizing authorization management of administrator accounts according to authority;
the system maintenance comprises backup, recovery and upgrade;
the network setting unit is used for setting interfaces and routes;
the network equipment configurable by the ubiquitous Internet of things security protection gateway system comprises physical equipment, VLAN equipment, bridging equipment and redundant equipment;
when the ubiquitous Internet of things safety protection gateway system routes a packet, if no static route matches the current data packet, the default route is selected; the default route is set through the network setting unit and can realize a load balancing function; the default route has the lowest priority among the system routing rules: when a data packet arrives, routing rules such as policy routes and static routes are matched first, and if the matching succeeds the corresponding policy route or static route is selected; only if no such rule matches is the default route used.
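The route selection order described above (static routes first, the default route last), carried out in an added example that is not code from the application; policy routes are left out, the longest-prefix tie-break between overlapping static routes and the per-flow hashing across several default next hops are assumptions used to give the load-balancing behaviour a concrete form:

```python
import hashlib
import ipaddress


class RouteTable:
    """Static routes with longest-prefix match, and a default route consulted only
    when no static route matches (constructed model of the network setting unit)."""

    def __init__(self):
        self.static_routes = []     # list of (ip_network, next_hop)
        self.default_next_hops = [] # more than one entry gives load balancing

    def add_static(self, cidr: str, next_hop: str) -> None:
        self.static_routes.append((ipaddress.ip_network(cidr, strict=True), next_hop))

    def add_default(self, next_hop: str) -> None:
        self.default_next_hops.append(next_hop)

    def lookup(self, dst_ip: str, flow_key: str = ""):
        """Return (kind, next_hop); kind is 'static', 'default' or 'unroutable'."""
        addr = ipaddress.ip_address(dst_ip)
        # Step 1: static routes are matched first; the most specific prefix wins.
        candidates = [(net, nh) for net, nh in self.static_routes
                      if addr.version == net.version and addr in net]
        if candidates:
            net, nh = max(candidates, key=lambda c: c[0].prefixlen)
            return "static", nh
        # Step 2: the default route has the lowest priority and is used only now.
        if not self.default_next_hops:
            return "unroutable", None
        # With several default next hops, choose per flow from a hash of the flow key
        # so that every packet of one session leaves through the same gateway.
        digest = hashlib.sha256(flow_key.encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % len(self.default_next_hops)
        return "default", self.default_next_hops[idx]


def build_example_table() -> RouteTable:
    """Constructed table: an office /16, a more specific PLC /24 inside it, two uplinks."""
    rt = RouteTable()
    rt.add_static("10.10.0.0/16", "10.10.0.1")
    rt.add_static("10.10.5.0/24", "10.10.5.254")
    rt.add_default("192.0.2.1")
    rt.add_default("192.0.2.2")
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dst in ("10.10.7.9", "10.10.5.20", "203.0.113.7"):
        print(dst, rt.lookup(dst, f"10.10.7.9->{dst}"))
```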
Preferably, the network discovery module comprises a behavior learning module, a network discovery display module and an asset management and control module;
the behavior learning module is used for displaying the learned flow characteristic information;
the network discovery display module is used for displaying the flow information forwarded by the protective equipment and displaying the data learned by the network behavior in a protocol or multicast mode;
the asset management and control module is used for fingerprint detection, anomaly detection and behavior learning analysis, and is used for detecting asset fingerprint information in a network and carrying out anomaly detection according to the fingerprint information so as to identify abnormal assets in real time and realize network blocking;
the assets comprise actively detected network assets and network assets learned through flow learning, with views for all assets, approved assets and unapproved assets; the detection mode is divided into active detection and periodic detection: in active detection, an IP or network segment to be detected is entered manually and the assets in the network are found by clicking active detection; periodic detection performs asset discovery according to a configured update interval and detection network segments.
Preferably, the ubiquitous Internet of things security protection gateway system is provided with a customizable content white list management and control engine, used for configuring content white list rules oriented to Internet of things communication protocols and supporting black list rules oriented to attack protection features.
Preferably, in the security rule module, the custom rule is a configurable and customizable rule, and includes a filtering mechanism of a black list and a white list;
in a test mode, the user-defined rule only matches flow, an alarm log is printed, and no discarding action is performed;
after the behavior learning interface analyzes the issued rules, they automatically appear in the user-defined characteristic interface, and user-defined characteristics are added by manually writing characteristic grammar.
Preferably, the network protection module comprises a policy center module, an address binding module, an address translation module, a protocol management module, an address management module, a session management module and a security option module;
the strategy center module provides four firewall modes for a ubiquitous Internet of things security protection gateway system, wherein the four firewall modes are a full-pass mode, a debugging mode, a protection mode and a monitoring mode; the strategy center module carries out dynamic packet filtering based on state check, the packet filtering rule determines whether a specific network packet can pass through the security gateway, and the strategy center module provides related options to protect the network from being attacked; the protocol supported by the strategy center module comprises a basic protocol, an ICMP, a dynamic protocol and a protocol self-defined by a preset service group in the strategy center module;
the address binding module is used for checking and recording binding logs based on global IP/MAC binding; address binding is disabled by default in the security protection gateway system of the ubiquitous Internet of things;
the address conversion module comprises an SNAT module, a port mapping module and an IP mapping module;
the SNAT module is used for converting the source address of an IP data packet into another address; the port mapping module is used for mapping a destination IP address and port to another IP address and port number; the IP mapping module is used for mapping a destination IP address to another IP address;
the protocol management module includes a custom protocol adding module; the protocol management module performs deep parsing of preset Internet of things protocols, including OPC, Modbus, IEC104, EIP and S7, and realizes instruction-level access control through custom protocol characteristics; the access control includes three aspects: terminal communication protocol level access control, terminal universal protocol content depth filtering and terminal external communication protocol depth filtering;
the address management module is used for carrying out centralized management on the IP addresses in the ubiquitous Internet of things safety protection system and adding, editing or deleting the IP addresses, the address groups and the address pools by a user according to requirements; the address group is a set of IP addresses and is used for adding, editing or deleting address group entries by a user according to requirements; the address pool is an IP address field and is used for adding, editing or deleting address pool entries according to requirements of a user;
the session management module is used for checking the local session and editing the session timeout time;
the safety option module is used for selecting safety protection functions, including a packet filtering rule and an anti-attack type; the packet filtering rules include packet filtering default allowance, strict state detection and fast mode; the anti-attack types comprise anti-address spoofing attack, anti-source routing attack, anti-Smurf attack, anti-LAND attack, anti-Winnuke attack, anti-Queso scanning, anti-SYN/FIN scanning, anti-NULL scanning and anti-FIN scanning.
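Instruction-level access control over a deeply parsed Internet of things protocol, combined with the four firewall modes of the strategy center module, as an added example; it is not code from the application. Modbus/TCP is used because its MBAP header and function codes are public; the `InstructionRule` shape and the exact semantics assigned to the debugging and monitoring modes (inspect and log, never drop) are assumptions, since the text names the modes without defining them:

```python
import struct
from dataclasses import dataclass
from enum import Enum

# Standard Modbus public function codes; the write codes are the ones an operator
# normally restricts to the engineering station.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


class FirewallMode(Enum):
    FULL_PASS = "full-pass"    # forward everything, no inspection
    DEBUG = "debug"            # inspect, log every decision, never drop (assumed semantics)
    PROTECTION = "protection"  # inspect, drop and log violations
    MONITORING = "monitoring"  # inspect, log violations only, never drop (assumed semantics)


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}


@dataclass(frozen=True)
class InstructionRule:
    """Hypothetical rule: which function codes src may send to dst (unit_id None = any)."""
    src: str
    dst: str
    unit_id: object
    functions: frozenset


class ProtocolGateway:
    def __init__(self, mode: FirewallMode, rules):
        self.mode = mode
        self.rules = list(rules)
        self.log = []

    def _permitted(self, src, dst, req) -> bool:
        return any(r.src == src and r.dst == dst
                   and (r.unit_id is None or r.unit_id == req["unit_id"])
                   and req["function"] in r.functions for r in self.rules)

    def handle(self, src: str, dst: str, frame: bytes) -> str:
        """Return 'forward' or 'drop' for one request, logging as the mode dictates."""
        if self.mode is FirewallMode.FULL_PASS:
            return "forward"
        try:
            req = parse_modbus_tcp(frame)
            name = MODBUS_FUNCTIONS.get(req["function"], f"fc {req['function']}")
            ok = self._permitted(src, dst, req)
        except ValueError as err:
            name, ok = f"malformed ({err})", False  # unparsable traffic is a violation
        if ok:
            if self.mode is FirewallMode.DEBUG:
                self.log.append(f"allow {src}->{dst} {name}")
            return "forward"
        verdict = "drop" if self.mode is FirewallMode.PROTECTION else "forward"
        self.log.append(f"violation {src}->{dst} {name}: {verdict}")
        return verdict


def modbus_request(function: int, unit_id: int, *words: int, transaction_id: int = 1) -> bytes:
    """Build a constructed Modbus/TCP request: function code followed by 16-bit words."""
    pdu = struct.pack("!B", function) + b"".join(struct.pack("!H", w) for w in words)
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def example_rules():
    """Constructed policy: the HMI may only read, the engineering station may also write."""
    hmi, eng, plc = "10.0.1.20", "10.0.1.30", "10.0.2.5"
    return [InstructionRule(hmi, plc, 1, frozenset({1, 2, 3, 4})),
            InstructionRule(eng, plc, None, frozenset(MODBUS_FUNCTIONS))]
```

A malformed frame is treated as a violation rather than forwarded unparsed; in protection mode it is dropped, which is the safe reading of "deep parsing" when the parser cannot decide what instruction the packet carries.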
Preferably, the VPN configuration module includes a VPN basic configuration module, a tunnel configuration module and a tunnel monitoring module;
the VPN basic configuration module is used for setting an IKE key cycle, a VPN key cycle, a pre-shared key and NAT port information and selecting whether to start a VPN function or not;
the tunnel configuration module comprises a VPN rule module, an IKE configuration module, a gateway tunnel setting module and a tunnel monitoring module;
the VPN rule module is used for providing a VPN rule, and the VPN rule is an intranet address of a protection network;
the IKE configuration module is used for adding, editing or deleting IKE configuration information by a user according to requirements, wherein the IKE configuration information comprises an IKE name, an opposite terminal address type, an opposite terminal address, an authentication mode and an equipment type;
the gateway tunnel setting module is used for configuring a gateway tunnel and establishing an encrypted channel between two remote gateways, wherein the encrypted channel only encrypts data packets that match the referenced VPN rule;
the tunnel monitoring module is used for listing a tunnel list currently established by the system, integrating the functions of starting and stopping tunnels and monitoring a single-address tunnel and a tunnel group.
Preferably, the ubiquitous internet of things security gateway system generates a log through a log server and a local log, and the log type includes: management logs, network protection, VPN, DPI, high availability, address monitoring, and all; the log level includes: emergency, alarm, critical, error, pre-warning, prompt, notify, debug, and all.
Preferably, the internet of things security protection gateway further comprises a wireless WIFI access module and a discovery and identification module of a network AP;
the wireless WIFI access module brings WIFI equipment into unified management, and full coverage of the Internet of things equipment is achieved;
the discovery and identification module of the network AP is used for defending against phishing WIFI and illegal access.
Preferably, the internet of things security protection gateway further comprises a third-party equipment linkage module, and the third-party equipment linkage module is used for linking the ubiquitous internet of things security protection gateway with third-party equipment besides existing network protection measures when assets are abnormal, and realizing management and control on the assets of the internet of things by sending abnormal information to the third-party network equipment.
Preferably, the internet of things security protection gateway further comprises a basic firewall module, which is used for integrated access control based on the traditional quintuple, protocol, asset and time;
the basic firewall module comprises three deployment modes of transparency, routing and mixing; the basic firewall module is internally provided with various internet of things protection models and can customize protection rules.
The application also discloses another invention, namely a method for realizing the safety protection gateway system of the ubiquitous Internet of things in the power industry, which comprises the following steps:
the fingerprint information of the terminal equipment of the Internet of things in the network is identified through two modes, active detection and flow discovery, so that terminal discovery, visual presentation of terminal network access flow and machine vision anomaly discovery are realized, and the condition of the Internet of things terminals in the network is comprehensively mastered.
Preferably, the implementation method comprises the following steps:
step 1: setting a network in a ubiquitous Internet of things security protection gateway system, and setting an interface and a route;
step 2: the ubiquitous Internet of things security protection gateway is linked with switch equipment to obtain the corresponding relation between terminal equipment hung on a switch and a switch port;
step 3: adding the asset IP address range of the terminal equipment of the Internet of things that needs protection;
step 4: actively detecting the terminals of the Internet of things, collecting fingerprint information of the terminal equipment, forming a terminal equipment list and recommending an admission-oriented, wizard-style security strategy;
step 5: discovering the flow of the terminals of the Internet of things, acquiring fingerprint information of the terminals, combing and presenting the network flow conditions, and recommending an admission-oriented, wizard-style security strategy;
step 6: modeling the business behavior analysis, constructing a behavior model of the Internet of things terminals, and presenting the business behavior of the Internet of things in a visual mode;
step 7: establishing a white list mechanism: a white list is established for the fingerprint information of the Internet of things terminals, and terminals are selected and approved to access a specific system or network for communication according to the fingerprint information attributes of the terminal;
step 8: intelligently classifying and identifying assets: the assets of the Internet of things terminals are intelligently classified and identified according to the asset fingerprint information accumulated in the system combined with asset fingerprint discovery technology;
step 9: network topology discovery: the connection relation of the Internet of things terminal assets is drawn by analyzing network flow, and the physical topological relation is drawn by linking with the switch, so that visualization of the asset connection relation is realized;
step 10: switching assets on and off as required: intelligent arrangement of the Internet of things terminals is realized by integrating agentless asset fingerprinting, intelligent asset identification, asset anti-counterfeiting and business behavior analysis modeling technologies; on this basis fine-grained, all-round network isolation is realized, so that on-demand switching of assets is truly achieved;
step 11: the method comprises the steps of carrying out centralized management on the ubiquitous Internet of things safety protection gateway, monitoring the equipment state, collecting equipment logs, carrying out alarm strategy management and strategy management on the intrusion behavior of the Internet of things terminal equipment, maintaining data, carrying out equipment management and carrying out equipment information visual graph display.
Preferably, in step 6, deep parsing is performed on the messages transmitted in the Internet of things along three aspects, the entities and network connection relations of the Internet of things, the instruction operations of the Internet of things terminals, and the operation flows of the Internet of things; the message contents of different services are intelligently learned, and the time dimension, the packet length dimension and the Payload contents are continuously learned and aggregated by a machine learning algorithm, so that a behavior model of the Internet of things terminal is established automatically with the algorithm's assistance;
the fingerprint baseline and the behavior baseline of the Internet of things terminal are established and access approval is carried out in combination with active and passive fingerprint learning technology; when a service is abnormal, that is, when the service behavior exceeds the range of the existing model, the ubiquitous Internet of things safety protection gateway system blocks and alarms on the non-compliant service behavior according to its configuration, so that network behavior protection of the Internet of things terminal based on service behavior is realized, and the security problems of a counterfeited or attacked Internet of things terminal are addressed by alarming on or blocking the misused terminal.
Preferably, the fingerprint information attribute of the terminal in step 7 includes a process name, a file name, a publisher name and vendor information.
Preferably, the terminal assets of the internet of things in the step 8 comprise a general PC, network security equipment, video equipment, a printer and a card punch; the type of the terminal assets of the Internet of things can be customized according to the IP address, the MAC address, the open port, the access port and the operating system information of the assets.
Preferably, step 10 specifically comprises:
abnormal asset isolation: based on fingerprint identification technology, real-time discovery of asset fingerprint anomalies is realized by combining active and passive network discovery, and once an abnormal asset state is confirmed in protection mode, the abnormal asset is listed in the abnormal asset blacklist to realize logical isolation;
business behavior compliance check: based on the business behavior analysis modeling technology, the business behavior is issued to the data processing layer in the form of behavior rules, so that real-time blocking and alarming of abnormal business flow are realized;
TCP RST function: for the case where the ubiquitous Internet of things security protection gateway cannot block traffic in bypass deployment mode, the TCP RST function supports the traffic mirroring mode and realizes network access blocking of abnormal assets by actively sending TCP RST, which enhances the adaptability of the gateway;
security policy: on the basis of the traditional quintuple policy, the management and control dimensions of the security policy are expanded with control dimensions of interface, service, time and bandwidth, and fine-grained control of the network is realized in combination with the asset intelligent classification and identification technology.
The beneficial effects achieved by this application are:
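The behavior model of step 6 (time dimension, packet length dimension and Payload contents learned per terminal) and the abnormal asset isolation and business behavior compliance check of step 10, worked through together as an added example. This is not code from the application: the `Flow` fields, the choice of the first two payload bytes as the "instruction" feature, exact min/max bounds for packet length and the hour-of-day time window are simplifying assumptions standing in for the machine learning aggregation the text describes:

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """One observed session summary (constructed fields)."""
    src: str
    dst: str
    dport: int
    proto: str
    length: int       # packet length dimension
    ts: datetime      # time dimension
    payload: bytes    # Payload dimension; first two bytes stand in for the instruction


@dataclass
class BehaviorModel:
    peers: set = field(default_factory=set)     # learned (dst, dport, proto) connection relations
    hours: set = field(default_factory=set)     # hours of day in which the terminal is active
    prefixes: set = field(default_factory=set)  # learned instruction prefixes of the payload
    min_len: int = 10**9
    max_len: int = 0

    def learn(self, f: Flow) -> None:
        self.peers.add((f.dst, f.dport, f.proto))
        self.hours.add(f.ts.hour)
        self.prefixes.add(f.payload[:2])
        self.min_len = min(self.min_len, f.length)
        self.max_len = max(self.max_len, f.length)

    def violations(self, f: Flow) -> list:
        """Every way in which a flow falls outside the range of the existing model."""
        out = []
        if (f.dst, f.dport, f.proto) not in self.peers:
            out.append("unknown connection relation")
        if f.ts.hour not in self.hours:
            out.append("outside learned time window")
        if f.payload[:2] not in self.prefixes:
            out.append("unknown instruction")
        if not self.min_len <= f.length <= self.max_len:
            out.append("packet length outside learned range")
        return out


class BehaviorGateway:
    """Learns one model per terminal, then checks traffic; non-compliant terminals are
    put on the abnormal asset blacklist (logical isolation) when blocking is configured."""

    def __init__(self, block_on_violation: bool = True):
        self.block_on_violation = block_on_violation
        self.models = {}
        self.blacklist = set()
        self.alarms = []

    def learn(self, flows) -> None:
        for f in flows:
            self.models.setdefault(f.src, BehaviorModel()).learn(f)

    def check(self, f: Flow) -> str:
        """Return 'allow', 'alarm' or 'block' for one flow."""
        if f.src in self.blacklist:
            return "block"   # isolated asset: everything it sends is blocked
        model = self.models.get(f.src)
        reasons = ["no behavior model"] if model is None else model.violations(f)
        if not reasons:
            return "allow"
        self.alarms.append((f.src, reasons))
        if self.block_on_violation:
            self.blacklist.add(f.src)
            return "block"
        return "alarm"


def learning_traffic():
    """Constructed baseline: an HMI polling a PLC over Modbus/TCP through the working day."""
    hmi, plc = "10.0.1.20", "10.0.2.5"
    return [Flow(hmi, plc, 502, "tcp", 60 + i, datetime(2024, 5, 6, 8 + i, 0), b"\x00\x03poll")
            for i in range(10)]


if __name__ == "__main__":
    gw = BehaviorGateway()
    gw.learn(learning_traffic())
    probe = Flow("10.0.1.20", "10.0.2.9", 22, "tcp", 300, datetime(2024, 5, 7, 3, 0), b"SSH-2.0")
    print(gw.check(probe), gw.alarms)
```

The distinction between the alarm-only and blocking configurations is the one the text ties to the deployment mode: in bypass deployment the gateway can only alarm (or fall back to the TCP RST function), while in serial deployment the same verdict can be enforced inline.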
1. the application is oriented to a ubiquitous power Internet of things full-scene safety protection application scene, fingerprint information of Internet of things terminal equipment in a network is identified by adopting a terminal identification technology through two modes of active detection and flow discovery, and the asset condition of the Internet of things terminal in the network is identified through active scanning and visual presentation, so that various terminals such as a traditional PC (personal computer), a dumb terminal and intelligent equipment can be effectively identified;
2. the identity baseline is established and approved for identifying the terminal of the Internet of things, the terminal of the Internet of things is prevented from being counterfeited and attacked, the safety situation of the terminal of the Internet of things can be evaluated, and protection suggestions and means are given effectively;
3. according to the method and the system, the access authentication and safety control problems of massive IP equipment can be effectively solved by effectively controlling the access of the identified Internet of things terminal, and a user is helped to construct a safe and controllable ubiquitous power Internet of things network;
4. according to the method, a ubiquitous Internet of things safety protection gateway system is deployed in the field of the power industry, control and protection of dumb terminals are realized on each floor, and visual control of the Internet of things terminals is realized;
5. according to the method and the device, the equipment identity base line based on the terminal equipment fingerprint is established and the compliance equipment is approved, so that the equipment can be blocked when being used by others, and the safety of a service system is greatly improved;
6. according to the method and the device, the network layer legal white list is intelligently established based on flow self-learning, the open port of the terminal of the Internet of things is closed, on-off according to needs is realized, and the safety protection effect is greatly improved;
7. the application combines a ubiquitous Internet of things safety visual centralized control platform, and the safety situation of all terminal equipment connected to the whole unit for management and control is displayed in a three-dimensional mode.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
As shown in fig. 1, in the ubiquitous internet of things security gateway system in the power industry, terminal devices of the internet of things are respectively accessed to a core enterprise network through corresponding security protection gateways of the internet of things; the terminal equipment of the Internet of things supports three modes of bypass control, serial control and access authentication control to access the security protection gateway of the Internet of things;
1. Bypass control mode: this mode is agentless, and no plug-in needs to be installed on the Internet of things terminal. The equipment is deployed in bypass on the switch, so that identity baseline information of Internet of things terminals and dumb terminals can be established without changing the topology of the user's network, and access control of illegally accessing equipment can be realized; if the switch mirrors its traffic to the Internet of things security gateway, the equipment can also detect attacks aimed at the Internet of things terminals and abnormal traffic.
2. A serial management and control mode: the ubiquitous Internet of things safety protection gateway is connected in series to a customer network, and has the advantages of being capable of achieving real-time blocking aiming at attacks and abnormal traffic compared with bypass deployment besides identity baseline establishment and control based on fingerprints; the method can simultaneously support the security management and control modes without agents and with agents.
3. Access authentication management and control mode: the ubiquitous Internet of things security protection gateway also comprises an optional authentication plug-in, and can realize bidirectional identity authentication and link transmission encryption aiming at an Internet of things terminal which can be provided with an open installation interface or a transplantation capability.
All the Internet of things safety protection gateways are connected to the large visual screen through the visual centralized control platform;
the visual centralized control platform can simultaneously realize centralized control and big data analysis visual perception of a plurality of ubiquitous Internet of things safety protection gateways and comprehensively present the security situation of dumb terminals in the network.
The ubiquitous Internet of things safety protection gateway system provided by the invention can be applied to a ubiquitous power Internet of things safety protection typical application scene, the Internet of things safety terminal is suitable for being deployed in any scene with a dumb terminal or an intelligent terminal, and a common deployment scene is an office environment and can be deployed at the boundaries of various office departments, floors and regions, so that safety guarantees such as identification, inspection and access are provided for network terminals in the departments, the floors and the regions.
As shown in fig. 2, each Internet of Things security protection gateway of the present application includes a system state module, a system management module, a network discovery module, a traffic self-learning module, a terminal fingerprint detection module, a terminal fingerprint change perception identification module, a behavior perception module, a terminal access whitelist module, a security rule module, a network protection module, a VPN configuration module, a centralized management module and a log audit module;
the system state module monitors the state of the accessed Internet of Things terminal devices, counts sessions and records blocking events;
the system management module is used for system settings and network settings;
the network discovery module automatically discovers Internet of Things terminals and presents devices and network access visually;
the traffic self-learning module automatically discovers assets, connection relations, communication protocols and application-layer access instructions from network traffic, automatically recommends security policies, and helps the administrator generate and maintain network security policies easily;
the terminal fingerprint detection module detects device fingerprint information, establishes a fingerprint baseline for the Internet of Things terminal from the detected content, and examines and approves the baseline, so that access control of the terminal is realized; the device fingerprint information includes IP, MAC, operating system, software version and open port information;
the terminal fingerprint change perception identification module monitors in real time whether the fingerprint information of an accessed Internet of Things terminal changes; when it changes, an isolation alarm is raised automatically to notify the administrator, or the alarm is displayed on the visual centralized control platform, or a blocking policy is started directly to isolate the suspicious terminal at the first moment;
the behavior perception module interacts with the superior visual centralized control platform to provide vulnerability discovery, weak-password risk and threat perception capabilities for Internet of Things terminals;
the terminal access whitelist module removes terminals whose fingerprint information has changed or whose behavior is abnormal from the trusted traffic through a whitelist mechanism, achieving effective isolation; the ubiquitous Internet of Things security protection gateway system has a customizable content blacklist and whitelist control engine, used to configure content whitelist rules for Internet of Things communication protocols and to support blacklist rules based on attack protection features.
The security rule module controls network behavior in real time and includes user-defined rules and user-defined features;
the network protection module provides firewall policies, address binding, address translation, protocol management, address management, session management and security options;
the VPN configuration module is used for basic VPN configuration, tunnel configuration and tunnel monitoring, and realizes encrypted data transmission based on Internet of Things protocols;
the centralized management module is used for large-scale deployment and centralized management of the Internet of Things security protection gateway system: network-wide policies are issued uniformly, device status is displayed uniformly, and log alarms are displayed centrally.
The log audit module is used for log configuration and log access, and also records and transmits device management logs and system logs.
In the embodiment of the application, the system state module includes a state monitoring module, a session statistics module and an event center module;
the state monitoring module monitors navigation information, network information, device information, interface information, license information and log information in real time;
the navigation information includes the number of discovered assets, the number of logs and the number of rules; the network information includes a session-count ranking by IP, asset type statistics, network throughput, concurrent sessions and a protocol distribution diagram; the device information includes system information and CPU and memory usage dashboards; the interface information includes the interface name, IP address, transmitted and received traffic and up state; the license information includes the module name, validity period, description and state; the log information includes the time, type, level and details of the triggering log;
the session statistics module counts session connections and visually displays the connection ranking list;
the connection statistics display of system state monitoring shows the state statistics of the state table of the Internet of Things security protection gateway system, including the current number of concurrent connections, the numbers of TCP, UDP and ICMP connections, the number of TCP connections in each state, and the number of ICMP connections in the no-response state; the connection ranking list shows the top ten connection counts by source address and the top ten by destination address;
the event center module reports the blocking events generated by the policy center module: when the device blocks a connection that no policy puts through, the policy center module generates and records a blocking event. The event center module provides a handling mechanism for each event so that false blocking can be resolved. Events have four states, unread, read, processed and ignored, and the number of events in each state can be queried and filtered. For each event the event center module provides two processing mechanisms: first, a corresponding whitelist policy is generated and the connection is put through; second, the whitelist policy related to the event is found in the policy center module and the existing policy is updated to put the connection through. It also provides two ignoring mechanisms of different degrees: first, clicking the 'ignore' icon hides the event from the main interface of the system, and the event becomes visible again if it is generated again; second, an event filter is added, after which such events are no longer reported.
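The event center workflow described above (blocking events, the four states, the two processing mechanisms and the two ignoring mechanisms), as an added example that is not part of the patent. The connection fields, the default-deny behaviour of the policy center and the sample connections are constructed assumptions.

```python
"""Added example, not the patent's code: a minimal policy center and event
center for blocking events. Connection fields, the default-block behaviour
and the sample connections are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class WhitelistPolicy:
    name: str
    src: str
    dst: str
    ports: set

    def matches(self, conn: dict) -> bool:
        return conn["src"] == self.src and conn["dst"] == self.dst and conn["dport"] in self.ports


@dataclass
class BlockEvent:
    event_id: int
    conn: dict
    state: str = "unread"      # unread | read | processed | ignored
    hidden: bool = False       # removed from the main interface by the ignore icon


class EventCenter:
    def __init__(self):
        self.events = {}
        self.filters = []      # predicates of the second ignoring mechanism
        self._next_id = 1

    def report(self, conn: dict):
        """Record a blocking event; returns None when an event filter suppresses it."""
        if any(f(conn) for f in self.filters):
            return None
        for ev in self.events.values():
            if ev.conn == conn and ev.hidden:
                ev.hidden, ev.state = False, "unread"   # generated again: visible again
                return ev
        ev = BlockEvent(self._next_id, conn)
        self._next_id += 1
        self.events[ev.event_id] = ev
        return ev

    def counts(self) -> dict:
        # number of events in each of the four states, for query and screening
        return dict(Counter(ev.state for ev in self.events.values()))

    def process_new_policy(self, event_id: int, policies: list) -> None:
        """Processing mechanism 1: generate a whitelist policy that puts the connection through."""
        c = self.events[event_id].conn
        policies.append(WhitelistPolicy(f"event-{event_id}", c["src"], c["dst"], {c["dport"]}))
        self.events[event_id].state = "processed"

    def process_update_policy(self, event_id: int, policies: list) -> bool:
        """Processing mechanism 2: extend the related existing policy (same src and dst)."""
        c = self.events[event_id].conn
        for p in policies:
            if p.src == c["src"] and p.dst == c["dst"]:
                p.ports.add(c["dport"])
                self.events[event_id].state = "processed"
                return True
        return False

    def ignore_once(self, event_id: int) -> None:
        """Ignoring mechanism 1: hide the event until it is generated again."""
        ev = self.events[event_id]
        ev.hidden, ev.state = True, "ignored"

    def add_filter(self, predicate) -> None:
        """Ignoring mechanism 2: matching events are not reported any more."""
        self.filters.append(predicate)


class PolicyCenter:
    """Connections put through by a whitelist policy pass; every other connection
    is blocked and reported to the event center (assumed default-deny)."""

    def __init__(self, event_center: EventCenter):
        self.policies = []
        self.event_center = event_center

    def handle(self, conn: dict) -> str:
        if any(p.matches(conn) for p in self.policies):
            return "pass"
        self.event_center.report(conn)
        return "block"


def run_demo() -> dict:
    """Constructed walk-through: a camera's NTP is falsely blocked, a printer probe is noise."""
    pc = PolicyCenter(EventCenter())
    ec = pc.event_center
    pc.policies.append(WhitelistPolicy("camera-nvr", "10.1.0.10", "10.1.0.2", {554}))
    ntp = {"src": "10.1.0.10", "dst": "10.1.0.2", "dport": 123}
    probe = {"src": "10.1.0.50", "dst": "10.1.0.30", "dport": 9100}
    first = [pc.handle(ntp), pc.handle(probe)]       # both blocked: events 1 and 2
    ec.process_update_policy(1, pc.policies)          # NTP joins the camera's policy
    ec.ignore_once(2)
    ec.add_filter(lambda c: c["dport"] == 9100)       # printer probes no longer reported
    second = [pc.handle(ntp), pc.handle(probe)]
    return {"first": first, "second": second, "counts": ec.counts(),
            "visible": sum(not ev.hidden for ev in ec.events.values()),
            "ports": sorted(pc.policies[0].ports)}
```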
The system management module includes a system setting unit and a network setting unit;
the system setting unit is used to set system information, set administrator configuration information and maintain the system;
the system information includes date and time, system parameters, centralized management and switch linkage;
the administrator configuration information includes the IP of the centralized management host, thresholds for the various monitoring items, the SNMP v1/v2c community string and the SNMPv3 user information, and is used to authorize administrator accounts according to their privileges;
the centralized management module obtains monitoring information from the ubiquitous Internet of Things security protection gateway system over SNMP, including the system name, version number, serial number, CPU utilization, memory utilization, network interface state, network connection state and the like; when running information of the ubiquitous Internet of Things security protection gateway system exceeds a threshold, Trap alarm information is sent to the centralized management host over SNMP.
The Trap information sent to the centralized management module gives network management personnel a comprehensive, easy-to-use and efficient means of monitoring network resource usage in real time. The ubiquitous Internet of Things security protection gateway system can be linked with switch equipment to obtain the correspondence between the terminal devices hanging off a switch and the switch ports. Administrator settings allow administrator accounts to be authorized and managed according to their privileges.
System maintenance includes functions such as backup, recovery and upgrade;
the network setting unit is used to set interfaces and routes;
the network devices configurable by the ubiquitous Internet of Things security protection gateway system include physical devices, VLAN devices, bridge devices and redundant devices;
the ubiquitous Internet of Things security protection gateway system provides load balancing across multiple default routes: when routing a packet, if no static route matches the current packet, a default route is selected, and the default routes are set through the network setting unit to realize load balancing; the default route has the lowest priority among the system routing rules, so when a packet arrives it is first matched against routing rules such as static routes; if the match succeeds, the corresponding policy route or static route is used, and if it fails, the default route is used.
The network discovery module includes a behavior learning module, a network discovery display module and an asset management and control module;
the behavior learning module displays the learned traffic characteristic information;
the network discovery display module displays the traffic information forwarded by the protection device and displays the data learned from network behavior by protocol or by multicast;
the asset management and control module is used for fingerprint detection, anomaly detection and behavior learning analysis: it detects asset fingerprint information in the network and performs anomaly detection on that fingerprint information, so that abnormal assets are identified in real time and network blocking is realized;
the assets include network assets found by active probing and network assets learned through traffic learning; assets can be displayed by category through selection, and all, approved and unapproved views are supported; probing is divided into active probing and periodic probing: active probing means manually entering the IP or network segment to probe and clicking active probing to find the assets in the network, while periodic probing performs asset discovery by setting an update interval and the network segments to probe.
In the security rule module, the user-defined rule is a configurable custom rule, and the module includes blacklist and whitelist filtering mechanisms;
in test mode, the user-defined rule only matches traffic and prints an alarm log, and no discard action is performed;
the behavior learning interface automatically appears in the user-defined feature interface after the issued rules are analyzed, and user-defined features are added by manually writing feature syntax.
The network protection module includes a policy center module, an address binding module, an address translation module, a protocol management module, an address management module, a session management module and a security option module;
the policy center module provides four firewall modes for the ubiquitous Internet of Things security protection gateway system: full-pass mode, debugging mode, protection mode and monitoring mode; it performs dynamic packet filtering based on state inspection, where the packet filtering rules determine whether a particular network packet may pass through the security gateway, and it provides related options to protect the network from attack; the protocols supported by the policy center module include basic protocols (such as HTTP, Telnet and SMTP), ICMP and dynamic protocols (such as H.323, FTP and SQLNET), as well as preset service groups and custom protocols;
the address binding module checks and records binding logs based on global IP/MAC binding; address binding is closed by default in the ubiquitous Internet of Things security protection gateway system;
the address translation module includes an SNAT module, a port mapping module and an IP mapping module;
the SNAT module translates the source address of an IP packet into another address; the port mapping module maps a destination IP address and port to another IP address and port number; the IP mapping module maps a destination IP address to another IP address;
the protocol management module includes a custom protocol addition module; the system also presets some dynamic protocols, and users can create, edit and delete dynamic protocol entries as required. The protocol management module presets deep parsing of several common Internet of Things protocols, including OPC, Modbus, IEC 104, EIP, S7 and others, is used to define custom protocol features, realizes instruction-level access control, and provides more than 300 protocol variables, 24 arithmetic and logical operators, and a standardized filtering language with multiple data types. Access control covers three aspects: terminal communication protocol level access control, deep filtering of terminal general protocol content, and deep filtering of terminal external communication protocols.
1. Terminal communication protocol level access control: the ubiquitous Internet of Things security protection gateway system can apply whitelist or blacklist access control to dedicated Internet of Things protocols; more than one hundred Internet of Things protocols are preset, so whitelist protection of these protocols can be realized; common PLC protection models are preset, so whitelist protection of controllers can be set up quickly; and custom Internet of Things protocol whitelist protection based on the layer-2 protocol number and the layer-3 network port number is supported.
2. Deep filtering of terminal general protocol content: for security protection of Internet of Things protocols, the ubiquitous Internet of Things security protection gateway system has basic functions such as whitelist access control, and beyond that it needs to understand and control the application layer of these protocols and can filter Internet of Things message instructions. Deep filtering based on common protocols, Internet of Things protocols and industrial Internet special protocols, such as OPC and MODBUS, is supported.
3. Deep filtering of terminal external communication protocols: the ubiquitous Internet of Things security protection gateway system has many protocols built in and also provides a custom protocol deep filtering function to filter specially customized, proprietary and modified protocols; the administrator can use the 'new generation rule definition language' provided by the system to inspect and filter the bit-level content of the relevant data or protocol transmissions. This rule definition language supports parsing of more than 60 protocols such as TCP, UDP, HTTP and DNS; it supports resolution of more than 300 protocol variables, whose names conform to international standards; it provides hundreds of functions for rule description, simplifying the definition of complex rules; and it supports 24 arithmetic and logical operators and various data types. It can accurately express rich, natural-language-like detection requirements, reduce false alarms and improve the discovery of diverse, complex and concealed attacks.
The address management module centrally manages the IP addresses in the ubiquitous Internet of Things security protection system, and users can add, edit or delete IP addresses, address groups and address pools as required; an address group is a set of IP addresses, and users can add, edit or delete address group entries as required; an address pool is an IP address range, and users can add, edit or delete address pool entries as required;
the session management module is used to view local sessions and edit the session timeout;
the security option module selects security protection functions, including packet filtering rules and anti-attack types; the packet filtering rules include default packet filtering allowance, strict state inspection and fast mode; the anti-attack types include anti-address-spoofing, anti-source-routing, anti-Smurf, anti-LAND, anti-WinNuke, anti-Queso scan, anti-SYN/FIN scan, anti-NULL scan and anti-FIN scan.
The VPN configuration module includes a VPN basic configuration module, a tunnel configuration module and a tunnel monitoring module;
the VPN configuration module is used for encrypted data transmission based on Internet of Things protocols; the ubiquitous Internet of Things security protection gateway system supports identity authentication with national cryptographic (SM) certificates and integrates a professional VPN module, so that professional tunnel encryption protection can be performed, data theft and tampering are prevented, and the confidentiality, integrity and availability of the user's production and management data are guaranteed. The VPN configuration module supports various general encryption and authentication protocols, including the RSA, AES, DES and SHA families and MD5, supports the national cryptographic standard SM1 to SM4, supports multiple tunnel modes of IPsec and SSL VPN, and can interoperate seamlessly with all VPN devices that support the standard protocols. The encryption mode of the ubiquitous Internet of Things security protection gateway system is hardware encryption based on a national cryptographic chip card, whose security is better than that of traditional software encryption.
The VPN basic configuration module sets the IKE key lifetime, the VPN key lifetime, the pre-shared key and the NAT port information, and selects whether the VPN function is enabled;
the tunnel configuration module includes a VPN rule module, an IKE configuration module, a gateway tunnel setting module and a tunnel monitoring module;
the VPN rule module provides VPN rules; a VPN rule is the internal network address of a protected network, and when the source and destination addresses of a packet fall within the protected network, the packet is encrypted and decrypted through IPsec.
VPN tunnels are established by the tunnel configuration module. Before establishing a VPN tunnel it must be ensured that the tunnel has two end points, one being the VPN being configured and the other the remote VPN, and both ends of the tunnel must be configured accordingly for the tunnel to be established normally. The user first enters the information of the opposite end of the tunnel to be established; the opposite end is the end point of the tunnel that is responsible for encrypting and decrypting the packets. Remote VPNs are of two types, gateway and client.
The IKE configuration module lets the user add, edit or delete IKE configuration information as required. The IKE configuration information includes the IKE name, the opposite end address type, the opposite end address, the authentication mode and the device type.
The gateway tunnel setting module configures a gateway tunnel and establishes an encrypted channel between two remote gateways, where the encrypted channel only encrypts packets that match the referenced rule; the ubiquitous Internet of Things security protection gateway system supports tunnels established between a gateway and a gateway-type remote gateway, used to protect data communication between two subnets.
The tunnel monitoring module lists the tunnels currently established by the system and integrates the functions of starting and stopping tunnels and monitoring single-address tunnels and tunnel groups.
The ubiquitous Internet of Things security protection gateway system generates logs through the log server and local logs and provides strong log storage and auditing functions. The log server program provides rich query, statistics and report functions and can store a huge amount of log information (limited by the hard disk capacity of the log server). When storage is full, logs can be overwritten or logging suspended, and the user can be reminded by e-mail. Eight forms each of log types and log levels are provided, which can be applied flexibly to different requirements. The log types include: management log, network protection, VPN, DPI, high availability, address monitoring, and all; the log levels include: emergency, alarm, critical, error, pre-warning, prompt, notify, debug, and all. The management log can be queried separately, so the user name and management action of each management operation can be checked.
The Internet of Things security protection gateway also includes a wireless WIFI access module and a network AP discovery and identification module;
the wireless WIFI access module brings WIFI devices under unified management, achieving full coverage of Internet of Things devices;
the network AP discovery and identification module defends against phishing wifi and illegal access.
Internet of Things devices are limited by their deployment environment, and most terminals use wireless access; to solve the problem of secure access of wireless devices in the Internet of Things, the ubiquitous Internet of Things security protection gateway supports a wireless access function, bringing the large number of wifi devices under unified management to realize full coverage of Internet of Things devices. Discovery and identification of network APs are also supported, effectively preventing risks such as phishing wifi and illegal access. After wireless wifi access, the ubiquitous Internet of Things security protection gateway treats a wireless terminal no differently from an ordinary wired terminal, and functions specific to the gateway such as asset discovery, asset anti-misuse and business behavior analysis and modeling apply equally, so the security of the wireless network is greatly improved.
The Internet of Things security protection gateway further includes a third-party device linkage module, which, when an asset is abnormal, links with third-party devices in addition to the existing network protection measures and realizes management and control of Internet of Things assets by sending the abnormality information to the third-party network devices. Taking switch linkage as an example, the ubiquitous Internet of Things security protection gateway can obtain the MAC table of the corresponding switch through configuration and associate it with the discovered assets, so that the switch interface to which each Internet of Things asset is connected is discovered; when an asset is detected to be abnormal, the corresponding switch interface can be shut down or brought up through linkage with the switch, realizing physical network isolation and enhancing network security.
The Internet of Things security protection gateway also includes a basic firewall module used for integrated access control based on the traditional five-tuple, protocol, asset and time;
the basic firewall module supports three deployment modes, transparent, routed and mixed; it has multiple Internet of Things protection models built in and supports custom protection rules; it can participate in VLAN network data transmission and supports TRUNK and other modes.
As shown in fig. 3, the implementation method of the security protection network relationship system of the ubiquitous internet of things in the power industry of the present application includes the following contents:
the fingerprint information of the terminal equipment of the Internet of things in the network is identified through two modes of active detection and flow discovery, so that terminal discovery, terminal network access flow visualization presentation and machine vision abnormity discovery are realized, and the condition of the terminal of the Internet of things in the network is comprehensively mastered.
If the distribution and the activity state of the assets of the internet of things are presented, the fact that dumb terminal equipment information such as video monitoring, card punches, ETC and the like exists in the network is clearly distinguished, intelligent equipment information such as electricity selling terminals, ATM machines and the like can be compared with the self-reported statistical result according to the visual result, and the user can conveniently and comprehensively master the situation of the terminal of the internet of things in the network.
A method for realizing a ubiquitous Internet of things safety protection network relation system in the power industry comprises the following steps:
step 1: setting a network in a ubiquitous Internet of things security protection gateway system, and setting an interface and a route;
step 2: the ubiquitous Internet of things security protection gateway is linked with switch equipment to obtain the corresponding relation between terminal equipment hung on a switch and a switch port;
and step 3: adding an asset IP field address range of the terminal equipment of the Internet of things needing protection;
and 4, step 4: actively detecting the terminal of the Internet of things: the ubiquitous Internet of things safety protection gateway system can actively detect and discover equipment in a range according to an address range configured by management, collect fingerprint information (IP, MAC address, operating system, port opening state and the like) of the Internet of things terminal equipment, form a terminal equipment list and recommend an access name-allowed one-way guiding type safety strategy. The fingerprint of the terminal of the internet of things can contain a plurality of dimensionalities, such as an operating system and behavior characteristics of the terminal of the internet of things, the adopted technology can contain passive and active algorithms, the accuracy of the fingerprint baseline of the terminal of the internet of things is improved by compounding fingerprint information, and the false alarm rate and the missing report rate of the fingerprint are effectively reduced. The active detection mode has multiple innate advantages in the fingerprint identification process of the internet of things terminal, and specifically comprises the following steps: firstly, the fingerprint characteristics of the network equipment can be learned without any modification of the terminal and installation of any client software, so that the method is very suitable for learning and detecting dumb terminal equipment; and secondly, the terminal of the internet of things can be actively discovered only by the network access, namely the working flow of the terminal can be sensed without passing through gateway equipment.
And 5: and (3) discovering the flow of the terminal of the Internet of things: the ubiquitous Internet of things security protection gateway system can acquire Internet of things terminal fingerprint information (IP, MAC address, operating system, port open state and the like) according to flow learning of passing equipment; and automatically naming the terminal of the Internet of things, vividly combing and presenting the network flow condition from the perspective of assets and protocols, and recommending the security strategy of the quasi-entry one-way guide type. The active detection mode also has irreplaceable advantage in thing networking terminal fingerprint identification process, specifically includes: the method has the advantages that firstly, the terminal flow information is identified, the information such as the direction, the protocol, the port and the like of the terminal working flow can be learned, and the identifiable terminal information is more three-dimensional and richer compared with the identifiable terminal information of an active detection technology; secondly, an important basis for behavior baseline learning is that the behavior baseline needs to be generated according to the flow of normal work of the terminal, and the flow discovery technology can provide the conventional flow characteristics of daily work of the terminal.
The ubiquitous Internet of things safety protection network relation system discovers and identifies network assets in a non-agent mode in a comprehensive active mode and a comprehensive passive mode, generates a unique asset fingerprint code for each terminal in a comprehensive asset IP address, a hardware address, an operating system, an open port, an access port, a protocol fingerprint and other multi-dimensionality mode, can monitor the change of asset information in real time, discover abnormal and counterfeit assets in real time and give an alarm, and ensures the unique legality of the assets;
step 6: modeling business behavior analysis: by sensing and learning the behavior of the Internet of things terminal, a ubiquitous Internet of things safety protection gateway system can analyze big data of service scenes and data streams, can construct a behavior model of the Internet of things terminal, presents the business behavior of the Internet of things in a visual mode, and further achieves the safety target of management and control. The method comprises the steps of carrying out deep analysis on messages in the transmission process of the Internet of things through three aspects of an entity and a network connection relation of the Internet of things, instruction operation of the Internet of things terminal and an operation process of the Internet of things, carrying out intelligent learning on the message contents of different services, continuously learning and aggregating time dimension, packet length dimension and Payload contents through a machine learning algorithm, automatically and auxiliarily establishing a set of behavior models of the Internet of things terminal, establishing fingerprint baselines and behavior baselines of the Internet of things terminal and carrying out access approval by matching with a master and slave fingerprint learning technology when the services are abnormal, and blocking and alarming the unqualified service behaviors when the services are abnormal, namely the service behaviors exceed the range of the existing models, so that the network behavior protection of the Internet of things terminal based on the service behaviors is realized, and the detection of the attack for counterfeiting of the Internet, and alarming or blocking the security problem that the terminal of the Internet of things is falsely used.
Step 7: white list establishment mechanism: by establishing a white list for the fingerprint information of the Internet of things terminal, an administrator can approve which terminals are allowed to access a specific system or network for communication according to the fingerprint attributes of the terminal, such as common process names, file names, publisher names and manufacturers. The white list mechanism is a core mechanism of the ubiquitous Internet of things security protection gateway system, and can be integrated with the terminal discovery and behavior perception learning capabilities of the gateway system to effectively eliminate security threats.
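The multi-dimension asset fingerprint from the passage before step 6 together with the white list approval of step 7, as an added example that is not part of the patent: a fingerprint code is derived from the dimensions the text lists, an administrator-approved observation serves as the white list entry, and a later observation under the same IP is allowed, flagged as drift, or denied as a suspected counterfeit. The `AssetObservation` record, the dimension names and the sample values are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Hypothetical asset record covering the fingerprint dimensions the text lists.
@dataclass(frozen=True)
class AssetObservation:
    ip: str
    mac: str
    os: str
    open_ports: tuple      # e.g. (554, 80)
    access_port: str       # switch port the asset was seen on
    protocol_fp: str       # service banner / protocol fingerprint

# Dimensions that identify the device itself; a change here under a known IP
# is treated as the counterfeit signature rather than ordinary drift.
IDENTITY_DIMS = {"mac", "os", "protocol_fp"}

def _canon(obs):
    d = asdict(obs)
    d["open_ports"] = sorted(d["open_ports"])   # port order must not alter the code
    return d

def fingerprint(obs):
    """Unique asset fingerprint code: SHA-256 over the canonical dimension set."""
    raw = json.dumps(_canon(obs), sort_keys=True).encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def changed_dimensions(approved, observed):
    a, b = _canon(approved), _canon(observed)
    return sorted(k for k in a if a[k] != b[k])

def evaluate(whitelist, observed):
    """whitelist maps IP -> the administrator-approved AssetObservation."""
    approved = whitelist.get(observed.ip)
    if approved is None:
        return "deny", "asset not on white list"
    if fingerprint(approved) == fingerprint(observed):
        return "allow", "fingerprint matches approved baseline"
    changed = changed_dimensions(approved, observed)
    if IDENTITY_DIMS & set(changed):
        return "deny", "counterfeit suspected, changed: " + ",".join(changed)
    return "alert", "fingerprint drift, changed: " + ",".join(changed)

# Constructed sample: one approved IP camera on the white list.
CAMERA = AssetObservation("10.0.1.20", "aa:bb:cc:00:11:22", "Embedded Linux",
                          (554, 80), "Gi1/0/7", "rtsp/1.0")
WHITELIST = {CAMERA.ip: CAMERA}
# Same IP answered by a different MAC and OS: a counterfeit of the camera.
SPOOFED = AssetObservation("10.0.1.20", "de:ad:be:ef:00:01", "Windows 10",
                           (554, 80, 3389), "Gi1/0/7", "ms-rdp")
# Same device with one extra open port: drift for the administrator to review.
DRIFTED = AssetObservation("10.0.1.20", "aa:bb:cc:00:11:22", "Embedded Linux",
                           (80, 554, 8080), "Gi1/0/7", "rtsp/1.0")
```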
Step 8: intelligent classification and identification of assets: a large amount of asset fingerprint information is accumulated during actual installation and deployment of ubiquitous Internet of things safety protection gateways, and by combining it with the asset fingerprint discovery technology, Internet of things terminal assets can be classified intelligently, so that identification of various Internet of things terminal assets such as a general-purpose PC (personal computer), network safety equipment, video equipment, a printer and a card punch is supported. Meanwhile, the ubiquitous Internet of things security protection gateway supports user-defined asset types: the asset types can be flexibly defined according to dimensions such as IP addresses, MAC addresses, open ports, access ports and operating system information of the assets, the gateway classifies the assets intelligently according to this configuration, the user-defined types take priority over the predefined types, and network management is facilitated.
Step 9: discovering the network topology: the ubiquitous Internet of things safety protection gateway draws the connection relations of the Internet of things terminal assets by analyzing network flow, and draws the physical topological relation by linking with the switch, thereby visualizing the asset connection relations. The connection management function, combined with the session tracking function of the gateway, analyzes network flow, maintains a connection relation table of the assets, and supports presentation, query and management of the connection relations of all assets. The switch panel drawing acquires the state table information of the configured switch through the SNMP protocol, and draws the physical connection relation with the switch at the center by combining it with the result of asset discovery.
Step 10: switching assets on and off as required: the ubiquitous Internet of things safety protection gateway integrates multiple technologies such as agent-free asset fingerprinting, intelligent asset identification, asset anti-counterfeiting, and business behavior analysis modeling, realizes intelligent arrangement of Internet of things terminals, realizes fine-grained and all-round network isolation on that basis, and thus switches assets on and off according to need. This mainly comprises the following four aspects:
1. Abnormal asset isolation: based on the fingerprint identification technology, asset fingerprint abnormality is discovered in real time by combining active and passive network discovery, and once an abnormal asset state is confirmed in protection mode, the abnormal asset is placed on an abnormal asset blacklist to realize logical isolation.
2. Checking business behavior compliance: based on the business behavior analysis modeling technology, the business behavior is issued to the data processing layer in the form of behavior rules, and abnormal business flows are blocked and alarmed in real time.
3. The TCP RST function: for the case where the ubiquitous Internet of things security protection gateway cannot block traffic in a bypass deployment mode, the TCP RST function supports the traffic mirroring mode, realizes network access blocking of abnormal assets by actively sending a TCP RST, and enhances the adaptability of the gateway.
4. Security policy: on the basis of the traditional five-tuple policy, the management and control dimensions of the security policy are expanded with control dimensions such as interface, service, time and bandwidth, and fine-grained control over the network is realized in combination with the intelligent asset classification and identification technology.
Step 11: centralized management of the ubiquitous Internet of things security protection gateway: for the scenario of large-scale deployment of ubiquitous Internet of things security protection gateways, a user can select a centralized management system to define a uniform security strategy. The system supports centralized management of various ubiquitous Internet of things security protection gateways, and the supported functions comprise:
1. Monitoring the equipment state: the availability of the ubiquitous Internet of things safety protection gateway is monitored; the monitored indexes include interface flow rate and state, CPU (central processing unit), memory, hard disk and the like, so that the health state of the equipment is known in practice. The centralized management platform stores the monitoring data so that the user can query historical data.
2. Collecting device logs: log collection and analysis of the ubiquitous Internet of things security protection gateway are supported.
3. Alarming: the centralized management platform can extract the equipment state monitoring information the user is concerned with, and raises alarms and action prompts for intrusion behavior against the Internet of things terminal equipment.
4. Policy management: the centralized management platform can log in to managed equipment without a separate client certificate or user name and password. Functions such as batch upgrading, batch backup and recovery, and batch policy issuing can be realized.
5. Data maintenance: the data stored in the centralized management platform can be exported regularly. Data recovery is supported, and data can be uploaded or downloaded through FTP.
6. Equipment management: the device information can be populated automatically via SNMP. Bulk device addition is supported.
7. Information display: the running conditions and statistical information of the whole deployment, of a region and of a single device can be presented in real time, with visual graphic display.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.