Method for building globle network safety system in tracing to the source in each sub domain

Abstract

The invention discloses a method for constructing a domain-divided traceability global network security system, comprising: dividing the Internet into network security domains; forming the network security domain into a virtual safety network area, and other parts of the Internet except the network security domain form a non-virtual network security domain; Safety network area; adopt different security access and admission policies according to the source of the flow entering the security domain; monitor the security status of the node, and send a source tracing notification to the attack flow; the security control point performs a security check on the node according to the source tracing notification, , to judge whether the traceability is successful, if successful, send a response message of successful traceability, if not, the security control point that sends the traceability notification takes corresponding security measures. The present invention can provide a clear security boundary and a reasonable means of dividing security domains for the security defense of the Internet, taking into account both security and efficiency, and the traceability method can provide application-layer attack protection that cannot be achieved by traditional architectures, and is a defense against DDoS attacks architecture.

Description

technical field [0001] The invention relates to a computer Internet global network security framework based on the TCP / IP protocol, in particular to a domain-based traceability global network security framework. Background technique [0002] The emergence and widespread use of the Internet has changed the traditional concepts of work, communication, commerce and security. At the same time, because of the openness of its resources, the security of the Internet has become a very challenging problem. [0003] Traditional network security protection mainly isolates the internal network that needs to be defended from the external network by setting up security tools such as firewalls (FW) at network boundary points. Such as figure 1 As shown, this closed and isolated defense architecture has many defects and deficiencies. It not only cannot prevent attacks from inside the network, but also cannot effectively defend against application-layer attacks from the external network. In...

AI Technical Summary

Problems solved by technology

[0004] The solutions proposed by these manufacturers have solved part of the security threats from the intranet to a certain extent, but it is still difficult to defend against new types of attacks from the business layer. External security black holes on the Internet still exist, and at the same time, too strict security access restrictions have It may hinder the deployment of new Internet services, and its frequent authentication and maintenance will greatly increase the security overhead, and the user's rights, privacy, and freedom will also be severely damaged

[0005] Especially for the Internet that crosses different jurisdictional boundaries, it is difficult to form a unified standard for the regulatory control between different network areas due to technical, interest, and geographical constraints. There are major difficulties and defects in transition and inter-domain security control supervision

Images