All features disclosed in this specification, or all disclosed steps in a method or process, may be combined in any way except mutually exclusive features and/or steps.
 Any feature disclosed in this specification (including any accompanying claims, abstract and drawings), unless expressly stated otherwise, may be replaced by other equivalent or alternative features serving a similar purpose. That is, unless expressly stated otherwise, each feature is but one example of a series of equivalent or similar features.
An integrated network security service system should meet users' needs for application services and for security and confidentiality, ensure the service quality of communication services, and ensure the security and confidentiality performance of the network system. It comprises five basic technical systems: classified and isolated networking, integrated service provision, service quality assurance, integrated security protection, and integrated network management. The classified and isolated network technology system provides relatively independent routing, switching and transmission for service, control and management information; the integrated service technology system performs session connection control for services, provides a variety of application services, and can be extended with new application services; the service quality assurance technology system combines a range of measures to give real-time services such as voice and video good communication quality, and improves the overall service performance of the system; the integrated security protection technology system is built into every level of service, network and management, with the individual security measures interrelated and coordinated so that both services and the network are secured; and the integrated network management technology system is responsible for comprehensive, unified and effective management of networks, equipment and services.
1) The classified and isolated network technology system combines the technical advantages of IP and MPLS to realize large-capacity, high-bandwidth packet routing and switching that supports integrated voice, video and data services. Service data, signaling messages and network management information are classified and handled separately at every stage (access, routing and switching, trunk transmission, QoS assurance, and security and confidentiality), so that service, control and management information are classified and isolated within the network. Each class of information has its own bandwidth resources in the network, its own routing and switching, and its own QoS guarantee measures; independent transmission channels exist between terminals and switching nodes and between switching nodes, so the different types of data take their own paths without interfering with one another. This gives the service system a relatively independent network environment. On a unified network infrastructure platform, the service layer can be further divided into multiple service sub-layers, forming several independent subnets of different scales and topologies. Application services in different subnets can remain independent of one another, or can communicate with each other under controlled conditions. For example, a real-time service subnet may carry real-time services such as voice and video; data service subnet A may carry point-to-point computer communication services; and data service subnet B may carry Web browsing services. The system establishes an independent transmission channel for each subnet, allocates it independent addresses and bandwidth resources, and performs independent routing, switching and QoS guarantee for it.
2) The integrated service technology system follows the NGN architecture model and its design principle of separating service, control and bearer. It provides integrated voice, video and data services and supports mobile access and multicast services. The control layer mainly performs session connection control, realizing basic telephone call and session connection functions; the service layer mainly provides service, authentication, policy and database functions; the access sub-layer of the transport layer provides broadband user access (multimedia terminals, computer LANs, broadband dial-up, broadband wireless and so on) as well as access to the telephone network and the mobile network; and the bearer sub-layer of the transport layer provides independent bearer services for signaling and for service data. Because the integrated service technology system makes services independent of the network, it creates a favorable environment for the fast, flexible and effective provision of new services in the future.
Connection control is the core function of the integrated service system and mainly performs the following functions:
Session connection control function: completes the basic and enhanced session connection procedures.
Number or address resolution function: analyzes the telephone number or other address information called by the user, performs route analysis according to the number, and finds the called node or redirects the call.
Interworking function: performs conversion and process control of existing network signaling or protocols through the signaling gateway.
Media gateway control function: controls the link state, time-slot resources and multiplexing functions of the media gateway, and controls the sending and receiving of user signaling and service data for terminals attached to the media gateway.
Protocol (signaling) adaptation function: adapts and transports existing network protocols.
Service management function: records service state, including user number or address, communication time and failure reason, and supplies the service management data to the network management system.
The integrated network security service architecture performs unified session connection control for all services. In a packet network, call control is generally implemented with SIP. SIP is simple, flexible and highly extensible, provides terminal detection and online (presence) detection, and supports mobility and multicast; it has been adopted as the control protocol of third-generation mobile networks and is widely used. To integrate network security with network services, the system takes the basic design ideas and procedures of SIP, optimizes and supplements them according to the extended requirements of the control-layer functions, and builds the security design in, forming a dedicated secure session connection protocol (abbreviated SCLP protocol). Its specific content includes the following. (1) Service access control function: session control verifies the legitimacy of both communicating parties, and controls the network ingress so that it opens or closes transmission channels and routing and switching services for the service.
(2) Service transmission path establishment control function: session control requests the network to establish a transmission path carrying the service data. According to the QoS requirements of the service, there are three basic path types: connection-oriented paths with QoS guarantee, suitable for real-time services; connection-oriented paths without QoS guarantee, suitable for instant messaging and P2P services; and connectionless, best-effort paths, suitable for general data services. In addition, a transmission path with particular QoS characteristics, such as minimum delay, maximum bandwidth or minimum cost, can be established for a service application according to its QoS requirements.
(3) Name-address mapping function: during session connection, the mapping between terminal ID, user ID, service ID and network address is determined, and name-address conversion is provided at the user port, realizing name-address separation. A network address can be assigned to the user port automatically for routing each time a session is connected, and it becomes invalid after the service ends.
(4) Key distribution bearer function: session control signaling can carry the data of the relevant key distribution protocol, so that key distribution is completed during session establishment. This reduces the session establishment time of confidential services and improves the efficiency and security of key distribution.
(5) QoS admission control function: admits services according to the current network resource situation and the QoS requirements of the service, and enforces the related QoS policies, such as resource preemption for high-priority users.
(6) Security protection function: verifies the legitimacy of call connection protocol messages to ensure the security of the control layer.
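The following is an added illustration, written for this page rather than taken from the specification, of how steps (1), (3), (4), (5) and (6) above fit together in one session connection controller, together with the rule of section 4(3) that the bearer refuses service data for which no session has been connected. The specification does not give the SCLP message format, credential scheme or key distribution protocol; the per-terminal pre-shared keys, the signed INVITE-like message, the XOR-based key wrapping, the 10.0.0.x address pool and the capacity of 100 units are all assumptions made for the example.

```python
"""Toy model of SCLP-style session connection control: signaling legality check,
QoS admission with preemption, per-session address binding, key material carried in
the answer, and bearer gating.  Added example; message format and credentials are assumed."""
import hashlib
import hmac
import itertools
import secrets
from dataclasses import dataclass

# Constructed data: one pre-shared signaling key per terminal ID (assumption).
TERMINAL_KEYS = {"T-1001": b"k-1001", "T-2002": b"k-2002", "T-3003": b"k-3003"}
CAPACITY = 100  # abstract bearer capacity units


def sign(tid, fields):
    """Signaling MAC: the terminal's key over the canonical field string."""
    body = "|".join(str(f) for f in fields).encode()
    return hmac.new(TERMINAL_KEYS[tid], body, hashlib.sha256).digest()


def wrap(tid, nonce, key):
    """Toy key wrapping (assumption): XOR with a per-terminal, per-session keystream;
    applying it again with the same terminal and nonce unwraps."""
    stream = hashlib.sha256(TERMINAL_KEYS[tid] + nonce).digest()[: len(key)]
    return bytes(a ^ b for a, b in zip(key, stream))


@dataclass
class Session:
    caller: str
    callee: str
    addrs: dict         # terminal ID -> ephemeral in-network address
    bandwidth: int
    priority: int
    wrapped_keys: dict  # terminal ID -> session key wrapped for that terminal


class ConnectionController:
    def __init__(self):
        self.sessions = {}   # session ID -> Session
        self.last_seq = {}   # terminal ID -> last accepted signaling sequence number
        self.addr_counter = itertools.count(1)
        self.sid_counter = itertools.count(1)
        self.free = CAPACITY

    def check_signaling(self, msg):
        """(6) Security protection: MAC must verify and the sequence must increase."""
        tid = msg["from"]
        if tid not in TERMINAL_KEYS:
            return False
        fields = (tid, msg["to"], msg["seq"], msg["bw"], msg["prio"], msg["nonce"].hex())
        if not hmac.compare_digest(sign(tid, fields), msg["mac"]):
            return False
        if msg["seq"] <= self.last_seq.get(tid, 0):
            return False  # replayed or stale signaling
        self.last_seq[tid] = msg["seq"]
        return True

    def admit(self, bw, prio):
        """(5) QoS admission: fit into free capacity, else preempt lower-priority sessions."""
        if bw > CAPACITY:
            return False
        while self.free < bw:
            victims = [(sid, s) for sid, s in self.sessions.items() if s.priority < prio]
            if not victims:
                return False
            self.teardown(min(victims, key=lambda kv: kv[1].priority)[0])
        self.free -= bw
        return True

    def setup(self, msg):
        """Handle an INVITE-like message; returns the session ID, or None if refused."""
        if not self.check_signaling(msg) or msg["to"] not in TERMINAL_KEYS:
            return None  # (1) and (6): illegitimate signaling or called party
        if not self.admit(msg["bw"], msg["prio"]):
            return None
        sid = next(self.sid_counter)
        # (3) addresses are assigned per session and are only meaningful inside the network
        addrs = {t: f"10.0.0.{next(self.addr_counter)}" for t in (msg["from"], msg["to"])}
        # (4) the session key is generated here and carried, wrapped per party, in the answer
        key = secrets.token_bytes(16)
        wrapped = {t: wrap(t, msg["nonce"], key) for t in addrs}
        self.sessions[sid] = Session(msg["from"], msg["to"], addrs, msg["bw"], msg["prio"], wrapped)
        return sid

    def teardown(self, sid):
        """Service end: release the bandwidth; the session's addresses become invalid."""
        self.free += self.sessions.pop(sid).bandwidth

    def bearer_accepts(self, src, dst):
        """Application service admission: only data on an established path is carried."""
        return any({src, dst} == set(s.addrs.values()) for s in self.sessions.values())


def invite(frm, to, seq, bw, prio, nonce):
    """Build a signed INVITE-like signaling message (constructed format)."""
    msg = {"from": frm, "to": to, "seq": seq, "bw": bw, "prio": prio, "nonce": nonce}
    msg["mac"] = sign(frm, (frm, to, seq, bw, prio, nonce.hex()))
    return msg
```

Two design points are worth noting. The MAC is checked before anything else and the per-terminal sequence number is only advanced on a valid MAC, so a forged or replayed INVITE costs the controller nothing and cannot consume bandwidth or addresses. Preemption evicts the lowest-priority session first and stops as soon as the requested bandwidth fits, so a high-priority call never tears down more sessions than it needs.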
3) Service quality assurance technology system. Under the integrated network security service architecture, information classification and isolation causes the network to carry different services on mutually independent switching and transmission channels. According to the QoS requirements of each service, various QoS techniques can be combined on each channel to provide effective service quality assurance, and the unified deployment of QoS policies lets the individual quality assurance measures cooperate and operate effectively.
End-to-end connection-oriented service is the basic condition for ensuring real-time service QoS. The system establishes an end-to-end, connection-oriented, quality-assured transmission channel between the two communicating parties; the service data flow is switched and transmitted along this path, which ensures that the service data arrive in order with relatively stable transmission characteristics.
Classified and differentiated service means providing corresponding differentiated services for data at the service, control and management levels. Each level can apply its own differentiated service according to data characteristics such as message class, data type and priority, and through the corresponding queue scheduling algorithms each kind of data flow occupies system resources according to the pre-arranged agreement.
To ensure that the traffic actually carried by the network conforms to the pre-agreed resource allocation, and to prevent abnormal traffic from occupying network resources, the system monitors and restricts the data flows in the network. Traffic policing discards traffic that exceeds the configured policy, so that high-priority service data streams such as voice and video are forwarded and processed normally.
QoS routing is an important condition for realizing service quality assurance and improving the overall service performance of the network. Based on the usage of network resources, QoS routing dynamically discovers the optimal path that meets the QoS requirements. It provides the routing basis for traffic engineering and distributes service traffic reasonably across the network, which reduces the probability of congestion, enhances network throughput, and improves network resource utilization.
Statistical resource allocation achieves reasonable and effective control and utilization of system resources through QoS measurement and statistics. The objects of QoS measurement and statistics include traffic volume, bit error rate, packet loss rate and abnormal packets; the QoS parameters generated from the measurement and statistical results are used to control system resources.
QoS admission control performs admission control on a service's session connection according to the current resource situation of the network and the QoS requirements of the service, so that service traffic exceeding the carrying capacity does not enter the network. The system focuses on the combined use of these techniques: through unified design and unified management, the QoS techniques are turned into an end-to-end service transmission platform that meets service quality requirements.
4) Integrated security protection technology system. The integrated network security service architecture is based on solving network security problems at the system level. The various security and confidentiality measures are integrated effectively into every device and every layer of the network and cooperate closely with one another, in order to improve security protection, improve network resource utilization, ensure service quality, and achieve unified control and management. The integrated security protection system mainly comprises information classification and isolation, network boundary protection, application service admission control, and data encryption protection. (1) Information classification and isolation: the network's user ports, trunk ports and management ports are strictly distinguished by their attributes. A user terminal attaches through a user port; its signaling messages and management information can only be forwarded to the connection controller and network management agent of the access node, and its service data can only be switched and forwarded at the service level. A user terminal cannot access devices or addresses at other levels of the network. The switching equipment routes and switches service, control and management data independently, without mutual interference, and independent transmission channels for service, control and management data are established on the trunk, each with its own bandwidth resources and isolated from the others.
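As an added example serving both the classified and differentiated service and traffic policing of section 3 and the user-port isolation rule of 4(1) above, the following toy switching-node ingress classifies packets into the service, control and management channels, drops user-port signaling that is not addressed to the access node itself, polices each traffic class with its own token bucket, and serves each channel by strict priority. This is illustrative code written for this page, not the specification's implementation; the packet fields, the classification table, the rates and the traffic mix in `run_demo` are constructed.

```python
"""Toy switching-node ingress: classify packets into the service, control and
management channels, enforce user-port isolation, police each traffic class with
its own token bucket, and schedule each channel by strict priority.  Added example,
not the page's implementation; the packet fields and rates are constructed."""
from collections import deque

# Constructed classification table: packet kind -> channel and scheduling priority.
CHANNEL_OF = {"voice": "service", "video": "service", "web": "service",
              "sclp": "control", "netmgmt": "management"}
PRIORITY = {"voice": 2, "video": 1, "web": 0, "sclp": 0, "netmgmt": 0}


class TokenBucket:
    """Traffic policer: traffic beyond the committed rate and burst is discarded, not queued."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst      # bytes per second, bytes
        self.tokens, self.last = burst, 0.0

    def allow(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


class SwitchingNode:
    def __init__(self, class_rates):
        # one policer per traffic class and one queue set per channel, so one class
        # exhausting its budget cannot consume another class's or channel's tokens
        self.policers = {kind: TokenBucket(*rb) for kind, rb in class_rates.items()}
        self.queues = {ch: {} for ch in set(CHANNEL_OF.values())}
        self.drops = []  # (packet id, reason)

    def ingress(self, pkt, now):
        """Classify, enforce user-port isolation, police, then enqueue by priority."""
        ch = CHANNEL_OF.get(pkt["kind"])
        if ch is None:
            self.drops.append((pkt["id"], "unclassified"))
            return False
        if pkt["port"] == "user" and ch != "service" and pkt["dst"] != "access-node":
            # from a user port, signaling and management may only reach the access
            # node's own controller or management agent, never other network elements
            self.drops.append((pkt["id"], "isolation"))
            return False
        if not self.policers[pkt["kind"]].allow(now, pkt["size"]):
            self.drops.append((pkt["id"], "policed"))
            return False
        self.queues[ch].setdefault(PRIORITY[pkt["kind"]], deque()).append(pkt)
        return True

    def dequeue(self, ch):
        """Strict-priority scheduling within one channel; channels are served independently."""
        for prio in sorted(self.queues[ch], reverse=True):
            if self.queues[ch][prio]:
                return self.queues[ch][prio].popleft()
        return None


def run_demo():
    """Constructed traffic mix at t=0: a web burst that exceeds its budget, voice
    frames that must survive it, and user-port signaling to two destinations."""
    node = SwitchingNode({"voice": (200, 400), "video": (2000, 3000), "web": (1000, 1500),
                          "sclp": (200, 400), "netmgmt": (100, 200)})
    packets = [
        {"id": "v1", "kind": "voice", "size": 200, "port": "user", "dst": "peer"},
        {"id": "w1", "kind": "web", "size": 1200, "port": "user", "dst": "peer"},
        {"id": "w2", "kind": "web", "size": 1200, "port": "user", "dst": "peer"},
        {"id": "v2", "kind": "voice", "size": 200, "port": "user", "dst": "peer"},
        {"id": "s1", "kind": "sclp", "size": 300, "port": "user", "dst": "access-node"},
        {"id": "s2", "kind": "sclp", "size": 300, "port": "user", "dst": "core-node"},
        {"id": "x1", "kind": "telnet", "size": 64, "port": "user", "dst": "peer"},
    ]
    for pkt in packets:
        node.ingress(pkt, now=0.0)
    order = []
    while (pkt := node.dequeue("service")) is not None:
        order.append(pkt["id"])
    return node, order
```

In the demo the second web packet is policed because the web class has used its burst, while both voice frames are accepted and served before the surviving web packet; the signaling packet addressed to a core node from a user port is dropped by the isolation rule before it is ever policed or queued.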
(2) Network boundary protection: the network boundary is the focus of the system's security protection design, and is realized through the User Security Access Protocol (abbreviated USAP protocol). The USAP protocol validates the access of user terminals to prevent illegal terminals from attaching, and the identification process is maintained periodically.
The USAP protocol isolates the service, signaling and management data transmission links on the subscriber line, and each link corresponds to a transmission channel on the network trunk. The transmission link for user service data is established in real time under the connection control of the control layer and torn down after the service ends. Data encapsulated and carried by the USAP protocol on the subscriber line is protected for integrity and against replay, which prevents attack packets from being inserted on the subscriber line.
Through the USAP protocol, the terminal identifier is separated from the network address. The address of the user terminal in the network (that is, the routing address of the user port on the switching device) exists only inside the network and is automatically assigned by the network for each communication. USAP establishes and maintains the binding between the service, the terminal ID and the network address, and the switching device performs the conversion between terminal ID and network address according to that binding. Because the network's internal addressing is invisible to users, the security of the network boundary is effectively guaranteed.
Security between network nodes is realized through the Node Security Interconnection Protocol (abbreviated NSIP protocol). Interconnection between nodes must be authenticated, to prevent illegal nodes from attaching, and data encapsulated and carried by the NSIP protocol on the trunk is likewise protected for integrity and against replay.
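The integrity and anti-replay protection that the two paragraphs above attribute to USAP on the subscriber line and to NSIP on the trunk can be illustrated with the following added example, written for this page. The specification does not give either protocol's frame format, so the header layout (one link-type byte and a 64-bit sequence number), the separate sequence space per link type, the truncated HMAC-SHA256 tag and the 64-frame replay window are all assumptions; the key and traffic in `run_demo` are constructed.

```python
"""Toy link-layer encapsulation with integrity and anti-replay, in the spirit of
what the page attributes to USAP (subscriber line) and NSIP (trunk).  Added example;
the page does not give either protocol's frame format, so the header layout, the
per-link-type sequence spaces and the 64-frame replay window are assumptions."""
import hashlib
import hmac
import struct

SERVICE, SIGNALING, MANAGEMENT = 0, 1, 2   # link types sharing one physical line
HEADER = struct.Struct("!BQ")              # link type, 64-bit sequence number (assumed)
TAG_LEN = 16


def encapsulate(key, link, seq, payload):
    """Frame = header || payload || truncated HMAC over header and payload."""
    header = HEADER.pack(link, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class LinkReceiver:
    """Verifies the tag first, then applies a sliding anti-replay window per link type."""

    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.highest = {}  # link -> highest sequence number accepted
        self.seen = {}     # link -> bitmask; bit i set means seq (highest - i) was accepted

    def accept(self, frame):
        """Returns ((link, payload), "ok") or (None, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "short"
        header, payload, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None, "bad-tag"   # forged, or header relabelled to another link
        link, seq = HEADER.unpack(header)
        highest = self.highest.get(link, -1)
        mask = self.seen.get(link, 0)
        if seq > highest:
            shift = seq - highest
            mask = 1 if shift >= self.window else ((mask << shift) | 1) & ((1 << self.window) - 1)
            highest = seq
        else:
            behind = highest - seq
            if behind >= self.window:
                return None, "too-old"
            if (mask >> behind) & 1:
                return None, "replay"
            mask |= 1 << behind   # late but unseen: accepted exactly once
        self.highest[link], self.seen[link] = highest, mask
        return (link, payload), "ok"


def run_demo(key=b"constructed-link-key"):
    """Legitimate traffic on two links, then three constructed attacks on the line."""
    rx = LinkReceiver(key)
    frames = [encapsulate(key, SERVICE, s, b"rtp-%d" % s) for s in (0, 1, 2)]
    frames.append(encapsulate(key, SIGNALING, 0, b"sclp-invite"))
    results = [rx.accept(f)[1] for f in frames]
    forged = HEADER.pack(SERVICE, 3) + b"attacker" + bytes(TAG_LEN)
    replayed = frames[1]
    relabelled = bytes([SIGNALING]) + frames[2][1:]   # service frame relabelled as signaling
    results += [rx.accept(f)[1] for f in (forged, replayed, relabelled)]
    return results
```

Because the tag covers the link-type byte as well as the sequence number, a captured service frame cannot be replayed into the signaling link by rewriting its header, and each link keeps its own window so that legitimate reordering on one link never opens a replay opportunity on another.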
(3) Application service admission control: application services are controlled by the session connection, and the network refuses to carry service data for which the call connection has not been completed. During session connection, the connection control of the control layer verifies the authenticity of the signaling to prevent signaling attacks by illegal terminals or nodes. To secure services, the system establishes an end-to-end transmission path for service data under session connection control; the path through the network can be selected by the source node according to the QoS characteristics of the links, or a specified route or policy route can be configured through network management. The user's service data is transmitted, switched and forwarded along this transmission path, and data outside the transmission path is refused entry.
(4) Data encryption protection: encrypting service data and system information is an important means of ensuring service and network security. User service data is encrypted end to end and remains encrypted throughout network transmission, which ensures the confidentiality of communication services. All data on the trunk is encrypted as well: service data receives a second layer of encryption, which further strengthens service confidentiality, and the signaling and network protocol messages between nodes are encrypted, which strengthens the protection of the network system.
5) Integrated network management technology system. The network management system manages the network, equipment, services and users in a unified way, using hierarchical management, level-by-level aggregation and centralized control to achieve partitioned, decentralized management. It includes subsystems such as network resource management, application service management and user attribute management, and provides configuration management, fault management, performance management, topology management, service management, security management and QoS management functions.
The present invention is not limited to the specific embodiments described above. It extends to any new feature or new combination of features disclosed in this specification, and to any new method or process step or new combination of steps disclosed.