Intrusion prevention method and system based on virtual local area network switching

Abstract

Embodiments of the invention discloses an intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and a system thereof. The method comprises the following steps: receiving a data message by a boundary switch; identifying whether a sender host and a receiver host belong to the same VLAN and belong to the preset protection VLAN; if the sender host and a receiver host belong to the same VLAN, carrying out forwarding processing to the data message; if the sender host and a receiver host do not belong to the same VLAN and the sender host or the receiver host belongs to the preset protection VLAN, requesting the IPS to carry out data content safety protection processing of an application layer on the data message and carrying out forwarding processing on the data message which has went through the safety protection processing. According to the embodiments of the invention, in a network boundary including a two layer network environment which comprises a plurality of VLANs, data content detection and protection of the application layer can be realized so as to guarantee security of a VLAN user. A system overhead can be reduced and a network breakpoint risk can be reduced too.

Description

technical field [0001] The present invention relates to communication technology, in particular to an intrusion prevention method and system based on virtual local area network (Virtual Local Area Network, hereinafter referred to as: VLAN) exchange. Background technique [0002] VLAN is an end-to-end logical network built on the basis of switched local area networks and using network management software that can span different network segments and networks. In VLAN, information only arrives where it should arrive, preventing most intrusion methods based on network monitoring. For example: sensitive departments such as the financial department, personnel department, and production department of an enterprise involve a lot of sensitive data. The information on the network does not want too many people to be able to access it casually. By applying VLAN technology on the switch, it can be well realized. these functions. Through years of development, VLAN technology has been wi...

AI Technical Summary

Problems solved by technology

This deployment method based on switch redirection has the following problems: switch redirection will consume certain access control list (Access Control List, hereinafter referred to as: ACL) resources of the switch, and, as a security gateway, originally only need to protect VLAN and external network However, in this case, all data traffic in the VLAN is also processed, which puts a lot of pressure on the processing performance of the security gateway, and there is a great risk of network breakpoints;

[0011] Firewalls, abnormal traffic cleaning equipment, and security gateway products are not suitable for Layer 2 network environments where the network boundary includes multiple VLANs; IDS only detects and analyzes network traffic and alerts attack traffic, but does not block attack traffic and cannot Protect devices in a VLAN

Images