Method and device for filtering IP (Internet Protocol) message

An IP message filtering technology applied in the field of information security and cryptography, with the effect of improving configuration efficiency, reducing the impact of configuration changes, and reducing the coupling between IPSEC security policy and firewall policy.

Active Publication Date: 2015-05-06
中电科网络安全科技股份有限公司

AI Technical Summary

Problems solved by technology

[0006] 1) After configuring the IPSEC security policy, in order to ensure that the IP packets processed by IPSEC pass the firewall inspection, it is also necessary to configure a firewall policy in the FORWARD chain that passes the IP packets corresponding to the IPSEC security policy, which doubles the administrator's workload;


Examples


Embodiment 1

[0075] Embodiment 1: An IP packet filtering method includes:

[0076] Step 1. Using the netfilter packet filtering mechanism of Linux: when the IPtables module is initialized, set the default policy of the OUTPUT chain to "Allow" and the default policy of the INPUT chain to "Discard", and add firewall policies to the INPUT chain so that IPSEC-encapsulated ciphertext messages and key negotiation messages are allowed to enter the gateway;

[0077] Step 2. Set the default policy of the FORWARD chain to "Discard", create a new rule chain named "SECPOLICY", add a policy to the FORWARD chain that jumps to this chain, and load all firewall policies configured by the administrator onto the SECPOLICY chain. This filters the IP packets entering and leaving the gateway that are not processed by IPSEC.

[0078] Step 3. Using the policy match provided by the xt_policy module, append the following two firewall policies at the end of the FORWARD chain:

[0079] 1) T...

Embodiment 2

[0081] Embodiment 2: As shown in Figure 2, on the basis of Embodiment 1, the specific process in Step 2 of filtering IP packets that enter and leave the gateway without IPSEC processing includes:

[0082] Step 21: Receive a plaintext IP message passing through the gateway. The IP message has no matching IPSEC security policy and does not require IPSEC processing;

[0083] Step 22: After routing, the packet enters the firewall FORWARD chain, where the firewall policies in its sub-chain SECPOLICY are checked to decide whether the IP packet is passed or discarded;

[0084] Step 23: If the firewall policy is to allow, the IP packet is forwarded.

Embodiment 3

[0085] Embodiment 3: On the basis of Embodiment 1 or 2, as shown in Figure 3, the specific process in Step 3 of filtering IP packets after IPSEC decryption in the inbound direction includes:

[0086] Step 311: Receive an IPSEC ciphertext message from the remote gateway;

[0087] Step 312: After routing, the packet enters the firewall INPUT chain; because the IPSEC ciphertext is identified as an ESP/AH protocol packet, it is allowed to pass;

[0088] Step 313: Look up the security association by the triplet of destination address, SPI (security parameter index) and security protocol number (AH or ESP), and perform IPSEC decryption. The destination address of the decrypted plaintext message lies in the gateway's internal network;

[0089] Step 314: After routing, the packet enters the firewall FORWARD chain; the decrypted plaintext message is found to match the IPSEC policy in the IN direction, and the IP message is passed;

[0090] Step 315: Th...
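
The three steps of Embodiment 1, together with the inbound pass of Step 314 in Embodiment 3, as an added shell example that is not the patent's own code. It assumes that ESP/AH and IKE on UDP 500/4500 are the "ciphertext" and "key negotiation" traffic of Step 1, that the two trailing FORWARD rules use the xt_policy match (`-m policy`), and it invents one sample SECPOLICY rule; by default it prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example reconstructing the chain layout of Embodiment 1 (Steps 1-3);
# not the patent's own code. Assumptions: ESP/AH plus IKE on UDP 500/4500
# are the "ciphertext" and "key negotiation" traffic of Step 1, and the two
# trailing FORWARD rules use the xt_policy match (-m policy).
# IPT defaults to a dry-run printer; run as root with IPT=iptables to apply.
dry_run() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dry_run}"

# Step 1: OUTPUT open, INPUT closed except IPsec traffic addressed to the gateway.
step1_input_output() {
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
    $IPT -A INPUT -p esp -j ACCEPT                # IPsec ESP ciphertext
    $IPT -A INPUT -p ah -j ACCEPT                 # IPsec AH
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT    # IKE key negotiation
    $IPT -A INPUT -p udp --dport 4500 -j ACCEPT   # IKE / ESP in UDP (NAT-T)
}

# Step 2: FORWARD closed by default; the administrator's rules live in the
# SECPOLICY sub-chain and only govern traffic that IPsec does not handle.
step2_forward_secpolicy() {
    $IPT -P FORWARD DROP
    $IPT -N SECPOLICY
    $IPT -A FORWARD -j SECPOLICY
    # constructed sample administrator rule; the page lists none
    $IPT -A SECPOLICY -s 10.1.0.0/16 -d 10.2.0.0/16 -p tcp --dport 443 -j ACCEPT
}

# Step 3: at the end of FORWARD, the policy match passes what IPsec itself
# handled: packets just decrypted inbound (Embodiment 3, Step 314) and
# packets about to be encrypted outbound. No mirrored firewall rule is needed.
step3_xt_policy_tail() {
    $IPT -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
}

all_rules() {
    step1_input_output
    step2_forward_secpolicy
    step3_xt_policy_tail
}

all_rules
```

Rule order matters here: the jump to SECPOLICY precedes the two policy-match rules, so an administrator rule in SECPOLICY that ends in DROP also stops IPsec-decrypted traffic before it reaches them.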


Abstract

The invention belongs to the technical field of information security and cryptography, and relates to a method and a device for implementing IP message filtering through the cooperation of IPSEC VPN and IPtables technologies. The invention provides a gateway device integrating IPSEC VPN and a firewall module, which implements IP message filtering by cooperation of the IPSEC VPN security policy and the firewall policy. The coupling between the IPSEC VPN security policy configuration and the firewall policy configuration is reduced, so that the two policy configurations each perform their own function. With this design, data transmission on the INPUT, OUTPUT and FORWARD chains is governed by the policy configurations. The method and device for filtering IP (Internet Protocol) messages provided by the invention are mainly applied in the field of message data filtering.

Description

Technical field

[0001] The invention relates to the technical field of information security and cryptography, and in particular to a method and device for IP message filtering through the cooperation of IPSEC VPN and IPtables technology.

Background technique

[0002] IPSEC is an open IP-layer security framework protocol formulated by the Internet Engineering Task Force (IETF). It provides transparent security services for IP network communications, protects TCP/IP communications from eavesdropping and tampering, and can effectively resist network attacks while remaining easy to use.

[0003] IPSEC technology has been widely adopted in gateway equipment. The gateway equipment sits at the gateway position between the local area network and the remote local area network with which it communicates, and uses IPSEC tunnelling, encryption and authentication technology to build a virtual private network (VPN) over the public network, da...

Application Information

Patent Type & Authority Patents(China)
IPC(8): H04L29/06, H04L12/883, H04L12/46
Inventor 胡川
Owner 中电科网络安全科技股份有限公司