CN-121984726-A - Method, device and equipment for security reinforcement of system boundary router

CN121984726A

Abstract

The application relates to the technical field of 5G communication network security and discloses a method, a device and equipment for security reinforcement of a system boundary router. The method comprises the steps of: constructing a service configuration mapping table; in the session establishment stage, the session management function generating and transmitting a target security policy to the user plane function according to the service configuration mapping table; when the user plane function receives a data stream, matching and writing an identifier in a preset field of the data packet header of the data stream according to the target security policy, and encapsulating and transmitting the data stream to the data center gateway; and the data center gateway intelligently adjusting the service state of the uplink data packet according to the identifier. The application can overcome the defect of statically configured security policies and improve the security of the system.

Inventors

  • CHEN MINGJIE
  • QI BING
  • WU MENG

Assignees

  • 中国移动通信集团辽宁有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260505
Application Date
20260115

Claims (10)

  1. A method for security reinforcement of a system border router, characterized by comprising the following steps: constructing a service configuration mapping table; in the session establishment stage, the session management function generates and issues a target security policy to a user plane function according to the service configuration mapping table; when the user plane function receives a data stream, matching and writing an identifier in a preset field of the data packet header of the data stream according to the target security policy, and encapsulating and transmitting the data stream to the data center gateway; and the data center gateway intelligently adjusts the business service state of the uplink data packet according to the identifier.
  2. The method of system border router security reinforcement as claimed in claim 1, wherein said step of building a service configuration mapping table includes: when the 5G terminal equipment is key service user equipment, enabling restriction of access by unauthorized equipment and preferential processing of key service data streams; when the 5G terminal equipment is target equipment, enabling firewall rules of the highest security level, encrypting and limiting access to a preset port, monitoring the behavior of the target equipment, and detecting whether preset security conditions are met; when the service data stream is a key service data stream, allocating a dedicated bandwidth and a preset priority and starting a data packet deep security detection strategy to identify and filter abnormal traffic; when the accessed data network is a target service scene, starting a preset identity authentication and authority control strategy and preferentially distributing network resources; when the service quality is a high-priority video stream, enabling a video service with higher bandwidth and lower delay and a firewall strategy with higher priority; when the service quality is the data flow of Internet of Things equipment, enabling a transmission service with lower bandwidth and a dedicated flow filtering strategy; when the service quality is standard internet traffic, enabling a transmission service of standard bandwidth and a default firewall policy; when the network slice is an enterprise-specific network slice, enabling a firewall policy and intrusion detection of the highest security level; when the network slice is a virtual reality/augmented reality application slice, enabling a high-bandwidth transmission service and a lowest-delay path selection strategy; and when the network slice is a public internet slice, enabling a standard security policy and a preset traffic priority policy.
  3. The method of system border router security reinforcement as claimed in claim 1, wherein said step of building a service configuration mapping table further comprises: acquiring a security event log in real time; judging whether the security event log meets a preset condition; and closing the port of the non-key service when the security event log meets the preset condition.
  4. The method for security reinforcement of a system border router according to any one of claims 1-3, further comprising the steps of: when the data packet field is processed, adding to the Options field a sub-industry field representing the industry category to which the service belongs, and adding a preset position identification bit; preferentially parsing the sub-industry field and the preset position identification bit in the Options field; when the preset position identification bit in the Options field meets a first identification condition, starting a data packet deep security detection strategy and starting the security strategy corresponding to the sub-industry field; and when the preset position identification bit in the Options field meets a second identification condition, starting a data packet standard security detection strategy and starting the security strategy corresponding to the sub-industry field.
  5. The method of system border router security reinforcement as described in claim 4, further comprising the step of: when the data center gateway processes a downlink data packet received from the external network, the data center gateway automatically inherits the service configuration of the uplink data and dynamically adjusts the service state of the downlink data packet.
  6. The method of system border router security reinforcement as claimed in claim 4, further comprising the step of: when the user plane function receives a data stream and, according to the target security policy, no identifier is matched, enabling the security policy configured by default.
  7. A system border router security reinforcement device, characterized by being applied to the method of any one of claims 1 to 6, comprising a session management function, a user plane function and a data center gateway; the session management function sends uplink data to the user plane function; the user plane function receives, parses and encapsulates the uplink data; and the data center gateway receives the encapsulated uplink data and dynamically adjusts the business service state of the uplink data packet.
  8. A computer device comprising a memory, a processor and a computer program stored on the memory, the processor executing the computer program to perform the steps of the method of any one of claims 1 to 6.
  9. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 6.
  10. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 6.
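As an added, runnable illustration of the flow in claims 1, 4, 5 and 6 (this is example code written for this page, not code from the patent or its assignees): a toy Python model in which the SMF selects a policy from a service configuration mapping table at session establishment, the UPF writes the identifier (sub-industry code plus position identification bit) into a constructed IPv4 Options entry, and the DC GW parses that entry to choose deep or standard detection, falls back to the default policy when the packet carries no identifier or a malformed one, and lets downlink packets inherit the uplink decision. The option type value, the TLV layout, the table rows, the industry codes and the priority-based row precedence are all assumptions of this example; the patent specifies none of them.

```python
"""Toy model of the SMF -> UPF -> DC GW policy flow. Constructed example; the option
type, field layout, table rows and industry codes are assumptions, not from the patent."""
from dataclasses import dataclass
from typing import Optional, Tuple

OPT_TYPE = 0x9E              # hypothetical IPv4 option type for the identifier (not IANA-assigned)
FLAG_DEEP_DETECTION = 0x01   # "preset position identification bit": 1 = deep detection, 0 = standard

# Sub-industry codes written by the UPF and the DC GW rule set each one selects (assumed values).
SUB_INDUSTRY_CODES = {"finance": 0x01, "manufacturing": 0x02, "consumer": 0x03}
INDUSTRY_POLICY = {0x01: "finance_rules", 0x02: "ot_rules", 0x03: "consumer_rules"}

# Service configuration mapping table (claim 2): (attribute, value) -> policy row.
SERVICE_CONFIG_MAPPING = {
    ("device", "key_service_ue"): dict(name="key_service_ue", firewall="restrict_unauthorized", deep=False, priority=7),
    ("stream", "key_service"):    dict(name="key_service_stream", firewall="strict", deep=True, priority=8),
    ("qos", "hp_video"):          dict(name="hp_video", firewall="high_priority", deep=False, priority=6),
    ("qos", "iot"):               dict(name="iot", firewall="iot_filter", deep=False, priority=2),
    ("qos", "standard"):          dict(name="standard", firewall="default", deep=False, priority=1),
    ("slice", "enterprise"):      dict(name="enterprise_slice", firewall="highest", deep=True, priority=9),
    ("slice", "vr_ar"):           dict(name="vr_ar_slice", firewall="standard", deep=False, priority=5),
    ("slice", "public_internet"): dict(name="public_internet", firewall="standard", deep=False, priority=1),
}
DEFAULT_DECISION = dict(detection="standard", sub_industry=0, firewall="default")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    options: bytes = b""   # IPv4 header Options field as raw bytes

    def flow(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_flow(self):
        return (self.dst, self.src, self.dport, self.sport, self.proto)


def smf_generate_policy(session: dict) -> Optional[dict]:
    """SMF side (claim 1): at session establishment, look every session attribute up in the
    mapping table and keep the highest-priority matching row (precedence rule is assumed).
    Returns None when no row matches, so the UPF falls back to the default (claim 6)."""
    rows = [SERVICE_CONFIG_MAPPING[k] for k in session.items() if k in SERVICE_CONFIG_MAPPING]
    if not rows:
        return None
    best = max(rows, key=lambda r: r["priority"])
    return dict(best, sub_industry=SUB_INDUSTRY_CODES.get(session.get("industry"), 0))


def upf_mark_packet(pkt: Packet, policy: Optional[dict]) -> Packet:
    """UPF side (claims 1, 4, 6): append the identifier TLV type|length|flags|sub_industry
    to the Options field; the packet stays unmarked when no policy matched."""
    if policy is None:
        return pkt
    flags = FLAG_DEEP_DETECTION if policy["deep"] else 0
    pkt.options += bytes([OPT_TYPE, 4, flags, policy["sub_industry"]])
    return pkt


class DataCenterGateway:
    """DC GW side (claims 1, 4, 5): read the identifier and adjust the service state."""

    def __init__(self):
        self.flow_state = {}   # uplink 5-tuple -> decision, reused for downlink (claim 5)

    @staticmethod
    def parse_identifier(options: bytes) -> Optional[Tuple[int, int]]:
        """Walk the Options TLVs; give up on End-of-Options or any malformed length."""
        i = 0
        while i < len(options):
            opt_type = options[i]
            if opt_type == 0:            # End of Options List
                return None
            if opt_type == 1:            # No-Operation: single byte, no length
                i += 1
                continue
            if i + 1 >= len(options):
                return None
            length = options[i + 1]
            if length < 2 or i + length > len(options):
                return None              # malformed: treat the packet as unmarked
            if opt_type == OPT_TYPE and length == 4:
                return options[i + 2], options[i + 3]
            i += length
        return None

    def process_uplink(self, pkt: Packet) -> dict:
        ident = self.parse_identifier(pkt.options)
        if ident is None:
            decision = dict(DEFAULT_DECISION)
        else:
            flags, sub_industry = ident
            deep = bool(flags & FLAG_DEEP_DETECTION)   # first vs second identification condition
            decision = dict(detection="deep" if deep else "standard", sub_industry=sub_industry,
                            firewall=INDUSTRY_POLICY.get(sub_industry, "default"))
        self.flow_state[pkt.flow()] = decision
        return decision

    def process_downlink(self, pkt: Packet) -> dict:
        """Downlink packets from the external network inherit the uplink decision of the same flow."""
        return self.flow_state.get(pkt.reverse_flow(), dict(DEFAULT_DECISION))
```

The gateway deliberately treats a truncated or oversized option as "no identifier" rather than raising, so a hostile or corrupted Options field degrades to the default policy instead of crashing the classifier; the flow-state table is the only state needed for claim 5 and would need an expiry in a real deployment.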

Description

Method, device and equipment for security reinforcement of system boundary router

Technical Field

The present application relates to the field of 5G communication network security technologies, and in particular to a method, an apparatus and a device for security reinforcement of a system border router.

Background

In the prior art, a border router serves as the first line of defense of a network and is responsible for managing data flow between the internal network and the external network, so the security of the border router is critical. In a 5G network, a data center gateway (DATA CENTER GATEWAY, DC GW) serves as the 5G system border router; it communicates with the user plane function (User Plane Function, UPF) over the N6 interface and is responsible for transmitting user data to a data center or the internet. Its main functions include packet forwarding, quality of service (QoS), traffic management and security control. As the key device at the network boundary, the data center gateway must ensure security between the internal and external networks while handling continuously changing network traffic and diversified service requirements. However, in current 5G networks the data center gateway, as the boundary device of the network, relies mainly on statically configured security policies and cannot dynamically adjust its protection measures according to real-time network requirements, QoS parameters or slice characteristics, which is a significant shortcoming in security management. With regard to this related technology, the inventor finds that the existing 5G system border router adapts poorly to complex network environments, cannot effectively prevent potential security threats, and leaves system security weak.
Disclosure of Invention

In order to improve the security of a system, the application provides a method, a device and equipment for reinforcing the security of a system border router. In a first aspect, the present application provides a method for security reinforcement of a system border router. The application is realized by the following technical scheme: a method for security reinforcement of a system border router comprises the following steps: constructing a service configuration mapping table; in the session establishment stage, the session management function generates and issues a target security policy to a user plane function according to the service configuration mapping table; when the user plane function receives a data stream, matching and writing an identifier in a preset field of the data packet header of the data stream according to the target security policy, and encapsulating and transmitting the data stream to the data center gateway; and the data center gateway intelligently adjusts the business service state of the uplink data packet according to the identifier.
The present application may be further configured in a preferred example in that the step of constructing a service configuration mapping table comprises:

  • when the 5G terminal equipment is key service user equipment, enabling restriction of access by unauthorized equipment and preferential processing of key service data streams;
  • when the 5G terminal equipment is target equipment, enabling firewall rules of the highest security level, encrypting and limiting access to a preset port, monitoring the behavior of the target equipment, and detecting whether preset security conditions are met;
  • when the service data stream is a key service data stream, allocating a dedicated bandwidth and a preset priority and starting a data packet deep security detection strategy to identify and filter abnormal traffic;
  • when the accessed data network is a target service scene, starting a preset identity authentication and authority control strategy and preferentially distributing network resources;
  • when the service quality is a high-priority video stream, enabling a video service with higher bandwidth and lower delay and a firewall strategy with higher priority;
  • when the service quality is the data flow of Internet of Things equipment, enabling a transmission service with lower bandwidth and a dedicated flow filtering strategy;
  • when the service quality is standard internet traffic, enabling a transmission service of standard bandwidth and a default firewall policy;
  • when the network slice is an enterprise-specific network slice, enabling a firewall policy and intrusion detection of the highest security level;
  • when the network slice is a virtual reality/augmented reality application slice, enabling a high-bandwidth transmission service and a lowest-delay path selection strategy;
  • when the network slice is a public internet slice, enabling a standard security policy and a preset traffic priority policy.

The present application may be further configured in a preferred example such that the step of constructing a serv