Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection
Technical Field
The invention relates to the technical field of network communication, in particular to a real-time internal and external network data exchange system with stateless end-to-end connections, based on the separation of uplink and downlink using one-way light splitting technology.
Background
With the rapid development of computer communication technology and the internet, more and more enterprises and government departments work through computer networks; large numbers of information systems are built on the internal networks of these organizations and generate massive amounts of data. With the development of the mobile internet, and in order to improve office efficiency, management level and decision-making capability while reducing cost and increasing benefit, the internal-network office mode has become a very important part of an enterprise's overall operation and is widely applied in modern, efficiently managed enterprises. However, while the internal-network office mode brings a new office experience, it also introduces new network insecurity, so enterprises place ever higher security requirements on the internal network. Traditional real-time data exchange between internal and external networks mainly uses a VPN, that is, a private network established over the public network for encrypted communication. The method mainly consists of establishing a VPN server connected to a given enterprise and accessing the internal resources of the enterprise network through a single tunnel service. Accessing the intranet through such a one-way tunnel service is easily subjected to ARP attacks, DNS spoofing and the like, which greatly reduces the security and stability of the method.
To address the security and stability of VPN connections, in 2012 the Chinese patent document "a method and an apparatus for accessing intranet resources of a VPN server" (CN 103023898B) proposed a method of establishing a virtual IP, solving the problem that a user host cannot normally access the intranet resources of the VPN server because of address overlap; also in 2012, the Chinese patent document "a system and method for accessing an intranet by a user side through a VPN" (CN 103840994A) mainly has the user side communicate with an intranet VPN server, establishes a VPN tunnel at the user side, and improves security with a data interception system and method in the application process; in 2016, the Chinese patent document "intelligent offload gateway based on lightweight secure virtual private network" (CN 106330653A) solved the security problem at the IP network layer of enterprise mobile networks through a virtual private network and improved the secure transmission performance of the IP network.
Disclosure of Invention
The invention provides a real-time internal and external network data exchange system based on one-way light splitting technology. Unlike a traditional service platform with a single internal and external network access path, the uplink and downlink tunnel services of the internet connection used by the internal and external networks are separated during data transmission, the internal network side physically isolates the internet connection through a one-way optical splitter, and correlation detection and analysis of uplink and downlink data on a single circuit is prevented. Random ports are used for the internet connection, so that traditional transaction analysis based on the four-tuple (source address/destination address, source port/destination port) cannot track a transaction; state tracking of the link is thereby prevented and a stateless connection is realized.
The technical scheme of the invention is as follows:
The real-time internal and external network data exchange system based on one-way light splitting and stateless end-to-end connections comprises:
1. The request connection module, which is used to request a logical connection from the user side to a destination service (the user side is any networked device protected by the device of this system that needs to access a remote local area network service through the Internet; it is the user of the system and device); the system is transparent to the user side.
2. The client node module, which comprises four sub-modules: an encryption and decryption module, an uplink and downlink data separation module, a one-way light splitting module and an internet connection module.
The encryption and decryption module sends all of a user's transaction requests to the encryption and decryption service through the redirection service, encrypts them (the encryption algorithm is optional) and sends the encrypted data to the stateless tunnel service; the stateless tunnel service in the encryption and decryption module of the client node module simultaneously initiates an uplink tunnel connection request and a downlink tunnel receiving request, and maintains that state until data is received or a timeout occurs.
The uplink and downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service, and is provided with a trap server that mainly transmits the encrypted user request and receives the response data from the service end node module. The sending end and the receiving end of the uplink and downlink data separation module pass through the one-way optical splitter of the one-way light splitting and isolating module; the splitter copies the data originally sent to the trap server, the copy is used for the actual data processing, and the actual data processing is thereby isolated from the internet, which guarantees the security of the data processing process. The one-way optical splitter of the one-way light splitting and isolating module is used at both the sending end and the receiving end of the uplink and downlink data separation module.
At the sending end, the data is copied by the one-way optical splitter: one copy reaches the uplink trap server of the client node module, which sends the data through the WAN1 port to the uplink tunnel service of the service end node module; the other copy reaches the redirection service, which maintains the physical connection signal of the link, and is then discarded.
At the receiving end, the optical splitter copies the data: one copy reaches the downlink trap server and is used to maintain the internet connection; the other reaches the stateless tunnel service and is sent to the encryption and decryption module for further processing.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet, and provides the internet communication of the client node module.
3. The service end node module, which likewise comprises four sub-modules: an internet connection module, a one-way light splitting and isolating module, an uplink and downlink data separation module and an encryption and decryption module.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet, and provides the internet communication of the client node module.
The uplink and downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service. Each is divided into an inner network port and an outer network port, and the inner network port passes through the one-way optical splitter of the one-way light splitting and isolating module. At the receiving end, the uplink tunnel service copies the received data through the optical splitter: the original data is sent to the receiving port of the uplink trap server within the uplink tunnel service of the service end node module, where the uplink trap server processes it, and the copied data is sent to the encryption and decryption module for further processing. The one-way optical splitter splits the encrypted data, the actual processing of the data is isolated behind the one-way optical splitter, and the uplink and downlink data transmitted over the network are completely separated. The trap server arranged at the one-way optical splitter (an uplink trap server with an address is used to process data in the uplink tunnel service) has a static internet address and is used specifically to fend off unidentified traffic. Unidentified traffic is diverted to the tunnel service, and the tunnel's information is sent to the encryption and decryption module and then to the intranet target service system; to protect the intranet from attacks, unidentified internet connection transactions are isolated in the DMZ zone, i.e. the two routers of the network can be directly connected. Encryption of the tunnel transmission is realized by negotiating the transmitted key when the transaction starts, and the key used by each transaction is different.
The encryption and decryption module comprises a data processing board and a key authentication control board, and encrypts and decrypts data so that the user can finally access the target service system in the internal network. The working process of the data processing board and the key authentication control board comprises the following steps:
The uplink tunnel service transmits the encrypted user transaction request data flow through the optical splitter to the data processing board, which passes it to the key authentication control board for encryption and decryption. The data processing board is directly connected to an information socket in the intranet wiring system, i.e. a communication outlet connector. The data processing board sends data to be transmitted back to the key authentication control board; the data passes through the uplink and downlink data separation module, a copy of the flow is made through the optical splitter and finally sent to the client node module, while the key authentication control board discards the flow. The encryption and decryption circuit and the splitter branch circuit are not coupled to each other.
4. The module for user access to the target service system in the internal network, which is used to establish the logical connection between the user's initial request and the target service system.
The encryption and decryption module in the client node module further sends the encrypted data to the stateless tunnel service, which initiates an uplink tunnel connection request and a downlink tunnel receiving request respectively and maintains state until data is received or a timeout occurs. The IP address used by the client node module may be a dynamic IP address, a static address or any other Internet access mode, and a trap server is provided to fend off illegal attacks. No internet node of the service end node module is configured with any port, no service end node device exposes any port externally, all transport layer protocols are converted to UDP for transmission, the port number of the converted UDP transmission is not used to judge a transaction connection and serves only to pass through gateways and firewalls, and the port is indeterminate and is maintained statelessly for each transaction connection.
Each module in the system works independently and is not coupled to the others.
From the above summary, the invention has the following advantages over the prior art:
The invention proposes a real-time internal and external network data exchange system and device based on stateless end-to-end connections with uplink and downlink separation through one-way light splitting. By distinguishing the uplink and downlink tunnel services, no internet node has any fixed port configuration; the splitter branches the data flow and the actual processing of the data is carried out after the branch; the trap device bears all internet attacks, protecting the security of the internal network against ARP attacks, DNS spoofing and the like; in addition, unauthenticated internet connection transactions are isolated in the DMZ (directly connected network router), so that many security problems of VPN access to the intranet are solved and the security of real-time data transmission and exchange between the intranet and the extranet is improved.
Drawings
FIG. 1 is a schematic flow chart of the operation of the system of the present invention;
FIG. 2 is an internal block diagram of a client node module;
FIG. 3 is a timing diagram illustrating the operation of the encryption/decryption module;
FIG. 4 is a flow chart of the client node module uplink tunnel service processing and transmitting the encrypted user request;
FIG. 5 is a flow block diagram of a client node module downstream tunnel service receiving data from a server node module;
FIG. 6 is an internal block diagram of a service end node module;
FIG. 7 is a flow chart of the working process of the data processing board and the key authentication control board of the encryption and decryption module in the service end node module.
Detailed Description
The technical content of the invention is further explained below with reference to the drawings:
The main operating flow of the system and device of the invention is shown in FIG. 1, and the steps mainly comprise:
Step 11, the user request connection module: the user sends a connection request to the target service system.
The target service system is a computer system containing a service that a user requests to access; the system is in an internal network that cannot be directly accessed through the Internet. The user request is an access request sent by the user to the target service system in order to access a specific resource on it; the content of the request comprises predefined signalling such as the network address and port of the target service system and a specific instruction.
Step 12, the client node module, whose internal structure is shown in FIG. 2, comprises four sub-modules: an encryption and decryption module, an uplink and downlink data separation module, a one-way light splitting module and an internet connection module.
Step 12-1: the encryption and decryption module. The encryption and decryption module comprises a redirection service 31, an encryption and decryption service 32 and a stateless tunnel service 33; the sequence diagram of its working process is shown in FIG. 3. The redirection service 31 receives a request from a user to access the destination service system, and the encryption and decryption service 32 encrypts the request (the encryption algorithm is optional); the encrypted data is then sent to the stateless tunnel service 33, which sends it to the uplink tunnel service of the client node device. When receiving data, the stateless tunnel service 33 receives the data from the downlink tunnel service of the uplink and downlink data separation module, sends it to the encryption and decryption service 32 for decryption, and then feeds it back to the user through the redirection service 31.
The redirection service 31 is a service built into the encryption and decryption module; its function is to receive data and forward it to a specific entity, thereby realizing data exchange.
The encryption and decryption service 32 provides the data encryption and decryption function of the encryption and decryption module; the keys used are transmitted through protocol negotiation when a transaction starts, and the key of each transaction is different.
The stateless tunnel service 33 is the communication service used by the encryption and decryption module. With the help of the redirection service 31, it encapsulates the data from the encryption and decryption service 32 at the transport layer using the UDP protocol according to the internet address of the uplink router of the service end node module, initiates a request for a receiving connection tunnel, sends the request to the uplink tunnel service of the uplink and downlink data separation module, maintains state until data is received or a timeout occurs, and receives UDP packet data from the downlink tunnel service of the uplink and downlink data separation module.
The UDP packet is a converted transport layer protocol packet used for compatibility with current internet protocols and for passing through gateways and firewalls; the port number it carries is not used to judge the original user transaction connection, and may be different or the same for each new user request transaction connection, as required.
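The stateless tunnel behaviour described above (correlating a transaction by an identifier carried inside the UDP payload rather than by the four-tuple, with a receive-or-timeout state on the receiver) as an added illustration that is not part of the patent and does not reproduce its implementation. The header layout, the `encapsulate` function and the `StatelessReassembler` class are assumptions of this example, and the encryption step is treated as an opaque byte string.

```python
import struct
import time

# Datagram header constructed for this example; the patent specifies no wire format.
# 16-byte transaction id | 2-byte fragment sequence | 2-byte fragment count | 2-byte payload length
HEADER = struct.Struct("!16sHHH")


def encapsulate(transaction_id: bytes, ciphertext: bytes, mtu: int = 1200) -> list:
    """Split an already-encrypted request into UDP payloads tagged with the transaction id.

    The UDP source port of each datagram is chosen by the sender and carries no transaction
    meaning (it only has to traverse gateways and firewalls); the embedded id correlates fragments.
    """
    if len(transaction_id) != 16:
        raise ValueError("transaction id must be 16 bytes")
    chunks = [ciphertext[i:i + mtu] for i in range(0, len(ciphertext), mtu)] or [b""]
    total = len(chunks)
    return [HEADER.pack(transaction_id, seq, total, len(c)) + c for seq, c in enumerate(chunks)]


class StatelessReassembler:
    """Receiving side of the tunnel: groups fragments by transaction id, never by 4-tuple.

    A partial transaction is kept only until `timeout_s` elapses from its first fragment,
    so the receiver holds no per-connection state beyond transactions still in flight.
    """

    def __init__(self, timeout_s: float = 5.0):
        self.timeout_s = timeout_s
        self._pending = {}  # transaction id -> {"total", "first_seen", "fragments"}

    def expire(self, now: float) -> int:
        """Drop incomplete transactions older than the timeout; return how many were dropped."""
        stale = [tid for tid, e in self._pending.items() if now - e["first_seen"] > self.timeout_s]
        for tid in stale:
            del self._pending[tid]
        return len(stale)

    def accept(self, datagram: bytes, src_addr: tuple, now: float = None):
        """Feed one received UDP payload; return the reassembled ciphertext when complete, else None.

        `src_addr` is the sender's (ip, port). It is accepted only to make explicit that it is
        not used for correlation: fragments of one transaction may arrive from different ports.
        """
        now = time.monotonic() if now is None else now
        self.expire(now)
        if len(datagram) < HEADER.size:
            return None  # malformed: too short to carry a header
        tid, seq, total, length = HEADER.unpack_from(datagram)
        body = datagram[HEADER.size:]
        if total == 0 or seq >= total or len(body) != length:
            return None  # malformed: inconsistent counts or truncated body, dropped silently
        entry = self._pending.setdefault(tid, {"total": total, "first_seen": now, "fragments": {}})
        if entry["total"] != total:
            return None  # fragment count disagrees with the first fragment seen for this id
        entry["fragments"][seq] = body
        if len(entry["fragments"]) < total:
            return None
        del self._pending[tid]
        return b"".join(entry["fragments"][i] for i in range(total))


if __name__ == "__main__":
    # Constructed sample: a 2500-byte opaque "ciphertext" split over three datagrams that
    # arrive out of order and from three different source ports.
    tid = bytes(range(16))
    frags = encapsulate(tid, b"A" * 2500, mtu=1000)
    rx = StatelessReassembler(timeout_s=2.0)
    for frag, port, t in ((frags[0], 40001, 0.0), (frags[2], 50222, 0.5), (frags[1], 61111, 1.0)):
        result = rx.accept(frag, ("203.0.113.5", port), now=t)
        print(f"port {port}: {'complete' if result else 'waiting'}")
```

Because nothing is keyed on the source port, a firewall or NAT rewriting ports between the two sides has no effect on reassembly, while the timeout bounds how long an attacker can keep a half-finished transaction resident on the receiver.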
Step 12-2: the uplink and downlink data separation module. The uplink and downlink data separation module comprises an uplink tunnel service and a downlink tunnel service.
The flow by which the uplink tunnel service processes and transmits the encrypted user request is shown in FIG. 4; here the client node module is in any local area network connected to the internet. The stateless tunnel service in the encryption and decryption module sends data to the redirection service; as the data passes over the optical fibre it is copied by the optical splitter of the one-way light splitting and isolating module. One copy reaches the uplink trap server of the client node module, which sends the data through the WAN1 port to the uplink tunnel service of the service end node module; the other reaches the redirection service and is discarded.
The flow by which the downlink tunnel service receives data from the service end node module is shown in FIG. 5. The WAN2 port of the client node module's internet connection module receives data from the Internet, including data transmitted by the service end node module. The data is sent to the downlink trap server of the client node module; at this point the one-way light splitting and isolating module copies the data, the original reaches the downlink trap server and is used to process internet data, and the copy reaches the stateless tunnel service and is sent to the encryption and decryption module for further processing.
Step 12-3: the one-way light splitting and isolating module. The module comprises a one-way optical splitter, which copies the data originally sent to the downlink trap server at the WAN1 port and sends the copy to the encryption and decryption module through the uplink and downlink data separation module for the actual data processing; or, without establishing a link connection, copies the data originally sent by the stateless tunnel service of the encryption and decryption module to its redirection service, passes the copy to the uplink tunnel service of the uplink and downlink data separation module, and finally sends it to the service end node module. The module isolates the actual data processing process from the Internet to ensure the security of the data processing process.
Step 12-4: the internet connection module. The internet connection module comprises a WAN1 port and a WAN2 port; the WAN1 port has a dynamic internet address or an internal local area network address and receives data from the service end node module; the WAN2 port has a dynamic internet address or an internal local area network address and sends data to the service end node module.
Step 13, the service end node module, whose internal structure is shown in FIG. 6, comprises four sub-modules: an internet connection module, a one-way light splitting and isolating module, an uplink and downlink data separation module and an encryption and decryption module.
Step 13-1: the internet connection module. The internet connection module comprises a WAN1 port and a WAN2 port; the WAN1 port has a static internet address for receiving data from the service end node module; the WAN2 port has a static internet address for sending data to the service end node module.
Step 13-2: the one-way light splitting and isolating module. The module comprises a one-way optical splitter, which copies the data originally sent to the uplink trap server at the WAN1 port and sends the copy to the encryption and decryption module through the uplink and downlink data separation module for the actual data processing; or, without establishing a logical link, copies the data originally sent by the data processing board of the encryption and decryption module to its key authentication control board, passes the copy to the downlink tunnel service of the uplink and downlink data separation module, and finally sends it to the client node module. The module isolates the actual data processing process from the Internet to ensure the security of the data processing process.
Step 13-3: the uplink and downlink data separation module. The uplink and downlink data separation module comprises an uplink tunnel service and a downlink tunnel service.
The flow by which the uplink tunnel service and the downlink tunnel service process and transmit data is basically the same as for the uplink and downlink data separation module of the client node module.
Step 13-4: the encryption and decryption module. The encryption and decryption module comprises a data processing board and a key authentication control board, and encrypts and decrypts data so that the user can finally access the target service system in the internal network.
The working process of the data processing board and the key authentication control board is shown in FIG. 7. The uplink tunnel service of the service end node module transmits the encrypted user transaction request data flow through the optical splitter to the data processing board, which passes it to the key authentication control board for encryption and decryption. The data processing board is directly connected to an information socket in the intranet wiring system, i.e. a communication outlet connector. The data processing board sends data to be transmitted back to the key authentication control board; the data passes through the uplink and downlink data separation module, a copy of the flow is made through the optical splitter and finally sent to the client node module, while the key authentication control board discards the flow. The encryption and decryption circuit and the splitter branch circuit are not coupled to each other.
Step 14, access to the target service system in the internal network: data processed by the service end node module reaches the target service system through the intranet, and data processed by the target service system is likewise sent to the service end node module through the intranet.
It can be seen from the above embodiments that the real-time internal and external network data exchange system and device with stateless end-to-end connections based on one-way light splitting uplink and downlink separation provided by the present invention can hide the internal network through the one-way copying characteristic of the optical splitter and the trap service, and defend against attacks by isolating unauthenticated data in the trap server, so that data is exchanged securely between the user and the target service system; the uplink and downlink data paths are separated during the exchange, further improving data security and better preventing hijacking and intrusion techniques such as man-in-the-middle attacks. The device also provides real-time service capability for all TCP/UDP services while ensuring access security.