CN109245982B - Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection

Info

Publication number
CN109245982B
Authority
CN
China
Legal status
Active
Application number
CN201710558284.XA
Other languages
Chinese (zh)
Other versions
CN109245982A (en
Inventor
程克非
张睿
刘晓侠
Current Assignee
Chongqing Zhizai Technology Co ltd
Original Assignee
Chongqing University of Post and Telecommunications
Application filed by Chongqing University of Post and Telecommunications
Priority to CN201710558284.XA
Publication of CN109245982A
Application granted
Publication of CN109245982B

Classifications

    • H04L63/0272 Virtual private networks (H04L63/02: network security architectures or protocols for separating internal from external traffic, e.g. firewalls)
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4683 Dynamic sharing of VLAN information amongst network nodes characterized by the protocol used
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Authentication of entities using passwords
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L69/40 Network arrangements, protocols or services for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Abstract

A real-time internal and external network data exchange system based on unidirectional optical splitting and stateless end-to-end connection comprises a user request connection module, a client node module, a service end node module and a target service system module in the internal network that the user accesses. The client node module comprises an encryption and decryption module, an uplink and downlink data separation module, a unidirectional optical splitting and isolation module and an internet connection module. The service end node module likewise comprises an internet connection module, a unidirectional optical splitting and isolation module, an uplink and downlink data aggregation and distribution module and an encryption and decryption module. The user accesses the target service system module in the internal network, which establishes the logical connection between the user's initial request and the target service system. The system uses trap (decoy) devices to absorb all internet-borne attacks, protects the intranet, can resist ARP attacks, DNS spoofing and the like, and isolates unauthenticated internet connection transactions in a DMZ, so that the security of real-time data transmission and exchange between the internal and external networks is improved.

Description

Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection
Technical Field
The invention relates to the technical field of network communication, in particular to a real-time internal and external network data exchange system with stateless end-to-end connections, based on separating uplink and downlink traffic by means of unidirectional optical splitting.
Background
With the rapid development of computer communication technology and the internet, more and more enterprises and government departments work through computer networks; large numbers of information systems are built in their internal networks and generate massive amounts of data. With the growth of the mobile internet, and in order to improve office efficiency, management level and decision-making capability, reduce cost and increase benefit, the internal-network office mode has become a very important part of the overall operation of an enterprise and is very commonly used in modern, efficiently managed enterprises. However, while the internal-network office mode brings a new experience to office work, it also introduces new network insecurity, so enterprises' security requirements for the internal network are ever higher. The traditional approach to real-time data exchange between internal and external networks is mainly VPN, that is, a private network established on top of a public network for encrypted communication. It mainly consists of connecting to an enterprise's VPN server and accessing the enterprise network's internal resources through a one-way tunnel service. Accessing the intranet through such a one-way tunnel service is easily subjected to ARP attacks, DNS spoofing and the like, which greatly reduce its security and stability.
To address the security and stability of VPN connections, in 2012 the Chinese patent document "A method and an apparatus for accessing intranet resources of a VPN server" (CN 103023898B) proposed establishing a virtual IP, solving the problem that a user host cannot normally access the VPN server's intranet resources because of address overlap; in 2012 the Chinese patent document "A system and method for accessing an intranet by a user side through a VPN" (CN 103840994A) mainly has the user side communicate with an intranet VPN server, establishes the VPN tunnel at the user side, and improves security through a data interception system and method in the application process; in 2016 the Chinese patent document "Intelligent offload gateway based on lightweight secure virtual private network" (CN 106330653A) solves the security problem at the IP network layer of enterprise mobile networks through a virtual private network and improves the secure transmission performance of the IP network.
Disclosure of Invention
The invention provides a real-time internal and external network data exchange system based on unidirectional optical splitting. Unlike a traditional service platform with a single internal/external network access path, the uplink and downlink tunnel services of the internet connection are separated during data transmission; on the internal network side the internet connection is physically isolated by a unidirectional optical splitter, so that correlation detection and analysis of uplink and downlink data on a single circuit is prevented. Random ports are used for the internet connection, so that conventional transaction analysis based on the four-tuple (source address/destination address, source port/destination port) cannot track a transaction; link state tracking is thereby prevented and the connection is stateless.
The technical scheme of the invention is as follows:
The real-time internal and external network data exchange system based on unidirectional optical splitting and stateless end-to-end connection comprises:
1. A request connection module, used to request a logical connection from a user side to a destination service. The user side is any networked device protected by the system's equipment that needs to access a remote local area network service through the Internet; it is the user of the system and its equipment, and the system is transparent to it.
2. A client node module, which comprises four sub-modules: an encryption and decryption module, an uplink and downlink data separation module, a unidirectional optical splitting module and an internet connection module.
The encryption and decryption module sends all of a user's transaction requests to the encryption and decryption service through the redirection service, encrypts them (the encryption algorithm is optional) and sends the encrypted data to the stateless tunnel service. The stateless tunnel service in the client node module's encryption and decryption module simultaneously initiates an uplink tunnel connection request and a downlink tunnel receive request, and holds that state until data is received or a timeout occurs.
The uplink and downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service and is provided with a trap server; it is mainly used to transmit the encrypted user request and to receive response data from the service end node module. Both the sending end and the receiving end of the module pass through the unidirectional optical splitter in the unidirectional optical splitting and isolation module. The splitter copies the data originally addressed to the trap server, and the copy undergoes the actual data processing; the actual processing is thus isolated from the internet, which secures the data processing. A unidirectional optical splitter of the isolation module is used at the sending end and at the receiving end of the uplink and downlink data separation module respectively.
At the sending end, the data is copied by the unidirectional optical splitter; one copy reaches the uplink trap server of the client node module, which sends it through the WAN1 port to the uplink tunnel service of the service end node module; the other copy reaches the redirection service, serves to maintain the physical connection signal of the link, and is then discarded.
At the receiving end, the splitter copies the data; one part reaches the downlink trap server and is used to maintain the internet connection, and the other part reaches the stateless tunnel service and is sent to the encryption and decryption module for further processing.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet and provides the client node module's internet communication.
3. A service end node module, which likewise comprises four sub-modules: an internet connection module, a unidirectional optical splitting and isolation module, an uplink and downlink data separation module and an encryption and decryption module.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet and provides the client node module's internet communication.
The uplink and downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service, each of which has an intranet port and an extranet port. The intranet port passes through the unidirectional optical splitter in the isolation module: at the receiving end, the uplink tunnel service copies the received data through the splitter; the original is sent to the receive port of the uplink trap server within the service end node module's uplink tunnel service, where the uplink trap server processes it, and the copy is sent to the encryption and decryption module for further processing. The unidirectional optical splitter splits the encrypted data, so the actual processing of the data is isolated behind the splitter and the uplink and downlink data carried by the network are completely separated. The trap server arranged at the unidirectional optical splitter (the uplink tunnel service uses an addressed uplink trap server to handle its data) has a static internet address and is specifically intended to absorb unidentified traffic. Unidentified traffic is diverted to the tunnel service; tunnel information is sent to the encryption and decryption module and then on to the intranet target service system. To protect the intranet from attack, unauthenticated internet connection transactions are isolated in the DMZ zone, i.e. the two routers of the network can be directly connected. Encryption of the tunnel transmission is realized by negotiating the transmitted key when the transaction starts, and each transaction uses a different key.
The encryption and decryption module comprises a data processing board and a key authentication control board and encrypts and decrypts data so that the user can ultimately access the target service system in the internal network. The data processing board and the key authentication control board work as follows:
The uplink tunnel service passes the encrypted user transaction request data flow through the optical splitter to the data processing board, which passes it to the key authentication control board for encryption and decryption. The data processing board is directly connected to an information socket in the intranet cabling system, i.e. a communication outlet connector. Data to be sent back is passed by the data processing board to the key authentication control board and then through the uplink and downlink data separation module, where the optical splitter copies the flow; the copy is finally sent to the client node module and the key authentication control board discards its flow. The encryption/decryption circuit and the splitter's tap circuit are not coupled to each other.
4. The user accesses the target service system module in the internal network, which establishes the logical connection between the user's initial request and the target service system.
The encryption and decryption module in the client node module further sends the encrypted data to the stateless tunnel service, which initiates an uplink tunnel connection request and a downlink tunnel receive request respectively and holds that state until data is received or a timeout occurs. The IP address used by the client node module can be a dynamic IP address, a static address or any other internet access mode, and a trap server is provided to absorb illegal attacks. None of the service node module's internet nodes is configured with any port, and none of the service node devices exposes a port externally; all transport layer protocols are converted to UDP for transmission. The UDP port number used after conversion is not used to identify a transaction connection but only to pass through gateways and firewalls; the port is indeterminate and is maintained statelessly for each transaction connection.
Each module in the system works independently; the modules are not coupled to one another.
Compared with the prior art, the invention has the following advantages:
The invention proposes a real-time internal and external network data exchange system and device with stateless end-to-end connections based on uplink/downlink separation by unidirectional optical splitting. By distinguishing the uplink and downlink tunnel services, no internet node has any fixed port configuration; the splitter taps the data flow and the actual processing of the data happens on the tapped copy; trap devices absorb all internet-borne attacks and protect the internal network, which is not affected by ARP attacks, DNS spoofing and the like. In addition, unauthenticated internet connection transactions are isolated in the DMZ (directly connected network routers), so that many security problems of VPN access to the intranet are solved and the security of real-time data transmission and exchange between the intranet and extranet is improved.
Drawings
FIG. 1 is a schematic flow chart of the operation of the system of the present invention;
FIG. 2 is an internal block diagram of a client node module;
FIG. 3 is a timing diagram illustrating the operation of the encryption/decryption module;
FIG. 4 is a flow chart of the client node module uplink tunnel service processing and transmitting the encrypted user request;
FIG. 5 is a flow block diagram of a client node module downstream tunnel service receiving data from a server node module;
FIG. 6 is an internal block diagram of a service end node module;
FIG. 7 shows the working process of the data processing board and the key authentication control board of the encryption and decryption module in the service end node module.
Detailed Description
The technical content of the invention is further explained with reference to the drawings:
The main flow of the operation of the system and device of the invention is shown in FIG. 1; the steps mainly comprise:
Step 11: user request connection module. The user sends a connection request to the target service system.
The target service system is a computer system containing the service that the user requests to access; it is in an internal network that cannot be accessed directly through the Internet. The user request is an access request sent by the user to the target service system whose purpose is to access a specific resource on it; the content of the request comprises predefined signaling such as the target service system's network address, port and specific instructions.
Step 12: client node module. Its internal structure is shown in FIG. 2; it comprises four sub-modules: an encryption and decryption module, an uplink and downlink data separation module, a unidirectional optical splitting module and an internet connection module.
Step 12-1: encryption and decryption module. It comprises a redirection service 31, an encryption and decryption service 32 and a stateless tunnel service 33; the sequence diagram of its working process is shown in FIG. 3. The redirection service 31 receives the user's request to access the destination service system, and the encryption/decryption service 32 encrypts the request (the encryption algorithm is optional); the encrypted data is then sent to the stateless tunnel service 33, which sends it to the client node device's uplink tunnel service. When receiving, the stateless tunnel service 33 receives data from the downlink tunnel service in the uplink and downlink data separation module, sends it to the encryption and decryption service 32 for decryption, and then returns it to the user through the redirection service 31.
The redirection service 31 is a service built into the encryption and decryption module; it receives data and forwards it to a specific entity, thereby realizing data exchange.
The encryption and decryption service 32 is the data encryption and decryption function provided by the encryption and decryption module; the keys it uses are transmitted through protocol negotiation when a transaction starts, and each transaction uses a different key.
The stateless tunnel service 33 is the communication service used by the encryption and decryption module. By way of the redirection service 31, it encapsulates data from the encryption and decryption service 32 at the transport layer using UDP, addressed to the internet address of the service node module's uplink router; it initiates a request to receive a connection tunnel, sends the request to the uplink tunnel service of the uplink and downlink data separation module, waits for received data or a timeout, and receives UDP packet data from the downlink tunnel service of the uplink and downlink data separation module.
The UDP packet is the transport-layer protocol packet after conversion; it is used for compatibility with current internet protocols and to pass through gateways and firewalls. The port number it carries is not used to identify the original user transaction connection, and it may differ or stay the same, as needed, for each new user request transaction connection.
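To make the stateless tunnel of this step and of the disclosure (port numbers never identify a transaction; a per-transaction key; trap server in front, real processing on the splitter's copy) concrete, here is an added in-memory simulation that is not the patent's own code. The datagram layout (in-band transaction id, nonce, ciphertext, HMAC tag), the SHA-256 counter-mode stand-in cipher and the ephemeral port range are assumptions; the patent leaves the cipher unspecified.

```python
"""In-memory model of the stateless, uplink/downlink-separated UDP tunnel.

Added illustration, not code from the patent. Layout and cipher are assumed:
datagram = txn_id (16) | nonce (8) | ciphertext | HMAC-SHA256 tag (32).
"""
import hashlib
import hmac
import os
import random

TXN_ID_LEN, NONCE_LEN, TAG_LEN = 16, 8, 32


def random_port() -> int:
    """Fresh ephemeral port per datagram; it only serves to traverse NAT/firewalls."""
    return random.randint(1024, 65535)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (assumed, illustrative only)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(txn_id: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Build one tunnel datagram; the transaction id travels in band, not in the 4-tuple."""
    nonce = os.urandom(NONCE_LEN)
    body = txn_id + nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_datagram(datagram: bytes, keys: dict):
    """Return (txn_id, plaintext) or None; sender address and port are never consulted."""
    if len(datagram) < TXN_ID_LEN + NONCE_LEN + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    txn_id = body[:TXN_ID_LEN]
    key = keys.get(txn_id)
    if key is None:
        return None  # unknown transaction: such traffic stays with the trap server
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # forged or corrupted datagram
    nonce = body[TXN_ID_LEN:TXN_ID_LEN + NONCE_LEN]
    ct = body[TXN_ID_LEN + NONCE_LEN:]
    return txn_id, _xor(ct, _keystream(key, nonce, len(ct)))


class TrapServer:
    """Addressable decoy: absorbs every datagram, keeps the link alive, never decrypts."""

    def __init__(self):
        self.seen = []  # (four_tuple, length) of everything that hit the public address

    def absorb(self, four_tuple: tuple, datagram: bytes) -> None:
        self.seen.append((four_tuple, len(datagram)))


def splitter_copy(four_tuple: tuple, datagram: bytes, trap: TrapServer) -> bytes:
    """Model the unidirectional splitter: the original goes to the trap, a copy is
    returned for real processing. There is no path by which the processing side
    could push anything back towards the internet-facing side."""
    trap.absorb(four_tuple, datagram)
    return bytes(datagram)


def run_transaction(request: bytes, response: bytes, server_keys: dict, trap: TrapServer) -> dict:
    """One request/response over two unrelated random 4-tuples sharing only txn_id + key."""
    txn_id = os.urandom(TXN_ID_LEN)
    key = os.urandom(32)  # assumed negotiated at transaction start; fresh per transaction
    client_keys = {txn_id: key}
    server_keys[txn_id] = key
    # Uplink: client -> server uplink tunnel service, fresh random ports at both ends.
    up_tuple = ("client", random_port(), "server-wan1", random_port())
    got = open_datagram(splitter_copy(up_tuple, seal(txn_id, key, request), trap), server_keys)
    server_got = got[1] if got else None
    # Downlink: server downlink tunnel service -> client, an independent 4-tuple.
    down_tuple = ("server-wan2", random_port(), "client", random_port())
    got = open_datagram(splitter_copy(down_tuple, seal(txn_id, key, response), trap), client_keys)
    client_got = got[1] if got else None
    del server_keys[txn_id]  # nothing survives the transaction: stateless end-to-end
    return {"txn_id": txn_id, "uplink_tuple": up_tuple, "downlink_tuple": down_tuple,
            "server_got": server_got, "client_got": client_got}


if __name__ == "__main__":
    t = TrapServer()
    r = run_transaction(b"GET /intranet/report", b"200 OK", {}, t)
    print(r["server_got"], r["client_got"], len(t.seen))
```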
Step 12-2: uplink and downlink data separation module. It comprises an uplink tunnel service and a downlink tunnel service.
The flow by which the uplink tunnel service processes and transmits the encrypted user request is shown in FIG. 4; at this point the client node module is in any local area network connected to the internet. The stateless tunnel service in the encryption and decryption module sends data to the redirection service; as the data passes over the optical fibre it is copied by the splitter in the unidirectional optical isolation module. One copy reaches the uplink trap server of the client node module, which sends it through the WAN1 port to the uplink tunnel service of the service end node module; the other reaches the redirection service and is discarded.
The flow by which the downlink tunnel service receives data from the service end node module is shown in FIG. 5. The WAN2 port of the client node module's internet connection module receives data from the Internet, including data transmitted by the service end node module; the data is sent to the client node module's downlink trap server, and on the way the unidirectional optical isolation module copies it. The original reaches the downlink trap server and is used for handling internet data; the copy reaches the stateless tunnel service and is sent to the encryption and decryption module for further processing.
Step 12-3: unidirectional optical splitting and isolation module. It comprises a unidirectional optical splitter, which copies the data originally sent to the downlink trap server at the WAN1 port and sends the copy through the uplink and downlink data separation module to the encryption and decryption module for the actual data processing; or, without establishing a link connection, copies the data originally sent by the stateless tunnel service of the encryption and decryption module to that module's redirection service, passes the copy to the uplink tunnel service of the uplink and downlink data separation module, and finally sends it to the service end node module. The module isolates the actual data processing from the Internet to secure the data processing.
Step 12-4: internet connection module. It comprises a WAN1 port and a WAN2 port; the WAN1 port has a dynamic internet address or an internal local area network address and is used for receiving data from the service end node module; the WAN2 port has a dynamic internet address or an internal local area network address and is used for sending data to the service end node module.
Step 13: service end node module. Its internal structure is shown in FIG. 6; it comprises four sub-modules: an internet connection module, a unidirectional optical splitting and isolation module, an uplink and downlink data separation module and an encryption and decryption module.
Step 13-1: internet connection module. It comprises a WAN1 port and a WAN2 port; the WAN1 port has a static internet address and is used for receiving data from the service end node module; the WAN2 port has a static internet address and is used for sending data to the service end node module.
Step 13-2: unidirectional optical splitting and isolation module. It comprises a unidirectional optical splitter, which copies the data originally sent to the uplink trap server at the WAN1 port and sends the copy through the uplink and downlink data separation module to the encryption and decryption module for the actual data processing; or, without establishing a logical link, copies the data originally sent by the encryption and decryption module's data processing board to its key authentication control board, passes the copy to the downlink tunnel service of the uplink and downlink data separation module, and finally sends it to the client node module. The module isolates the actual data processing from the Internet to secure the data processing.
Step 13-3: uplink and downlink data separation module. It comprises an uplink tunnel service and a downlink tunnel service.
The flow by which the uplink tunnel service and the downlink tunnel service process and transmit data is essentially the same as for the uplink and downlink data separation module of the client node module.
Step 13-4: encryption and decryption module. It comprises a data processing board and a key authentication control board and encrypts and decrypts data so that the user can ultimately access the target service system in the internal network.
The working process of the data processing board and the key authentication control board is shown in FIG. 7. The uplink tunnel service of the service end node module passes the encrypted user transaction request data flow through the optical splitter to the data processing board, which passes it to the key authentication control board for encryption and decryption. The data processing board is directly connected to an information socket in the intranet cabling system, i.e. a communication outlet connector. Data to be sent back is passed by the data processing board to the key authentication control board and then through the uplink and downlink data separation module, where the optical splitter copies the flow; the copy is finally sent to the client node module and the key authentication control board discards its flow. The encryption/decryption circuit and the splitter's tap circuit are not coupled to each other.
Step 14: access to the target service system in the internal network. Data processed by the service end node module reaches the target service system through the intranet, and data processed by the target service system is likewise sent back to the service end node module through the intranet.
It can be seen from the above embodiments that the stateless end-to-end connected real-time internal and external network data exchange system and device based on uplink/downlink separation by unidirectional optical splitting can hide the internal network by means of the splitter's unidirectional splitting characteristic and the trap service, defend against attacks by isolating unauthenticated data in the trap server, exchange data securely between the user and the target service system, and separate the uplink and downlink data paths during the exchange, which further improves data security and better prevents hijacking and intrusion techniques such as man-in-the-middle attacks. The device also provides real-time service capability for all TCP/UDP services while ensuring access security.

Claims (10)

1. A real-time internal and external network data exchange system based on a stateless end-to-end connection with unidirectional light splitting, characterized by comprising:
a request connection module, used for requesting a logical connection from a user side to a target service, wherein the user side is any networked device protected by the system that needs to access a remote local area network service through the Internet, and the system is transparent to the user side;
a client node module, comprising an encryption and decryption module, an uplink and downlink data separation module, a one-way light splitting module and an internet connection module; the encryption and decryption module is used for redirecting all transaction requests of the user to the encryption and decryption service and sending them to the service end node module through the stateless tunnel service; the uplink and downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service, is provided with a trap server, transmits the encrypted user request and receives response data from the service end node module; the sending end and the receiving end of the uplink and downlink data separation module pass through a one-way optical splitter in the one-way light splitting and isolating module, and the one-way optical splitter copies the data originally sent to the trap server for actual data processing and isolates that actual data processing from the internet; the internet connection module is used for providing internet communication for the client node module;
a service end node module, comprising an internet connection module, an encryption and decryption module, an uplink and downlink data separation module and a one-way light splitting module identical to those of the client; the internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet and is used for providing internet communication for the client node module;
a target service system access module, through which the user accesses a target service system in the internal network, used for establishing the logical connection between the user's initial request and the target service system; the target service system is a computer system hosting the service the user requests to access, and it resides in an internal network that cannot be accessed directly through the internet.
2. The system of claim 1, wherein the modules in the system operate independently and are not coupled to each other.
3. The system of claim 1, wherein the encryption and decryption module of the client sends all transaction requests of a user to the encryption and decryption service through the redirection service, encrypts the transaction requests and sends the encrypted data to the stateless tunnel service; the stateless tunnel service simultaneously and separately initiates an uplink tunnel connection request and a downlink tunnel receiving request, and maintains the state of the received data or a timeout.
4. The system of claim 3, wherein the stateless tunnel service encapsulates the data from the encryption and decryption service at the transport layer using the UDP protocol, according to the Internet address of the upstream router of the service end node module obtained via the redirection service, initiates a receive-connection tunnel request, sends to the uplink tunnel service of the client end node module, maintains the received data or a timeout, and receives UDP packet data from the downlink tunnel service of the client end node module; the UDP packet is a converted transport layer protocol packet, used for compatibility with the current internet protocol and for traversing gateways and firewalls; the port number it carries is not used to identify the original user transaction connection, and the port number may be different or the same, as needed, for each new user request transaction connection.
5. The system of claim 1, wherein the unidirectional light splitting and isolating module comprises a unidirectional optical splitter, and the unidirectional optical splitter copies the data originally sent to the trap server for actual data processing and isolates that actual data processing from the internet, ensuring the safety of the data processing process; in the unidirectional optical splitter isolation module of the client node module, at the transmitting end the unidirectional optical splitter copies the data, the copied data reaches the uplink trap server of the client node module, and the uplink trap server transmits the data to the uplink tunnel service of the service end node module through the WAN1 port without establishing a link connection; the other part is discarded after reaching the redirection service and serves to maintain the physical connection signal of the link; at the receiving end, the one-way optical splitter copies the data, one copy reaches the downlink trap server and is used to maintain the internet connection, and the other reaches the stateless tunnel service and is sent to the encryption and decryption module for further processing; in the unidirectional optical splitter isolation module of the service end node module, at the receiving end the uplink tunnel service copies the received data through an optical splitter, the original data is sent to the receiving port of the uplink trap server in the uplink tunnel service of the service end node module, where the uplink trap server processes it, and the copied data is sent to the encryption and decryption module for further processing; at the sending end, the downlink trap server receives backflow data or internet data processed by the encryption and decryption module: if it is backflow data, the downlink trap server sends the data directly to the client node module, and if it is internet data, the downlink trap server processes the data and sends it back to the internet along the source path;
the IP address used by the client node module is a dynamic IP address, a static address, or any other Internet access mode; the service end node module is provided with a static internet address; the system also provides real-time service capability for all TCP/UDP services while ensuring access security.
6. The system of claim 5, wherein the actual data processing is isolated behind the unidirectional splitter, and the uplink and downlink data transmitted over the network are completely separated, thereby preventing correlation detection and analysis of uplink and downlink data on the line.
7. The system of claim 1, wherein the uplink and downlink data separation module comprises an uplink tunnel service and a downlink tunnel service; the uplink tunnel service comprises an uplink trap server, the downlink tunnel service comprises a downlink trap server, an inner network port and an outer network port are assigned respectively in the downlink tunnel service, tunnel transmission is encrypted, the encryption of the tunnel transmission is achieved by negotiating the transmitted key when a transaction starts, and each transaction uses a different key; the uplink tunnel service is provided with a one-way optical splitter, which performs the branching of the uplink tunnel service; no internet node of the service node module is configured with any port, no service node device exposes any port externally, all transport layer protocols are converted to UDP for transmission, the port number of the converted UDP transmission is not used to identify the transaction connection and serves only to traverse gateways and firewalls, and the port is not fixed and is maintained statelessly for each transaction connection.
8. The system according to claim 5 or 7, characterized in that the uplink trap server of the service end node module is provided with a static internet address for blocking unidentified traffic, wherein the unidentified traffic is transferred to the service end by the tunnel service, and the information in the tunnel is sent to the service end encryption and decryption module and then to the intranet destination service system; in order to protect the intranet from attacks, unrecognized internet connection transactions are isolated in the DMZ zone, i.e. the two routers of the network can be directly connected.
9. The system of claim 1, wherein the encryption and decryption module comprises a data processing board and a key authentication control board, used for encrypting and decrypting the data so that the user can finally access the target service system in the internal network; the working process of the data processing board and the key authentication control board comprises the following steps: the uplink tunnel service passes the encrypted user transaction request data flow through a one-way optical splitter to the data processing board, which forwards it to the key authentication control board for encryption and decryption; the data processing board is directly connected to an information socket in the intranet cabling system, i.e. a communication outlet connector; the data processing board returns the data to be transmitted to the key authentication control board, one copy of the flow is taken through the uplink and downlink data separation module and then finally sent to the client node module through the one-way optical splitter, and the flow is discarded by the key authentication control board; the encryption and decryption circuit and the splitter branching circuit are independent of each other.
10. The system of claim 1, wherein a random port is used for the internet connection, so that transaction analysis based on the traditional four-tuple (source address/destination address, source port/destination port) cannot track the transaction, thereby preventing state tracking of the link and realizing a stateless connection.
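Claims 3, 4, 7 and 10 together describe the receiving side of the stateless tunnel: transactions are carried over UDP, the port number is not the connection identifier and may change per datagram, each transaction has its own negotiated key, and the receiver keeps only per-transaction state that is dropped on timeout. The Python below is an added example written for this page, not code from the patent or its assignee; it assumes a hypothetical datagram layout (16-byte transaction id, 32-bit sequence number, body, truncated HMAC-SHA256 tag), hypothetical names (`encapsulate`, `StatelessTunnelReceiver`, `demo`), and constructed addresses and keys. It shows datagrams from three different source ports being joined into one transaction, a datagram under the wrong key being diverted to the trap instead of the intranet, and idle transaction state expiring.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

TAG_LEN = 16                      # truncated HMAC-SHA256 tag appended to every datagram
HDR = struct.Struct("!16sI")      # transaction id (16 bytes) | sequence number (uint32)


def encapsulate(txn_id: bytes, seq: int, body: bytes, txn_key: bytes) -> bytes:
    """Client side: build one UDP payload. The transaction is identified by txn_id
    inside the payload, never by the UDP source port (hypothetical layout)."""
    header = HDR.pack(txn_id, seq)
    tag = hmac.new(txn_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


class Transaction:
    def __init__(self, key: bytes, now: float) -> None:
        self.key = key            # per-transaction key negotiated at transaction start (claim 7)
        self.last_seen = now
        self.next_seq = 0
        self.chunks: List[bytes] = []


class StatelessTunnelReceiver:
    """Service-end uplink tunnel: state is kept per transaction id with a timeout,
    not per four-tuple, so a changing source port does not break the transaction."""

    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        self.txns: Dict[bytes, Transaction] = {}
        self.trapped: List[Tuple[Tuple[str, int], bytes]] = []   # handed to the uplink trap server

    def register(self, txn_id: bytes, key: bytes, now: float) -> None:
        """Stands in for the key negotiation at transaction start."""
        self.txns[txn_id] = Transaction(key, now)

    def expire(self, now: float) -> int:
        """Drop transactions idle longer than the timeout; returns how many were dropped."""
        stale = [t for t, tx in self.txns.items() if now - tx.last_seen > self.timeout]
        for t in stale:
            del self.txns[t]
        return len(stale)

    def receive(self, datagram: bytes, src_addr: Tuple[str, int], now: float) -> Optional[bytes]:
        # src_addr is recorded for the trap only; it is deliberately not a lookup key.
        if len(datagram) < HDR.size + TAG_LEN:
            self.trapped.append((src_addr, datagram))
            return None
        header, body, tag = datagram[:HDR.size], datagram[HDR.size:-TAG_LEN], datagram[-TAG_LEN:]
        txn_id, seq = HDR.unpack(header)
        tx = self.txns.get(txn_id)
        if tx is None:
            self.trapped.append((src_addr, datagram))      # unknown or expired transaction
            return None
        expected = hmac.new(tx.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag) or seq != tx.next_seq:
            self.trapped.append((src_addr, datagram))      # wrong key, replay or out of order
            return None
        tx.next_seq = seq + 1
        tx.last_seen = now
        tx.chunks.append(body)
        return body


def demo() -> dict:
    """Constructed walk-through with placeholder ids, keys and addresses."""
    rx = StatelessTunnelReceiver(timeout=30.0)
    txn_id = b"\x11" * 16
    txn_key = b"\x42" * 32                     # placeholder for the negotiated per-transaction key
    rx.register(txn_id, txn_key, now=0.0)
    delivered = []
    chunks = [(40001, b"GET "), (51234, b"/balance "), (33007, b"HTTP/1.1")]
    for seq, (port, chunk) in enumerate(chunks):       # same transaction, three source ports
        dgram = encapsulate(txn_id, seq, chunk, txn_key)
        delivered.append(rx.receive(dgram, ("203.0.113.9", port), now=1.0 + seq))
    unauth = encapsulate(txn_id, 3, b"unauthenticated", b"not the negotiated key")
    rx.receive(unauth, ("198.51.100.7", 40001), now=5.0)   # diverted to the trap
    expired = rx.expire(now=100.0)                          # idle state is dropped
    return {"reassembled": b"".join(delivered), "trapped": len(rx.trapped), "expired": expired}
```

`demo()` returns the reassembled request body `b"GET /balance HTTP/1.1"`, one trapped datagram and one expired transaction. A practitioner reviewing such a design would look at exactly the points the code makes explicit: the four-tuple is ignored for lookup, authentication is checked before any state is touched, and idle state has a bounded lifetime.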
Priority Applications (1)

Application Number Publication Priority Date Filing Date Title Status
CN201710558284.XA CN109245982B (en) 2017-07-10 2017-07-10 Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection Active

Publications (2)

Publication Number Publication Date
CN109245982A CN109245982A (en) 2019-01-18
CN109245982B true CN109245982B (en) 2020-11-24

Family

ID=65083097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710558284.XA Active CN109245982B (en) 2017-07-10 2017-07-10 Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection

Country Status (1)

Country Link
CN (1) CN109245982B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220909
Address after: No. 4-2, Unit 2, Building 1, No. 22, Chongwen Road, Huangjueya Town, Nan'an District, Chongqing 400065
Patentee after: Chongqing Lingdie Technology Co.,Ltd.
Address before: 400065 Chongqing Nan'an District huangjuezhen pass Chongwen Road No. 2
Patentee before: Chongqing University of Posts and Telecommunications
TR01 Transfer of patent right
Effective date of registration: 20230613
Address after: No. B2-2-6, B2-2-7, No. 5, Middle Mount Huangshan Avenue, High tech Park, New North Zone, Yubei District, Chongqing 401121
Patentee after: Chongqing Zhizai Technology Co.,Ltd.
Address before: No. 4-2, Unit 2, Building 1, No. 22, Chongwen Road, Huangjueya Town, Nan'an District, Chongqing 400065
Patentee before: Chongqing Lingdie Technology Co.,Ltd.