CN109246065A - Network Isolation method and apparatus and electronic equipment - Google Patents


Info

Publication number
CN109246065A
Authority
CN
China
Prior art keywords
packet
data packet
recipient
isolation
application
Prior art date
Legal status
Pending
Application number
CN201710560613.4A
Other languages
Chinese (zh)
Inventor
姜继忠
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201710560613.4A
Publication of CN109246065A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL


Abstract

Embodiments of the invention provide a network isolation method and apparatus and an electronic device. The method comprises: obtaining a data packet to be sent; setting isolation parameters for the data packet; and sending the data packet carrying the isolation parameters to the recipient application. For applications deployed on machines, embodiments of the invention set isolation parameters on the data packets an application issues, so that the receiving end can judge from the isolation parameters whether the recipient application is allowed to communicate, thereby achieving secure network isolation.

Description

Network Isolation method and apparatus and electronic equipment
Technical field
The present invention relates to the field of computer technology, and in particular to a network isolation method and apparatus and an electronic device.
Background technique
In container scenarios, applications and machines are deployed in a many-to-many fashion: a single machine may host multiple applications, and a single application may be deployed on multiple machines. To guarantee network security, certain applications must not be allowed to communicate with each other; that is, specific applications need to be isolated.
Traditional isolation schemes fall into the following categories:
1. Authentication with an application-layer protocol. Access rights are configured for the applications at the application layer, and applications that are allowed to communicate do so after passing authentication.
2. Virtual Local Area Network (hereinafter: VLAN) technology at the network layer. Multiple virtual subnets are divided at the network layer; applications allowed to communicate are deployed in the same subnet, and applications not allowed to communicate are deployed in different subnets, thereby achieving network isolation.
While implementing the present invention, the inventor found at least the following problems in the prior art. The isolation scheme based on application-layer authentication requires the application to support authentication; if the application itself does not support authentication, or does not support the particular type of authentication, isolation cannot be achieved. The isolation scheme based on network-layer VLANs is limited by VLAN technology to at most 4096 subnets, which cannot satisfy the deployment of a larger number of applications; in addition, the Ethernet frames in VLAN technology are entirely in plaintext, so there is a risk of tampering.
Summary of the invention
Embodiments of the present invention provide a network isolation method and apparatus and an electronic device, to avoid the defects of the prior art and achieve secure and reliable network isolation.
To this end, an embodiment of the invention provides a network isolation method comprising: obtaining a data packet to be sent; setting isolation parameters for the data packet; and sending the data packet carrying the isolation parameters to the recipient application.
An embodiment of the invention also provides a network isolation method comprising: receiving a data packet carrying isolation parameters; performing a matching operation on the data packet with respect to the isolation parameters; and, when the isolation parameters match the recipient application, sending the data packet to the recipient application.
An embodiment of the invention also provides a data sending apparatus comprising: an obtaining module for obtaining a data packet to be sent; a setup module for setting isolation parameters for the data packet; and a sending module for sending the data packet carrying the isolation parameters to the recipient application.
An embodiment of the invention also provides a data receiving apparatus comprising: a receiving module for receiving a data packet carrying isolation parameters; a matching module for performing a matching operation on the data packet with respect to the isolation parameters; and an execution module for sending the data packet to the recipient application when the isolation parameters match the recipient application.
An embodiment of the invention also provides an electronic device comprising: a memory for storing a program; and a processor for running the program stored in the memory in order to: obtain a data packet to be sent; set isolation parameters for the data packet; and send the data packet carrying the isolation parameters to the recipient application.
An embodiment of the invention also provides an electronic device comprising: a memory for storing a program; and a processor for running the program stored in the memory in order to: receive a data packet carrying isolation parameters; perform a matching operation on the data packet with respect to the isolation parameters; and, when the isolation parameters match the recipient application, send the data packet to the recipient application.
With the network isolation method and apparatus and the electronic device provided by embodiments of the invention, for applications deployed on machines, isolation parameters are set on the data packets an application issues, so that the receiving end can judge from the isolation parameters whether the recipient application is allowed to communicate, thereby achieving secure network isolation.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention clearer and easier to understand, specific embodiments of the present invention are set forth below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered as limiting the application. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a principle schematic of the network isolation method provided by an embodiment of the invention;
Fig. 2 is a structural schematic diagram of the business system provided by an embodiment of the invention;
Fig. 3 is a flow chart of one embodiment of the network isolation method provided by the invention;
Fig. 4a is a flow chart of a specific embodiment of the network isolation method provided by the invention;
Fig. 4b is a schematic diagram of the data structure in an embodiment of the invention;
Fig. 5 is a flow chart of another embodiment of the network isolation method provided by the invention;
Fig. 6 is a flow chart of another specific embodiment of the network isolation method provided by the invention;
Fig. 7 is a structural schematic diagram of one embodiment of the data sending apparatus provided by the invention;
Fig. 8 is a structural schematic diagram of one embodiment of the data receiving apparatus provided by the invention;
Fig. 9 is a structural schematic diagram of one embodiment of the electronic device provided by the invention;
Fig. 10 is a structural schematic diagram of another embodiment of the electronic device provided by the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention may be understood more thoroughly and so that the scope of the disclosure may be fully conveyed to those skilled in the art.
In view of the drawbacks of the prior art, the present application provides a solution whose core principle is as follows. Isolation parameters are configured for each application deployed on a machine. When one application (the sender application) sends a data packet to another application (the recipient application), the configuration parameter is set on the data packet, and the configuration parameter determines whether the recipient application is allowed to communicate with the sender application. Specifically, when applications are deployed they can be grouped, and applications allowed to communicate are assigned the same group ID (identity); when data is sent, the corresponding group ID is set on the data packet (for example, the group ID can be added into the data packet and sent, or the data packet and the group ID can be sent together), so that the recipient's machine decides whether communication is allowed by comparing group IDs, thereby achieving secure network isolation. Alternatively, each application can be configured with an asymmetric key pair at deployment: the private key is kept by the application itself, and the public key is made available to the other applications allowed to communicate with it. When the sender application sends a data packet to the recipient application, the sender's machine encrypts a designated portion of the data packet with the recipient application's public key, and the recipient's machine decrypts that portion with the recipient application's private key; the decryption result shows whether the public key and private key match, that is, whether the communication is allowed. This approach can implement one-way communication between two applications: A can send data to B, while B cannot send data to A.
Fig. 1 is a principle schematic of the network isolation method provided by an embodiment of the invention. In this embodiment the two communicating parties may use the Transmission Control Protocol (hereinafter: TCP) and run a Linux system. As shown in Fig. 1, assume that applications A and C are deployed on machine 1, and applications B and C on machine 2. The user wants applications A and B to be able to communicate with each other, while application C can communicate with neither A nor B. The applications are therefore grouped: A and B are put into one group and assigned the group ID group=1000, and C is put into another group and assigned the group ID group=1001. When application A on machine 1 sends data to application B on machine 2, the sending module of machine 1 (Netfilter Module Sent) adds application A's group ID (group=1000) into the Option field of the TCP packet issued by application A, encapsulates it into an IP packet, and sends it to machine 2 through the Ethernet interface (EthX). When machine 2 receives the IP packet, its receiving module (Netfilter Module Sent) decapsulates the TCP packet, obtains the group ID (group=1000) added to it, then locates application B from the destination address of the TCP packet and compares the group ID in the TCP packet with application B's group ID. If they are consistent, communication is allowed (the data is delivered to application B); otherwise communication is not allowed (the data is discarded, or a message refusing communication is returned, etc.).
The method provided by embodiments of the invention can be applied to any business system in which multiple applications are deployed. Fig. 2 is a structural schematic diagram of the business system provided by an embodiment of the invention. As shown in Fig. 2, the business system consists of several machines; each machine hosts at least one application, and each application may be deployed on at least one machine. Normally a machine can both send and receive data, and an application can likewise both receive and send data, so in embodiments of the invention a machine can host sender applications and recipient applications at the same time and run both a sending module and a receiving module. The business system obtains data through external calls to its services; an external call may be any service capable of providing or generating data. Most often these are business accesses or service calls from other systems or clients, and such external calls are the main source of newly generated data. A machine hosting a sender application (referred to as the sending end; shown as machine 1 in Fig. 1) includes an obtaining module, a setup module and a sending module, and can execute the process flow shown in Fig. 3: when an application deployed on machine 1 (the sender application) sends data, machine 1 obtains the data packet issued by the sender application; it then sets on the data packet the isolation parameters corresponding to the sender application; finally, it sends the data packet carrying the isolation parameters to the recipient application. A machine hosting a recipient application (referred to as the receiving end; shown as machine 2 in Fig. 1) includes a receiving module, a matching module and an execution module, and can execute the process flow shown in Fig. 5: when machine 2 receives a data packet, it obtains the isolation parameters set for the data packet and performs a matching operation on the data with respect to the configuration parameter, to determine whether the recipient application is allowed to communicate with the sender application.
Embodiment one
Fig. 3 is a flow chart of one embodiment of the network isolation method provided by the invention; the method may be executed by the machine hosting the sender application described in the above embodiment. As shown in Fig. 3, the network isolation method includes the following steps:
S301: obtain a data packet to be sent.
S302: set isolation parameters for the data packet; the isolation parameters can be used to isolate applications that are not allowed to communicate.
In embodiments of the invention, the isolation parameters may be a group ID, which identifies a group of applications allowed to communicate; all applications in a group correspond to the same group ID. The sending end adds the group ID into the data packet (alternatively, the data packet and the group ID may be sent together). On receiving the data packet, the receiving end can compare group IDs to judge whether the two applications belong to the same group, that is, whether communication is allowed.
In addition, the isolation parameters in embodiments of the invention may also be the public key of the recipient application that receives the data packet; the public key is used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. When the sending end sets the public key on the data packet, one specific way is to encrypt a designated portion of the data packet with the recipient application's public key and then send the processed data packet to the receiving end. After receiving the data packet, the receiving end decrypts the designated portion of the received data packet with the recipient application's private key. If decryption succeeds, the public key is proven to match the recipient application. This approach can implement one-way communication between two applications: A can send data to B, while B cannot send data to A.
S303: send the data packet carrying the isolation parameters to the recipient application.
With the network isolation method provided by embodiments of the invention, for applications deployed on machines, isolation parameters are set on the data packets an application issues, so that the receiving end can judge from the isolation parameters whether the recipient application is allowed to communicate, thereby achieving secure network isolation.
Fig. 4a is a flow chart of a specific embodiment of the network isolation method provided by the invention. As shown in Fig. 4a, on the basis of the embodiment of Fig. 3, the network isolation method provided by this embodiment may specifically include the following steps:
S401: obtain the TCP packet issued by the sender application; the destination address of the TCP packet is the address of the recipient application.
S402: add a group ID into the TCP packet; the group ID identifies a group of applications allowed to communicate, and the applications in each group correspond to the same group ID.
In embodiments of the invention, when applications are deployed, the user can group them and assign the same group ID to applications allowed to communicate. When the sender application sends data to the recipient application, the machine hosting the sender application first obtains the TCP packet issued by the sender application and then adds the group ID into that TCP packet.
S403: encapsulate the TCP packet with the added group ID into an Internet Protocol (hereinafter: IP) packet and send it to the destination address.
On the other hand, to prevent the group ID from being tampered with in transit, before step S402 the machine hosting the sender application may encrypt the group ID to form an encrypted group ID and then add the encrypted group ID into the TCP packet; finally, the TCP packet carrying the encrypted group ID is encapsulated into an IP packet and sent to the destination address. When the machine hosting the recipient application receives the IP packet, it compares the group ID in the TCP packet (or the decrypted group ID) with the group ID corresponding to the recipient application to determine whether communication is allowed.
In embodiments of the invention, the group ID may be added into the TCP packet or into the IP packet. Fig. 4b is a schematic diagram of the data structure in an embodiment of the invention. As shown in Fig. 4b, the group ID can be added into the Option field of the TCP header of the TCP packet, and the TCP packet carrying the group ID is then encapsulated as the IP data of an IP packet and sent; alternatively, when the TCP packet is encapsulated as the IP data of an IP packet, the group ID can be added into the Option field of the IP packet and then sent.
The network isolation method provided by embodiments of the invention groups the applications deployed on machines, assigns the same group ID to applications allowed to communicate, and sets the corresponding group ID when data is sent, so that the receiving end can judge from the group ID whether communication is allowed, thereby achieving secure network isolation.
Embodiment two
Fig. 5 is a flow chart of another embodiment of the network isolation method provided by the invention; the method may be executed by the machine hosting the recipient application described in the above embodiment. As shown in Fig. 5, the network isolation method provided by this embodiment may include the following steps:
S501: receive a data packet carrying isolation parameters. The isolation parameters can be used to isolate applications that are not allowed to communicate.
S502: perform a matching operation on the data packet with respect to the isolation parameters.
In embodiments of the invention, the isolation parameters may be a group ID, which identifies a group of applications allowed to communicate; all applications in a group correspond to the same group ID. In that case step S502 may include: comparing whether the group ID set for the data packet is consistent with the group ID corresponding to the recipient application; and, when the group ID set for the data packet is consistent with the group ID corresponding to the recipient application, determining that the isolation parameters match the recipient application.
In addition, the isolation parameters in embodiments of the invention may be a public key, which is used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. After receiving the data packet, the receiving end decrypts the designated portion of the received data packet with the recipient application's private key; if decryption succeeds, the public key is proven to match the recipient application.
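As an added illustration (not code from the patent or from Alibaba), the following Python models the public-key form of the isolation parameter from steps S302 and S502 with textbook RSA on tiny primes, so that the whole exchange runs without any crypto library; it is a toy for showing the control flow, not a usable cipher. What counts as the "designated portion" is an assumption made for the demo (the low 16 bits of the TCP sequence number), as are the application names and which host holds which key. The receiving end decrypts with the recipient's private key and delivers only if the result matches the portion on the packet. This gives the one-way property the text describes (A, holding B's public key, reaches B; B, holding no key for A, is dropped by A's machine) and also rejects a replayed packet whose sequence number no longer matches the encrypted portion, which is the check a receiving module needs so that a captured isolation value cannot simply be reused.

```python
"""Toy model of the public-key isolation parameter: S302 (sending end) and S502/S503 (receiving end)."""
from dataclasses import dataclass
from math import gcd
from typing import Optional


def toy_keypair(p, q, e=65537):
    """Textbook RSA on tiny primes: no padding, demo only, not a usable cipher."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)


@dataclass
class Packet:
    sender: str
    recipient: str
    seq: int
    payload: bytes
    isolation: Optional[int] = None  # encrypted designated portion, set by the sending end


def designated_portion(pkt):
    """Assumed choice of the patent's 'designated portion': the low 16 bits of the sequence number."""
    return pkt.seq & 0xFFFF


def sending_end(pkt, public_keys):
    """S302: encrypt the designated portion with the recipient app's public key, if this host holds it."""
    pub = public_keys.get(pkt.recipient)
    if pub is None:
        return pkt  # no public key for that recipient: the packet leaves unmarked
    n, e = pub
    pkt.isolation = pow(designated_portion(pkt), e, n)
    return pkt


def receiving_end(pkt, private_keys):
    """S502/S503: decrypt with the recipient app's private key; deliver only if the result matches."""
    priv = private_keys.get(pkt.recipient)
    if pkt.isolation is None or priv is None:
        return "drop"
    n, d = priv
    if pow(pkt.isolation, d, n) != designated_portion(pkt):
        return "drop"  # decryption did not reproduce the portion: the public key did not match
    return "deliver"


def demo():
    """Constructed deployment: A holds B's public key, B holds no key, C was given A's key under B's name."""
    a_pub, a_priv = toy_keypair(1009, 1013)
    b_pub, b_priv = toy_keypair(1019, 1021)
    public_keys_on = {"A": {"B": b_pub}, "B": {}, "C": {"B": a_pub}}
    machine1_private = {"A": a_priv}  # machine 1 hosts A
    machine2_private = {"B": b_priv}  # machine 2 hosts B
    results = {}
    pkt = sending_end(Packet("A", "B", 0x12345678, b"hello"), public_keys_on["A"])
    results["A->B"] = receiving_end(pkt, machine2_private)
    pkt = sending_end(Packet("B", "A", 0x0BADF00D, b"hello"), public_keys_on["B"])
    results["B->A"] = receiving_end(pkt, machine1_private)  # one-way: B holds no key for A
    pkt = sending_end(Packet("C", "B", 0x9ABCDEF0, b"hello"), public_keys_on["C"])
    results["C->B wrong key"] = receiving_end(pkt, machine2_private)
    pkt = sending_end(Packet("A", "B", 0x12345678, b"hello"), public_keys_on["A"])
    pkt.seq = 0x12340000  # replayed on a different sequence number: the portion no longer matches
    results["A->B replayed"] = receiving_end(pkt, machine2_private)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:16s} {verdict}")
```

Running the module prints one verdict per flow. Two points a practitioner would check before building on this: textbook RSA over a 16-bit value is deterministic and trivially enumerable, so a real deployment needs randomised padding, and the decrypt-and-compare check only proves possession of the public key, which is why binding the encrypted portion to per-packet data (here the sequence number) is what stops replay.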
S503: when the isolation parameters match the recipient application, send the data packet to the recipient application.
With the network isolation method provided by embodiments of the invention, for applications deployed on machines, the receiving end obtains the isolation parameters set for a data packet after receiving it and judges from the isolation parameters whether the recipient application is allowed to communicate, thereby achieving secure network isolation.
Fig. 6 is a flow chart of another specific embodiment of the network isolation method provided by the invention. As shown in Fig. 6, on the basis of the embodiment of Fig. 5, the network isolation method provided by this embodiment may specifically include the following steps:
S601: decapsulate the received IP packet to obtain the TCP packet carrying a group ID; the group ID identifies a group of applications allowed to communicate, and the applications in each group correspond to the same group ID.
S602: compare whether the group ID set for the TCP packet is consistent with the group ID corresponding to the recipient application.
In embodiments of the invention, when the machine hosting the recipient application receives an IP packet, it first decapsulates it to obtain the TCP packet carrying the group ID; it then compares the group ID set for the TCP packet with the group ID corresponding to the recipient application.
S603: when the group ID set for the TCP packet is consistent with the group ID corresponding to the recipient application, send the TCP packet to the recipient application.
In embodiments of the invention, only when two applications are allowed to communicate are their group IDs consistent. Therefore, when the group ID set for the TCP packet is consistent with the group ID corresponding to the recipient application, the machine hosting the recipient application sends the TCP packet to the recipient application.
On the other hand, to prevent the group ID from being tampered with in transit, the sending end may encrypt the group ID. Accordingly, at the receiving end, if the decapsulated group ID is an encrypted group ID, the machine hosting the recipient application first decrypts it to form a decrypted group ID; it then compares the decrypted group ID with the group ID corresponding to the recipient application, and when they are consistent sends the TCP packet to the recipient application.
The network isolation method provided by embodiments of the invention groups the applications deployed on machines, assigns the same group ID to applications allowed to communicate, and sets the corresponding group ID when data is sent; the receiving end judges from the group ID whether communication is allowed, thereby achieving secure network isolation.
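As an added illustration (not code from the patent or from Alibaba), the following Python models the group-ID scheme of Fig. 1 and of steps S401-S403 and S601-S603: the sending module inserts the sender application's group ID as a TCP option, and the receiving module parses the option, looks up the application behind the destination port and compares group IDs. The option kind (253, one of the experimental TCP option kinds from RFC 4727), the port-to-application table, the shared key and the traffic are all constructed for the demo, and the TCP checksum is left at zero because the segment never goes on the wire. The patent's "encrypted group ID" is realised here with a keyed MAC (a truncated HMAC-SHA256 over the group ID and the packet's ports and sequence number) rather than with encryption, because a keyed tag is what lets the receiving end detect a group ID rewritten in transit; the demo shows the unprotected option being accepted after such a rewrite while the tagged one is dropped.

```python
"""Group ID as a TCP option: sending module (S401-S403) and receiving module (S601-S603)."""
import hashlib
import hmac
import struct

# Constructed values, not from the patent: 253 is an experimental TCP option kind (RFC 4727);
# the key is a placeholder shared by the isolation modules of the two machines.
GROUP_OPTION_KIND = 253
TAG_LEN = 8  # truncated HMAC-SHA256 tag that binds the group ID to the packet
SHARED_KEY = b"constructed-demo-key-not-for-production"
TCP_HDR = "!HHIIBBHHH"  # ports, seq, ack, data offset, flags, window, checksum, urgent


def build_segment(src_port, dst_port, seq, options, payload):
    """Minimal TCP segment with raw options; checksum left at zero (never put on the wire)."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with EOL bytes
    data_offset = 5 + len(options) // 4
    header = struct.pack(TCP_HDR, src_port, dst_port, seq, 0, data_offset << 4, 0x18, 65535, 0, 0)
    return header + options + payload


def parse_segment(segment):
    src_port, dst_port, seq, _ack, offset, _flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    header_len = (offset >> 4) * 4
    return src_port, dst_port, seq, segment[20:header_len], segment[header_len:]


def find_option(options, kind):
    """Walk the option list; return the data of the first option of `kind`, None if absent or malformed."""
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:  # EOL
            return None
        if k == 1:  # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None  # truncated: kind byte without a length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None  # malformed length: treat as absent rather than over-read
        if k == kind:
            return options[i + 2:i + length]
        i += length
    return None


def group_tag(group_id, src_port, dst_port, seq, key):
    msg = struct.pack("!IHHI", group_id, src_port, dst_port, seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def sending_module(segment, group_id, key=None):
    """S402/S403: insert the sender app's group ID as a TCP option; with a key, append a keyed tag."""
    src_port, dst_port, seq, options, payload = parse_segment(segment)
    data = struct.pack("!I", group_id)
    if key is not None:
        data += group_tag(group_id, src_port, dst_port, seq, key)
    option = bytes([GROUP_OPTION_KIND, 2 + len(data)]) + data
    return build_segment(src_port, dst_port, seq, options.rstrip(b"\x00") + option, payload)


def receiving_module(segment, apps_by_port, key=None):
    """S602/S603: compare the carried group ID with the group ID of the app on the destination port."""
    src_port, dst_port, seq, options, _payload = parse_segment(segment)
    data = find_option(options, GROUP_OPTION_KIND)
    if data is None or len(data) < 4:
        return "drop", "no group ID"
    group_id = struct.unpack("!I", data[:4])[0]
    if key is not None:
        expected = group_tag(group_id, src_port, dst_port, seq, key)
        if not hmac.compare_digest(data[4:], expected):
            return "drop", "group ID tag mismatch"
    app = apps_by_port.get(dst_port)
    if app is None:
        return "drop", "no application on port"
    name, app_group = app
    if group_id != app_group:
        return "drop", f"group {group_id} is not {name}'s group {app_group}"
    return "deliver", name


def rewrite_group_id(segment, new_group_id):
    """Constructed in-transit modification of the group ID bytes; any tag is left as it was."""
    at = segment.index(bytes([GROUP_OPTION_KIND]), 20) + 2
    return segment[:at] + struct.pack("!I", new_group_id) + segment[at + 4:]


def demo():
    """Fig. 1 layout: A and B share group 1000, C is in group 1001; B listens on port 8080 of machine 2."""
    machine2_apps = {8080: ("B", 1000)}
    from_a = build_segment(40000, 8080, 0x1000, b"", b"hello from A")
    from_c = build_segment(40001, 8080, 0x2000, b"", b"hello from C")
    return {
        "A->B": receiving_module(sending_module(from_a, 1000), machine2_apps),
        "C->B": receiving_module(sending_module(from_c, 1001), machine2_apps),
        "C->B rewritten, plain": receiving_module(
            rewrite_group_id(sending_module(from_c, 1001), 1000), machine2_apps),
        "C->B rewritten, tagged": receiving_module(
            rewrite_group_id(sending_module(from_c, 1001, SHARED_KEY), 1000), machine2_apps, SHARED_KEY),
        "A->B tagged": receiving_module(sending_module(from_a, 1000, SHARED_KEY), machine2_apps, SHARED_KEY),
    }
```

`demo()` returns a verdict per flow: A reaches B, C is dropped because 1001 is not B's group, and a C packet whose group ID is rewritten to 1000 on the path is delivered when the option is plain but dropped when the keyed tag is present. The option walker stops on a truncated or malformed length instead of reading past the buffer, which is the edge case a netfilter-style module must handle before trusting anything in the header.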
Embodiment three
Fig. 7 is a structural schematic diagram of one embodiment of the data sending apparatus provided by the invention, which can be used to execute the method steps shown in Fig. 3. As shown in Fig. 7, the data sending apparatus may include an obtaining module 71, a setup module 72 and a sending module 73.
The obtaining module 71 obtains the data packet to be sent; the setup module 72 sets isolation parameters for the data packet, the isolation parameters being used to isolate applications that are not allowed to communicate; the sending module 73 sends the data packet carrying the isolation parameters to the recipient application.
In embodiments of the invention, the isolation parameters may be a group ID, which identifies a group of applications allowed to communicate; all applications in a group correspond to the same group ID. When applications are deployed, the user can group them and assign the same group ID to applications allowed to communicate. When the sender application sends data to the recipient application, the obtaining module 71 first obtains the data packet issued by the sender application; the setup module 72 then adds the group ID into the data packet, and the sending module 73 sends the data packet carrying the group ID to the recipient application. Alternatively, the group ID is not added into the data packet, and the sending module 73 sends the data packet and the group ID together.
In addition, the isolation parameters in embodiments of the invention may also be the public key of the recipient application that receives the data packet; the public key is used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. The setup module 72 encrypts the designated portion of the data packet with that public key; for details see the description of step S302 in embodiment one, which is not repeated here.
On the other hand, to prevent the group ID from being tampered with in transit, the data sending apparatus may further include an encryption module (not shown) for encrypting the group ID. Before the setup module 72 sets the group ID on the TCP packet, the encryption module encrypts the group ID to form an encrypted group ID; the setup module 72 then sets the encrypted group ID on the TCP packet; finally, the sending module 73 encapsulates the TCP packet carrying the encrypted group ID into an IP packet (or encapsulates the TCP packet and the encrypted group ID together into an IP packet) and sends it to the destination address. When the machine hosting the recipient application receives the IP packet, it compares the group ID set for the TCP packet (or the decrypted group ID) with the group ID corresponding to the recipient application to determine whether communication is allowed. For example, when the encrypted group ID is added into the TCP packet, it can be placed in the Option field of the TCP packet; when the TCP packet and the encrypted group ID are encapsulated together into an IP packet, the encrypted group ID can be placed in the Option field of the IP packet.
With the data sending apparatus provided by embodiments of the invention, for applications deployed on machines, isolation parameters (e.g. a group ID or the recipient application's public key) are set on the data packets an application issues, so that the receiving end can judge from the isolation parameters whether the recipient application is allowed to communicate, thereby achieving secure network isolation.
Embodiment four
Fig. 8 is a structural schematic diagram of one embodiment of the data sink provided by the present invention, which can be used to execute the method steps shown in Fig. 5. As shown in Fig. 8, the data sink may include a receiving module 81, a matching module 82 and an execution module 83.
The receiving module 81 is used to receive a data packet on which isolation parameters are set, the isolation parameters being used to isolate applications that are not allowed to communicate; the matching module 82 is used to perform a matching operation on the data packet with respect to the isolation parameters; the execution module 83 is used to send the data packet to the recipient's application when the isolation parameters match the recipient's application.
In this embodiment of the present invention, the isolation parameter may be a packet ID, which is used to identify a grouping of applications that are allowed to communicate; all applications in one grouping correspond to the same packet ID. When the receiving module 81 receives a data packet, it first obtains the packet ID set for that packet; then the matching module 82 compares whether the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application. Only when two applications are allowed to communicate with each other will their corresponding packet IDs be consistent. Therefore, when the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application, it is determined that the isolation parameters match the recipient's application. At this point, the execution module 83 sends the data packet to the recipient's application.
In addition, the isolation parameter in this embodiment of the present invention may also be the public key of the recipient's application that receives the data packet; this public key is used together with the private key of the recipient's application to determine whether the recipient's application is allowed to communicate. The matching module 82 is used to perform a decryption operation on a specified portion of the received data packet with the private key of the recipient's application, so as to determine whether the isolation parameters match the recipient's application. For the matching operation that the matching module 82 performs on the isolation parameters, reference may be made to the detailed description of step S502 in Embodiment two, which is not repeated here.
On the other hand, in order to prevent the packet ID from being tampered with during transmission, the data sink may further include a decryption module (not shown). The decryption module can be used to perform a decryption operation on the packet ID set for the TCP data packet. Therefore, if the packet ID that the receiving module 81 decapsulates is an encrypted packet ID, the decryption module first needs to decrypt it to form a decrypted packet ID. Then, the matching module 82 compares whether the decrypted packet ID is consistent with the packet ID corresponding to the recipient's application; when the decrypted packet ID is consistent with the packet ID corresponding to the recipient's application, the execution module 83 sends the TCP data packet to the recipient's application.
With the data sink provided in this embodiment of the present invention, for an application deployed on a machine, the receiving end, after receiving a data packet, obtains the isolation parameters set for it and uses those isolation parameters to judge whether the recipient's application is allowed to communicate, thereby realizing secure network isolation.
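The following is an added illustration of the packet-ID matching described above (receiving module, matching module and execution module), written for this page and not taken from the patent: a sender sets a packet ID on a TCP-style payload, wraps it in an IP-style envelope, and the receiver decapsulates it, checks that the packet ID was not altered in transit, compares it with the packet ID of the recipient's application, and delivers or drops. The envelope framing, the application-to-grouping registry, the shared key and the HMAC tag are assumptions; the patent does not specify how the packet ID is carried or encrypted, so the tag stands in for its tamper protection.

```python
import hashlib
import hmac
import struct

# Constructed registry for this example: application name -> packet ID of
# its grouping.  All applications in one grouping share the same packet ID.
APP_GROUPS = {"orders-svc": 1001, "payments-svc": 1001, "analytics-svc": 2002}

TAG_LEN = 32  # HMAC-SHA256 digest length


def set_isolation_parameters(payload: bytes, packet_id: int, key: bytes) -> bytes:
    """Sender side (setup module): prefix the TCP-style payload with the
    packet ID and an HMAC tag over (packet ID, payload).  The tag is an
    assumption standing in for the patent's unspecified encryption of the
    packet ID; it lets the receiver detect a packet ID altered in transit."""
    pid = struct.pack("!I", packet_id)
    tag = hmac.new(key, pid + payload, hashlib.sha256).digest()
    return pid + tag + payload


def encapsulate(segment: bytes, src_app: str, dst_app: str) -> bytes:
    """Wrap the segment in a minimal IP-style envelope (constructed framing)."""
    header = f"{src_app}>{dst_app}".encode()
    return struct.pack("!H", len(header)) + header + segment


def decapsulate(packet: bytes):
    """Receiving module: strip the envelope and return (src, dst, segment)."""
    (hlen,) = struct.unpack("!H", packet[:2])
    src_app, dst_app = packet[2:2 + hlen].decode().split(">")
    return src_app, dst_app, packet[2 + hlen:]


def match_isolation_parameters(segment: bytes, recipient_app: str, key: bytes):
    """Matching module: returns (True, payload) only when the packet ID is
    intact and equals the packet ID of the recipient's application;
    otherwise (False, reason) and the packet is dropped."""
    if len(segment) < 4 + TAG_LEN:
        return False, "truncated segment"
    pid, tag, payload = segment[:4], segment[4:4 + TAG_LEN], segment[4 + TAG_LEN:]
    expected = hmac.new(key, pid + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "packet ID failed integrity check"
    if recipient_app not in APP_GROUPS:
        return False, "recipient application has no grouping"
    (packet_id,) = struct.unpack("!I", pid)
    if packet_id != APP_GROUPS[recipient_app]:
        return False, "packet ID mismatch: recipient not in sender's grouping"
    return True, payload


def send(payload: bytes, src_app: str, dst_app: str, key: bytes) -> bytes:
    """Data sending device: set isolation parameters, then encapsulate."""
    segment = set_isolation_parameters(payload, APP_GROUPS[src_app], key)
    return encapsulate(segment, src_app, dst_app)


def receive(packet: bytes, key: bytes):
    """Data sink: decapsulate, match, then deliver (True) or drop (False)."""
    _, dst_app, segment = decapsulate(packet)
    return match_isolation_parameters(segment, dst_app, key)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    # Same grouping (1001 == 1001): delivered.
    print(receive(send(b"GET /orders", "payments-svc", "orders-svc", key), key))
    # Different grouping (2002 != 1001): dropped with a reason.
    print(receive(send(b"GET /orders", "analytics-svc", "orders-svc", key), key))
```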
Embodiment five
The internal functions and structure of the data sending device have been described above; this device can be realized as an electronic equipment. Fig. 9 is a structural schematic diagram of one embodiment of the electronic equipment provided by the present invention. As shown in Fig. 9, the electronic equipment includes a memory 91 and a processor 92.
The memory 91 is used to store a program. In addition to the above program, the memory 91 may also be configured to store various other data to support operation on the electronic equipment. Examples of such data include the instructions of any application program or method operated on the electronic equipment, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 91 can be realized by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 92 is coupled with the memory 91 and executes the program stored in the memory 91 in order to:
obtain a data packet to be sent; set isolation parameters for the data packet, the isolation parameters being used to isolate applications that are not allowed to communicate; and send the data packet on which the isolation parameters are set to the recipient's application.
The above specific processing operations have been described in detail in the preceding embodiments and are not repeated here.
Further, as shown in Fig. 9, the electronic equipment may also include other components such as a communication component 93, a power supply module 94, an audio component 95 and a display 96. Only some components are schematically shown in Fig. 9, which does not mean that the electronic equipment includes only the components shown in Fig. 9.
The communication component 93 is configured to facilitate wired or wireless communication between the electronic equipment and other devices. The electronic equipment can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 93 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 93 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be realized based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply module 94 provides electric power for the various components of the electronic equipment. The power supply module 94 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing electric power for the electronic equipment.
The audio component 95 is configured to output and/or input audio signals. For example, the audio component 95 includes a microphone (MIC), which is configured to receive external audio signals when the electronic equipment is in an operation mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signals may be further stored in the memory 91 or sent via the communication component 93. In some embodiments, the audio component 95 further includes a loudspeaker for outputting audio signals.
The display 96 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensors can not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
Embodiment six
The internal functions and structure of the data sink have been described above; this device can be realized as an electronic equipment. Fig. 10 is a structural schematic diagram of another embodiment of the electronic equipment provided by the present invention. As shown in Fig. 10, the electronic equipment includes a memory 101 and a processor 102.
The memory 101 is used to store a program. In addition to the above program, the memory 101 may also be configured to store various other data to support operation on the electronic equipment. Examples of such data include the instructions of any application program or method operated on the electronic equipment, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 101 can be realized by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 102 is coupled with the memory 101 and executes the program stored in the memory 101 in order to:
receive a data packet on which isolation parameters are set, the isolation parameters being used to isolate applications that are not allowed to communicate; perform a matching operation on the data packet with respect to the isolation parameters; and, when the isolation parameters match the recipient's application, send the data packet to the recipient's application.
The above specific processing operations have been described in detail in the preceding embodiments and are not repeated here.
Further, as shown in Fig. 10, the electronic equipment may also include other components such as a communication component 103, a power supply module 104, an audio component 105 and a display 106. Only some components are schematically shown in Fig. 10, which does not mean that the electronic equipment includes only the components shown in Fig. 10.
The communication component 103 is configured to facilitate wired or wireless communication between the electronic equipment and other devices. The electronic equipment can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 103 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 103 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be realized based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply module 104 provides electric power for the various components of the electronic equipment. The power supply module 104 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing electric power for the electronic equipment.
The audio component 105 is configured to output and/or input audio signals. For example, the audio component 105 includes a microphone (MIC), which is configured to receive external audio signals when the electronic equipment is in an operation mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signals may be further stored in the memory 101 or sent via the communication component 103. In some embodiments, the audio component 105 further includes a loudspeaker for outputting audio signals.
The display 106 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensors can not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
Those of ordinary skill in the art will understand that all or part of the steps of each of the above method embodiments can be completed by hardware related to program instructions. The aforementioned program can be stored in a computer-readable storage medium. When the program is executed, the steps of each of the above method embodiments are performed; the aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some or all of the technical features; and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. A network isolation method, characterized by comprising:
obtaining a data packet to be sent;
setting isolation parameters for the data packet;
sending the data packet on which the isolation parameters are set to a recipient's application.
2. The network isolation method according to claim 1, characterized in that the setting of isolation parameters for the data packet specifically comprises:
setting a packet ID for the data packet, the packet ID being used to identify a grouping of applications that are allowed to communicate, all applications in each grouping corresponding to the same packet ID.
3. The network isolation method according to claim 1, characterized in that the setting of isolation parameters for the data packet specifically comprises:
performing an encryption operation on a specified portion of the data packet with the public key of the recipient's application that receives the data packet, the public key being used together with the private key of the recipient's application to determine whether the recipient's application is allowed to communicate.
4. The network isolation method according to any one of claims 1 to 3, characterized in that the data packet to be sent is a TCP data packet.
5. The network isolation method according to claim 4, characterized in that the sending of the data packet on which the isolation parameters are set to the recipient's application comprises:
encapsulating the TCP data packet on which the isolation parameters are set into an IP packet;
sending the IP packet to the recipient's application.
6. The network isolation method according to any one of claims 1 to 3, characterized in that, before the setting of isolation parameters for the data packet, the method further comprises:
encrypting the isolation parameters.
7. A network isolation method, characterized by comprising:
receiving a data packet on which isolation parameters are set;
performing a matching operation on the data packet with respect to the isolation parameters;
when the isolation parameters match a recipient's application, sending the data packet to the recipient's application.
8. The network isolation method according to claim 7, characterized in that the performing of a matching operation on the data packet with respect to the isolation parameters comprises:
comparing whether the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application, the packet ID being used to identify a grouping of applications that are allowed to communicate, all applications in each grouping corresponding to the same packet ID;
when the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application, determining that the isolation parameters match the recipient's application.
9. The network isolation method according to claim 7, characterized in that the performing of a matching operation on the data packet with respect to the isolation parameters comprises:
performing a decryption operation on a specified portion of the received data packet with the private key of the recipient's application;
when the private key successfully decrypts the data packet, determining that the isolation parameters match the recipient's application.
10. The network isolation method according to any one of claims 7 to 9, characterized in that the received data packet is an IP packet.
11. The network isolation method according to claim 10, characterized in that, before the performing of a matching operation on the data packet with respect to the isolation parameters, the method further comprises:
decapsulating the received IP packet;
obtaining the TCP data packet on which the isolation parameters are set.
12. The network isolation method according to any one of claims 7 to 9, characterized in that, before the performing of a matching operation on the data packet with respect to the isolation parameters, the method further comprises:
decrypting the isolation parameters.
13. A data sending device, characterized by comprising:
an obtaining module for obtaining a data packet to be sent;
a setup module for setting isolation parameters for the data packet;
a sending module for sending the data packet on which the isolation parameters are set to a recipient's application.
14. The data sending device according to claim 13, characterized in that the isolation parameters are a packet ID, the setup module being used to set the packet ID for the data packet, the packet ID being used to identify a grouping of applications that are allowed to communicate, all applications in each grouping corresponding to the same packet ID.
15. The data sending device according to claim 13, characterized in that the isolation parameters are the public key of the recipient's application that receives the data packet, the setup module being used to perform an encryption operation on a specified portion of the data packet with the public key, the public key being used together with the private key of the recipient's application to determine whether the recipient's application is allowed to communicate.
16. A data sink, characterized by comprising:
a receiving module for receiving a data packet on which isolation parameters are set;
a matching module for performing a matching operation on the data packet with respect to the isolation parameters;
an execution module for sending the data packet to the recipient's application when the isolation parameters match the recipient's application.
17. The data sink according to claim 16, characterized in that the matching module is further used to compare whether the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application, and to determine that the isolation parameters match the recipient's application when the packet ID set for the data packet is consistent with the packet ID corresponding to the recipient's application, the packet ID being used to identify a grouping of applications that are allowed to communicate, all applications in each grouping corresponding to the same packet ID.
18. The data sink according to claim 16, characterized in that the matching module is further used to perform a decryption operation on a specified portion of the received data packet with the private key of the recipient's application, and to determine that the isolation parameters match the recipient's application when the private key successfully decrypts the data packet.
19. An electronic equipment, characterized by comprising:
a memory for storing a program;
a processor for running the program stored in the memory in order to:
obtain a data packet to be sent;
set isolation parameters for the data packet;
send the data packet on which the isolation parameters are set to a recipient's application.
20. An electronic equipment, characterized by comprising:
a memory for storing a program;
a processor for running the program stored in the memory in order to:
receive a data packet on which isolation parameters are set;
perform a matching operation on the data packet with respect to the isolation parameters;
when the isolation parameters match a recipient's application, send the data packet to the recipient's application.
Application CN201710560613.4A, priority date 2017-07-11, filing date 2017-07-11: Network Isolation method and apparatus and electronic equipment. Status: Pending.

Publication CN109246065A (en), publication date 2019-01-18.




Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190118