CN109246065A - Network isolation method and apparatus, and electronic device - Google Patents
Network isolation method and apparatus, and electronic device
- Publication number
- CN109246065A (application number CN201710560613.4A)
- Authority
- CN
- China
- Prior art keywords
- packet
- data packet
- recipient
- isolation
- application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An embodiment of the invention provides a network isolation method and apparatus, and an electronic device. The method comprises: obtaining a data packet to be sent; setting an isolation parameter for the data packet; and sending the data packet carrying the isolation parameter to the recipient application. For applications deployed on machines, an isolation parameter is set on each data packet an application sends out, so that the receiving end can use the isolation parameter to judge whether the recipient application is allowed to communicate with the sender, achieving secure network isolation.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a network isolation method and apparatus, and an electronic device.
Background technique
In container scenarios, applications are deployed onto machines in a many-to-many fashion: a single machine can host multiple applications, and a single application can be deployed on multiple machines. To guarantee network security, certain applications must not be allowed to communicate with each other; that is, specific applications need to be isolated.
Traditional isolation schemes fall into the following classes:
1. Authentication with an application-layer protocol. Access rights are configured for each application at the application layer, and applications that are allowed to communicate do so after passing authentication.
2. Virtual LAN (VLAN) technology at the network layer. The network is divided into multiple virtual subnets; applications that are allowed to communicate are deployed in the same subnet, and applications that must not communicate are deployed in different subnets, thereby achieving network isolation.
In implementing the present invention, the inventors found that the prior art has at least the following problems. The application-layer authentication scheme requires the application itself to support authentication; if an application does not support authentication, or does not support the particular type of authentication required, isolation cannot be achieved. The network-layer VLAN scheme is limited by VLAN technology to at most 4096 subnets (the VLAN ID is a 12-bit field), which cannot accommodate deployments with more applications; in addition, the Ethernet frame in VLAN technology is entirely plaintext, so the tag is at risk of being tampered with.
Summary of the invention
Embodiments of the present invention provide a network isolation method and apparatus, and an electronic device, in order to avoid the drawbacks of the prior art and achieve secure and reliable network isolation.
To this end, an embodiment of the invention provides a network isolation method comprising: obtaining a data packet to be sent; setting an isolation parameter for the data packet; and sending the data packet carrying the isolation parameter to the recipient application.
An embodiment of the invention also provides a network isolation method comprising: receiving a data packet carrying an isolation parameter; performing a matching operation on the data packet with respect to the isolation parameter; and, when the isolation parameter matches the recipient application, delivering the data packet to the recipient application.
An embodiment of the invention also provides a data sending apparatus comprising: an obtaining module for obtaining a data packet to be sent; a setting module for setting an isolation parameter for the data packet; and a sending module for sending the data packet carrying the isolation parameter to the recipient application.
An embodiment of the invention also provides a data receiving apparatus comprising: a receiving module for receiving a data packet carrying an isolation parameter; a matching module for performing a matching operation on the data packet with respect to the isolation parameter; and an execution module for delivering the data packet to the recipient application when the isolation parameter matches the recipient application.
An embodiment of the invention also provides an electronic device comprising a memory for storing a program and a processor for running the program stored in the memory, so as to: obtain a data packet to be sent; set an isolation parameter for the data packet; and send the data packet carrying the isolation parameter to the recipient application.
An embodiment of the invention also provides an electronic device comprising a memory for storing a program and a processor for running the program stored in the memory, so as to: receive a data packet carrying an isolation parameter; perform a matching operation on the data packet with respect to the isolation parameter; and, when the isolation parameter matches the recipient application, deliver the data packet to the recipient application.
With the network isolation method and apparatus and the electronic device provided by embodiments of the invention, for applications deployed on machines, an isolation parameter is set on each data packet an application sends out, so that the receiving end can use the isolation parameter to judge whether the recipient application is allowed to communicate, achieving secure network isolation.
The above is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present application. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a schematic diagram of the principle of the network isolation method provided in an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a business system provided in an embodiment of the present invention;
Fig. 3 is a flowchart of an embodiment of the network isolation method provided by the invention;
Fig. 4a is a flowchart of a specific embodiment of the network isolation method provided by the invention;
Fig. 4b is a schematic diagram of the data structure in an embodiment of the present invention;
Fig. 5 is a flowchart of another embodiment of the network isolation method provided by the invention;
Fig. 6 is a flowchart of another specific embodiment of the network isolation method provided by the invention;
Fig. 7 is a schematic structural diagram of an embodiment of the data sending apparatus provided by the invention;
Fig. 8 is a schematic structural diagram of an embodiment of the data receiving apparatus provided by the invention;
Fig. 9 is a schematic structural diagram of an embodiment of the electronic device provided by the invention;
Fig. 10 is a schematic structural diagram of another embodiment of the electronic device provided by the invention.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention will be more thoroughly understood and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
In view of the drawbacks of the prior art, the present application provides a solution whose basic principle is as follows: an isolation parameter is configured for each application deployed on a machine; when one application (the sender application) sends a data packet to another application (the recipient application), the configured parameter is set on the data packet, and that parameter is used to determine whether the recipient application is allowed to communicate with the sender application. Specifically, applications can be grouped when they are deployed, and applications that are allowed to communicate with each other are assigned the same group ID (identity). When data is sent, the corresponding group ID is set on the data packet (for example, the group ID can be added into the data packet before sending, or the data packet and the group ID can be sent together), so that the recipient's machine determines whether communication is allowed by comparing group IDs, thereby achieving secure network isolation. Alternatively, at deployment time each application can be configured with an asymmetric key pair: the private key is kept by the application itself, and the public key is made available to the other applications that are allowed to communicate with it. When the sender application sends a data packet to the recipient application, the sender's machine encrypts a specified portion of the data packet with the recipient application's public key; the recipient's machine decrypts that portion with the recipient application's private key and judges from the result whether the public and private keys match, that is, whether the communication is allowed. This approach can also realise one-way communication between two applications: A can send data to B while B cannot send data to A.
Fig. 1 is a schematic diagram of the principle of the network isolation method provided in an embodiment of the present invention. In this embodiment the two communicating parties may use the Transmission Control Protocol (hereinafter TCP) and run on a Linux system. As shown in Fig. 1, suppose applications A and C are deployed on machine 1 and applications B and C on machine 2. The user wants A and B to be able to communicate with each other, while C must not communicate with either A or B. The applications are therefore grouped: A and B form one group and are assigned the group ID group=1000, while C forms another group and is assigned the group ID group=1001. When application A on machine 1 sends data to application B on machine 2, the sending module on machine 1 (a Netfilter module, labelled "Netfilter Module Sent" in Fig. 1) adds A's group ID (group=1000) into the Option field of the TCP packet emitted by A, encapsulates it into an IP packet, and sends it to machine 2 through an Ethernet interface (EthX). When machine 2 receives the IP packet, its receiving module (likewise a Netfilter module) decapsulates the TCP packet, reads the group ID added to it (group=1000), locates application B from the destination address of the TCP packet, and compares the group ID carried in the TCP packet with B's group ID. If they are the same, communication is allowed (the data is delivered to application B); otherwise, communication is refused (the data is dropped, or a message refusing the communication is returned).
The method provided in embodiments of the present invention can be applied to any business system in which multiple applications are deployed. Fig. 2 is a schematic structural diagram of a business system provided in an embodiment of the present invention. As shown in Fig. 2, the business system consists of several machines; each machine hosts at least one application, and each application can be deployed on at least one machine. Normally a machine can both send and receive data, and an application can likewise both receive and send data; therefore, in embodiments of the present invention, a machine can host sender applications and recipient applications at the same time and run the sending and receiving modules simultaneously. The business system obtains data through external call services, which can be any service capable of providing or generating data; most of these are business accesses or service calls from other systems or clients, and external call services are the main source of new data. A machine hosting a sender application (called the sending end, shown as machine 1 in Fig. 1) comprises an obtaining module, a setting module and a sending module, and can execute the process shown in Fig. 3 below: when an application deployed on machine 1 (the sender application) sends data, machine 1 obtains the data packet emitted by the sender application, sets the isolation parameter corresponding to the sender application on the data packet, and finally sends the data packet carrying the isolation parameter to the recipient application. A machine hosting a recipient application (called the receiving end, shown as machine 2 in Fig. 1) comprises a receiving module, a matching module and an execution module, and can execute the process shown in Fig. 5 below: when machine 2 receives a data packet, it obtains the isolation parameter set on the data packet and performs a matching operation on the data with respect to that parameter, to determine whether the recipient application is allowed to communicate with the sender application.
Embodiment one
Fig. 3 is a flowchart of an embodiment of the network isolation method provided by the invention. The method may be executed by the machine hosting the sender application described in the embodiment above. As shown in Fig. 3, the network isolation method comprises the following steps:
S301: obtain a data packet to be sent.
S302: set an isolation parameter for the data packet. The isolation parameter can be used to isolate applications that are not allowed to communicate.
In embodiments of the present invention the isolation parameter can be a group ID, which identifies a group of applications allowed to communicate with each other; all applications in a group share the same group ID. The sending end adds the group ID into the data packet (or sends the data packet and the group ID together). On receiving the data packet, the receiving end can compare group IDs to judge whether the two applications belong to the same group and hence whether communication is allowed.
Alternatively, the isolation parameter in embodiments of the invention can be the public key of the recipient application that will receive the data packet, used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. When the sending end sets the public key on the data packet, a specific way of doing so is to encrypt a specified portion of the data packet with the recipient application's public key and then send the processed data packet to the receiving end. After receiving the data packet, the receiving end decrypts the specified portion with the recipient application's private key; if decryption succeeds, the public key is shown to match the recipient application. This approach can realise one-way communication between two applications, that is, A can send data to B while B cannot send data to A.
S303: send the data packet carrying the isolation parameter to the recipient application.
With the network isolation method provided in this embodiment, for applications deployed on machines, an isolation parameter is set on each data packet an application sends out, so that the receiving end judges by the isolation parameter whether the recipient application is allowed to communicate, achieving secure network isolation.
Fig. 4a is a flowchart of a specific embodiment of the network isolation method provided by the invention. As shown in Fig. 4a, building on the embodiment of Fig. 3, the network isolation method may specifically comprise the following steps:
S401: obtain the TCP packet emitted by the sender application; the destination address of the TCP packet is the address of the recipient application.
S402: add a group ID into the TCP packet. The group ID identifies a group of applications allowed to communicate; the applications in a group share the same group ID.
In this embodiment, when applications are deployed the user can group them, assigning the same group ID to applications that are allowed to communicate. When the sender application sends data to the recipient application, the machine hosting the sender application first obtains the TCP packet emitted by the sender application and then adds the group ID into that TCP packet.
S403: encapsulate the TCP packet carrying the group ID into an Internet Protocol (hereinafter IP) packet and send it to the destination address.
Furthermore, to prevent the group ID from being tampered with in transit, before step S402 the machine hosting the sender application can encrypt the group ID to form an encrypted group ID, add the encrypted group ID into the TCP packet, and finally encapsulate the TCP packet carrying the encrypted group ID into an IP packet and send it to the destination address. The machine hosting the recipient application then, on receiving the IP packet, compares the group ID in the TCP packet (or the decrypted group ID) with the recipient application's group ID to determine whether communication is allowed.
In embodiments of the invention the group ID can be added into the TCP packet, or it can be added into the IP packet. Fig. 4b is a schematic diagram of the data structure in an embodiment of the invention. As shown in Fig. 4b, the group ID can be placed in the Option field of the TCP header, after which the TCP packet carrying the group ID is encapsulated as the IP payload and sent; alternatively, when the TCP packet is encapsulated as the IP payload, the group ID can be placed in the Option field of the IP packet before sending.
With the network isolation method provided in this embodiment, applications deployed on machines are grouped, applications allowed to communicate are assigned the same group ID, and the corresponding group ID is set when data is sent, so that the receiving end judges by the group ID whether communication is allowed, achieving secure network isolation.
Embodiment two
Fig. 5 is a flowchart of another embodiment of the network isolation method provided by the invention. The method may be executed by the machine hosting the recipient application described in the embodiments above. As shown in Fig. 5, the network isolation method provided in this embodiment may comprise the following steps:
S501: receive a data packet carrying an isolation parameter. The isolation parameter can be used to isolate applications that are not allowed to communicate.
S502: perform a matching operation on the data packet with respect to the isolation parameter.
In embodiments of the invention the isolation parameter can be a group ID, which identifies a group of applications allowed to communicate; all applications in a group share the same group ID. In that case step S502 may comprise: comparing the group ID set on the data packet with the group ID of the recipient application, and determining that the isolation parameter matches the recipient application when the two are the same.
Alternatively, the isolation parameter in embodiments of the invention can be a public key, used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. After receiving the data packet, the receiving end decrypts the specified portion of the received data packet with the recipient application's private key; if decryption succeeds, the public key is shown to match the recipient application.
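The following is an added example, not the patent's code, of the public-key variant of S302 and S502, with the encrypted "specified portion" being the group ID so that it also covers the encrypted-group-ID variant of steps S402/S602: the sending end encrypts under the recipient application's public key, and the receiving end decrypts with its private key and accepts only if the decrypted field is well formed and the group IDs agree. Everything beyond the patent's description is an assumption: textbook RSA on fixed Mersenne primes at toy sizes (so the block runs offline with the standard library), a MAGIC marker so that a failed decryption is detectable, and a constructed key table in which A holds B's public key but B holds no key for A, giving the one-way case the text describes.

```python
"""Public-key isolation parameter, group ID as the encrypted field.
Added example, not from the patent. Textbook RSA at toy sizes; the
MAGIC marker, the primes and the key tables are assumptions."""
import struct
from math import gcd

MAGIC = b"ISOL"   # assumed marker: lets the receiver tell a good decrypt from garbage


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair (no padding): returns (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi")
    return (n, e), (n, pow(e, -1, phi))


def seal_group_id(pub, group_id):
    """Sender side: encrypt MAGIC || group_id under the recipient's public key."""
    n, e = pub
    m = int.from_bytes(MAGIC + struct.pack("!I", group_id), "big")
    assert m < n, "toy modulus must still exceed the 8-byte field"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def open_group_id(priv, tag):
    """Receiver side: decrypt with the private key; None if MAGIC is absent
    (wrong key or altered tag), else the group ID carried in the field."""
    n, d = priv
    width = (n.bit_length() + 7) // 8
    pt = pow(int.from_bytes(tag, "big"), d, n).to_bytes(width, "big")
    if pt[:-8] != b"\x00" * (width - 8) or pt[-8:-4] != MAGIC:
        return None
    return struct.unpack("!I", pt[-4:])[0]


# Constructed deployment: A may talk to B (A holds B's public key); B holds no
# public key for A, so B -> A cannot be tagged at all. Primes are Mersenne
# primes chosen only so the example is deterministic; not a real key size.
PUB_B, PRIV_B = make_keypair(2**31 - 1, 2**61 - 1)
PUB_A, PRIV_A = make_keypair(2**89 - 1, 2**107 - 1)
PUBLIC_KEYS_HELD = {"A": {"B": PUB_B}, "B": {}}
PRIVATE_KEYS = {"A": PRIV_A, "B": PRIV_B}
GROUPS = {"A": 1000, "B": 1000, "C": 1001}


def send(src, dst):
    """Sending machine: build the isolation tag, or None if src holds no key for dst."""
    pub = PUBLIC_KEYS_HELD[src].get(dst)
    if pub is None:
        return None
    return seal_group_id(pub, GROUPS[src])


def accept(dst, tag):
    """Receiving machine: decrypt with dst's private key, then compare group IDs."""
    gid = open_group_id(PRIVATE_KEYS[dst], tag)
    return gid is not None and gid == GROUPS[dst]


if __name__ == "__main__":
    tag = send("A", "B")
    print("A -> B accepted by B:", accept("B", tag))
    print("B -> A can be tagged:", send("B", "A") is not None)
```

Two properties worth keeping in mind when reading the patent's check: any party that holds B's public key can produce a tag B will accept, so a successful decryption shows that the sender was issued B's key, not which application sent the packet; and unpadded RSA ciphertext gives no integrity, so a deployment would use a padded scheme (OAEP) at a current key size and pair the tag with an integrity check rather than relying on encryption alone to detect tampering.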
S503: when the isolation parameter matches the recipient application, deliver the data packet to the recipient application.
With the network isolation method provided in this embodiment, for applications deployed on machines, the receiving end obtains the isolation parameter set on a received data packet and uses it to judge whether the recipient application is allowed to communicate, achieving secure network isolation.
Fig. 6 is a flowchart of another specific embodiment of the network isolation method provided by the invention. As shown in Fig. 6, building on the embodiment of Fig. 5, the network isolation method may specifically comprise the following steps:
S601: decapsulate the received IP packet to obtain the TCP packet carrying a group ID; the group ID identifies a group of applications allowed to communicate, and the applications in a group share the same group ID.
S602: compare the group ID set on the TCP packet with the group ID of the recipient application.
In this embodiment, when the machine hosting the recipient application receives an IP packet, it first decapsulates it to obtain the TCP packet carrying the group ID, and then compares that group ID with the recipient application's group ID.
S603: when the group ID set on the TCP packet is the same as the recipient application's group ID, deliver the TCP packet to the recipient application.
In this embodiment, two applications have the same group ID only if they are allowed to communicate. Therefore, when the group ID set on the TCP packet is the same as the recipient application's group ID, the machine hosting the recipient application delivers the TCP packet to the recipient application.
Furthermore, to prevent the group ID from being tampered with in transit, the sending end can encrypt the group ID. At the receiving end, if the decapsulated group ID is an encrypted group ID, the machine hosting the recipient application must first decrypt it to obtain the decrypted group ID, then compare the decrypted group ID with the recipient application's group ID; when they are the same, it delivers the TCP packet to the recipient application.
With the network isolation method provided in this embodiment, applications deployed on machines are grouped, applications allowed to communicate are assigned the same group ID, the corresponding group ID is set when data is sent, and the receiving end judges by the group ID whether communication is allowed, achieving secure network isolation.
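The following is an added example, not the patent's code, that runs the group-ID flow of Fig. 1 end to end: the sending end of steps S401 to S403 writes the group ID into a TCP option (the Fig. 4b layout), and the receiving end of steps S601 to S603 parses the options, looks up the recipient application by destination port and delivers or drops. It is user-space Python operating on a constructed TCP segment so it runs offline; a Netfilter hook would do the same work on the kernel's packet buffers. Assumptions not in the patent: the option kind (253, the RFC 6994 experimental kind, which a deployment would also register an ExID for), the port-to-application table on machine 2, a zero TCP checksum, and the decision to treat an untagged packet as a mismatch and drop it.

```python
"""Group ID carried in a TCP option, sender and receiver sides.
Added example, not from the patent; option kind, port table and
fail-closed handling of untagged packets are assumptions."""
import struct

TCP_HDR_FMT = "!HHIIBBHHH"                 # 20-byte fixed TCP header
TCP_HDR_LEN = struct.calcsize(TCP_HDR_FMT)
GROUP_OPT_KIND = 253                       # assumed: RFC 6994 experimental kind
GROUP_OPT_LEN = 6                          # kind, length, 4-byte group ID

# Constructed deployment tables matching Fig. 1: A and B share group 1000,
# C is alone in group 1001. Machine 2 maps listening ports to its apps.
SENDER_GROUPS = {"A": 1000, "C": 1001}
RECEIVER_APPS_BY_PORT = {8080: ("B", 1000), 9090: ("C", 1001)}


def build_segment(group_id, sport, dport, payload, extra_opts=b""):
    """Sender side (S401-S403): append the group-ID option to the TCP header.
    group_id=None builds an untagged segment for comparison."""
    opts = extra_opts
    if group_id is not None:
        opts += struct.pack("!BBI", GROUP_OPT_KIND, GROUP_OPT_LEN, group_id)
    opts += b"\x00" * (-len(opts) % 4)     # pad to a 32-bit boundary with EOL
    if len(opts) > 40:
        raise ValueError("TCP options exceed 40 bytes")
    data_off = (TCP_HDR_LEN + len(opts)) // 4
    hdr = struct.pack(TCP_HDR_FMT, sport, dport, 0, 0, data_off << 4,
                      0x18, 65535, 0, 0)    # PSH|ACK; checksum left zero here
    return hdr + opts + payload


def parse_options(raw):
    """Walk the TCP option list (EOL, NOP and kind/length/value options),
    rejecting lengths that run past the buffer. Returns {kind: value}."""
    found, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        found[kind] = raw[i + 2:i + length]
        i += length
    return found


def receive_segment(segment):
    """Receiver side (S601-S603): locate the recipient app by destination
    port and deliver only if the packet's group ID equals the app's group."""
    fields = struct.unpack(TCP_HDR_FMT, segment[:TCP_HDR_LEN])
    dport, data_off = fields[1], fields[4] >> 4
    hdr_end = data_off * 4
    opts = parse_options(segment[TCP_HDR_LEN:hdr_end])
    payload = segment[hdr_end:]
    if dport not in RECEIVER_APPS_BY_PORT:
        return ("drop", "no recipient application on port %d" % dport)
    app, app_group = RECEIVER_APPS_BY_PORT[dport]
    tag = opts.get(GROUP_OPT_KIND)
    if tag is None or len(tag) != 4:
        return ("drop", "no isolation parameter on packet")   # fail closed
    (pkt_group,) = struct.unpack("!I", tag)
    if pkt_group != app_group:
        return ("drop", "group %d does not match group %d of app %s"
                % (pkt_group, app_group, app))
    return ("deliver", app, payload)


if __name__ == "__main__":
    mss = struct.pack("!BBH", 2, 4, 1460)  # an ordinary option the parser must skip
    print(receive_segment(build_segment(SENDER_GROUPS["A"], 40000, 8080, b"hello", mss)))
    print(receive_segment(build_segment(SENDER_GROUPS["C"], 40001, 8080, b"hello")))
```

The parser deliberately bounds every option length against the buffer before indexing, since the option list is attacker-controlled input on the receiving machine; the untagged case is dropped rather than delivered so that a packet that bypasses the sending module cannot reach an application by omitting the tag.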
Embodiment three
Fig. 7 is a schematic structural diagram of an embodiment of the data sending apparatus provided by the invention, which can execute the method steps shown in Fig. 3. As shown in Fig. 7, the data sending apparatus may comprise an obtaining module 71, a setting module 72 and a sending module 73.
The obtaining module 71 is for obtaining the data packet to be sent; the setting module 72 is for setting an isolation parameter for the data packet, the isolation parameter being used to isolate applications that are not allowed to communicate; and the sending module 73 is for sending the data packet carrying the isolation parameter to the recipient application.
In embodiments of the invention the isolation parameter can be a group ID, which identifies a group of applications allowed to communicate; all applications in a group share the same group ID. When applications are deployed the user can group them, assigning the same group ID to applications allowed to communicate. When the sender application sends data to the recipient application, the obtaining module 71 first obtains the data packet emitted by the sender application, the setting module 72 then adds the group ID into the data packet, and the sending module 73 sends the data packet carrying the group ID to the recipient application; alternatively, the group ID is not added into the data packet, and the sending module 73 sends the data packet and the group ID together.
Alternatively, the isolation parameter in embodiments of the invention can be the public key of the recipient application that will receive the data packet, used together with the recipient application's private key to determine whether the recipient application is allowed to communicate. The setting module 72 encrypts a specified portion of the data packet with that public key; for details see the description of step S302 in embodiment one, which is not repeated here.
Furthermore, to prevent the group ID from being tampered with in transit, the data sending apparatus may also comprise an encryption module (not shown) for encrypting the group ID. Before the setting module 72 sets the group ID on the TCP packet, the encryption module encrypts the group ID to form an encrypted group ID; the setting module 72 then sets the encrypted group ID on the TCP packet; finally the sending module 73 encapsulates the TCP packet carrying the encrypted group ID into an IP packet (or encapsulates the TCP packet and the encrypted group ID together into an IP packet) and sends it to the destination address, so that the machine hosting the recipient application, on receiving the IP packet, compares the group ID set on the TCP packet (or the decrypted group ID) with the recipient application's group ID to determine whether communication is allowed. For example, when the encrypted group ID is added into the TCP packet it can be placed in the Option field of the TCP packet; when the TCP packet and the encrypted group ID are encapsulated together into an IP packet, the encrypted group ID can be placed in the Option field of the IP packet.
With the data sending apparatus provided in this embodiment, for applications deployed on machines, an isolation parameter (e.g., a group ID or the recipient application's public key) is set on each data packet an application sends out, so that the receiving end judges by the isolation parameter whether the recipient application is allowed to communicate, achieving secure network isolation.
Example IV
Fig. 8 is the structural schematic diagram of data sink one embodiment provided by the invention, can be used for executing such as Fig. 5 institute
The method and step shown.As shown in figure 8, the data sink may include: receiving module 81, matching module 82 and execution module
83。
Wherein, for receiving the data packet for being provided with isolation parameters, which does not permit receiving module 81 for being isolated
Perhaps the application communicated;Matching module 82 is used to carry out data packet the matching operation about the isolation parameters;Execution module 83 is used
In when the isolation parameters match with recipient's application, data packet is sent to recipient's application.
In embodiments of the present invention, isolation parameters can be packet ID, which is used to identify the application for allowing to communicate
Grouping, all applications in each grouping correspond to the same packet ID.When receiving module 81 receives data packet, obtain first
It is taken as the packet ID of its setting;Then, it is corresponding with recipient's application to compare the packet ID being arranged for the data packet for matching module 82
Packet ID it is whether consistent.In the case where only allowing communication there are two application, corresponding packet ID just can be consistent.Therefore, when
When applying corresponding packet ID consistent for the packet ID of data packet setting and recipient, determine that the isolation parameters and recipient are applied
Match.At this point, execution module 83 sends data packets to recipient's application.
Alternatively, the isolation parameter in the embodiment of the invention may be the public key of the recipient application that receives the data packet; the public key is used together with the private key of the recipient application to determine whether the recipient application is permitted to communicate. Matching module 82 is then configured to decrypt a specified portion of the received data packet with the private key of the recipient application, so as to determine whether the isolation parameter matches the recipient application. For the matching operation that matching module 82 performs on the isolation parameters, reference may be made to the detailed description of step S502 in embodiment two, which is not repeated here.
Furthermore, to prevent the packet ID from being tampered with in transit, the data receiving device may also include a deciphering module (not shown). The deciphering module is configured to decrypt the packet ID set for the TCP data packet. Thus, if the packet ID that receiving module 81 decapsulates is an encrypted packet ID, the deciphering module must first decrypt it to obtain a decrypted packet ID. Matching module 82 then compares the decrypted packet ID with the packet ID corresponding to the recipient application; when the two are identical, execution module 83 sends the TCP data packet to the recipient application.
With the data receiving device provided by the embodiment of the invention, for applications deployed on a machine, the receiving end retrieves the isolation parameters set for a data packet after receiving it and uses them to judge whether the recipient application is permitted to communicate, thereby achieving secure network isolation.
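The receiver-side logic of embodiment four for the packet-ID case (receiving module, deciphering module, matching module and execution module), as an added example in Python; this is not code from the patent. The wire layout, the key shared by the isolation layers of both hosts, the toy SHA-256 keystream cipher and the HMAC tag are all assumptions of this example: the patent only states that the packet ID is encrypted to prevent tampering. The tag is the caveat a practitioner would add, since encryption alone does not stop a modified ciphertext from decrypting to some other valid group ID; with encrypt-then-MAC, a modified ID is rejected before it is ever compared.

```python
"""Receiver-side check of the packet-ID isolation parameter (added example).

Assumed wire format (constructed for this example, not from the patent):
    nonce (8 bytes) | encrypted packet ID (4 bytes) | tag (16 bytes) | payload
The packet ID is encrypted with a toy SHA-256 keystream and authenticated
with HMAC-SHA256 under a key shared by the isolation layers of both hosts.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 8
ID_LEN = 4
TAG_LEN = 16
HEADER_LEN = NONCE_LEN + ID_LEN + TAG_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (illustration only): SHA-256(key || nonce || counter) blocks.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_packet_id(key: bytes, packet_id: int, payload: bytes,
                   nonce: Optional[bytes] = None) -> bytes:
    """Sender side: set the packet ID, encrypt it, then authenticate it
    (encrypt-then-MAC) so that a modified ID is detected, not decrypted."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_id = _xor(struct.pack("!I", packet_id), _keystream(key, nonce, ID_LEN))
    tag = hmac.new(key, nonce + enc_id, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + enc_id + tag + payload


def open_packet_id(key: bytes, packet: bytes) -> Optional[int]:
    """Deciphering module: verify the tag first, then decrypt the packet ID.
    Returns None for a truncated header or a tag that does not verify."""
    if len(packet) < HEADER_LEN:
        return None
    nonce = packet[:NONCE_LEN]
    enc_id = packet[NONCE_LEN:NONCE_LEN + ID_LEN]
    tag = packet[NONCE_LEN + ID_LEN:HEADER_LEN]
    expected = hmac.new(key, nonce + enc_id, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return struct.unpack("!I", _xor(enc_id, _keystream(key, nonce, ID_LEN)))[0]


def match_packet_id_and_deliver(key: bytes, packet: bytes,
                                recipient_packet_id: int) -> Optional[bytes]:
    """Matching module + execution module: hand the payload to the recipient
    application only when the packet's group ID equals the recipient's."""
    packet_id = open_packet_id(key, packet)
    if packet_id is None or packet_id != recipient_packet_id:
        return None  # dropped: malformed, tampered, or a different isolation group
    return packet[HEADER_LEN:]


if __name__ == "__main__":
    shared_key = b"example-shared-key-32-bytes-long"  # constructed sample key
    pkt = seal_packet_id(shared_key, 7, b"GET / HTTP/1.1\r\n")
    print(match_packet_id_and_deliver(shared_key, pkt, 7))  # payload: same group
    print(match_packet_id_and_deliver(shared_key, pkt, 8))  # None: other group
    forged = pkt[:NONCE_LEN] + bytes([pkt[NONCE_LEN] ^ 0x01]) + pkt[NONCE_LEN + 1:]
    print(match_packet_id_and_deliver(shared_key, forged, 7))  # None: bad tag
```

Only the packet ID is authenticated here, mirroring what the patent protects; the payload itself is still open to modification in transit unless the transport adds its own integrity protection.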
Embodiment five
The internal functions and structure of the data sending device have been described above; that device may be implemented as an electronic device. Fig. 9 is a structural schematic diagram of an embodiment of the electronic device provided by the invention. As shown in Fig. 9, the electronic device includes a memory 91 and a processor 92.
Memory 91 is configured to store a program. In addition to the above program, memory 91 may also be configured to store various other data to support operation on the electronic device. Examples of such data include instructions for any application program or method operating on the electronic device, contact data, phone book data, messages, pictures, videos, and so on.
Memory 91 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
Processor 92 is coupled to memory 91 and executes the program stored in memory 91 in order to:
obtain a data packet to be sent; set isolation parameters for the data packet, the isolation parameters being used to isolate applications that are not permitted to communicate; and send the data packet with the isolation parameters set to the recipient application.
The specific processing operations above have been described in detail in the preceding embodiments and are not repeated here.
Further, as shown in Fig. 9, the electronic device may also include other components such as a communication component 93, a power supply component 94, an audio component 95 and a display 96. Fig. 9 shows only some of the components schematically; this does not mean that the electronic device includes only the components shown in Fig. 9.
Communication component 93 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, communication component 93 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 93 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
Power supply component 94 provides power to the various components of the electronic device. Power supply component 94 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
Audio component 95 is configured to output and/or input audio signals. For example, audio component 95 includes a microphone (MIC), which is configured to receive external audio signals when the electronic device is in an operating mode such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in memory 91 or sent via communication component 93. In some embodiments, audio component 95 further includes a loudspeaker for outputting audio signals.
Display 96 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation.
Embodiment six
The internal functions and structure of the data receiving device have been described above; that device may be implemented as an electronic device. Fig. 10 is a structural schematic diagram of another embodiment of the electronic device provided by the invention. As shown in Fig. 10, the electronic device includes a memory 101 and a processor 102.
Memory 101 is configured to store a program. In addition to the above program, memory 101 may also be configured to store various other data to support operation on the electronic device. Examples of such data include instructions for any application program or method operating on the electronic device, contact data, phone book data, messages, pictures, videos, and so on.
Memory 101 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
Processor 102 is coupled to memory 101 and executes the program stored in memory 101 in order to:
receive a data packet in which isolation parameters are set, the isolation parameters being used to isolate applications that are not permitted to communicate; perform a matching operation on the data packet with respect to the isolation parameters; and, when the isolation parameters match the recipient application, send the data packet to the recipient application.
The specific processing operations above have been described in detail in the preceding embodiments and are not repeated here.
Further, as shown in Fig. 10, the electronic device may also include other components such as a communication component 103, a power supply component 104, an audio component 105 and a display 106. Fig. 10 shows only some of the components schematically; this does not mean that the electronic device includes only the components shown in Fig. 10.
Communication component 103 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, communication component 103 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 103 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
Power supply component 104 provides power to the various components of the electronic device. Power supply component 104 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
Audio component 105 is configured to output and/or input audio signals. For example, audio component 105 includes a microphone (MIC), which is configured to receive external audio signals when the electronic device is in an operating mode such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in memory 101 or sent via communication component 103. In some embodiments, audio component 105 further includes a loudspeaker for outputting audio signals.
Display 106 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (20)
1. A network isolation method, comprising:
obtaining a data packet to be sent;
setting isolation parameters for the data packet;
sending the data packet with the isolation parameters set to a recipient application.
2. The network isolation method according to claim 1, wherein setting isolation parameters for the data packet specifically comprises:
setting a packet ID for the data packet, the packet ID identifying a group of applications that are permitted to communicate, all applications in each group corresponding to the same packet ID.
3. The network isolation method according to claim 1, wherein setting isolation parameters for the data packet specifically comprises:
encrypting a specified portion of the data packet with the public key of the recipient application that receives the data packet, the public key being used together with the private key of the recipient application to determine whether the recipient application is permitted to communicate.
4. The network isolation method according to any one of claims 1 to 3, wherein the data packet to be sent is a TCP data packet.
5. The network isolation method according to claim 4, wherein sending the data packet with the isolation parameters set to the recipient application comprises:
encapsulating the TCP data packet with the isolation parameters set into an IP packet;
sending the IP packet to the recipient application.
6. The network isolation method according to any one of claims 1 to 3, further comprising, before setting the isolation parameters for the data packet:
encrypting the isolation parameters.
7. A network isolation method, comprising:
receiving a data packet in which isolation parameters are set;
performing a matching operation on the data packet with respect to the isolation parameters;
when the isolation parameters match a recipient application, sending the data packet to the recipient application.
8. The network isolation method according to claim 7, wherein performing the matching operation on the data packet with respect to the isolation parameters comprises:
comparing the packet ID set for the data packet with the packet ID corresponding to the recipient application to determine whether they are identical, the packet ID identifying a group of applications that are permitted to communicate, all applications in each group corresponding to the same packet ID;
when the packet ID set for the data packet is identical to the packet ID corresponding to the recipient application, determining that the isolation parameters match the recipient application.
9. The network isolation method according to claim 7, wherein performing the matching operation on the data packet with respect to the isolation parameters comprises:
decrypting a specified portion of the received data packet with the private key of the recipient application;
when the private key successfully decrypts the data packet, determining that the isolation parameters match the recipient application.
10. The network isolation method according to any one of claims 7 to 9, wherein the received data packet is an IP packet.
11. The network isolation method according to claim 10, further comprising, before performing the matching operation on the data packet with respect to the isolation parameters:
decapsulating the received IP packet;
obtaining the TCP data packet in which the isolation parameters are set.
12. The network isolation method according to any one of claims 7 to 9, further comprising, before performing the matching operation on the data packet with respect to the isolation parameters:
decrypting the isolation parameters.
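The public-key variant of the receiving method in claims 7 and 9 (and embodiment four above), as an added example in Python that is not code from the patent. Textbook RSA with tiny constructed parameters, applied byte by byte, stands in for the real cipher, and the "specified portion" is assumed to be a fixed marker that the sender encrypts with the recipient application's public key; the patent names neither. The point the example makes is the check itself: a raw decryption always yields some value, so "the private key successfully decrypts the data packet" has to be defined as recovering an expected structure, otherwise any packet would match.

```python
"""Receiver-side check of the public-key isolation parameter (added example).

Assumptions (constructed for this example, not from the patent): the
"specified portion" is a 3-byte marker that the sender encrypts with the
recipient application's public key and prepends to the payload. The cipher
is textbook RSA with tiny constructed parameters, applied byte by byte; it
illustrates the decrypt-and-check logic only and is not a usable cipher.
"""
from typing import Optional, Tuple

# Toy RSA key pair for the recipient application (constructed): p = 61, q = 53.
N = 61 * 53               # 3233
E = 17
D = 2753                  # 17 * 2753 == 1 (mod 3120), where 3120 = 60 * 52
RECIPIENT_PUBLIC_KEY: Tuple[int, int] = (E, N)
RECIPIENT_PRIVATE_KEY: Tuple[int, int] = (D, N)

MARKER = b"ISO"           # the specified portion the receiver expects to recover
BLOCK_LEN = 2             # each plaintext byte becomes one 2-byte ciphertext block


def rsa_encrypt(public_key: Tuple[int, int], data: bytes) -> bytes:
    """Encrypt one byte per block: c = m^e mod n (textbook RSA, toy sizes)."""
    e, n = public_key
    return b"".join(pow(b, e, n).to_bytes(BLOCK_LEN, "big") for b in data)


def rsa_decrypt(private_key: Tuple[int, int], data: bytes) -> Optional[bytes]:
    """Decrypt block by block; returns None when the input is not a sequence of
    valid ciphertext blocks or a decrypted block cannot be a byte, which is the
    only way raw RSA can signal that decryption 'failed'."""
    d, n = private_key
    if len(data) % BLOCK_LEN:
        return None
    out = bytearray()
    for i in range(0, len(data), BLOCK_LEN):
        c = int.from_bytes(data[i:i + BLOCK_LEN], "big")
        if c >= n:
            return None
        m = pow(c, d, n)
        if m > 0xFF:
            return None
        out.append(m)
    return bytes(out)


def build_packet(public_key: Tuple[int, int], payload: bytes) -> bytes:
    """Sender side (setup module): encrypt the marker with the recipient's public key."""
    return rsa_encrypt(public_key, MARKER) + payload


def match_public_key_and_deliver(private_key: Tuple[int, int],
                                 packet: bytes) -> Optional[bytes]:
    """Matching module + execution module: decrypt the specified portion with
    the recipient's private key; only an exact marker counts as a successful
    decryption, so a wrong key or a modified portion drops the packet."""
    portion_len = len(MARKER) * BLOCK_LEN
    recovered = rsa_decrypt(private_key, packet[:portion_len])
    if recovered != MARKER:
        return None  # wrong key, tampered portion, or packet without the portion
    return packet[portion_len:]


if __name__ == "__main__":
    pkt = build_packet(RECIPIENT_PUBLIC_KEY, b"GET / HTTP/1.1\r\n")
    print(match_public_key_and_deliver(RECIPIENT_PRIVATE_KEY, pkt))  # payload
    tampered = b"\x00\x00" + pkt[2:]  # first ciphertext block zeroed in transit
    print(match_public_key_and_deliver(RECIPIENT_PRIVATE_KEY, tampered))  # None
    print(match_public_key_and_deliver(RECIPIENT_PRIVATE_KEY, b"no marker"))  # None
```

In a deployment the marker check would be replaced by the padding and integrity checks of an authenticated hybrid encryption scheme, and the key sizes by real ones; the structure of the decision (decrypt, validate, then deliver) is what carries over.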
13. A data sending device, comprising:
an obtaining module, configured to obtain a data packet to be sent;
a setup module, configured to set isolation parameters for the data packet;
a sending module, configured to send the data packet with the isolation parameters set to a recipient application.
14. The data sending device according to claim 13, wherein the isolation parameter is a packet ID, and the setup module is configured to set the packet ID for the data packet, the packet ID identifying a group of applications that are permitted to communicate, all applications in each group corresponding to the same packet ID.
15. The data sending device according to claim 13, wherein the isolation parameter is the public key of the recipient application that receives the data packet, and the setup module is configured to encrypt a specified portion of the data packet with the public key, the public key being used together with the private key of the recipient application to determine whether the recipient application is permitted to communicate.
16. A data receiving device, comprising:
a receiving module, configured to receive a data packet in which isolation parameters are set;
a matching module, configured to perform a matching operation on the data packet with respect to the isolation parameters;
an execution module, configured to send the data packet to a recipient application when the isolation parameters match the recipient application.
17. The data receiving device according to claim 16, wherein the matching module is further configured to compare the packet ID set for the data packet with the packet ID corresponding to the recipient application to determine whether they are identical, and, when the packet ID set for the data packet is identical to the packet ID corresponding to the recipient application, to determine that the isolation parameters match the recipient application, the packet ID identifying a group of applications that are permitted to communicate, all applications in each group corresponding to the same packet ID.
18. The data receiving device according to claim 16, wherein the matching module is further configured to decrypt a specified portion of the received data packet with the private key of the recipient application and, when the private key successfully decrypts the data packet, to determine that the isolation parameters match the recipient application.
19. An electronic device, comprising:
a memory, configured to store a program;
a processor, configured to run the program stored in the memory in order to:
obtain a data packet to be sent;
set isolation parameters for the data packet;
send the data packet with the isolation parameters set to a recipient application.
20. An electronic device, comprising:
a memory, configured to store a program;
a processor, configured to run the program stored in the memory in order to:
receive a data packet in which isolation parameters are set;
perform a matching operation on the data packet with respect to the isolation parameters;
when the isolation parameters match a recipient application, send the data packet to the recipient application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710560613.4A CN109246065A (en) | 2017-07-11 | 2017-07-11 | Network Isolation method and apparatus and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109246065A true CN109246065A (en) | 2019-01-18 |
Family
ID=65083897
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710560613.4A Pending CN109246065A (en) | 2017-07-11 | 2017-07-11 | Network Isolation method and apparatus and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109246065A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050091658A1 (en) * | 2003-10-24 | 2005-04-28 | Microsoft Corporation | Operating system resource protection |
CN102271333A (en) * | 2011-08-08 | 2011-12-07 | 东南大学 | Safe receiving and dispatching method for 3G (3rd Generation) message on basis of trusted chain transmission |
EP2535832A1 (en) * | 2011-06-17 | 2012-12-19 | Simulity Labs Ltd | A method for operating a virtual machine over a file system |
CN103476032A (en) * | 2013-08-28 | 2013-12-25 | 北京创毅讯联科技股份有限公司 | Method and system for communication between group user equipment in LTE (Long Term Evolution) enterprise network |
CN103971065A (en) * | 2014-05-16 | 2014-08-06 | 北京网秦天下科技有限公司 | Method and device used for preventing data tampering |
CN104680084A (en) * | 2015-03-20 | 2015-06-03 | 北京瑞星信息技术有限公司 | Method and system for protecting user privacy in computer |
CN105656632A (en) * | 2015-12-29 | 2016-06-08 | 蓝盾信息安全技术股份有限公司 | Group RFID tag identity authentication method |
CN105723425A (en) * | 2013-12-05 | 2016-06-29 | 德国邮政股份公司 | Access control system |
- 2017-07-11 CN CN201710560613.4A patent/CN109246065A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20190118 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |