CN110995658A - Gateway protection method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN110995658A
Authority: CN (China)
Prior art keywords: request, verification, message data, interface, condition
Legal status: Pending
Application number: CN201911097488.3A
Other languages: Chinese (zh)
Inventors: 王彤, 鲜丹, 叶成春, 玉其滴
Current assignee: Swiftpass Tech Co ltd
Original assignee: Swiftpass Tech Co ltd
Application filed by Swiftpass Tech Co ltd
Priority to CN201911097488.3A
Publication of CN110995658A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Abstract

The embodiment of the application belongs to the field of information security, and relates to a gateway protection method, a gateway protection device, computer equipment and a storage medium, wherein the method comprises the following steps: receiving an access request carrying message data sent by a request terminal; responding to the access request, and judging whether the message data meets an interface matching condition; if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal; if the message data meets the interface matching condition, judging whether the message data meets the verification condition; if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule; and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal. The method and device can shield requests whose interfaces do not match, so that security is maintained even when the network equipment is exposed, and the information security of the transmitted data is also ensured.

Description

Gateway protection method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a gateway protection method and apparatus, a computer device, and a storage medium.
Background
As the internet develops, the connections between devices become ever tighter, and the security problems in data transmission between devices attract more and more concern. When the network environment of the network equipment contains high-risk viruses and the early-warning system cannot remove them or repair the system in time, users cannot take effective countermeasures in time because the high-risk viruses are not easily perceived, so the network equipment cannot be effectively protected.
In the existing gateway protection method, the number of times an event that poses a security threat to the network equipment is intercepted is recorded in real time, and if the number of attacks on the network equipment at a certain time node reaches a preset threshold, early-warning information corresponding to that time node is sent out, thereby realizing the security protection of the network equipment.
However, the conventional gateway protection method is generally not intelligent: with no restriction between external requests and the gateway, external requests can still connect to the gateway arbitrarily, and if a port of the gateway is exposed, the gateway still faces the danger of brute-force attack, so the existing gateway still has great potential security hazards.
Disclosure of Invention
The embodiment of the application aims to provide a gateway protection method, and aims to solve the problem that the existing gateway protection method still faces the danger of brute-force attack and has great potential security hazards.
In order to solve the above technical problem, an embodiment of the present application provides a gateway protection method, which adopts the following technical solutions:
receiving an access request carrying message data sent by a request terminal;
responding to the access request, and judging whether the message data meets an interface matching condition;
if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal;
if the message data meets the interface matching condition, judging whether the message data meets the verification condition;
if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule;
and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal.
In order to solve the above technical problem, an embodiment of the present application further provides a gateway protection device, which adopts the following technical solutions:
the request receiving module is used for receiving an access request which is sent by a request terminal and carries message data;
the interface matching module is used for responding to the access request and judging whether the message data meets interface matching conditions;
the matching failure module is used for outputting a matching failure signal to the request terminal if the message data does not meet the interface matching condition;
the signature verification module is used for judging whether the message data meets the verification condition or not if the message data meets the interface matching condition;
the verification success module is used for sending the access request to a service system according to a preset routing rule if the verification data meets the verification condition;
and the verification failure module is used for outputting a verification failure signal to the request terminal if the verification data does not meet the verification condition.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical solutions:
comprising a memory and a processor;
the memory stores a computer program, and the processor implements the steps of the gateway protection method as described above when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical solutions:
the computer readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the gateway protection method as described above.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects:
the invention provides a gateway protection method, which receives an access request carrying message data sent by a request terminal; responding to the access request, and judging whether the message data meets an interface matching condition; if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal; if the message data meets the interface matching condition, judging whether the message data meets the verification condition; if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule; and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal. When the external request is received, the interface matching operation is carried out firstly, and the external request is received for subsequent processing only if the matching is successful, so that the request with part of interfaces not matched can be shielded, and the security is still kept when the network equipment is exposed; meanwhile, the verification of the message data ensures that the access request content cannot be tampered, and the information security of the data is ensured.
Drawings
In order to more clearly illustrate the solution of the present application, the drawings needed for describing the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of an implementation of a gateway protection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an implementation of step S102 in FIG. 1;
FIG. 3 is a flowchart of one implementation of step S104 in FIG. 1;
FIG. 4 is a flowchart of another implementation of step S104 in FIG. 1;
FIG. 5 is a flowchart of another implementation of step S104 in FIG. 1;
fig. 6 is a flowchart of an implementation of a response request processing method according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a gateway protection device according to a second embodiment of the present invention;
fig. 8 is a schematic structural diagram of an interface matching module according to a second embodiment of the present invention;
FIG. 9 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
According to the gateway protection method provided by the embodiment of the invention, when the external request is received, the interface matching operation is carried out firstly, and the external request is received for subsequent processing only if the matching is successful, so that the request with part of interfaces not matched can be shielded, and the security is still kept when the network equipment is exposed; meanwhile, the verification of the message data ensures that the access request content cannot be tampered, and the information security of the data is ensured.
Example one
Fig. 1 shows a flowchart of an implementation of a gateway protection method according to an embodiment of the present invention, and for convenience of description, only a part related to the present invention is shown.
In step S101, an access request carrying packet data sent by a requesting terminal is received.
In the embodiment of the present invention, the requesting terminal may be a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a navigation device, etc., or a fixed terminal such as a digital TV, a desktop computer, etc.; it should be understood that the examples of the requesting terminal are only for convenience of understanding and are not intended to limit the present invention.
In the embodiment of the present invention, the message data refers to the information carriers used to exchange information in requests and responses between systems, which must also comply with a well-defined format.
In step S102, in response to the access request, it is determined whether the message data satisfies an interface matching condition.
In the embodiment of the invention, the system is preset with the screening condition of the interface, and the interface screening condition can be set as a web service interface; the interface screening condition may also be set as an http api interface, and it should be understood that the example of the interface matching condition is only for convenience of understanding and is not used to limit the present invention.
In the embodiment of the invention, after receiving the message data, the gateway splits the message data so as to obtain the interface data corresponding to the request, and if the interface data does not accord with the matching condition, the gateway automatically ignores the access request so as to shield the request with part of interfaces not matched, and the security is still kept when the network equipment is exposed.
In step S103, if the message data does not satisfy the interface matching condition, a matching failure signal is output to the request terminal.
In the embodiment of the invention, outputting the matching failure signal to the request terminal informs the request terminal that the access request was rejected because interface matching did not succeed, so that the request terminal can correct the request in time.
In step S104, if the packet data meets the interface matching condition, it is determined whether the packet data meets the verification condition.
In the embodiment of the present invention, the verification condition is used to verify whether the content data of the message data is maliciously tampered by a third party, and the verification condition may be a verification of information security based on a digital signature.
In step S105, if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule.
In the embodiment of the present invention, the preset routing rule refers to that a system database stores in advance a correspondence between a message data identifier and an internal service system, and when a data request needs to be made to the internal service system, a transmission object corresponding to the message data can be retrieved based on the correspondence.
In the embodiment of the invention, the business system refers to a system provided for front-line staff to use: an information system that specifically supports the business processing process and can provide powerful tool support for completing certain work. For example, an ERP system can be regarded as a typical business processing system, which, based on some functional modules, provides good support for relevant business links such as production and purchasing.
In step S106, if the verification data does not satisfy the verification condition, a verification failure signal is output to the requesting terminal.
In the embodiment of the invention, the verification failure signal is output to the request terminal to inform the request terminal that the access request is maliciously tampered by a third party, so that the access content has potential safety hazard, and the request terminal can take timely protective measures.
In the embodiment of the invention, a gateway protection method is provided, which receives an access request carrying message data sent by a request terminal; responding to the access request, and judging whether the message data meets an interface matching condition; if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal; if the message data meets the interface matching condition, judging whether the message data meets the verification condition; if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule; and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal. When the external request is received, the interface matching operation is carried out firstly, and the external request is received for subsequent processing only if the matching is successful, so that the request with part of interfaces not matched can be shielded, and the security is still kept when the network equipment is exposed; meanwhile, the verification of the message data ensures that the access request content cannot be tampered, and the information security of the data is ensured.
With continued reference to fig. 2, a flowchart for implementing step S102 in fig. 1 is shown, and for convenience of explanation, only the parts relevant to the present invention are shown.
In some optional implementations as the first embodiment, the step S102 specifically includes: step S201 and step S202.
In step S201, a splitting operation is performed on the message data to obtain access interface data.
In the embodiment of the invention, because the message data is written according to the specified format, the message data can be split and collected according to the data information corresponding to the interface module in the message data, so as to obtain the interface data information.
In the embodiment of the present invention, the interface data information refers to the form in which parameters are transmitted.
In step S202, a system database is read, and it is determined whether there is matching interface data corresponding to the requested interface data in the system database.
In the embodiment of the present invention, the system database refers to a relational database management system that stores interface information issued by the requesting terminal, so that the interface information issued by the requesting terminal is associated with the message data in the access request.
In the embodiment of the invention, when the gateway receives interface information that was not issued by the request terminal, the access request may be a brute-force attack on the gateway system.
In the embodiment of the present invention, the interface data may be defined as a Uniform Resource Locator (URL).
In the embodiment of the invention, after the gateway system receives the message data, it first performs a security verification operation on the interface data in the message request, judging whether the interface information issued by the external system corresponding to the message data was received before the message data itself; the external request is accepted for subsequent processing only if the matching succeeds, so requests whose interfaces do not match can be shielded and security is still maintained when the network equipment is exposed.
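The following is an added example, not code from the patent or from Swiftpass, showing steps S101 to S106 together with the splitting and matching of steps S201 and S202: the raw message is split into request line, headers and body; the URL path is treated as the interface data and matched against the set of registered interfaces before anything else is done; only matching requests reach the verification condition, and only verified requests are routed by a preset rule. The header names `X-Msg-Id` and `X-Sign`, the signal names, and the use of a keyed MAC with a shared key in place of the patent's digital signature are all assumptions of this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Set
from urllib.parse import urlsplit

# Signals returned to the requesting terminal (constant names are assumptions).
MATCH_FAILED = "MATCH_FAILED"    # step S103
VERIFY_FAILED = "VERIFY_FAILED"  # step S106
NO_ROUTE = "NO_ROUTE"            # not in the patent: no routing rule for the message


@dataclass
class Message:
    """The message data after splitting: request line, headers and body."""
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def split_message(raw: bytes) -> Message:
    """Step S201: split an HTTP/1.1 request message into its parts.

    The interface data of step S202 is taken to be the URL path of the request line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Message(method.upper(), urlsplit(target).path, headers, body)


@dataclass
class Gateway:
    # "System database" of interface URLs issued to requesting terminals (S202).
    registered_interfaces: Set[str]
    # Preset routing rule: message identifier -> internal service system (S105).
    routing_rules: Dict[str, str]
    # Verification condition of S104, injected so the pipeline stays generic.
    verify: Callable[[Message], bool]

    def handle(self, raw: bytes) -> str:
        """Return the signal sent back, or the name of the service system routed to."""
        msg = split_message(raw)
        # S102: interface matching runs first, so requests for unregistered
        # interfaces are rejected before any verification work is spent on them.
        if msg.path not in self.registered_interfaces:
            return MATCH_FAILED
        if not self.verify(msg):                       # S104 / S106
            return VERIFY_FAILED
        # S105: look up the service system by the message identifier header.
        return self.routing_rules.get(msg.headers.get("x-msg-id", ""), NO_ROUTE)


# Stand-in for the signature check of S104: a keyed MAC over the body with a
# key shared with the requesting terminal (the patent uses a digital signature).
SHARED_KEY = b"constructed-demo-key"


def mac_verify(msg: Message) -> bool:
    expected = hmac.new(SHARED_KEY, msg.body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.headers.get("x-sign", ""))


def build_request(path: str, body: bytes, sign: bool = True) -> bytes:
    """Construct a sample request message (test data, not captured traffic)."""
    lines = [f"POST {path} HTTP/1.1", "Host: gateway.example", "X-Msg-Id: order.create"]
    if sign:
        lines.append("X-Sign: " + hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest())
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


GATEWAY = Gateway(
    registered_interfaces={"/api/order/create"},
    routing_rules={"order.create": "erp-order-service"},
    verify=mac_verify,
)

if __name__ == "__main__":
    print(GATEWAY.handle(build_request("/api/order/create", b'{"id":1}')))              # erp-order-service
    print(GATEWAY.handle(build_request("/admin/debug", b'{"id":1}')))                   # MATCH_FAILED
    print(GATEWAY.handle(build_request("/api/order/create", b'{"id":1}', sign=False)))  # VERIFY_FAILED
```

Note the ordering: the allowlist check is the cheapest test and runs first, so an exposed gateway spends no cryptographic work on requests for interfaces it never issued; a request that was signed and then altered in transit fails at the second stage instead.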
With continued reference to fig. 3, a flowchart of one implementation of step S104 of fig. 1 is shown, and for ease of illustration, only the portions relevant to the present invention are shown.
In some optional implementations as the first embodiment of the present invention, in step S104, the method specifically includes: step S301, step S302, step S303, and step S304.
In step S301, a request method extraction operation is performed on the message data to obtain request method information.
In the embodiment of the invention, the message header of the message data is marked with the request method of the message data, and the marking position of the request method can be obtained through the standard format of the message data, so that the extraction operation of the request method is realized.
In the embodiment of the invention, the request method refers to the method parameter of the requested message, for example POST.
In step S302, it is determined whether the request method information is a POST request method.
In step S303, if the request method information is not the POST request method, a request method error signal is output to the request terminal.
In the embodiment of the invention, the request method error signal is sent to the request terminal, so that the request terminal is informed that the gateway does not process the message data except the POST request, and the user can access by using the POST request method instead.
In step S304, if the request method information is a POST request method, the step of determining whether the message data meets the verification condition is performed.
In the embodiment of the invention, standardizing the request method of the message data further restricts access requests that pose a security threat to the network equipment, so that the gateway still keeps better security when it is exposed.
With continued reference to fig. 4, another implementation flowchart of step S104 in fig. 1 is shown, and for convenience of illustration, only the parts relevant to the present invention are shown.
In some optional implementation manners of the first embodiment of the present invention, the step S104 specifically includes: step S401, step S402, step S403, and step S404.
In step S401, a request content extracting operation is performed on the message data to obtain request content information.
In the embodiment of the present invention, the information of the header position of the message data may be obtained, where the information of the header position is the request content information of the message data.
In step S402, it is determined whether the requested content information is a file upload request.
In step S403, if the requested content information is not a file upload request, the step of determining whether the message data meets a verification condition is performed.
In step S404, if the requested content information is a file upload request, a file type corresponding to the file upload request is obtained.
In step S405, it is determined, based on a regular expression, whether the file type conforms to the expected pattern.
In the embodiment of the present invention, a regular expression (English: Regular Expression, often abbreviated in code as regex, regexp or RE) is a concept of computer science, typically used to retrieve and replace text that conforms to a certain pattern (rule).
In step S406, if the file type does not conform, a type error signal is output to the requesting terminal.
In step S407, if the file type conforms, the step of determining whether the packet data meets a verification condition is performed.
In the embodiment of the invention, when the request content of the message data is a file upload request, the file upload type is restricted, so that the risk of the service system being attacked through the upload of a malicious file is effectively avoided and the protection capability of the gateway system is effectively improved.
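The request-method check of steps S301 to S304 and the file-upload type check of steps S401 to S407 are shown together in this added example, which is not code from the patent. A file upload request is recognised by a `multipart/form-data` content type, the file name is read from each part's `Content-Disposition` header, and the name is checked against a regular expression. The example goes one step further than the page: because the file name is chosen by the client, it also checks that the file content begins with the magic bytes of the claimed type. The allowed extensions, the magic-byte table and the signal names are assumptions of this example.

```python
import re
from typing import Dict, Iterator, Tuple

# Signals returned to the requesting terminal (constant names are assumptions).
METHOD_ERROR = "METHOD_ERROR"   # step S303
TYPE_ERROR = "TYPE_ERROR"       # step S406
PROCEED = "PROCEED"             # go on to the verification condition (S304 / S403 / S407)

# Regular expression of step S405 (hypothetical policy): a single path component
# with a safe character set and one of a few allowed extensions.
ALLOWED_FILE = re.compile(r"[A-Za-z0-9_\-]+\.(?:jpe?g|png|pdf)", re.IGNORECASE)

# Added content check: leading bytes each allowed type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

_BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)
_FILENAME = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def uploaded_files(content_type: str, body: bytes) -> Iterator[Tuple[str, bytes]]:
    """Step S404: yield (file name, content) for every file part of a multipart body."""
    m = _BOUNDARY.search(content_type)
    if not m:
        return
    delimiter = b"--" + m.group(1).encode()
    for part in body.split(delimiter)[1:]:
        head, _, content = part.partition(b"\r\n\r\n")
        fm = _FILENAME.search(head.decode("iso-8859-1"))
        if fm:
            yield fm.group(1), content


def check_request(method: str, headers: Dict[str, str], body: bytes) -> str:
    # S301 / S302 / S303: the gateway processes POST requests only.
    if method.upper() != "POST":
        return METHOD_ERROR
    # S401 / S402: the request content type is read from the header position.
    content_type = headers.get("content-type", "")
    if not content_type.lower().startswith("multipart/form-data"):
        return PROCEED                                 # S403
    # S404 / S405: check every uploaded file's name, then its leading bytes.
    for filename, content in uploaded_files(content_type, body):
        if not ALLOWED_FILE.fullmatch(filename):
            return TYPE_ERROR                          # S406
        ext = filename.rsplit(".", 1)[1].lower()
        if not content.startswith(MAGIC[ext]):         # name says one type, bytes say another
            return TYPE_ERROR
    return PROCEED                                     # S407


def build_upload(filename: str, content: bytes, boundary: str = "constructedboundary"):
    """Construct a sample multipart upload (test data, not captured traffic)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + content + f"\r\n--{boundary}--\r\n".encode()
    return {"content-type": f"multipart/form-data; boundary={boundary}"}, body


if __name__ == "__main__":
    print(check_request("GET", {}, b""))                                        # METHOD_ERROR
    print(check_request("POST", *build_upload("invoice.pdf", b"%PDF-1.4\n")))   # PROCEED
    print(check_request("POST", *build_upload("run.exe", b"MZ")))               # TYPE_ERROR
```

`fullmatch` rather than `search` is what makes the regular expression a whitelist: a name such as `../photo.png` or `photo.png.exe` fails even though it contains an allowed extension somewhere inside it.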
With continued reference to fig. 5, a flowchart of another implementation of step S104 in fig. 1 is shown, and for convenience of illustration, only the parts relevant to the present invention are shown.
In some optional implementation manners of the first embodiment of the present invention, the step S104 specifically includes: step S501, step S502, step S503, and step S504.
In step S501, a signature server is read, and a public signature key corresponding to the key identifier is acquired in the signature server.
In the embodiment of the invention, the signature server stores the key information of each system, and each key is marked by a unique key identifier.
In step S502, a request parameter extraction operation is performed on the message data to obtain request parameter information.
In the embodiment of the invention, the data table head of the message data stores parameter information, and the parameter information is used for performing signature operation through the key in the process of signature verification to obtain a signature to be verified.
In step S503, a signature generation operation is performed on the request parameter information based on the key value and the signature public key, and signature information to be verified is obtained.
In step S504, it is determined whether the original signature information is consistent with the signature information to be verified.
In the embodiment of the invention, the external system aims to access the internal business system; the signature server stores the signature private key of each system, and each signature private key corresponds to a certID. During communication, the certID is sent to the user's signature server to fetch the signature private key, so that outsiders cannot learn how the signature private key is looked up, which encryption algorithm is used, and similar information, which improves the security of the signature private key.
Furthermore, the signature server provides a management tool for maintaining the signature private key information; the signature private key can be generated, updated, invalidated, and so on through management and maintenance, and these timed or random operations improve the confidentiality of the signature private key. When a system needs to be accessed, the signature private key and the system identification must be registered, after which the certID is generated. Because only the certID is transmitted, the service system cannot be attacked by a signature private key leaked during transmission.
With continuing reference to fig. 6, a flowchart of an implementation of a response request processing method provided in the first embodiment of the present invention is shown, and for convenience of description, only the relevant portions of the present invention are shown.
In some optional implementations as the first embodiment, after the step S106, the method further includes: step S601, step S602, step S603, and step S604.
In step S601, response information carrying the key identifier and the response packet sent by the service system is received.
In step S602, a signature server is read, and a signature private key corresponding to the key identifier is acquired in the signature server.
In step S603, a signature operation is performed on the response packet according to the signature private key, and a response request is obtained.
In step S604, the response request is sent to the requesting terminal.
In the embodiment of the invention, after the service system processes the access request, it returns the signature private key identifier and the message to the gateway system; the gateway system extracts the signature private key identifier from the response message body, obtains the corresponding signature private key from the signature server by that key identifier, signs the response with it, and if signing succeeds sends the response message to the request terminal, thereby realizing the transmission of the service system's response to the accessing system.
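The signature verification of steps S501 to S504 and the response signing of steps S601 to S604 share the same key store, so this added example (not the patent's or Swiftpass's code) covers both. The signature server is a table from certID to key; a request carries only its certID, the key is fetched by that identifier, the request parameters are joined into a canonical string, and the recomputed signature is compared with the one received. The key-management operations of the description are represented by a rotate function. The patent describes an asymmetric scheme (private key signs, public key verifies); to run with the standard library alone this example substitutes HMAC-SHA256 with one key per certID, so the same key serves both signing and verification. The certID values, parameter names, canonical-string convention and key bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Signature server (constructed): certID -> key. Only the certID is ever sent on
# the wire; the key itself stays in this table.
SIGNATURE_SERVER: Dict[str, bytes] = {
    "cert-erp-001": b"constructed-key-for-erp",
    "cert-crm-002": b"constructed-key-for-crm",
}


def lookup_key(cert_id: str) -> Optional[bytes]:
    """Step S501 / S602: fetch the key by its identifier; None if unregistered."""
    return SIGNATURE_SERVER.get(cert_id)


def canonical_string(params: Dict[str, str]) -> str:
    """Step S502: join the request parameters in a fixed order so both sides
    sign identical bytes. Sorting by name and excluding 'sign' are conventions
    of this example."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")


def compute_signature(key: bytes, params: Dict[str, str]) -> str:
    """Step S503 (HMAC stand-in for the patent's signature generation)."""
    return hmac.new(key, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def verify_request(params: Dict[str, str]) -> bool:
    """Steps S501 to S504: an unknown certID or a mismatched signature fails closed."""
    key = lookup_key(params.get("certID", ""))
    if key is None:
        return False
    expected = compute_signature(key, params)
    return hmac.compare_digest(expected, params.get("sign", ""))   # S504


def sign_response(cert_id: str, response_body: str) -> Optional[Dict[str, str]]:
    """Steps S601 to S604: sign the service system's response with the key for its certID."""
    key = lookup_key(cert_id)
    if key is None:
        return None
    sig = hmac.new(key, response_body.encode(), hashlib.sha256).hexdigest()
    return {"certID": cert_id, "body": response_body, "sign": sig}


def verify_response(resp: Dict[str, str]) -> bool:
    """Receiving side of S604 (HMAC stand-in: the terminal holds the same key)."""
    key = lookup_key(resp.get("certID", ""))
    if key is None:
        return False
    expected = hmac.new(key, resp.get("body", "").encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp.get("sign", ""))


def rotate_key(cert_id: str) -> bytes:
    """Management tool: generate a fresh key for a certID. Signatures made
    under the old key stop verifying, which is the intended effect."""
    new_key = secrets.token_bytes(32)
    SIGNATURE_SERVER[cert_id] = new_key
    return new_key


def build_signed_request(cert_id: str, params: Dict[str, str]) -> Dict[str, str]:
    """What the requesting terminal sends: parameters, certID and signature."""
    signed = dict(params, certID=cert_id)
    signed["sign"] = compute_signature(SIGNATURE_SERVER[cert_id], signed)
    return signed


if __name__ == "__main__":
    req = build_signed_request("cert-erp-001", {"order": "A1", "amount": "100"})
    print(verify_request(req))                       # True
    print(verify_request(dict(req, amount="999")))   # False: parameter changed after signing
    print(verify_response(sign_response("cert-erp-001", '{"status":"ok"}')))  # True
```

The canonical string is the part most often got wrong in practice: if the two sides disagree on ordering, encoding or which fields are included, valid requests fail verification, and an implementation that "fixes" this by signing only some fields leaves the rest open to alteration.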
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the computer program is executed. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps need not be performed in the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed alternately or in turn with other steps or with at least a portion of the sub-steps or stages of other steps.
Example two
With further reference to fig. 7 as an implementation of the method shown in fig. 1, the present application provides a gateway protection apparatus, where an embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 1, and the apparatus may be applied to various electronic devices.
As shown in fig. 7, a gateway protection apparatus 100 according to a second embodiment of the present invention includes: a request receiving module 101, an interface matching module 102, a match failure module 103, a signature verification module 104, a verification success module 105, and a verification failure module 106. Wherein:
a request receiving module 101, configured to receive an access request carrying packet data sent by a request terminal;
the interface matching module 102 is configured to respond to the access request and determine whether the message data meets an interface matching condition;
a matching failure module 103, configured to output a matching failure signal to the request terminal if the packet data does not meet the interface matching condition;
a signature verification module 104, configured to determine whether the packet data meets a verification condition if the packet data meets an interface matching condition;
a verification success module 105, configured to send the access request to a service system according to a preset routing rule if the verification data meets the verification condition;
a verification failure module 106, configured to output a verification failure signal to the requesting terminal if the verification data does not satisfy the verification condition.
In the embodiment of the present invention, the requesting terminal may be a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a navigation device, etc., and a fixed terminal such as a digital TV, a desktop computer, etc., it should be understood that the examples of the requesting terminal are only for convenience of understanding and are not intended to limit the present invention.
In the embodiment of the present invention, the message data refers to information carriers that are used to exchange information when performing requests and responses between systems and also need to comply with a well-defined format.
In the embodiment of the invention, the system is preset with the screening condition of the interface, and the interface screening condition can be set as a web service interface; the interface screening condition may also be set as an http api interface, and it should be understood that the example of the interface matching condition is only for convenience of understanding and is not used to limit the present invention.
In the embodiment of the invention, after receiving the message data, the gateway splits the message data to obtain the interface data corresponding to the request. If the interface data does not meet the matching condition, the gateway automatically ignores the access request, so that requests for unmatched interfaces are shielded and security is maintained even when the network equipment is exposed.
In the embodiment of the invention, by outputting the matching failure signal to the request terminal, the request terminal is informed that the access request failed because the interface did not match, so that the request terminal can correct the request in time.
In the embodiment of the present invention, the verification condition is used to verify whether the content data of the message data is maliciously tampered by a third party, and the verification condition may be a verification of information security based on a digital signature.
In the embodiment of the present invention, the preset routing rule refers to that a system database stores in advance a correspondence between a message data identifier and an internal service system, and when a data request needs to be made to the internal service system, a transmission object corresponding to the message data can be retrieved based on the correspondence.
In the embodiment of the invention, the business system refers to a system provided for basic personnel to use, is an information system for pertinently supporting the business processing process, and can provide powerful tool support for completing certain work. For example, an ERP system can be regarded as a typical business processing system, which can provide good support for relevant business links such as production, purchase and the like based on some functional modules.
In the embodiment of the invention, the verification failure signal is output to the request terminal to inform the request terminal that the access request is maliciously tampered by a third party, so that the access content has potential safety hazard, and the request terminal can take timely protective measures.
In an embodiment of the present invention, a gateway protection device is provided, including: the request receiving module is used for receiving an access request which is sent by a request terminal and carries message data; the interface matching module is used for responding to the access request and judging whether the message data meets interface matching conditions; the matching failure module is used for outputting a matching failure signal to the request terminal if the message data does not meet the interface matching condition; the signature verification module is used for judging whether the message data meets the verification condition or not if the message data meets the interface matching condition; the verification success module is used for sending the access request to a service system according to a preset routing rule if the verification data meets the verification condition; and the verification failure module is used for outputting a verification failure signal to the request terminal if the verification data does not meet the verification condition. When the external request is received, the interface matching operation is carried out firstly, and the external request is received for subsequent processing only if the matching is successful, so that the request with part of interfaces not matched can be shielded, and the security is still kept when the network equipment is exposed; meanwhile, the verification of the message data ensures that the access request content cannot be tampered, and the information security of the data is ensured.
In some optional implementations of the second embodiment of the present invention, as shown in fig. 8, the interface matching module 102 includes: an interface obtaining sub-module 1021 and an interface matching sub-module 1022. Wherein:
an interface obtaining sub-module 1021, configured to split the message data and obtain access interface data;
an interface matching sub-module 1022, configured to read a system database and determine whether the system database contains matching interface data corresponding to the requested interface data.
In the embodiment of the invention, because the message data is written according to a specified format, the part of the message data corresponding to the interface can be split off and collected, so as to obtain the interface data information.
In the embodiment of the present invention, the interface data information refers to a mode of transmitting parameters.
In the embodiment of the present invention, the system database refers to a relational database management system that stores interface information issued by the requesting terminal, so that the interface information issued by the requesting terminal is associated with the message data in the access request.
In the embodiment of the invention, when the gateway receives interface information that was not issued by the request terminal, the access request may be a brute-force attack on the gateway system.
In the embodiment of the present invention, the interface data may be defined as a Uniform Resource Locator (URL).
In the embodiment of the invention, after the gateway system receives the message data, it first performs a security verification operation on the interface data in the message request, judging whether interface information issued by the external system corresponding to the message data was received before the message data arrived; the external request is accepted for subsequent processing only if the match is successful, so that requests for unmatched interfaces are shielded and security is maintained even when the network equipment is exposed.
In some optional implementation manners of the second embodiment of the present invention, the gateway protection device further includes: a request method extraction sub-module, a request method judgment sub-module, a request method error sub-module and a request method correct sub-module. Wherein:
the request method extraction submodule is used for performing a request method extraction operation on the message data to acquire request method information;
the request method judgment submodule is used for judging whether the request method information is a POST request method;
the request method error submodule is used for outputting a request method error signal to the request terminal if the request method information is not a POST request method; and
the request method correct submodule is used for executing the step of judging whether the message data meets the verification condition if the request method information is a POST request method.
In some optional implementation manners of the second embodiment of the present invention, the gateway protection device further includes:
the request content extraction submodule is used for performing a request content extraction operation on the message data to acquire request content information;
the request content judgment submodule is used for judging whether the request content information is a file upload request;
the verification condition judgment submodule is used for executing the step of judging whether the message data meets the verification condition if the request content information is not a file upload request;
the file type obtaining submodule is used for obtaining the file type corresponding to the file upload request if the request content information is a file upload request;
the file type judging submodule is used for judging whether the file type is standard based on the regular expression;
the type error submodule is used for outputting a type error signal to the request terminal if the file type is not standard; and
the type correct submodule is used for executing the step of judging whether the message data meets the verification condition if the file type is standard.
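The screening chain set out in the preceding submodules (splitting the message data to obtain the interface URL, matching it against the system database of issued interfaces, requiring a POST request method, and checking the upload file type against a regular expression), followed by the preset routing rule of the description, as an added Go example. This is not code from the application or from the assignee; the registered interface paths, the routing table, the message identifiers and the file-type expression are constructed assumptions, and the names Gateway, Screen and Route are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Request is a constructed stand-in for the message data carried by an access
// request: the request method, the requested interface (a URL, as the
// description permits), the body content type, the name of an uploaded file
// if any, and the message data identifier used by the preset routing rule.
type Request struct {
	Method      string
	URL         string
	ContentType string
	Filename    string
	MsgID       string
}

// Verdict is the signal the gateway returns for the screening stage.
type Verdict string

const (
	MatchFailure Verdict = "matching failure signal"
	MethodError  Verdict = "request method error signal"
	TypeError    Verdict = "type error signal"
	Accepted     Verdict = "proceed to verification condition"
)

// Gateway holds the preset tables named in the description; their contents
// are constructed for this example (assumption).
type Gateway struct {
	registeredInterfaces map[string]bool   // system database of issued interface data (URL paths)
	routes               map[string]string // preset routing rule: message identifier -> service system
	uploadType           *regexp.Regexp    // defines a "standard" upload file type
}

// NewGateway fills the tables with constructed sample entries.
func NewGateway() *Gateway {
	return &Gateway{
		registeredInterfaces: map[string]bool{"/pay/unified": true, "/pay/query": true},
		routes:               map[string]string{"pay": "payment-service", "query": "order-service"},
		// Assumption: only simple image file names count as a standard type here.
		uploadType: regexp.MustCompile(`^[A-Za-z0-9_-]+\.(jpg|jpeg|png)$`),
	}
}

// interfacePath splits the message data to obtain the access interface data,
// here the path component of the request URL.
func interfacePath(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Path == "" {
		return "", false
	}
	return u.Path, true
}

// Screen applies, in order, the checks the description places before the
// verification condition: interface matching, POST-only request method, and
// the regular-expression check of the upload file type.
func (g *Gateway) Screen(r Request) Verdict {
	path, ok := interfacePath(r.URL)
	if !ok || !g.registeredInterfaces[path] {
		return MatchFailure // interface was never issued: shield the request
	}
	if r.Method != "POST" {
		return MethodError
	}
	if strings.HasPrefix(r.ContentType, "multipart/form-data") && !g.uploadType.MatchString(r.Filename) {
		return TypeError
	}
	return Accepted
}

// Route applies the preset routing rule; ok is false when no service system
// corresponds to the message data identifier.
func (g *Gateway) Route(r Request) (service string, ok bool) {
	service, ok = g.routes[r.MsgID]
	return service, ok
}

func main() {
	g := NewGateway()
	samples := []Request{ // constructed sample requests
		{Method: "POST", URL: "https://gateway.example/pay/unified", ContentType: "application/json", MsgID: "pay"},
		{Method: "GET", URL: "https://gateway.example/pay/query", MsgID: "query"},
		{Method: "POST", URL: "https://gateway.example/orders/export", ContentType: "application/json"},
		{Method: "POST", URL: "https://gateway.example/pay/unified", ContentType: "multipart/form-data; boundary=abc", Filename: "receipt.pdf"},
	}
	for _, s := range samples {
		svc, _ := g.Route(s)
		fmt.Printf("%-4s %-45s -> %s (route: %q)\n", s.Method, s.URL, g.Screen(s), svc)
	}
}
```

The checks run in the order the description gives them, so a request to an interface that was never issued is rejected before its method or body is examined, and only a request that passes all three reaches the verification condition and the routing lookup.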
In some optional implementations of the second embodiment of the present invention, the verification judging module includes: a public key obtaining submodule, a parameter obtaining submodule, a signature-to-be-verified generating submodule and a signature-to-be-verified judging submodule. Wherein:
the public key obtaining submodule is used for reading the signature server and acquiring the signature public key corresponding to the key identification in the signature server;
the parameter obtaining submodule is used for performing a request parameter extraction operation on the message data to acquire request parameter information;
the signature-to-be-verified generating submodule is used for performing a signature generation operation on the request parameter information based on the key-value pairs and the signature public key to acquire the signature information to be verified; and
the signature-to-be-verified judging submodule is used for judging whether the original signature information is consistent with the signature information to be verified.
In some optional implementations of the second embodiment of the present invention, the gateway protection apparatus 100 further includes: a response information receiving submodule, a key obtaining submodule, a response request obtaining submodule and a response request sending submodule. Wherein:
the response information receiving submodule is used for receiving the response information sent by the service system, which carries the key identification and the response message;
the key obtaining submodule is used for reading the signature server and acquiring the signature private key corresponding to the key identification in the signature server;
the response request obtaining submodule is used for performing a signature operation on the response message according to the signature private key to acquire a response request; and
the response request sending submodule is used for sending the response request to the request terminal.
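The verification condition and the response signing path described in the last two groups of submodules, as an added Go example (not code from the application or the assignee). The signature server is modelled as an in-memory table of P-256 key pairs keyed by certID; because a public key cannot generate a signature, the comparison of the original signature with a regenerated one is carried out here as an ECDSA verification over the canonicalised request parameters, which is an assumption about the scheme. The sorted key=value canonical form, the sample parameters and the names SignatureServer, Canonical, VerifyRequest and SignResponse are also assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// SignatureServer stands in for the signature server of the description: one
// signature private key per key identification (certID), with the matching
// public key handed out for verification. Constructed for this example.
type SignatureServer struct {
	keys map[string]*ecdsa.PrivateKey
}

// NewSignatureServer generates a fresh P-256 key pair for each certID.
func NewSignatureServer(certIDs ...string) (*SignatureServer, error) {
	s := &SignatureServer{keys: map[string]*ecdsa.PrivateKey{}}
	for _, id := range certIDs {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		s.keys[id] = k
	}
	return s, nil
}

// PrivateKey returns the signature private key for a certID (signing path).
func (s *SignatureServer) PrivateKey(certID string) (*ecdsa.PrivateKey, bool) {
	k, ok := s.keys[certID]
	return k, ok
}

// PublicKey returns the signature public key for a certID (verification path).
func (s *SignatureServer) PublicKey(certID string) (*ecdsa.PublicKey, bool) {
	k, ok := s.keys[certID]
	if !ok {
		return nil, false
	}
	return &k.PublicKey, true
}

// Canonical builds the signed string from the request parameters as key=value
// pairs joined by '&' in sorted key order, so sender and gateway derive the same
// input regardless of parameter order (assumed canonical form).
func Canonical(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+params[k])
	}
	return strings.Join(parts, "&")
}

func digest(msg string) []byte {
	h := sha256.Sum256([]byte(msg))
	return h[:]
}

// Sign produces the original signature a request terminal attaches to its
// message data (and the gateway attaches to a response).
func Sign(priv *ecdsa.PrivateKey, msg string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(msg))
}

// VerifyMessage looks up the public key by certID and checks sig over msg.
// An unknown certID is a verification failure, not an error.
func VerifyMessage(s *SignatureServer, certID, msg string, sig []byte) bool {
	pub, ok := s.PublicKey(certID)
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(msg), sig)
}

// VerifyRequest is the verification condition for an access request: the
// request parameters are canonicalised and checked against the original
// signature information carried together with the key identification.
func VerifyRequest(s *SignatureServer, certID string, params map[string]string, origSig []byte) bool {
	return VerifyMessage(s, certID, Canonical(params), origSig)
}

// SignResponse is the response path: the service system returns a certID and a
// response message; the gateway fetches the private key by certID and signs.
func SignResponse(s *SignatureServer, certID, respMsg string) ([]byte, error) {
	priv, ok := s.PrivateKey(certID)
	if !ok {
		return nil, fmt.Errorf("no signature private key for certID %q", certID)
	}
	return Sign(priv, respMsg)
}

func main() {
	s, err := NewSignatureServer("merchant-001", "gateway")
	if err != nil {
		panic(err)
	}
	params := map[string]string{"mch_id": "m1", "out_trade_no": "T0001", "amount": "100"} // constructed
	priv, _ := s.PrivateKey("merchant-001")
	sig, _ := Sign(priv, Canonical(params))
	fmt.Println("request verified:", VerifyRequest(s, "merchant-001", params, sig))
	params["amount"] = "1" // content altered in transit
	fmt.Println("altered verified:", VerifyRequest(s, "merchant-001", params, sig))
	resp, _ := SignResponse(s, "gateway", `{"result":"ok"}`)
	fmt.Println("response verified:", VerifyMessage(s, "gateway", `{"result":"ok"}`, resp))
}
```

Only the certID travels in the message, so the request terminal never needs to know how the gateway locates or stores the key material; changing any parameter after signing, or presenting a certID the signature server does not hold, makes the verification condition fail.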
In summary, the present application provides a gateway protection method, which receives an access request carrying message data sent by a request terminal; responding to the access request, and judging whether the message data meets an interface matching condition; if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal; if the message data meets the interface matching condition, judging whether the message data meets the verification condition; if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule; and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal. When the external request is received, the interface matching operation is carried out firstly, and the external request is received for subsequent processing only if the matching is successful, so that the request with part of interfaces not matched can be shielded, and the security is still kept when the network equipment is exposed; meanwhile, the verification of the message data ensures that the access request content cannot be tampered, and the information security of the data is ensured. 
Meanwhile, after receiving the message data, the gateway system first performs a security verification operation on the interface data in the message request, judging whether the interface information issued by the external system corresponding to the message data was received before the message data arrived, and accepts the external request for subsequent processing only if the match is successful, so that requests for unmatched interfaces are shielded and security is maintained even when the network equipment is exposed. By standardizing the request method of the message data, the access requests that can pose a security threat to the network equipment are further limited, so that the gateway keeps better security while exposed. When the request content of the message data is a file upload request, the permitted upload file type is specified, which effectively avoids the risk of the service system being attacked through the upload of malicious files and improves the protection capability of the gateway system. The external system aims at accessing the internal business system; the signature server stores the signature private key of each system, and each signature private key corresponds to a certID.
In the communication process, the certID is sent to the signature server to obtain the corresponding signature private key, so that the outside cannot learn how the signature private key is looked up, which encryption algorithm is used, or similar information, which improves the security of the signature private key. After the service system has processed the access request, it returns the key identification and the response message to the gateway system; the gateway system extracts the key identification from the response message body, obtains the corresponding signature private key from the signature server by the key identification, and signs the response message with it. If signing succeeds, the response message is sent to the request terminal, thereby realizing the transmission of the service system's response to the request terminal.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 9, fig. 9 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 9 comprises a memory 91, a processor 92 and a network interface 93 communicatively connected to each other via a system bus. It is noted that only a computer device 9 having components 91-93 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 91 includes at least one type of readable storage medium, including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 91 may be an internal storage unit of the computer device 9, such as a hard disk or a memory of the computer device 9. In other embodiments, the memory 91 may also be an external storage device of the computer device 9, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a flash Card (FlashCard), and the like, provided on the computer device 9. Of course, the memory 91 may also comprise both an internal memory unit and an external memory device of the computer device 9. In this embodiment, the memory 91 is generally used for storing an operating system installed in the computer device 9 and various types of application software, such as program codes of the X method. Further, the memory 91 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 92 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 92 is typically used to control the overall operation of the computer device 9. In this embodiment, the processor 92 is configured to execute the program code stored in the memory 91 or process data, for example, execute the program code of the X method.
The network interface 93 may comprise a wireless network interface or a wired network interface, and the network interface 93 is generally used for establishing communication connection between the computer device 9 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium storing an X program, which is executable by at least one processor to cause the at least one processor to perform the steps of the X method as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Claims (10)

1. A method for gateway protection, comprising:
receiving an access request carrying message data sent by a request terminal;
responding to the access request, and judging whether the message data meets an interface matching condition;
if the message data does not meet the interface matching condition, outputting a matching failure signal to the request terminal;
if the message data meets the interface matching condition, judging whether the message data meets the verification condition;
if the verification data meets the verification condition, the access request is sent to a service system according to a preset routing rule;
and if the verification data does not meet the verification condition, outputting a verification failure signal to the request terminal.
2. The gateway protection method according to claim 1, wherein the step of determining whether the packet data satisfies an interface matching condition specifically includes:
splitting the message data to obtain access interface data;
and reading a system database, and judging whether the system database has matched interface data corresponding to the requested interface data.
3. The gateway protection method according to claim 1, wherein before the step of determining whether the packet data satisfies the verification condition, the method further comprises:
performing request method extraction operation on the message data to acquire request method information;
judging whether the request method information is a POST request method;
if the request method information is not a POST request method, outputting a request method error signal to the request terminal;
and if the request method information is a POST request method, executing the step of judging whether the message data meets the verification condition.
4. The gateway protection method according to claim 1, wherein before the step of determining whether the packet data satisfies the verification condition, the method further comprises:
performing request content extraction operation on the message data to acquire request content information;
judging whether the request content information is a file uploading request or not;
if the request content information is not a file uploading request, executing the step of judging whether the message data meets the verification condition;
if the request content information is a file uploading request, acquiring a file type corresponding to the file uploading request;
judging whether the file type is standard or not based on the regular expression;
if the file type is not standard, outputting a type error signal to the request terminal;
and if the file type is standard, executing the step of judging whether the message data meets the verification condition.
5. The gateway protection method according to claim 1, wherein the packet data carries key identification information and original signature information, and the step of determining whether the packet data satisfies a verification condition specifically includes:
reading a signature server, and acquiring a signature public key corresponding to the key identification in the signature server;
performing request parameter extraction operation on the message data to acquire request parameter information;
performing a signature generation operation on the request parameter information based on the key-value pairs and the signature public key to obtain signature information to be verified;
and judging whether the original signature information is consistent with the signature information to be verified.
6. The gateway protection method of claim 1, wherein after the step of sending the access request to the service system according to the preset routing rule, the method further comprises:
receiving response information which is sent by the service system and carries a key identification and a response message;
reading a signature server, and acquiring a signature private key corresponding to the key identification in the signature server;
performing signature operation on the response message according to the signature private key to obtain a response request;
and sending the response request to the request terminal.
7. A gateway protection device, comprising:
the request receiving module is used for receiving an access request which is sent by a request terminal and carries message data;
the interface matching module is used for responding to the access request and judging whether the message data meets interface matching conditions;
the matching failure module is used for outputting a matching failure signal to the request terminal if the message data does not meet the interface matching condition;
the verification judging module is used for judging whether the message data meets the verification condition or not if the message data meets the interface matching condition;
the verification success module is used for sending the access request to a service system according to a preset routing rule if the verification data meets the verification condition;
and the verification failure module is used for outputting a verification failure signal to the request terminal if the verification data does not meet the verification condition.
8. The gateway protection apparatus of claim 7, wherein the interface matching module comprises:
the interface obtaining submodule is used for splitting the message data to acquire access interface data;
and the interface matching submodule is used for reading a system database and judging whether the system database has matching interface data corresponding to the requested interface data.
9. A computer device comprising a memory in which a computer program is stored and a processor which, when executing the computer program, implements the steps of the gateway protection method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the gateway protection method according to any one of claims 1 to 6.
CN201911097488.3A 2019-11-12 2019-11-12 Gateway protection method, device, computer equipment and storage medium Pending CN110995658A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911097488.3A CN110995658A (en) 2019-11-12 2019-11-12 Gateway protection method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911097488.3A CN110995658A (en) 2019-11-12 2019-11-12 Gateway protection method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110995658A true CN110995658A (en) 2020-04-10

Family

ID=70083780

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911097488.3A Pending CN110995658A (en) 2019-11-12 2019-11-12 Gateway protection method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110995658A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112148508A (en) * 2020-09-30 2020-12-29 深圳市晨北科技有限公司 Information processing method and related device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6557105B1 (en) * 1999-04-14 2003-04-29 Tut Systems, Inc. Apparatus and method for cryptographic-based license management
CN102760155A (en) * 2012-05-30 2012-10-31 中兴通讯股份有限公司 Database-based transaction control method and device
US8775559B1 (en) * 2012-01-11 2014-07-08 Amazon Technologies, Inc. Generating network pages using customer-supplied generation code
CN107315754A (en) * 2016-04-27 2017-11-03 上海易飞信息技术有限公司 A kind of implementation method of general-purpose web service interfaces
CN109150805A (en) * 2017-06-19 2019-01-04 亿阳安全技术有限公司 The method for managing security and system of application programming interface
CN109450649A (en) * 2018-12-28 2019-03-08 北京金山安全软件有限公司 Gateway verification method and device based on application program interface and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200410