CN113965395A - Method, system and device for safely accessing intranet in real time - Google Patents


Info

Publication number
CN113965395A
Authority
CN
China
Prior art keywords
file
transmitted
external network
client
information
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN202111259983.7A
Other languages
Chinese (zh)
Other versions
CN113965395B
Inventor
冀博
周建伟
穆帅
叶晓虎
樊志甲
Current Assignee (as listed by Google Patents; may be inaccurate)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion)
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd
Priority to CN202111259983.7A
Publication of CN113965395A
Application granted
Publication of CN113965395B
Legal status: Active

Classifications

    • H04L: Transmission of digital information, e.g. telegraphic communication (Section H, Electricity; Class H04, Electric communication technique)
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/08: Network architectures or protocols for authentication of entities
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method, a system and a device for securely accessing an intranet in real time, which address the technical problem that, in the prior art, file synchronization across the two sides of a gatekeeper cannot be completed both securely and in real time. The method for securely accessing the intranet comprises the following steps: receiving a file to be transmitted and an access request sent by an extranet client of a low security domain through the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP), where the access request comprises identity information of the extranet client and related information about the file to be transmitted, and the file to be transmitted is stored in an extranet unit of the gatekeeper system; verifying whether the identity information and the related information are legal, to obtain a verification result; and determining, according to the verification result, whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system so that it can be uploaded to a file server of the high security domain.

Description

Method, system and device for safely accessing intranet in real time
Technical Field
The invention relates to the technical field of data exchange, in particular to a method, a system and a device for safely accessing an intranet in real time.
Background
With the development of informatization, for safety reasons, networks in many important fields are physically isolated and built to ensure the network safety in the core field.
"Physical isolation" means that networks of different security levels have no direct physical connection at any time; each network is an isolated information island, so the information security of each network can be guaranteed. However, information then cannot be transmitted between the different networks, which makes data exchange inconvenient.
In the prior art, a gatekeeper is usually deployed between networks of different security levels. The gatekeeper uses a solid-state switch read-write medium with multiple control functions, so that no physical connection, logical connection or communication protocol exists between the systems; there is no protocol-based information exchange, only protocol-free ferrying of data in the form of files. Data transmission between networks of different security levels additionally requires a file server on each side: a file request from the low security domain temporarily stores the file on the file server of the low security domain, and the gatekeeper synchronizes the contents of the low-security-domain file servers to the high-security-domain file servers in batches at fixed intervals. Because this method relies on scheduled synchronization by the gatekeeper, its real-time performance is poor; it also does not verify the visitor itself, so security risks remain.
In view of this, how to ensure that the two sides of the gatekeeper can complete the file synchronization safely and in real time becomes a technical problem to be solved urgently.
Disclosure of Invention
The invention provides a method, a system and a device for securely accessing an intranet in real time, which address the technical problem that, in the prior art, file synchronization across the two sides of a gatekeeper cannot be completed both securely and in real time.
The invention provides a method for safely accessing an intranet in real time in a first aspect, which comprises the following steps:
receiving a file to be transmitted and an access request sent by an extranet client of a low security domain through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP); the access request comprises identity information of the external network client and related information related to the file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system;
verifying whether the identity information and the related information are legal or not to obtain a verification result;
and determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result so as to upload the file to a file server of a high security domain.
Optionally, before receiving the file to be transmitted and the access request sent by the extranet client of the low security domain through the file transfer protocol FTP and the hypertext transfer protocol HTTP, the method further includes:
and the user verifies whether the file server of the high security domain can accept the external access, and registers the file server which can accept the external access in the high security domain into the gatekeeper system according to the verification result.
Optionally, verifying whether the identity information and the related information are legal to obtain a verification result, including:
verifying whether the external network client is a legal user registered in the gatekeeper system or not according to the identity information of the external network client included in the access request;
when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises the resource name of a file server accessed by the external network client, the file name of the file to be transmitted and the verification information of the file to be transmitted;
when the external network client is a registered legal user and the external network client can obtain the service of the file server according to the relevant information, determining that the verification result is legal access;
when the external network client is a registered legal user and the external network client is verified to be incapable of obtaining the service of the file server according to the related information, determining that the verification result is illegal access;
and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
Optionally, verifying whether the extranet client can obtain the service of the file server according to the relevant information includes:
verifying whether the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system and whether the file server can provide service for the external network client or not in the related information;
when the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system and the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information;
when the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system, the file server can provide service for the external network client, and the file to be transmitted is complete, the relevant information related to the file to be transmitted in the access request is determined to pass verification;
and when the resource name of the file server that the external network client needs to access is illegal, and/or the file server cannot provide service to the external network client, and/or the file to be transmitted is incomplete, determining that the related information about the file to be transmitted in the access request fails verification.
Optionally, verifying the integrity of the file to be transmitted according to the file name and the verification information of the file to be transmitted in the related information includes:
acquiring first verification information of a file to be transmitted from the external network unit according to the file name of the file to be transmitted;
verifying whether the first verification information is consistent with second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
Optionally, determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result includes:
when the verification result is illegal access, giving up ferrying the file to be transmitted to the intranet unit of the gatekeeper system, and sending error information to the extranet client;
and when the verification result is legal access, ferrying the file to be transmitted to an intranet unit of the gatekeeper system.
Optionally, sending error information to the extranet client includes:
when the external network client is an unregistered illegal user, the error information is that the user is unregistered;
when the resource name of the file server which needs to be accessed by the external network client is illegal and/or the external network client does not have the access right, the error information indicates that the user does not have the access right;
and when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
In a second aspect, an embodiment of the present application provides a gatekeeper system, including:
the external network unit is used for receiving an access request and a file to be transmitted sent by an external network client of the low security network domain, verifying the security of the file to be transmitted, and sending the file to be transmitted that passes the security verification to a dedicated isolation exchange unit;
the dedicated isolation exchange unit is configured to execute the method according to the first aspect, so as to receive the file to be transmitted sent by the external network unit while keeping the internal network unit and the external network unit isolated, and to ferry the file to be transmitted that passes the security verification to the internal network unit;
the intranet unit is used for receiving the file to be transmitted ferried by the dedicated isolation exchange unit and forwarding it to a file server in the high security network domain; the external network unit, the dedicated isolation exchange unit and the internal network unit are located in different networks that are isolated from each other.
In a third aspect, an embodiment of the present application provides a system for securely accessing an intranet in real time, including:
the low security domain client sends the file to be transmitted to a gatekeeper system using the File Transfer Protocol (FTP), and sends the access request to the gatekeeper system in an extension header field of the Hypertext Transfer Protocol (HTTP);
the gatekeeper system is configured to receive the to-be-transmitted file and the access request sent by the low-security domain client, and execute the method according to the first aspect, so as to ferry the to-be-transmitted file that passes security authentication to a high-security domain file server according to the access request while ensuring that a low-security domain and a high-security domain are isolated;
the high security domain file server is used for receiving the file to be transmitted from the gatekeeper system and providing a service corresponding to the access request to the low security domain client; wherein the low security domain client and the high security domain file server are located in different networks that are isolated from each other.
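The exchange described in the third aspect, as an added example that is not part of the patent or of any NSFOCUS product: the client uploads the file bytes over FTP (not shown; the bytes are simply held in memory here) and sends the access request in HTTP extension header fields, and the gatekeeper's extranet unit parses those fields before the verification step. The header names (X-Gatekeeper-*), the /access path, the file name without a space and the sample file contents are assumptions; the page names none of them. The parser refuses missing, duplicated or malformed fields rather than guessing, because the file name it extracts is later used to look up the FTP-staged file, and a duplicated or path-like value there is exactly what an untrusted extranet client would try.

```python
"""Access request carried in HTTP extension header fields (third aspect).

Client side builds the raw request; gatekeeper side parses and validates it.
Header names, the request path and the sample file are assumptions, not from the patent.
"""
import hashlib
import re

# Assumed header names: one extension header per field of the access request.
FIELD_TO_HEADER = {
    "username": "X-Gatekeeper-User",        # identity information of the extranet client
    "filename": "X-Gatekeeper-File",        # file name of the file to be transmitted
    "digest": "X-Gatekeeper-SHA256",        # verification information of the file to be transmitted
    "resource": "X-Gatekeeper-Resource",    # resource name of a registered file server, e.g. RES1
    "operation": "X-Gatekeeper-Operation",  # operation type
}
HEADER_TO_FIELD = {h.lower(): f for f, h in FIELD_TO_HEADER.items()}
HEX64 = re.compile(r"^[0-9a-f]{64}$")           # lowercase hex SHA-256 digest
TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")  # no '/', no whitespace, bounded length
ALLOWED_OPERATIONS = {"upload"}                  # the only operation type the page describes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_access_request(username, filename, file_bytes, resource, operation="upload"):
    """Client side: returns the raw HTTP request bytes carrying the access request.
    The digest is computed over the same bytes the client uploads over FTP."""
    fields = {
        "username": username,
        "filename": filename,
        "digest": sha256_hex(file_bytes),
        "resource": resource,
        "operation": operation,
    }
    lines = ["POST /access HTTP/1.1", "Host: gatekeeper"]
    lines += [f"{FIELD_TO_HEADER[f]}: {fields[f]}" for f in FIELD_TO_HEADER]
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_access_request(raw):
    """Gatekeeper side: extract the access request from the raw HTTP request bytes.
    Raises ValueError when a field is missing, duplicated or malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method = request_line.split(" ")[0]
    if method != "POST":
        raise ValueError(f"unexpected method {method!r}")
    fields = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        field = HEADER_TO_FIELD.get(name.strip().lower())
        if field is None:
            continue  # ordinary HTTP headers are not part of the access request
        if field in fields:
            raise ValueError(f"duplicate header for {field}")  # ambiguous request is refused
        fields[field] = value.strip()
    missing = [f for f in FIELD_TO_HEADER if f not in fields]
    if missing:
        raise ValueError(f"missing access-request fields: {missing}")
    if not HEX64.match(fields["digest"]):
        raise ValueError("verification information is not a SHA-256 hex digest")
    for f in ("username", "filename", "resource"):
        if not TOKEN.match(fields[f]) or fields[f] in (".", ".."):
            raise ValueError(f"invalid {f}: {fields[f]!r}")
    if fields["operation"] not in ALLOWED_OPERATIONS:
        raise ValueError(f"unsupported operation {fields['operation']!r}")
    return fields


def access_request_or_none(raw):
    """Convenience wrapper: parsed fields, or None when the request is rejected."""
    try:
        return parse_access_request(raw)
    except ValueError:
        return None


# Constructed sample (not from the page): bytes the client would upload over FTP.
SAMPLE_FILE = b"constructed sample contents of file4\n"


def round_trip():
    """Client builds the request for file4 -> RES2; gatekeeper parses it back."""
    return parse_access_request(build_access_request("549", "file4", SAMPLE_FILE, "RES2"))


if __name__ == "__main__":
    print(round_trip())
```

The parsed fields are what the verification step consumes; the digest in the request is the "second verification information" of the description, and the FTP-staged bytes named by the file name are the source of the "first verification information".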
In a fourth aspect, an embodiment of the present application provides an apparatus for securely accessing an intranet, including:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of the first aspect by executing the instructions stored by the memory.
The technical solution in the embodiments of the invention has the following beneficial effects. When an intranet needs to be accessed securely, a file to be transmitted and an access request sent by an extranet client of the low security domain through the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) are received; the access request comprises identity information of the extranet client and related information about the file to be transmitted, and the file to be transmitted is stored in an extranet unit of the gatekeeper system; whether the identity information and the related information are legal is verified to obtain a verification result; and whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system, so that it can be uploaded to a file server of the high security domain, is determined according to the verification result. Thus the identity of the visitor is verified, a legal user can reach only the file server it is authorized for, verifying the related information of the file to be transmitted ensures that the uploaded content matches the content declared in the access request so that a file altered after upload is detected, and files are synchronized securely and in real time between network domains of different security levels.
Drawings
Fig. 1 is a flowchart of a method for securely accessing an intranet in real time according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a system for securely accessing an intranet in real time according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a high security domain file server registering to a gatekeeper system according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a correspondence relationship between identity information and related information of an external network client verified by a gatekeeper system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a gatekeeper system according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another gatekeeper system according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another gatekeeper system according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a system for securely accessing an intranet in real time according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.
In the prior art, in order to complete data exchange between two networks of different security levels, a file server is generally deployed on each side: a file request from the low security domain temporarily stores the file on the file server of the low security domain, and a gatekeeper synchronizes the contents of the low-security-domain file servers to the file servers of the high security domain in batches at fixed intervals. However, this exchange method has poor real-time performance, the identity of the visitor cannot be verified securely, and the file sent by the visitor cannot be verified, so certain security risks exist.
Therefore, the invention provides a method, a system and a device for securely accessing an intranet in real time, which address the technical problem that file synchronization across the two sides of a gatekeeper cannot be completed both securely and in real time in the prior art.
The technical scheme provided by the embodiment of the application is described in the following with the accompanying drawings of the specification.
Referring to fig. 1, the present invention provides a method for securely accessing an intranet in real time, which specifically includes the following steps:
S101, receiving a file to be transmitted and an access request sent by an extranet client of the low security domain through the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP); the access request comprises identity information of the extranet client and related information about the file to be transmitted, and the file to be transmitted is stored in an extranet unit of the gatekeeper system;
s102, verifying whether the identity information and the related information are legal or not to obtain a verification result;
s103, determining whether the file to be transmitted is ferried to an intranet unit of the gatekeeper system or not according to the verification result so as to be uploaded to a file server of a high security domain.
For example, referring to fig. 2, which is a schematic structural diagram of a system for securely accessing an intranet in real time according to an embodiment of the invention, fig. 2 includes extranet clients 201 and 202 in the low security domain, a gatekeeper system 203, and a file server 204 in the high security domain. Assume that extranet client 201 and extranet client 202 both need to request the services of file server 204.
Extranet client 201 and extranet client 202 each upload a file to gatekeeper system 203 in real time using the File Transfer Protocol (FTP), and send an access request to gatekeeper system 203 using the Hypertext Transfer Protocol (HTTP).
Gatekeeper system 203 verifies the access request sent by extranet client 201. The access request comprises the identity information of extranet client 201 and the related information of the uploaded file to be transmitted. By comparing the identity information against the extranet clients registered in gatekeeper system 203, extranet client 201 is determined to be an illegal user; furthermore, the verification information of the file uploaded by extranet client 201 is compared with the verification information in the access request, and the integrity of the uploaded file is found to be damaged. The verification result obtained is therefore that the access by extranet client 201 is illegal.
Gatekeeper system 203 verifies the access request sent by extranet client 202, which comprises the identity information of extranet client 202 and the related information of the uploaded file to be transmitted. During verification, extranet client 202 is determined to be a legal user, the uploaded file to be transmitted is complete, and the client holds the corresponding authority for the target file server, so the verification result obtained is that the access by extranet client 202 is legal.
According to the verification results, gatekeeper system 203 gives up ferrying the file uploaded by extranet client 201 to its intranet unit and sends error information to extranet client 201;
gatekeeper system 203 ferries the file uploaded by extranet client 202 to the intranet unit of gatekeeper system 203, so that it can be uploaded to file server 204 in the high security domain.
In the embodiment provided by the invention, when an extranet client needs to access the intranet, a file to be transmitted and an access request sent by the extranet client of the low security domain through the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) are received; the access request comprises identity information of the extranet client and related information about the file to be transmitted, and the file to be transmitted is stored in an extranet unit of the gatekeeper system; whether the identity information and the related information are legal is verified to obtain a verification result; and whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system, so that it can be uploaded to a file server of the high security domain, is determined according to the verification result. Thus the identity of the visitor is verified, a legal user can reach only the file server it is authorized for, verifying the related information of the file to be transmitted ensures that the uploaded content matches the content declared in the access request so that a file altered after upload is detected, and files are synchronized securely and in real time between network domains of different security levels.
Before receiving a file to be transmitted and an access request sent by an extranet client of a low security domain through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP), a possible implementation manner further comprises:
and the user verifies whether the file server of the high security domain can accept the external access, and registers the file server which can accept the external access in the high security domain into the gatekeeper system according to the verification result.
For example, referring to fig. 3, fig. 3 is a schematic structural diagram of a high security domain file server registering to a gatekeeper system according to an embodiment of the present invention, where fig. 3 includes: file servers 301-303, and a gatekeeper system 304. Assuming that the IP address of the file server 301 is 192.168.0.1, the FTP port is 01, the IP address of the file server 302 is 192.168.0.2, the FTP port is 02, the IP address of the file server 303 is 192.168.0.3, and the FTP port is 03, the file server 301 and the file server 303 can receive external access after user verification.
When file servers 301-303 of the high security domain need to receive external access, the user performs a prior audit to determine whether each may receive external access. Here, file servers 301 and 303 are confirmed as able to receive external access, so the IP addresses, FTP ports, user names and passwords of file servers 301 and 303 are registered in gatekeeper system 304, and each obtains a corresponding file-server resource name: RES1 for file server 301 and RES2 for file server 303. Since file server 302 did not pass the user's audit, it is not registered in gatekeeper system 304 and is invisible to extranet clients in the low security domain.
In the embodiment provided by the invention, the file server capable of receiving the external access needs to be checked and confirmed by the user, and the confirmed file server is registered in the gatekeeper system before receiving the external access. Therefore, the file server with the high security domain can respectively select whether to receive external access according to user requirements, and the file server which does not receive the external access is invisible to the outside, so that the security of the file server is ensured.
One possible implementation manner of verifying whether the identity information and the related information are legal or not and obtaining a verification result includes:
verifying whether the external network client is a legal user registered in the gatekeeper system or not according to the identity information of the external network client included in the access request; when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises the resource name of a file server accessed by the external network client, the file name of the file to be transmitted and the verification information of the file to be transmitted; when the external network client is a registered legal user and can obtain the service of the file server according to the related information, determining that the verification result is legal access; when the external network client is a registered legal user and the external network client is verified to be incapable of obtaining the service of the file server according to the related information, determining that the verification result is illegal access; and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
The method for verifying whether the external network client can obtain the service of the file server according to the relevant information comprises the following steps:
verifying, from the related information, whether the resource name of the file server that the external network client needs to access is registered in the gatekeeper system and whether that file server can provide service to the external network client; when the resource name is registered in the gatekeeper system and the file server can provide service to the external network client, verifying the integrity of the file to be transmitted according to the file name and the verification information of the file to be transmitted in the related information; when the resource name is registered in the gatekeeper system, the file server can provide service to the external network client, and the file to be transmitted is complete, determining that the related information about the file to be transmitted in the access request passes verification; and when the resource name of the file server that the external network client needs to access is illegal, and/or the file server cannot provide service to the external network client, and/or the file to be transmitted is incomplete, determining that the related information about the file to be transmitted in the access request fails verification.
The method for verifying the integrity of the file to be transmitted according to the file name and the verification information of the file to be transmitted in the related information comprises the following steps:
acquiring first verification information of a file to be transmitted from an external network unit according to the file name of the file to be transmitted; verifying whether the first verification information is consistent with second verification information in the related information; if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete; and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
For example, as shown in fig. 4, which is a schematic diagram of the correspondence between identity information and related information of external network clients verified by a gatekeeper system according to an embodiment of the invention, the figure includes extranet clients 401-405 and a gatekeeper system 406. Suppose that file server 1 and file server 3 are registered in the gatekeeper system and both require level A authority to access; the IP address of file server 1 is 192.168.0.1, its FTP port is port 1 and its resource name is RES1; the IP address of file server 3 is 192.168.0.3, its FTP port is port 3 and its resource name is RES2; and each external network client obtains the verification information of its file to be transmitted using the one-way hash function SHA-256.
The extranet clients 401-405 each upload a file to be transmitted and the corresponding access request to the gatekeeper system 406. The access request sent by the extranet client 401 is { user name is 932, file to be transmitted is file 1, verification information is 6114cef1bd066b1d63ebd2b0fc961677931947287852ff3adc1eb5516bc63520, file server resource name is RES1, operation type is upload }; the access request sent by the extranet client 402 is { user name is 421, file to be transmitted is file 2, verification information is df9128ecc2de700ac9e16a58f22ff891e4e6d083b 3e 59f951d8e5f77b7b52, file server resource name is RES1, operation type is upload }; the access request sent by the extranet client 403 is { user name is 47, file to be transmitted is file 3, verification information is 29ab0c96874aaa499ebc86bb3d85268b1eab6852fd7df007a9523dc0ecfdfb 2, file server resource name is RES3, operation type is upload }; the access request sent by the extranet client 404 is { user name is 549, file to be transmitted is file 4, verification information is c678f0d2475a0b65708e629c078a1a025652e5abec6004151776ce138948d3db, file server resource name is RES2, operation type is upload }; and the access request sent by the extranet client 405 is { user name is 481, file to be transmitted is file 5, verification information is 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a, file server resource name is RES2, operation type is upload }.
After receiving the access request sent by the extranet client 401, the gatekeeper system 406 verifies the identity information of the extranet client 401. The user name 932 of the extranet client 401 is not registered in the gatekeeper system 406, so the gatekeeper system 406 determines that the extranet client 401 is an unregistered user and that the access request it sent is illegal access.
After receiving the access request sent by the extranet client 402, the gatekeeper system 406 verifies its identity information. The user name of the extranet client 402 is 421, which is a legal user registered in the gatekeeper system 406 with B-level authority. When verifying, according to the related information, whether the extranet client 402 can obtain the service of the file server, the extranet client 402 has B-level authority while the requested file server RES1 requires A-level authority to provide service, so it is determined that the extranet client 402 does not have the access right and that the access request it sent is illegal access.
After receiving the access request sent by the extranet client 403, the gatekeeper system 406 verifies its identity information. The user name of the extranet client 403 is 47, which is a legal user registered in the gatekeeper system 406 with A-level authority. When verifying, according to the related information, whether the extranet client 403 can obtain the service of the file server, the resource name of the requested file server is RES3, which is not a file server registered in the gatekeeper system 406 as able to provide service to extranet clients. Therefore, it is determined that the extranet client 403 does not have the access right and that the access request it sent is illegal access.
After receiving the access request sent by the extranet client 404, the gatekeeper system 406 verifies its identity information. The user name of the extranet client 404 is 549, which is a legal user registered in the gatekeeper system 406 with A-level authority. When verifying, according to the related information, whether the extranet client 404 can obtain the service of the file server, the resource name of the requested file server is RES2, the extranet client has A-level authority, and it can therefore receive the service of file server 3 corresponding to RES2. When the file to be transmitted by the extranet client 404 is verified, the corresponding file is looked up in the extranet unit of the gatekeeper system 406 by the file name (file 4) in the access request, and the one-way hash function SHA-256 yields the first verification information 69151d7b5df6dfe88a1859430bd8ebc31be23534f59a5e4bf4b7946d0cef2557, while the second verification information taken by the gatekeeper system 406 from the related information of the access request is c678f0d2475a0b65708e629c078a1a025652e5abec6004151776ce138948d3db. The two are inconsistent, so the integrity of file 4 has been destroyed and file 4 is incomplete. Therefore, it is determined that the file to be transmitted uploaded by the extranet client 404 is incorrect and that the access request it sent is illegal access.
After receiving the access request sent by the extranet client 405, the gatekeeper system 406 verifies its identity information. The user name of the extranet client 405 is 481, which is a legal user registered in the gatekeeper system 406 with A-level authority. When verifying, according to the related information, whether the extranet client 405 can obtain the service of the file server, the resource name of the requested file server is RES2, the extranet client has A-level authority, and it can therefore receive the service of file server 3 corresponding to RES2. When the file to be transmitted by the extranet client 405 is verified, the corresponding file is looked up in the extranet unit of the gatekeeper system 406 by the file name (file 5) in the access request, and the one-way hash function SHA-256 yields the first verification information 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a, while the second verification information taken by the gatekeeper system 406 from the related information of the access request is 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a. The two are consistent, so file 5 is complete. Thus, the access request sent by the extranet client 405 is determined to be legal access.
In practical application, the gatekeeper system and the extranet client can use various one-way hash functions to verify the file to be transmitted; the one-way hash function can be selected from algorithms such as SHA-256, SHA-384 and SHA-512 according to the security requirements of the user.
In the embodiment provided by the invention, after receiving the file to be transmitted and the access request sent by the extranet client, the gatekeeper system verifies the identity information, the authority information and the integrity of the uploaded file to be transmitted, and provides the corresponding service to the extranet client only after confirming that the extranet client is a legal user of the file server and that the file to be transmitted is complete. The high security domain network is thereby protected to the greatest extent, the exposure of the high security domain to network attack is reduced, access control is strengthened, the load on the high security domain server is relieved as far as possible, and real-time, highly secure file access requests between network domains of different security levels are guaranteed through the gatekeeper system.
One possible embodiment of determining whether to ferry the file to be transmitted to an intranet unit of a gatekeeper system according to the verification result includes:
when the verification result is illegal access, giving up ferrying the file to be transmitted to the intranet unit of the gatekeeper system, and sending error information to the extranet client; and when the verification result is legal access, ferrying the file to be transmitted to the intranet unit of the gatekeeper system.
Wherein sending error information to the extranet client includes:
when the external network client is an unregistered illegal user, the error information is that the user is unregistered; when the resource name of the file server which needs to be accessed by the external network client is illegal and/or the external network client does not have the access right, the error information indicates that the user does not have the access right; and when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
Taking the example of fig. 4: the extranet client 401 is an unregistered user, and the access request it sent is illegal access; the extranet client 402 does not have the access right, and the access request it sent is illegal access; the extranet client 403 does not have the access right, and the access request it sent is illegal access; the file to be transmitted uploaded by the extranet client 404 is wrong, and the access request it sent is illegal access; and the access request sent by the extranet client 405 is legal access.
The gatekeeper system 406 ferries the file to be transmitted (file 5) uploaded by the extranet client 405 to the intranet unit of the gatekeeper system 406.
The gatekeeper system 406 gives up ferrying the files to be transmitted uploaded by the extranet clients 401-404 to the intranet unit of the gatekeeper system 406. It sends the error information "the user is not registered" to the extranet client 401, the error information "this user does not have access right" to the extranet clients 402 and 403, and the error information "file error to be transmitted" to the extranet client 404.
In the embodiment provided by the invention, the gatekeeper system ferries only the files to be transmitted uploaded by extranet clients that pass verification into the intranet unit, which ensures the network security of the high security domain network; and it sends the corresponding error information to extranet clients that fail verification, so that the user can correct the access request and the file to be transmitted and obtain service.
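The following Python model is an added example, not code from the patent: it runs the fig. 4 access requests through the identity, authority, integrity and ferry steps described above. The registry tables, the ranking of authority levels (A above B), the sample file contents and all function and field names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed registries modelled on fig. 4 (assumed shape, not the patent's data format).
REGISTERED_USERS = {"421": "B", "47": "A", "549": "A", "481": "A"}  # user name -> authority level
REGISTERED_SERVERS = {  # resource name -> file server registered as able to serve extranet clients
    "RES1": {"ip": "192.168.0.1", "ftp_port": 1, "required_level": "A"},
    "RES2": {"ip": "192.168.0.3", "ftp_port": 3, "required_level": "A"},
}
LEVEL_RANK = {"A": 2, "B": 1}  # assumption: A-level authority outranks B-level

# Error information returned to the extranet client, as listed in the text.
ERR_UNREGISTERED = "the user is not registered"
ERR_NO_ACCESS = "this user does not have access right"
ERR_FILE = "file error to be transmitted"


def sha256_of_file(path, chunk_size=1 << 16):
    """First verification information: SHA-256 of the file stored in the extranet unit."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_access_request(request, extranet_dir):
    """Verify identity information, related information and file integrity.

    request carries the fig. 4 access-request fields: user, file, hash, resource, op.
    Returns ("legal", None) or ("illegal", error_information).
    """
    # Step 1: identity information - is the extranet client a registered legal user?
    level = REGISTERED_USERS.get(request["user"])
    if level is None:
        return "illegal", ERR_UNREGISTERED
    # Step 2: related information - is the resource name registered, and can that
    # server provide service to a client of this authority level?
    server = REGISTERED_SERVERS.get(request["resource"])
    if server is None or LEVEL_RANK[level] < LEVEL_RANK[server["required_level"]]:
        return "illegal", ERR_NO_ACCESS
    # Step 3: integrity - recompute the hash of the stored file (first verification
    # information) and compare it with the hash in the request (second verification
    # information).  basename() keeps the lookup inside the extranet unit's directory;
    # compare_digest compares in constant time.  Note that the client supplies both the
    # file and its hash, so this step detects corruption in transit, not a hostile upload.
    path = os.path.join(extranet_dir, os.path.basename(request["file"]))
    if not os.path.isfile(path):
        return "illegal", ERR_FILE
    first = sha256_of_file(path).encode()
    second = request["hash"].lower().encode()
    if not hmac.compare_digest(first, second):
        return "illegal", ERR_FILE
    return "legal", None


def ferry_if_legal(request, extranet_dir, intranet_dir):
    """Ferry decision: copy the file into the intranet unit only on legal access."""
    result, error = verify_access_request(request, extranet_dir)
    if result == "legal":
        name = os.path.basename(request["file"])
        with open(os.path.join(extranet_dir, name), "rb") as src, \
                open(os.path.join(intranet_dir, name), "wb") as dst:
            dst.write(src.read())
    return result, error


def run_fig4_scenario():
    """Constructed re-run of fig. 4 with five sample files in a temporary extranet unit.

    Returns {client number: (result, error)} plus "ferried": files that reached the intranet unit.
    """
    with tempfile.TemporaryDirectory() as ext, tempfile.TemporaryDirectory() as intra:
        contents = {f"file{i}": f"constructed content of file {i}\n".encode() for i in range(1, 6)}
        for name, data in contents.items():
            with open(os.path.join(ext, name), "wb") as f:
                f.write(data)
        good = {name: hashlib.sha256(data).hexdigest() for name, data in contents.items()}
        requests = {
            401: {"user": "932", "file": "file1", "hash": good["file1"], "resource": "RES1", "op": "upload"},
            402: {"user": "421", "file": "file2", "hash": good["file2"], "resource": "RES1", "op": "upload"},
            403: {"user": "47", "file": "file3", "hash": good["file3"], "resource": "RES3", "op": "upload"},
            # Client 404 sends the hash quoted in the text, which does not match the stored file 4.
            404: {"user": "549", "file": "file4", "resource": "RES2", "op": "upload",
                  "hash": "c678f0d2475a0b65708e629c078a1a025652e5abec6004151776ce138948d3db"},
            405: {"user": "481", "file": "file5", "hash": good["file5"], "resource": "RES2", "op": "upload"},
        }
        outcome = {client: ferry_if_legal(req, ext, intra) for client, req in requests.items()}
        outcome["ferried"] = sorted(os.listdir(intra))
        return outcome


if __name__ == "__main__":
    for client, verdict in run_fig4_scenario().items():
        print(client, verdict)
```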
Based on the same inventive concept, the present invention provides a gatekeeper system, referring to fig. 5, comprising:
a file receiving module 501, configured to receive a file to be transmitted and an access request sent by an extranet client of a low security domain through a file transfer protocol FTP and a hypertext transfer protocol HTTP; the access request comprises identity information of an external network client and related information related to a file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system;
a security verification module 502, configured to verify whether the identity information and the related information are legal, and obtain a verification result;
and a file ferrying module 503, configured to determine whether to ferry a file to be transmitted to an intranet unit of the gatekeeper system according to the verification result, so as to upload the file to a file server of a high security domain.
In a possible implementation, the file receiving module 501 is further configured to:
and the user verifies whether the file server of the high security domain can accept the external access, and registers the file server which can accept the external access in the high security domain into the gatekeeper system according to the verification result.
In one possible implementation, the security verification module 502 is further configured to:
verifying whether the external network client is a legal user registered in the gatekeeper system or not according to the identity information of the external network client included in the access request;
when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises the resource name of a file server accessed by the external network client, the file name of the file to be transmitted and the verification information of the file to be transmitted;
when the external network client is a registered legal user and can obtain the service of the file server according to the related information, determining that the verification result is legal access;
when the external network client is a registered legal user and the external network client is verified to be incapable of obtaining the service of the file server according to the related information, determining that the verification result is illegal access;
and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
In one possible implementation, the security verification module 502 is further configured to:
verifying whether the resource name of the file server which needs to be accessed by the external network client is registered in the gatekeeper system and whether the file server can provide service for the external network client in the related information;
when the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system and the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name and the verification information of the file to be transmitted in the related information;
when the resource name of a file server which needs to be accessed by an external network client is registered in a gatekeeper system, the file server can provide service for the external network client, and a file to be transmitted is complete, the relevant information related to the file to be transmitted in an access request is determined to pass verification;
and when the resource name of the file server which needs to be accessed by the external network client is illegal, and/or the file server cannot provide service for the external network client, and/or the file to be transmitted is incomplete, determining that the relevant information related to the file to be transmitted in the access request is not verified.
In one possible implementation, the security verification module 502 is further configured to:
acquiring first verification information of a file to be transmitted from an external network unit according to the file name of the file to be transmitted;
verifying whether the first verification information is consistent with second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
In one possible implementation, the file ferry module 503 is further configured to:
when the verification result is illegal access, giving up ferrying the file to be transmitted to an intranet unit of the gatekeeper system, and sending error information to an extranet client;
and when the verification result is legal access, ferrying the file to be transmitted to the intranet unit of the gatekeeper system.
In one possible implementation, the file ferry module 503 is further configured to:
when the external network client is an unregistered illegal user, the error information is that the user is unregistered;
when the resource name of the file server which needs to be accessed by the external network client is illegal and/or the external network client does not have the access right, the error information indicates that the user does not have the access right;
and when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
Based on the same inventive concept, the present application provides a gatekeeper system, referring to fig. 6, comprising:
the extranet unit 601 is configured to receive an access request and a file to be transmitted sent by an extranet client in a low security network domain, verify the security of the file to be transmitted, and send the file to be transmitted that passes the security verification to the special isolation exchange unit 602;
the special isolation exchange unit 602 is configured to execute the above method for securely accessing the intranet in real time, so as to receive the file to be transmitted sent by the extranet unit 601 while keeping the intranet unit 603 and the extranet unit 601 isolated, and to ferry the file to be transmitted that passes the security verification to the intranet unit 603;
the intranet unit 603 is configured to receive the file to be transmitted ferried by the special isolation exchange unit 602 and forward it to a file server in a high security network domain; the extranet unit 601, the special isolation exchange unit 602 and the intranet unit 603 are located in different networks isolated from each other.
For example, fig. 7 is a schematic structural diagram of a gatekeeper system according to an embodiment of the present invention. The extranet unit 601 includes an FTP module 6011, a web service module 6012, a security verification module 6013 and a file synchronization module 6014; the intranet unit 603 includes a monitoring module 6031, an information parsing module 6032 and an uploading module 6033.
After an extranet client in the low security domain sends an access request and a file to be transmitted to the extranet unit 601 of the gatekeeper system, the FTP module 6011 receives the file to be transmitted sent by the extranet client over the FTP protocol, the web service module 6012 receives the access request sent by the extranet client over the HTTP protocol, and after the access request is verified by the security verification module 6013, the verified access request and file to be transmitted are synchronized to the special isolation exchange unit 602 through the file synchronization module 6014. The special isolation exchange unit 602 ferries the synchronized file to the intranet unit 603. When the monitoring module 6031 in the intranet unit 603 detects that a new file to be transmitted exists, it calls the information parsing module 6032 to parse the file to be transmitted. The uploading module 6033 then uploads the file to be transmitted to the corresponding file server in the high security network domain, as identified by the information parsing module 6032.
In the embodiment provided by the invention, after receiving the access request and the file to be transmitted sent by the extranet client in the low security network domain, the extranet unit performs security verification and synchronizes the file to be transmitted that passes verification to the special isolation exchange unit. The special isolation exchange unit ferries the file to be transmitted to the intranet unit. The intranet unit parses the file to be transmitted and uploads it to a file server in the high security network domain. In this way, files to be transmitted that are verified as safe are ferried into the high security network domain while the network domains of different security levels remain isolated.
Based on the same inventive concept, the present application provides a system for securely accessing an intranet, and referring to fig. 8, the system for securely accessing an intranet in real time includes:
the low security domain client 801 is used for sending a file to be transmitted and an access request to the gatekeeper system 802 through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP);
the gatekeeper system 802 is configured to receive a to-be-transmitted file and an access request sent by the low-security domain client 801, and execute the above method for securely accessing the intranet, so as to ferry the to-be-transmitted file that passes security authentication to a high-security domain file server according to the access request while ensuring that a low-security domain and a high-security domain are isolated;
the high-security domain file server 803 is used for receiving a file to be transmitted from the gatekeeper system 802 and providing a service corresponding to the access request to the low-security domain client 801; where the low security domain client 801 and the high security domain file server 803 are located in different networks that are isolated from each other.
The low security domain client 801 is specifically configured to:
sending the file to be transmitted to the gatekeeper system using the File Transfer Protocol (FTP);
sending the access request to the gatekeeper system using the hypertext transfer protocol (HTTP).
Based on the same inventive concept, an embodiment of the present invention provides a device for securely accessing an intranet in real time, where the device for securely accessing the intranet may be an electronic device such as a personal computer, and the device may include:
at least one processor, configured to implement the steps of the method for securely accessing the intranet as provided in the embodiments of the present application when executing the computer program stored in the memory.
Alternatively, the processor may be a central processing unit, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits for controlling program execution.
Optionally, the device for securely accessing the intranet further includes a memory connected to the at least one processor, where the memory may include a read only memory (ROM), a random access memory (RAM) and a disk memory. The memory stores the data required by the processor during operation, that is, instructions executable by the at least one processor, and the at least one processor executes the method shown in fig. 1 by executing the instructions stored in the memory. The number of memories is one or more.
The embodiment of the present application further provides a computer storage medium, where the computer storage medium stores computer instructions, and when the computer instructions are executed on a computer, the computer is enabled to execute the above steps of the method for accessing an intranet safely in real time.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for safely accessing an intranet in real time is applied to a gatekeeper system arranged among networks with different security levels, and is characterized by comprising the following steps:
receiving a file to be transmitted and an access request sent by an extranet client of a low security domain through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP); the access request comprises identity information of the external network client and related information related to the file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system;
verifying whether the identity information and the related information are legal or not to obtain a verification result;
and determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result so as to upload the file to a file server of a high security domain.
2. The method of claim 1, wherein the receiving of the file to be transmitted and the access request sent by the extranet client of the low security domain through the file transfer protocol FTP and the hypertext transfer protocol HTTP further comprises:
and the user verifies whether the file server of the high security domain can accept the external access, and registers the file server which can accept the external access in the high security domain into the gatekeeper system according to the verification result.
3. The method of claim 1, wherein verifying whether the identity information and the related information are legitimate and obtaining a verification result comprises:
verifying whether the external network client is a legal user registered in the gatekeeper system or not according to the identity information of the external network client included in the access request;
when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises the resource name of a file server accessed by the external network client, the file name of the file to be transmitted and the verification information of the file to be transmitted;
when the external network client is a registered legal user and the external network client can obtain the service of the file server according to the relevant information, determining that the verification result is legal access;
when the external network client is a registered legal user and the external network client is verified to be incapable of obtaining the service of the file server according to the related information, determining that the verification result is illegal access;
and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
4. The method of claim 3, wherein verifying that the extranet client can obtain the services of the file server based on the relevant information comprises:
verifying whether the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system and whether the file server can provide service for the external network client or not in the related information;
when the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system and the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information;
when the resource name of a file server which needs to be accessed by the external network client is registered in the gatekeeper system, the file server can provide service for the external network client, and the file to be transmitted is complete, the relevant information related to the file to be transmitted in the access request is determined to pass verification;
and when the resource name of the file server which needs to be accessed by the external network client is illegal, and/or the file server cannot provide service for the external network client, and/or the file to be transmitted is incomplete, determining that the relevant information related to the file to be transmitted in the access request is not verified.
5. The method according to claim 4, wherein verifying the integrity of the file to be transmitted according to the file name and the verification information of the file to be transmitted in the related information comprises:
acquiring first verification information of a file to be transmitted from the external network unit according to the file name of the file to be transmitted;
verifying whether the first verification information is consistent with second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
6. The method of claim 1, wherein determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result comprises:
when the verification result is illegal access, giving up ferrying the file to be transmitted to the intranet unit of the gatekeeper system, and sending error information to the extranet client;
and when the verification result is legal access, ferrying the file to be transmitted to the intranet unit of the gatekeeper system.
7. The method of claim 6, wherein sending error information to the extranet client comprises:
when the external network client is an unregistered illegal user, the error information is that the user is unregistered;
when the resource name of the file server which needs to be accessed by the external network client is illegal and/or the external network client does not have the access right, the error information indicates that the user does not have the access right;
and when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
8. A gatekeeper system, comprising:
an extranet unit, configured to receive an access request and a file to be transmitted sent by an extranet client in a low security network domain, verify the security of the file to be transmitted, and send the file to be transmitted that passes the security verification to a dedicated isolation exchange unit;
the dedicated isolation exchange unit, configured to execute the method according to any one of claims 1 to 7 so as to keep an intranet unit and the extranet unit isolated, receive the file to be transmitted sent by the extranet unit, and ferry the file to be transmitted that passes the security verification to the intranet unit;
the intranet unit, configured to receive the file to be transmitted ferried by the dedicated isolation exchange unit and forward it to a file server in a high security network domain; wherein the extranet unit, the dedicated isolation exchange unit and the intranet unit are located in different networks that are isolated from each other.
9. A system for real-time secure access to an intranet, comprising:
a low security domain client, configured to send the file to be transmitted to a gatekeeper system using the File Transfer Protocol (FTP) and to send the access request to the gatekeeper system in an extension header field of the Hypertext Transfer Protocol (HTTP);
the gatekeeper system, configured to receive the file to be transmitted and the access request sent by the low security domain client and to execute the method according to any one of claims 1 to 7, so as to keep the low security domain and the high security domain isolated while ferrying the file to be transmitted that passes the security verification to a high security domain file server according to the access request;
the high security domain file server, configured to receive the file to be transmitted from the gatekeeper system and to provide the service corresponding to the access request to the low security domain client; wherein the low security domain client and the high security domain file server are located in different networks that are isolated from each other.
10. An apparatus for securely accessing an intranet, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of any one of claims 1 to 7 by executing the instructions stored in the memory.
CN202111259983.7A 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time Active CN113965395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111259983.7A CN113965395B (en) 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time

Publications (2)

Publication Number Publication Date
CN113965395A true CN113965395A (en) 2022-01-21
CN113965395B CN113965395B (en) 2024-02-09

Family

ID=79467824

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004206670A (en) * 2002-10-30 2004-07-22 Nippon Telegr & Teleph Corp <Ntt> Use right management system, method, and device with mechanism therefor
CN102208982A (en) * 2011-04-28 2011-10-05 广州汇智通信技术有限公司 Isolation gateway
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
CN104573914A (en) * 2014-12-05 2015-04-29 国家电网公司 Gateway measurement acquisition and operation maintenance management system and application thereof
CN105656883A (en) * 2015-12-25 2016-06-08 冶金自动化研究设计院 Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device
US20160261576A1 (en) * 2015-03-05 2016-09-08 M-Files Oy Method, an apparatus, a computer program product and a server for secure access to an information management system
CN106060003A (en) * 2016-05-09 2016-10-26 北京航天数控系统有限公司 Network boundary unidirectional isolated transmission device
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP
US20170111336A1 (en) * 2015-10-14 2017-04-20 FullArmor Corporation Resource access system and method
CN206272653U (en) * 2016-12-07 2017-06-20 常州华龙通信科技股份有限公司 A kind of one-way isolation shutter
CN109120651A (en) * 2018-11-07 2019-01-01 成都华栖云科技有限公司 A kind of realization method and system improving teaching network file transmission fluency
CN109309730A (en) * 2018-10-31 2019-02-05 北京国信宏数科技有限责任公司 A kind of believable document transmission method and system
CN110620791A (en) * 2019-10-10 2019-12-27 江苏亨通工控安全研究院有限公司 Industrial safety data ferrying system with early warning function
CN110933025A (en) * 2019-10-21 2020-03-27 武汉神库小匠科技有限公司 Multi-source heterogeneous data cross-domain synchronous shared storage method, device, equipment and medium
CN111641650A (en) * 2020-05-29 2020-09-08 中京天裕科技(北京)有限公司 Industrial data unidirectional import system and method
CN111740993A (en) * 2020-06-18 2020-10-02 河南优易信息技术有限公司 Internal and external network safety data exchange method
CN112346758A (en) * 2020-10-09 2021-02-09 北京国电通网络技术有限公司 Digital infrastructure service updating platform, updating method and electronic equipment
CN112448957A (en) * 2020-11-27 2021-03-05 成都新希望金融信息有限公司 Network isolation method, device, system, server and readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨?; 吴永生: "Information security strategy of the Nanjing Radio and Television Group converged media publishing platform", Television Engineering (电视工程), no. 01, pages 54-56 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710333A (en) * 2022-03-23 2022-07-05 未鲲(上海)科技服务有限公司 Data transmission and verification method, system, computer equipment and storage medium
CN117240618A (en) * 2023-11-13 2023-12-15 中国联合网络通信集团有限公司 Household cloud box access method, device, equipment and storage medium
CN117240618B (en) * 2023-11-13 2024-03-01 中国联合网络通信集团有限公司 Household cloud box access method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113965395B (en) 2024-02-09

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant