CN114244846A - Flow message forwarding method and device, intermediate device and storage medium - Google Patents


Publication number: CN114244846A (granted as CN114244846B)
Application number: CN202111535045.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 常钰, 李矩希, 王铭铖, 马炎磊, 李亮
Assignee: Hillstone Networks Co Ltd
Legal status: granted (active)

Classifications

    • H04L45/00 Routing or path finding of packets in data switching networks; H04L45/38 Flow based routing
    • H04L63/02 Network security architectures or protocols for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies; H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/04 Network security architectures or protocols for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and an apparatus for forwarding traffic packets, an intermediate device, and a storage medium. The method comprises: receiving a handshake packet sent by a terminal device, the handshake packet carrying a server name indication (SNI); parsing the handshake packet and determining whether the SNI it carries is stored in a preset whitelist; and, when the SNI is in the preset whitelist, directly forwarding the subsequent traffic packets sent by the terminal device for that SNI, without decrypting them. In this way, after receiving a handshake packet from a terminal device, the intermediate device first parses the handshake, checks whether the SNI it carries is in the preset whitelist and, if so, forwards the terminal device's subsequent traffic for that SNI directly, so that a terminal device that performs its own special checks (whose traffic the intermediate device therefore cannot decrypt) can still reach the remote website normally.

Description

Flow message forwarding method and device, intermediate device and storage medium
Technical Field
The present application relates to the field of communications technology, and in particular to a method and an apparatus for forwarding traffic packets, an intermediate device, and a storage medium.
Background
To improve the security of a network system, an intermediate device such as a load balancer may provide an SSL (Secure Sockets Layer, in practice TLS) traffic inspection function, rendered in the machine translation of this patent as the "SSL traffic perspective mirror". A load balancer with this function decrypts the SSL-encrypted traffic packets it receives from a terminal device and, if decryption succeeds, forwards them to the remote website being accessed; after successful decryption the traffic can also be mirrored out of band for further analysis. A load balancer without the function simply forwards traffic packets as received.
In general, once a terminal device has been provisioned with the load balancer's certificate, it can make outbound requests through SSL-encrypted traffic packets. However, the inventors found in practice that if the terminal device performs special checks of its own, for example measures that defeat a man-in-the-middle proxy, or a change of the application protocol (for example to a private protocol), the load balancer is unable to decrypt the SSL-encrypted traffic packets that the terminal device sends, or its decryption fails, so that the terminal device cannot reach the remote website.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for forwarding traffic packets, an intermediate device, and a storage medium, so that even when an intermediate device such as a load balancer has the SSL inspection function enabled, a terminal device that performs its own special checks can still access the remote website normally.
The invention is realized as follows:
In a first aspect, an embodiment of the present application provides a method for forwarding traffic packets, applied to an intermediate device, the method comprising: receiving a handshake packet sent by a terminal device, the handshake packet carrying a server name indication (SNI); parsing the handshake packet and determining whether the SNI it carries is stored in a preset whitelist; and, when the SNI is in the preset whitelist, directly forwarding the traffic packets sent by the terminal device that correspond to that SNI.
In this embodiment, the whitelist is configured in the intermediate device in advance. It stores SNIs, and traffic packets for an SNI stored in the whitelist do not need to be decrypted. After receiving a handshake packet from the terminal device, the intermediate device therefore first checks whether the SNI it carries is in the preset whitelist and, if so, directly forwards the terminal device's subsequent traffic packets for that SNI, so that a terminal device that performs its own special checks can still access the remote website normally.
With reference to the first aspect, in some possible implementations the method further comprises: when the SNI carried by the handshake packet is not in the preset whitelist, decrypting the traffic packets sent by the terminal device that correspond to that SNI; and, if decryption succeeds, forwarding the traffic packets for that SNI.
In this embodiment, if the SNI carried by the handshake packet is not in the preset whitelist, the traffic packets sent by the terminal device for that SNI are decrypted; in this way every non-whitelisted traffic packet is decrypted and inspected.
With reference to the first aspect, in some possible implementations the method further comprises: if decryption fails, determining, based on the circumstances of the decryption failure for the traffic packets of that SNI, whether to add the SNI to the preset whitelist.
In this embodiment, if the intermediate device fails to decrypt the traffic packets sent by the terminal device for an SNI, it can decide according to the circumstances of the failure whether that SNI should be added to the preset whitelist, and the whitelist is updated in this way.
With reference to the first aspect, in some possible implementations, determining whether to add the SNI to the preset whitelist based on the circumstances of the decryption failure comprises: when the number of decryption failures for the traffic packets of the SNI is greater than a preset number, adding the SNI to the preset whitelist.
In this embodiment, a user can configure the decryption-failure count in the intermediate device in advance, so that when the number of times the intermediate device fails to decrypt traffic packets for a given SNI exceeds the preset number, that SNI is added to the preset whitelist, completing the whitelist update according to the user's configuration.
With reference to the first aspect, in some possible implementations, determining whether to add the SNI to the preset whitelist based on the circumstances of the decryption failure comprises: when the cause of the decryption failure for the traffic packets of the SNI is a network anomaly, not adding the SNI to the preset whitelist.
When the cause of the decryption failure is a network anomaly, the whitelist is not updated, which prevents the whitelist from being updated unreasonably under abnormal network conditions.
With reference to the first aspect, in some possible implementations, before receiving the handshake packet sent by the terminal device, the method further comprises: the intermediate device determining that its SSL inspection function is enabled.
In this embodiment, the intermediate device parses and decrypts packets only when it has determined that the SSL inspection function is enabled, which speeds up packet processing.
With reference to the first aspect, in some possible implementations the method further comprises: after determining that the SSL inspection function is not enabled, directly forwarding the traffic packets sent by the terminal device.
In this embodiment, after it is determined that the SSL inspection function is not enabled, the traffic packets sent by the terminal device are forwarded directly, so that they are forwarded quickly.
In a second aspect, an embodiment of the present application further provides a traffic packet forwarding apparatus, applied to an intermediate device, the apparatus comprising: a receiving module, configured to receive a handshake packet sent by a terminal device, the handshake packet carrying a server name indication; a parsing module, configured to parse the handshake packet and determine whether the SNI it carries is stored in a preset whitelist; and a forwarding module, configured to directly forward the traffic packets sent by the terminal device that correspond to the SNI when the SNI carried by the handshake packet is in the preset whitelist.
In a third aspect, an embodiment of the present application provides an intermediate device comprising a processor and a memory connected to each other; the memory stores a program, and the processor is configured to invoke the program stored in the memory to perform the method provided in the first aspect and/or in any of its possible implementations.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program performs the method provided in the first aspect and/or in any of its possible implementations.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a block diagram of a network system according to an embodiment of the present disclosure.
Fig. 2 is a block diagram of an intermediate device according to an embodiment of the present disclosure.
Fig. 3 is a flowchart of a method for forwarding a traffic packet according to an embodiment of the present application.
Fig. 4 is a flowchart of another traffic packet forwarding method according to an embodiment of the present application.
Fig. 5 is a block diagram of a traffic packet forwarding apparatus according to an embodiment of the present application.
Reference numerals: 10, network system; 100, intermediate device; 110, processor; 120, memory; 200, terminal device; 300, server; 400, traffic packet forwarding apparatus; 410, receiving module; 420, parsing module; 430, forwarding module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, an embodiment of the present application provides a network system 10, which includes an intermediate device 100, a terminal device 200, and a server 300.
The intermediate device 100 communicates, as a proxy, with the external site, i.e. the server 300. The intermediate device 100 is typically deployed at the egress of a local area network, where it connects to the Internet; the traffic packets sent by all terminal devices 200 in the local area network must be forwarded to the server 300 through the intermediate device 100.
Referring to fig. 2, a schematic structural block diagram of an intermediate device 100 to which the traffic packet forwarding method and apparatus of an embodiment of the present application apply is provided. In this embodiment, the intermediate device 100 may be, but is not limited to, a load balancer, a wireless router, or a gateway device.
Structurally, the intermediate device 100 may comprise a processor 110 and a memory 120.
The processor 110 and the memory 120 are electrically connected, directly or indirectly, to enable data transmission or interaction; for example, the components may be connected to each other via one or more communication buses or signal lines. The traffic packet forwarding apparatus includes at least one software module, which may be stored in the memory 120 as software or firmware or built into the operating system (OS) of the intermediate device 100. The processor 110 is configured to execute the executable modules stored in the memory 120, for example the software function modules and computer programs included in the traffic packet forwarding apparatus, so as to implement the traffic packet forwarding method. The processor 110 may execute the computer program upon receiving an execution instruction.
The processor 110 may be an integrated circuit chip with signal processing capability. It may also be a general-purpose processor, for example a Central Processing Unit (CPU) or a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 120 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), or an Electrically Erasable Programmable Read-Only Memory (EEPROM). The memory 120 stores a program, which the processor 110 executes after receiving an execution instruction.
It should be noted that the structure shown in fig. 2 is merely illustrative; the intermediate device 100 provided in the embodiments of the present application may also have fewer or more components than shown in fig. 2, or a different configuration. The components shown in fig. 2 may be implemented in software, hardware, or a combination of the two.
The terminal device 200 may be, but is not limited to, a personal computer (PC), a smartphone, a tablet, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like. The server 300 may be, but is not limited to, a web server, a database server, a cloud server, or a server cluster composed of several sub-servers. These devices are listed only to aid understanding of the embodiments and do not limit them. The specific structure of the terminal device 200 and the server 300 may also follow fig. 2; to avoid redundancy the description is not repeated here, and the common parts may be referred to each other.
Referring to fig. 3, fig. 3 is a flowchart of the steps of a method for forwarding traffic packets according to an embodiment of the present application; the method is applied to the intermediate device 100 shown in fig. 2. The method is not limited to the order shown in fig. 3 and described below, and comprises steps S101 to S103.
Step S101: receiving a handshake packet sent by the terminal device, the handshake packet carrying a server name indication.
Server Name Indication (SNI) is an extension of TLS (Transport Layer Security). With this extension the terminal device names, in the ClientHello at the very beginning of the handshake, the host name of the server it intends to connect to. Because this happens before any session key exists, the name is visible in cleartext to an intermediate device on the path, which is what allows the handshake packet to be parsed here.
Step S102: parsing the handshake packet and determining whether the server name indication it carries is stored in a preset whitelist.
The intermediate device parses the handshake packet and checks whether the SNI it carries matches an SNI in the preset whitelist.
The whitelist stores server name indications, and traffic packets for an SNI stored in the whitelist do not need to be decrypted.
Initially the whitelist may be populated with SNIs by user configuration. Later, the intermediate device may also decide whether to add the SNI of a traffic flow to the whitelist according to the outcome of decrypting that flow, as described below.
Step S103: when the server name indication carried by the handshake packet is in the preset whitelist, directly forwarding the traffic packets sent by the terminal device that correspond to that SNI.
Finally, if the SNI carried by the handshake packet is in the preset whitelist, the traffic packets are forwarded directly.
The traffic packets here are SSL-encrypted traffic packets. Before SSL-encrypted traffic can be exchanged, the terminal device must first establish a connection with the intermediate device through the handshake.
The handshake between the intermediate device and the terminal device includes certificate verification and key exchange. When the handshake completes, the terminal device encrypts its traffic data with the exchanged keys, producing SSL-encrypted traffic packets. A load balancer with the SSL inspection function decrypts a copy of the traffic after receiving the terminal device's SSL-encrypted packets and, if that decryption succeeds, forwards the packets so that the terminal device reaches the remote website. If, however, the terminal device performs special checks, for example measures that defeat a man-in-the-middle proxy, or a change of the application protocol (for example to a private protocol), the load balancer is unable to decrypt the SSL-encrypted traffic packets the terminal device sends, or its decryption fails, and the terminal device cannot reach the remote website.
In this embodiment the whitelist is configured in the intermediate device in advance. It stores SNIs, and traffic packets for an SNI in the whitelist do not need to be decrypted. After receiving a handshake packet from the terminal device, the intermediate device therefore first parses it, checks whether the SNI it carries is in the preset whitelist and, if so, directly forwards the terminal device's subsequent traffic packets for that SNI, so that a terminal device that performs its own special checks can still access the remote website normally.
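The following Python script, added here as an illustration and not code from the patent or from any Hillstone product, shows what steps S101 to S103 amount to on the wire: it parses the server_name extension out of a TLS ClientHello record and looks the name up in a whitelist. The ClientHello bytes are constructed inside the script (placeholder random and cipher list), and the whitelist entries and function names are assumptions. Two points the patent text does not spell out but a practitioner should keep in mind: the SNI is supplied by the client in cleartext and nothing in the handshake authenticates it, so a whitelist keyed on SNI is only as trustworthy as the clients that fill in the ClientHello; and a ClientHello with no server_name extension, or one using Encrypted ClientHello where the real name is not visible, yields no name, which the example treats as "not in the whitelist", i.e. the decrypt path.

```python
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # extension type: server_name (SNI)
SNI_HOST_NAME = 0x00       # name type: host_name

# Preset whitelist of the method (constructed names, not from the patent).
WHITELIST = {"pinned.bank.example", "updates.vendor.example"}


def build_client_hello(hostname=None):
    """Build a minimal ClientHello record, optionally carrying an SNI
    extension. Constructed test input only: the random, the single cipher
    suite and the empty session id are placeholders, not a real client's."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")           # ASCII host names only here
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                  # client_version (TLS 1.2)
        + b"\x00" * 32                               # random (placeholder)
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Steps S101/S102: return the host_name from the SNI extension of a
    ClientHello record, normalised to lower case without a trailing dot, or
    None if the record is not a ClientHello or carries no host_name. Every
    length field is bounds-checked, so truncated or malformed input yields
    None rather than an exception."""
    try:
        ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
        if ctype != TLS_HANDSHAKE or len(record) < 5 + rlen:
            return None
        hs = record[5:5 + rlen]
        if hs[0] != CLIENT_HELLO:
            return None
        hlen = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hlen]
        if len(body) != hlen:
            return None
        pos = 2 + 32                                        # client_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return None                                     # no extensions block
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if len(edata) != elen:
                return None
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack_from("!H", edata, 0)[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack_from("!BH", edata, q)
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == SNI_HOST_NAME and len(name) == nlen:
                    return name.decode("ascii").lower().rstrip(".")
            return None
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def classify(record, whitelist=WHITELIST):
    """Step S103 decision: ('forward', sni) when the SNI is whitelisted,
    otherwise ('decrypt', sni), which also covers handshakes without SNI."""
    sni = extract_sni(record)
    if sni is not None and sni in whitelist:
        return "forward", sni
    return "decrypt", sni


if __name__ == "__main__":
    for host in ("Pinned.Bank.Example.", "intranet.corp.example", None):
        print(host, "->", classify(build_client_hello(host)))
    print("non-TLS bytes ->", classify(b"GET / HTTP/1.1\r\n"))
```

The parser deliberately returns None on anything it cannot account for instead of raising, because on a forwarding path an exception in the SNI parser would otherwise become a way for a client to knock a flow out of inspection with a malformed ClientHello; the caller then still takes the decrypt path for that flow.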
In an embodiment, when the SNI carried by the handshake packet is not in the preset whitelist, the traffic packets sent by the terminal device that correspond to that SNI are decrypted.
That is, when the intermediate device determines that the SNI carried by the handshake packet is not in the preset whitelist, it decrypts the traffic packets with its SSL inspection function.
If decryption succeeds, the traffic packets for that SNI are forwarded directly.
That is, if the SNI carried by the handshake packet is not in the preset whitelist, the traffic packets sent by the terminal device for that SNI are decrypted, and in this way every non-whitelisted traffic packet is decrypted and inspected.
If decryption fails, whether to add the SNI to the preset whitelist is determined based on the circumstances of the decryption failure for the traffic packets of that SNI.
That is, if the intermediate device fails to decrypt the traffic packets sent by the terminal device for an SNI, it can decide according to the circumstances of the failure whether that SNI should be added to the preset whitelist, and the whitelist is updated in this way.
As one embodiment, determining whether to add the SNI to the preset whitelist based on the circumstances of the decryption failure may specifically comprise: when the number of decryption failures for the traffic packets of the SNI is greater than a preset number, adding the SNI to the preset whitelist.
The preset number may be set according to actual conditions, for example five, seven or ten; the present application does not limit it.
For example, when the number of decryption failures for the traffic packets of server name indication a1 exceeds the preset number, a1 is added to the preset whitelist.
The preset number may also be one, in which case a single decryption failure for the traffic packets of an SNI is enough: no further verification is performed and the SNI is added to the whitelist directly, updating the whitelist.
Thus, in this embodiment a user can configure the decryption-failure count in the intermediate device in advance, so that once the number of times the intermediate device fails to decrypt traffic packets for a given SNI exceeds the preset number, that SNI is added to the preset whitelist, completing the whitelist update according to the user's configuration.
As another embodiment, determining whether to add the SNI to the preset whitelist based on the circumstances of the decryption failure may specifically comprise: when the cause of the decryption failure for the traffic packets of the SNI is a network anomaly, not adding the SNI to the preset whitelist.
When the cause of the decryption failure is a network anomaly, the whitelist is not updated, which prevents the whitelist from being updated unreasonably under abnormal network conditions.
In an embodiment, before step S101 the method further comprises: the intermediate device determining whether its SSL inspection function is enabled.
When the SSL inspection function is enabled, step S101 is executed. That is, in this embodiment the intermediate device parses and decrypts packets only after determining that the SSL inspection function is enabled, which increases the packet processing rate.
When the SSL inspection function is not enabled, the traffic packets sent by the terminal device are forwarded directly. Note that when the intermediate device has the function disabled, the traffic packets sent by the terminal device may be unencrypted packets. That is, once it is determined that the SSL inspection function is not enabled, the traffic packets sent by the terminal device are forwarded directly, so that they are forwarded quickly.
In summary, when a terminal device requests access to a remote website, its traffic packets pass through the load balancer. When the intermediate device does not have the SSL inspection function enabled, it forwards the traffic packets to the Internet as they are, so that normal Internet access works. When the intermediate device has the SSL inspection function enabled and the destination host the terminal device requests is in the whitelist, the traffic is forwarded directly without decryption, again giving normal Internet access. If the destination host is not in the whitelist, the SSL traffic is decrypted; flows that cannot be decrypted are counted, and whether to add their SNI to the whitelist is decided according to the circumstances.
The complete procedure is now described with reference to fig. 4. First, the intermediate device determines whether SSL inspection is enabled; if not, it forwards the traffic packets sent by the terminal device to the Internet as they are, so that normal Internet access works. If it is enabled, the intermediate device parses the handshake packet sent by the terminal device and determines whether the SNI it carries is stored in the preset whitelist. If the SNI is in the preset whitelist, the traffic is forwarded directly without decryption, giving normal Internet access. If the SNI is not in the preset whitelist, the subsequent traffic packets sent by the terminal device are decrypted and the SNI they belong to is recorded. If decryption succeeds, the traffic packets are forwarded directly. If decryption fails, whether to add the SNI to the preset whitelist is determined based on the circumstances of the decryption failure for the traffic packets of that SNI.
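The following Python model, added as an example and not code from the patent, puts the fig. 4 procedure above and the whitelist-update rules of the preceding embodiments (failure-count threshold, network-anomaly exclusion, inspection on/off) into one runnable class, so the interaction between them can be exercised on constructed flows. Class, method and outcome names and the sample host names are assumptions. The patent says an SNI is added when its failure count is "greater than" the preset number, and also that a preset of one means a single failure adds it; the model reads the preset as the failure count that triggers the addition (count >= threshold). It also records every automatic addition in an audit list, because an entry added this way switches inspection off for that name for every client behind the device, not only for the client whose failures caused it.

```python
from collections import Counter

FORWARD = "forward"   # pass the encrypted flow through untouched
INSPECT = "decrypt"   # terminate and decrypt the flow for inspection


class SniWhitelistGateway:
    """Per-flow decision logic of the method (fig. 3 and fig. 4).

    Constructed example: the class, its attributes and the outcome labels
    are assumptions made for this illustration, not the patent's terms.
    """

    def __init__(self, whitelist, failure_threshold=5, inspection_enabled=True):
        self.whitelist = {name.lower() for name in whitelist}   # preset whitelist
        self.failure_threshold = failure_threshold              # preset number of failures
        self.inspection_enabled = inspection_enabled            # SSL inspection on/off
        self.failures = Counter()                               # decrypt failures per SNI
        self.audit = []                                         # automatic whitelist additions

    def decide(self, sni):
        """Steps S101 to S103: forward when inspection is off or the SNI is
        whitelisted; otherwise the flow goes to decryption. A flow without
        an SNI can never match the whitelist, so it is inspected."""
        if not self.inspection_enabled:
            return FORWARD
        if sni is not None and sni.lower() in self.whitelist:
            return FORWARD
        return INSPECT

    def on_decrypt_result(self, sni, outcome):
        """Whitelist-update policy for a flow that went to decryption.

        outcome is one of:
          'ok'            decryption succeeded, the flow is forwarded
          'failed'        the client defeated interception (for example it
                          rejected the interception certificate or spoke a
                          private protocol); counts toward the threshold
          'network_error' the failure came from a network anomaly, which says
                          nothing about the client and is not counted
        """
        if outcome == "ok":
            return "forwarded"
        if outcome == "network_error":
            return "failed"
        if outcome != "failed":
            raise ValueError(f"unknown outcome {outcome!r}")
        if sni is None:
            return "failed"                 # nothing to key a whitelist entry on
        key = sni.lower()
        self.failures[key] += 1
        if self.failures[key] >= self.failure_threshold:
            self.whitelist.add(key)         # assumed reading: count reaches the preset
            del self.failures[key]
            self.audit.append(("auto-whitelisted", key))
        return "failed"


def process_flow(gateway, sni, decrypt_outcome):
    """One flow end to end as in fig. 4: decide first; only an inspected flow
    feeds its decryption outcome into the whitelist policy. Returns
    (decision, result)."""
    decision = gateway.decide(sni)
    if decision == FORWARD:
        return FORWARD, "forwarded"
    return INSPECT, gateway.on_decrypt_result(sni, decrypt_outcome)


if __name__ == "__main__":
    # Constructed flows: an app that defeats interception fails three times,
    # with a network glitch in between that must not count toward the preset.
    gw = SniWhitelistGateway({"portal.corp.example"}, failure_threshold=3)
    flows = [
        ("portal.corp.example", "ok"),
        ("app.bank.example", "failed"),
        ("app.bank.example", "network_error"),
        ("app.bank.example", "failed"),
        ("app.bank.example", "failed"),
        ("app.bank.example", "failed"),   # now whitelisted: forwarded without decrypting
    ]
    for sni, outcome in flows:
        print(sni, process_flow(gw, sni, outcome))
    print("audit:", gw.audit)
```

Because the counter is keyed only on the client-supplied SNI, any client that can produce the configured number of decryption failures for a name moves that name out of inspection for the whole network; reviewing the audit list, and bounding or expiring the counter, is the operational check that belongs next to this policy.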
Referring to fig. 5, based on the same inventive concept, an embodiment of the present application further provides a traffic packet forwarding apparatus 400, comprising:
a receiving module 410, configured to receive a handshake message sent by a terminal device, the handshake message carrying a server name indication (SNI);
a parsing module 420, configured to parse the handshake message and determine whether the SNI carried in the handshake message is stored in a preset white list; and
a forwarding module 430, configured to directly forward, when the SNI carried in the handshake message is in the preset white list, the traffic packets sent by the terminal device that correspond to that SNI.
Optionally, the apparatus further comprises a decryption module.
The decryption module is configured to decrypt the traffic packets sent by the terminal device that correspond to the SNI when the SNI carried in the handshake message is not in the preset white list, and, if decryption succeeds, to directly forward the traffic packets corresponding to that SNI.
Optionally, the apparatus further comprises a determining module.
The determining module is configured to determine, if decryption fails, whether to add the SNI to the preset white list based on the decryption-failure condition of the traffic packets corresponding to that SNI.
Optionally, the determining module is specifically configured to add the SNI to the preset white list when the number of decryption failures of the traffic packets corresponding to the SNI is greater than a preset number.
Optionally, the determining module is further specifically configured not to add the SNI to the preset white list when the cause of the decryption failure of the traffic packets corresponding to the SNI is a network anomaly. A transient fault therefore does not grow the bypass list; only repeated failures that are not attributable to the network do.
Optionally, the receiving module 410 is further configured to determine that the SSL inspection function is enabled before receiving the handshake message sent by the terminal device.
Optionally, the forwarding module 430 is further configured to directly forward the traffic packets sent by the terminal device after determining that the SSL inspection function is not enabled.
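The fig. 4 flow and the fig. 5 modules above, as an added Python example that is not part of the patent or of any Hillstone implementation (claims 1 to 7 restate the same procedure): a minimal ClientHello parser stands in for the receiving and parsing modules, and `SniWhitelistPolicy` implements the forwarding and determining modules. The failure threshold of 3, the `HANDSHAKE_REJECTED` reason label, the handling of a ClientHello without SNI (inspected, since it cannot match the list), case-folding of host names and the constructed ClientHello bytes are all assumptions; the patent fixes none of them.

```python
"""Added example (not the patent's own code): SNI white-list bypass logic for an
SSL-inspecting intermediate device, following the fig. 4 flow and fig. 5 modules.
Threshold value, failure-reason labels and the constructed ClientHello are assumptions."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from enum import Enum


def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record with one SNI entry."""
    host = server_name.encode("idna")
    entry = struct.pack("!BH", 0, len(host)) + host           # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(entry)) + entry           # ServerNameList
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"              # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"              # one cipher suite
            + b"\x01\x00"                                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Parsing module: host_name from the ClientHello SNI extension, lower-cased, or None
    when the record is not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        if record[0] != 0x16:                                 # not a Handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                     # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos >= len(body):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0x0000:
                continue
            list_end, q = 2 + struct.unpack("!H", ext[:2])[0], 2
            while q + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", ext[q:q + 3])
                name, q = ext[q + 3:q + 3 + name_len], q + 3 + name_len
                if name_type == 0:
                    return name.decode("ascii").lower()       # DNS names are case-insensitive
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                           # malformed: treat as "no SNI"


class Action(Enum):
    FORWARD = "forward"      # pass through without decryption
    DECRYPT = "decrypt"      # SSL inspection applies to this flow


class FailureReason(Enum):
    NETWORK_ANOMALY = "network_anomaly"        # claim 5: never counts toward learning
    HANDSHAKE_REJECTED = "handshake_rejected"  # assumed label: peer refused the inspected session


@dataclass
class SniWhitelistPolicy:
    inspection_enabled: bool = True
    whitelist: set[str] = field(default_factory=set)
    failure_threshold: int = 3                  # the "preset number of times" (assumed value)
    _failures: dict[str, int] = field(default_factory=dict)

    def decide(self, client_hello: bytes) -> tuple[Action, str | None]:
        """Receiving, parsing and forwarding modules for one handshake message."""
        if not self.inspection_enabled:         # claim 7: inspection off -> plain forwarding
            return Action.FORWARD, None
        sni = extract_sni(client_hello)
        if sni is None:                         # assumption: no SNI can never match the list
            return Action.DECRYPT, None
        if sni in self.whitelist:               # claim 1: white-listed -> forward undecrypted
            return Action.FORWARD, sni
        return Action.DECRYPT, sni              # claim 2: otherwise decrypt this flow

    def record_failure(self, sni: str, reason: FailureReason) -> bool:
        """Determining module, called when decryption of a flow for `sni` failed.
        Returns True when this failure has just promoted the SNI to the white list."""
        if reason is FailureReason.NETWORK_ANOMALY:
            return False                        # claim 5: a network fault is not evidence
        sni = sni.lower()
        self._failures[sni] = self._failures.get(sni, 0) + 1
        if self._failures[sni] > self.failure_threshold:   # claim 4: strictly greater than preset
            self.whitelist.add(sni)
            return True
        return False


if __name__ == "__main__":
    policy = SniWhitelistPolicy(whitelist={"bank.example"})
    for host in ("bank.example", "pinned-app.example"):
        print(host, "->", policy.decide(build_client_hello(host))[0].value)
    for attempt in range(1, 5):                 # a pinned client keeps failing under inspection
        learned = policy.record_failure("pinned-app.example", FailureReason.HANDSHAKE_REJECTED)
        print(f"failure {attempt}: learned={learned}")
    print("after learning ->", policy.decide(build_client_hello("pinned-app.example"))[0].value)
```

Running the file shows the white-listed host passing through untouched while the pinned client's SNI is promoted on its fourth non-network failure, after which its flows are forwarded without decryption. Two properties of the design follow directly from the text and are worth keeping in mind when deploying it: the bypass decision is keyed on the SNI, a client-supplied field that the device has not verified at the moment it decides, and network-anomaly failures are excluded from the count precisely so that transient faults cannot grow the bypass list.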
It should be noted that, as those skilled in the art can clearly understand, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Based on the same inventive concept, embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed, the computer program performs the methods provided in the above embodiments.
The storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more integrated servers, data centers, and the like. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A traffic packet forwarding method, applied to an intermediate device, the method comprising:
receiving a handshake message sent by a terminal device, wherein the handshake message carries a server name indication (SNI);
parsing the handshake message and determining whether the server name indication carried by the handshake message is stored in a preset white list; and
when the server name indication carried by the handshake message is in the preset white list, directly forwarding the traffic packets sent by the terminal device that correspond to the server name indication.
2. The method of claim 1, further comprising:
when the server name indication carried by the handshake message is not in the preset white list, decrypting the traffic packets sent by the terminal device that correspond to the server name indication; and
if the decryption succeeds, directly forwarding the traffic packets corresponding to the server name indication.
3. The method of claim 2, further comprising:
if the decryption fails, determining whether to add the server name indication to the preset white list based on the decryption-failure condition of the traffic packets corresponding to the server name indication.
4. The method of claim 3, wherein determining whether to add the server name indication to the preset white list based on the decryption-failure condition of the traffic packets corresponding to the server name indication comprises:
when the number of decryption failures of the traffic packets corresponding to the server name indication is greater than a preset number, adding the server name indication to the preset white list.
5. The method of claim 3, wherein determining whether to add the server name indication to the preset white list based on the decryption-failure condition of the traffic packets corresponding to the server name indication comprises:
when the cause of the decryption failure of the traffic packets corresponding to the server name indication is a network anomaly, not adding the server name indication to the preset white list.
6. The method of claim 1, wherein before receiving the handshake message sent by the terminal device, the method further comprises:
determining that the SSL inspection function of the intermediate device is enabled.
7. The method of claim 1, further comprising:
after determining that the SSL inspection function is not enabled, directly forwarding the traffic packets sent by the terminal device.
8. A traffic packet forwarding apparatus, applied to an intermediate device, the apparatus comprising:
a receiving module, configured to receive a handshake message sent by a terminal device, wherein the handshake message carries a server name indication;
a parsing module, configured to parse the handshake message and determine whether the server name indication carried by the handshake message is stored in a preset white list; and
a forwarding module, configured to directly forward, when the server name indication carried by the handshake message is in the preset white list, the traffic packets sent by the terminal device that correspond to the server name indication.
9. An intermediate device, comprising a processor and a memory, the processor and the memory being connected, wherein
the memory is configured to store a program; and
the processor is configured to execute the program stored in the memory to perform the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed by a computer, performs the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111535045.5A CN114244846B (en) 2021-12-15 2021-12-15 Flow message forwarding method and device, intermediate equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111535045.5A CN114244846B (en) 2021-12-15 2021-12-15 Flow message forwarding method and device, intermediate equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244846A true CN114244846A (en) 2022-03-25
CN114244846B CN114244846B (en) 2024-02-09

Family

ID=80756384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111535045.5A Active CN114244846B (en) 2021-12-15 2021-12-15 Flow message forwarding method and device, intermediate equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114244846B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014019386A1 (en) * 2012-08-02 2014-02-06 华为技术有限公司 Message sending and receiving method, device and system
US9419942B1 (en) * 2013-06-05 2016-08-16 Palo Alto Networks, Inc. Destination domain extraction for secure protocols
US20160277372A1 (en) * 2015-03-17 2016-09-22 Riverbed Technology, Inc. Optimization of a secure connection with enhanced security for private cryptographic keys
CN106161449A (en) * 2016-07-19 2016-11-23 青松智慧(北京)科技有限公司 Transmission method without key authentication and system
CN109450945A (en) * 2018-12-26 2019-03-08 成都西维数码科技有限公司 A kind of web page access method for safety monitoring based on SNI
US20190116027A1 (en) * 2016-06-07 2019-04-18 Huawei Technologies Co., Ltd. Service processing method and apparatus
US20190245700A1 (en) * 2018-02-06 2019-08-08 Adobe Inc. Managing And Negotiating Certificates
CN111200666A (en) * 2018-11-20 2020-05-26 中国电信股份有限公司 Method and system for identifying access domain name
CN111448788A (en) * 2017-10-18 2020-07-24 思杰系统有限公司 SS L optimized method of tracking SS L session state for SAAS-based applications
CN111865990A (en) * 2020-07-23 2020-10-30 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet
CN111953706A (en) * 2020-08-21 2020-11-17 公安部第三研究所 Method for identifying mobile application based on HTTPS flow information
WO2021083284A1 (en) * 2019-10-31 2021-05-06 贵州白山云科技股份有限公司 Load balancing method and apparatus, medium and device
CN113518080A (en) * 2021-06-23 2021-10-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment

Also Published As

Publication number Publication date
CN114244846B (en) 2024-02-09

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant