CN114826754A - Communication method and system among different networks, storage medium and electronic device - Google Patents

Info

Publication number: CN114826754A
Authority: CN (China)
Prior art keywords: network, access request, server, protocol, relay server
Legal status: Pending
Application number: CN202210488217.6A
Other languages: Chinese (zh)
Inventors: 周正文, 郭一鸣
Current assignee: China Everbright Bank Co Ltd
Original assignee: China Everbright Bank Co Ltd
Application filed by China Everbright Bank Co Ltd
Priority to CN202210488217.6A
Publication of CN114826754A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The embodiment of the invention provides a communication method and system among different networks, a storage medium and an electronic device. The method comprises the following steps: when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, analyzing the protocol inference result to obtain a request inference result, wherein the network security of the first network is lower than that of the second network, and the network communication link is a communication link established from the second relay server to the first relay server; when the request inference result indicates that the first access request is legal, determining a second server matched with the first access request according to the protocol configuration information; and establishing a service link between the network communication link and the second server so as to complete the communication link through which the first client accesses the second server. This solves the problem of low security of cross-network data transmission in the related art and achieves the effect of improving the security of cross-network data transmission.

Description

Communication method and system among different networks, storage medium and electronic device
Technical Field
The embodiment of the invention relates to the technical field of computer security, in particular to a communication method and system among different networks, a storage medium and an electronic device.
Background
With the development of the internet, the application of internet finance gradually becomes the trend of the development of the internet, and banks blend financial services into various scenes of social life through cooperation with various industry service providers. In the cross-network transmission of data such as financial documents, it is necessary to ensure the security of data transmission.
To ensure the security of data transmitted across networks, a file transmission platform between the bank system and an isolation area is generally built on a security-isolated network structure. As shown in fig. 1, from the bank's internal network out to the cooperative service network, four networks are arranged in sequence: the bank network (hereinafter NET-1), the isolation area (NET-2), the Internet (NET-3) and the cooperative service network (NET-4), forming a four-layer network structure. To implement communication routing in the isolation area, Nginx is usually deployed there as an application communication relay. On this four-layer structure there are two docking modes between the bank network and the cooperative service network, and each mode has a sending process and a receiving process:
in a first mode, a bank network provides a transmission server:
(1) file sending process
1. The cooperative service network installs a dedicated transmission client provided by the bank network, installs a certificate issued by the bank network, encrypts sensitive data using techniques such as digital envelopes, and accesses the DMZ isolation area from the Internet through a secure protocol channel such as HTTP/SFTP;
2. after entering the DMZ isolation area, the data must pass through the Nginx of the DMZ, which forwards it to the file transmission platform of the bank network by reverse proxy;
3. the file transmission platform of the bank network distributes the data to each application system, and each application system decrypts the data through an encryption system;
(2) file receiving process
1. Each application system of the bank network adopts a digital envelope technology, is connected with an encryption system, encrypts data and issues the encrypted sensitive data to a file transmission platform;
2. the cooperative service network, using the dedicated transmission client provided by the bank network with the certificate issued by the bank installed, accesses the Nginx of the DMZ isolation area from the Internet through a secure protocol channel such as HTTP/SFTP, and is connected to the file transmission platform of the bank network through the reverse proxy of Nginx;
3. and the cooperation service network downloads the data on the file transmission platform and decrypts the data.
In a second mode, the partner provides a transmission server:
(1) the file sending process comprises the following steps:
1. each application system of the bank network adopts a digital envelope technology, is connected with an encryption system, encrypts data and issues the encrypted sensitive data to a file transmission platform;
2. the file transmission platform is connected with Nginx of the DMZ isolation area by adopting a client or a standard protocol provided by a cooperative service network, and the Nginx is connected with the file transmission platform through a reverse proxy to send data to the cooperative service network;
3. the cooperative service network decrypts the received data using soft encryption techniques.
(2) File receiving process:
1. the file transmission platform adopts a client or a standard protocol provided by a cooperative service network, is connected with Nginx of the DMZ isolation area, is connected with the file transmission platform through a reverse proxy, and captures data from the file transmission platform;
2. and the file transmission platform transmits the captured data to each application system of the bank network after killing viruses.
In this data transmission process, the service endpoint information of the sensitive networks is generally configured in an area with a lower security level, so it leaks easily; once the service endpoint information has leaked, an attacker can bypass the application and attack the server directly, so the data transmission carries a security risk.
Disclosure of Invention
Embodiments of the present invention provide a communication method and system between different networks, a storage medium, and an electronic device, so as to at least solve the problem of low security of data transmission across networks in the related art.
According to an embodiment of the present invention, there is provided a method for communication between different networks, including: when a second relay server deployed in a second network receives a protocol inference result of a first access request reported by a first relay server through a network communication link, analyzing the protocol inference result to obtain a request inference result, wherein the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network and accessing the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server; determining a second server matched with the first access request according to protocol configuration information when the request inference result indicates that the first access request is legal, wherein the protocol configuration information is the corresponding relation between each protocol type and the server in the second network; and establishing a service link between the network communication link and the second server so as to complete the communication link for the first client to access the second server.
In an exemplary embodiment, parsing the protocol inference result to obtain a request inference result includes: parsing the protocol inference result to obtain the protocol features of the first access request; determining the communication protocol type of the first access request according to those protocol features; obtaining a request inference result indicating that the first access request is legal when the communication protocol type of the first access request hits a preset communication protocol type in the second network; and obtaining a request inference result indicating that the first access request is illegal when the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
In an exemplary embodiment, determining a second server matching the first access request according to the protocol configuration information includes: and determining a server corresponding to the communication protocol type of the first access request in the protocol configuration information as a second server matched with the first access request.
In an exemplary embodiment, when the second relay server receives, through the network communication link, a first proxy request reported by the first relay server, the second relay server parses the first proxy request to obtain proxy account information, where the first proxy request is a proxy request initiated by the first client and accessing a target server in the second network; verifying whether the proxy account information is legal or not; and under the condition that the proxy account information is verified to be legal, establishing a service link between the network communication link and the target server so as to complete the communication link of the first client accessing the target server in the second network.
In an exemplary embodiment, when the second relay server receives a second access request initiated by a second client, a second application link between the second client and the second relay server is established, where the second access request requests access to the first network; the protocol features of the second access request are acquired through the second application link and used to determine whether the second access request is legal; and if the second access request is legal, a first server matching the second access request is identified and the service information of the first server is transmitted to the first relay server through the network communication link, so that the first relay server establishes a service link between the network communication link and the first server, completing the communication link through which the second client accesses the first network.
In an exemplary embodiment, when the second relay server receives a second proxy request initiated by a second client, where the second proxy request requests access to a target server in the first network, a second application link between the second client and the second relay server is established; the proxy account information of the second proxy request is acquired through the second application link and verified for legality; and when the proxy account information is verified to be legal, it is sent to the first relay server through the network communication link, so that the first relay server establishes a service link between the network communication link and the target server, completing the communication link through which the second client accesses the target server in the first network.
According to another embodiment of the present invention, there is provided a method for communication between different networks, including: when a first relay server deployed in a first network receives a first access request initiated by a first client, establishing a first application link with the first client, wherein the first access request requests access to a second network, and the network security of the first network is lower than that of the second network; acquiring a protocol feature of the first access request through the first application link, and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result, wherein the protocol inference result is the validity verification result of the first relay server on the communication protocol of the first access request; and, when the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to a second relay server through a network communication link, so that the second relay server, when the request inference result obtained by analyzing the protocol inference result indicates that the first access request is legal, establishes an application link between the network communication link and the second server to complete the communication link through which the first client accesses the second network, wherein the network communication link is established from the second relay server to the first relay server.
In an exemplary embodiment, obtaining the protocol feature of the first access request through the first application link, and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result, includes: intercepting the first N bytes of the first access request through the first application link as a protocol feature of the first access request; determining the communication protocol type of the first access request according to the byte format of the first N bytes; obtaining a protocol inference result indicating that the first access request is legal when the communication protocol type of the first access request hits a preset communication protocol type in the first network; and obtaining a protocol inference result indicating that the first access request is illegal when the communication protocol type of the first access request is not in the preset communication protocol type in the second network.
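As an added illustration (not code from the patent) of the protocol inference and server lookup described in the embodiments above, the following Python sketch sniffs the first N bytes on the first relay, checks the inferred type against the preset set, and resolves the server on the second relay, which alone holds the protocol configuration information. The value N = 16, the recognised protocol families (HTTP, SSH carrying SFTP, TLS), the allowed set and the host names are all assumptions.

```python
"""Added example (not from the patent): protocol inference on the first relay
server and protocol-to-server lookup on the second relay server."""
from dataclasses import dataclass
from typing import Optional

# Assumption: the first N bytes of the client's first message are sniffed.
N_SNIFF = 16

# Byte-format signatures for the assumed set of recognised protocol families.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")
SSH_BANNER = b"SSH-2.0-"   # RFC 4253 identification string; SFTP runs over SSH


def infer_protocol(prefix: bytes) -> Optional[str]:
    """Classify a connection from the byte format of its first bytes.

    Returns "http", "ssh" or "tls", or None when no known format matches.
    """
    if prefix.startswith(SSH_BANNER):
        return "ssh"
    if prefix.startswith(HTTP_METHODS):
        return "http"
    # TLS record layer: content type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) right after the 5-byte record header.
    if len(prefix) >= 6 and prefix[0] == 0x16 and prefix[1] == 0x03 and prefix[5] == 0x01:
        return "tls"
    return None


@dataclass(frozen=True)
class ProtocolInferenceResult:
    """What the first relay reports upstream: the inferred type only, never a server address."""
    client_id: str
    protocol: Optional[str]
    legal: bool


class FirstRelay:
    """Relay in the lower-security network: sniffs, infers and reports; holds no server map."""

    def __init__(self, allowed_protocols):
        self.allowed = frozenset(allowed_protocols)

    def handle_access_request(self, client_id: str, first_bytes: bytes) -> ProtocolInferenceResult:
        proto = infer_protocol(first_bytes[:N_SNIFF])
        return ProtocolInferenceResult(client_id, proto, proto is not None and proto in self.allowed)


class SecondRelay:
    """Relay in the higher-security network: the only holder of protocol configuration information."""

    def __init__(self, protocol_config: dict, allowed_protocols):
        self.protocol_config = dict(protocol_config)   # protocol type -> (host, port)
        self.allowed = frozenset(allowed_protocols)

    def handle_inference_result(self, result: ProtocolInferenceResult):
        # Re-derive legality from the protocol type itself rather than trusting
        # the flag set on the lower-security side of the firewall.
        if result.protocol is None or result.protocol not in self.allowed:
            return None
        return self.protocol_config.get(result.protocol)


def relay_access(first: FirstRelay, second: SecondRelay, client_id: str, first_bytes: bytes):
    """Full path: sniff on the first relay, report only if legal, resolve on the second relay."""
    result = first.handle_access_request(client_id, first_bytes)
    if not result.legal:
        return ("rejected_by_first_relay", None)
    target = second.handle_inference_result(result)
    if target is None:
        return ("rejected_by_second_relay", None)
    return ("service_link", target)


# Constructed sample configuration: placeholder host names, not from the patent.
PROTOCOL_CONFIG = {
    "http": ("file-transfer-platform.internal", 8443),
    "ssh": ("sftp-gateway.internal", 22),
}
FIRST_RELAY = FirstRelay(allowed_protocols=["http", "ssh"])
SECOND_RELAY = SecondRelay(PROTOCOL_CONFIG, allowed_protocols=["http", "ssh"])

if __name__ == "__main__":
    # Constructed sample first messages from a client.
    for label, sample in [
        ("http", b"GET /files/doc.pdf HTTP/1.1\r\nHost: x\r\n"),
        ("ssh", b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("tls", bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00, 0x00, 0xC1])),
        ("junk", b"\x00\x01\x02\x03"),
    ]:
        print(label, relay_access(FIRST_RELAY, SECOND_RELAY, "client-1", sample))
```

The TLS sample is recognised but rejected because it is not in the assumed preset set, which is the "does not hit" branch of the embodiment; the last assertion-style case shows why the second relay re-checks the type instead of trusting the reported flag.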
In an exemplary embodiment, when the first relay server receives a first proxy request of the first client, a first application link with the first client is established, where the first proxy request is used to request access to a target server in the second network, and the first proxy request carries proxy account information; reporting the first proxy request to the second relay server through the network communication link, so that the second relay server establishes a service link between the network communication link and the target server under the condition that the proxy account information is verified to be legal, and the communication link of the first client accessing the target server in the second network is completed.
In an exemplary embodiment, when the first relay server receives, through the network communication link, a second access request sent by the second relay server, where the second access request is an access request initiated by a second client in the second network and used for accessing the first network, the first server indicated by the second access request is determined; and establishing the network communication link and the service link of the first server to complete the communication link of the second client accessing the first network.
In an exemplary embodiment, in a case that the first relay server receives, through the network communication link, a second proxy request sent by the second relay server, the second proxy request being a proxy request initiated by a second client in the second network and used for accessing a target server in the first network, a target server in the first network indicated by the second proxy request is determined; and establishing a service link between the network communication link and the target server so as to complete the communication link of the second client accessing the target server in the first network.
According to another embodiment of the present invention, there is provided a communication system between different networks, including: a first client located in a first network, a target server located in a second network, a first relay server deployed in the first network and a second relay server deployed in the second network, wherein the network security of the first network is lower than that of the second network, wherein the first relay server is configured to establish a first application link with the first client when receiving a first access request initiated by the first client, acquire a protocol feature of the first access request through the first application link, perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, and report the protocol inference result to the second relay server through a network communication link when the protocol inference result indicates that the first access request is legitimate, wherein the network communication link is a communication link established by the second relay server to the first relay server, and the first access request is for requesting access to the second network; and the second relay server is configured to, when the protocol inference result is received through the network communication link, parse the protocol inference result to obtain a request inference result, and when the request inference result indicates that the first access request is legitimate, determine a target server matching the first access request according to protocol configuration information, and establish a service connection between the network communication link and the target server to complete a communication link for the first client to access the target server, where the protocol configuration information is a correspondence relationship between each protocol type in the second network and the server.
According to a further embodiment of the present invention, there is also provided a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, comprising a memory in which a computer program is stored and a processor configured to run the computer program to perform the steps of any of the method embodiments described above.
According to the invention, when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, the protocol inference result is analyzed to obtain a request inference result. Here the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server. When the request inference result indicates that the first access request is legal, a second server matched with the first access request is determined according to protocol configuration information, which is the correspondence between each protocol type in the second network and the server, and a service link is established between the network communication link and the second server to complete the communication link through which the first client accesses the second server. Because the first relay server is deployed in the first network and the second relay server in the second network, when a first client in the less secure first network initiates an access request to the second network, the validity of the access is verified by both the first relay server and the second relay server; the protocol configuration information that maps protocol types to servers is stored only in the second relay server in the more secure network; and the communication link for the first client to access the second network is established over a network communication link that the second relay server itself established to the first relay server. The method can therefore purposefully prevent the unsafe behaviour of an illegal access bypassing the application to attack the network. Thus the problem of low security of cross-network data transmission in the related art is solved, and the effect of improving the security of cross-network data transmission is achieved.
Drawings
Fig. 1 is a network architecture diagram of a communication method between different networks in the related art;
Fig. 2 is a block diagram of the hardware configuration of a computer terminal that runs a communication method between different networks according to an embodiment of the present invention;
Fig. 3 is a flow chart of a method of communication between different networks according to an embodiment of the present invention;
Fig. 4 is a flow chart of a method of communication between different networks according to an embodiment of the present invention;
Fig. 5 is a block diagram of a communication device between different networks according to another embodiment of the present invention;
Fig. 6 is a block diagram of a communication device between different networks according to another embodiment of the present invention;
Fig. 7 is a system network architecture diagram for communication between different networks according to an embodiment of the invention;
Fig. 8 is a network architecture diagram of communication between different networks according to an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In order to facilitate understanding of the technical solutions provided by the present invention, the following explains the terms of art that will be referred to in the embodiments of the present invention.
Forward proxy: the client sends a proxy request to the proxy server and specifies the address of the target server in order to obtain the content from the target server, and then the proxy server forwards the request to the target server and returns the obtained content to the client.
Reverse proxy: the proxy server receives the request from the client, then forwards the request to the target server according to a certain routing rule, and returns the content obtained from the target server to the client, wherein the proxy server is a reverse proxy server, and the client has no accessed target server information.
IO multiplexing: the method is mainly used for a scene that a server processes a plurality of sockets at the same time, and can use one thread to manage the read-write process of a group of sockets based on system calls such as select, epoll and the like.
Link level multiplexing: link-level multiplexing refers to that a service layer can create multiple virtual links and send requests and responses of multiple services simultaneously on the basis of sharing the same physical TCP link connection, that is, one physical TCP connection can simultaneously carry multiple service data streams and send multiple bidirectional request-response data packets simultaneously.
The method embodiments provided in the embodiments of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the operation on a computer terminal as an example, fig. 2 is a hardware structure block diagram of a computer terminal operating a communication method between different networks according to an embodiment of the present invention. As shown in fig. 2, the computer terminal may include one or more processors 202 (only one is shown in fig. 2) (the processor 202 may include, but is not limited to, a Processing device such as a Microprocessor (MCU) or a Programmable logic device (FPGA)) and a memory 204 for storing data, wherein the computer terminal may further include a transmission device 206 for communication function and an input and output device 208. It will be understood by those skilled in the art that the structure shown in fig. 2 is only an illustration, and is not intended to limit the structure of the computer terminal. For example, the computer terminal may also include more or fewer components than shown in FIG. 2, or have a different configuration than shown in FIG. 2.
The memory 204 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the principal behavior authority management method in the embodiment of the present invention, and the processor 202 executes various functional applications and data processing by running the computer programs stored in the memory 204, that is, implements the method described above. Memory 204 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 204 may further include memory located remotely from the processor 202, which may be connected to a computer terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 206 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal. In one example, the transmission device 206 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 206 can be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
Fig. 3 is a flowchart of a communication method between different networks according to an embodiment of the present invention, as shown in fig. 3, the flowchart includes the following steps:
step S302, under the condition that a second relay server deployed in a second network receives a protocol inference result of a first access request reported by a first relay server through a network communication link, analyzing the protocol inference result to obtain a request inference result;
in step S302, the first relay server is deployed in the first network, the first access request is an access request initiated by the first client in the first network and accessing the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server.
Step S304, under the condition that the request inference result indicates that the first access request is legal, determining a second server matched with the first access request according to the protocol configuration information;
in step S304, the protocol configuration information is a corresponding relationship between each protocol type in the second network and the server.
Step S306, a network communication link and a service link of the second server are established to complete the communication link of the first client accessing the second server.
A network firewall is arranged between the first network and the second network to isolate the first network from the second network, and the first relay server deployed in the first network and the second relay server deployed in the second network are communication relay servers located on opposite sides of the network firewall. The network communication link is a physical communication link established from the second relay server to the first relay server, is not limited to a TCP link, and realizes a communication link crossing the network firewall between the first relay server and the second relay server.
The network communication link is a necessary link for communication between the first network and the second network, the network communication link is a communication link which is allowed to be established from a link layer to a first relay server with low security degree from a second relay server with high security degree, a firewall policy of designating a port to the first relay server by the second relay server is opened between the first network and the second network, and other access links are all prohibited by the firewall policy, so that the establishment of other illegal communication links which do not pass through the network communication link is avoided.
The network communication link is a bidirectional communication link, and is not limited to a plurality of virtual links created to realize sending different service requests and service responses through different virtual links at the same time, and one physical TCP link can simultaneously carry a plurality of service data flows through a plurality of virtual links to send multiple, bidirectional request-response data packets at the same time.
The network communication link is multiplexed by the second relay server to the first relay server to establish a set of long TCP connections, one long TCP connection capable of simultaneously carrying multiple data streams while transmitting multiple, bi-directional request-response packets. The first relay server may receive an access request from a first client in the first network and forward the access request to the second relay server, receive a response from the second relay server from a server in the second network and forward the response to the first client. The second relay server may receive and forward to the first relay server an access request of the second client in the second network, receive from the first relay server a response from the server in the first network, and forward to the second client. At the same time, the TCP long connection includes both the request and the response transmitted from the first relay server to the second relay server and the request and the response received from the second relay server, and also includes the request and the response transmitted from the second relay server to the first relay server and the request and the response received from the first relay server.
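The following Python example is added here to illustrate the multiplexing described above; it is not part of the patent and does not reproduce any disclosed implementation. It shows how one long TCP connection can carry several virtual links at the same time: every frame carries a virtual link identifier and a request/response flag, and the receiving relay reassembles frames that arrive interleaved and in arbitrary segment sizes into per-link messages. The frame layout, the field widths and the 64 KiB per-frame limit are assumptions made for the example.

```python
import struct
from typing import Dict, List, Tuple

# Frame header for one virtual link inside the long TCP connection (constructed format for
# this example; the description does not specify a wire format):
#   stream_id : uint32  identifies the virtual link
#   flags     : uint8   bit0 = response (else request), bit1 = last frame of a message
#   length    : uint32  payload length in bytes
HEADER = struct.Struct("!IBI")
FLAG_RESPONSE = 0x01
FLAG_END = 0x02
MAX_FRAME = 64 * 1024  # assumed limit; a relay must bound how much a peer can make it buffer


def encode_frame(stream_id: int, payload: bytes, response: bool = False, end: bool = True) -> bytes:
    """Wrap one chunk of a request or response belonging to a virtual link into a frame."""
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds MAX_FRAME")
    flags = (FLAG_RESPONSE if response else 0) | (FLAG_END if end else 0)
    return HEADER.pack(stream_id, flags, len(payload)) + payload


class Demultiplexer:
    """Reassembles interleaved frames read from one TCP connection into per-virtual-link messages."""

    def __init__(self) -> None:
        self._buf = bytearray()
        # (stream_id, is_response) -> bytes received so far for an unfinished message
        self._partial: Dict[Tuple[int, bool], bytearray] = {}

    def feed(self, data: bytes) -> List[Tuple[int, bool, bytes]]:
        """Consume bytes as they arrive from the socket; return completed (stream_id, is_response, message)."""
        self._buf += data
        completed: List[Tuple[int, bool, bytes]] = []
        while len(self._buf) >= HEADER.size:
            stream_id, flags, length = HEADER.unpack_from(self._buf)
            if length > MAX_FRAME:
                raise ValueError("oversized frame from peer")
            if len(self._buf) < HEADER.size + length:
                break  # wait for the rest of this frame
            payload = bytes(self._buf[HEADER.size:HEADER.size + length])
            del self._buf[:HEADER.size + length]
            key = (stream_id, bool(flags & FLAG_RESPONSE))
            self._partial.setdefault(key, bytearray()).extend(payload)
            if flags & FLAG_END:
                completed.append((stream_id, key[1], bytes(self._partial.pop(key))))
        return completed


def demo_interleaved() -> List[Tuple[int, bool, bytes]]:
    """Two virtual links on one connection: a request on link 1 split across two frames, with a
    response on link 2 interleaved between them, delivered in 7-byte TCP segments (constructed data)."""
    wire = b"".join([
        encode_frame(1, b"GET /a", end=False),
        encode_frame(2, b"200 OK", response=True),
        encode_frame(1, b" HTTP/1.1\r\n\r\n"),
    ])
    demux = Demultiplexer()
    messages: List[Tuple[int, bool, bytes]] = []
    for i in range(0, len(wire), 7):  # segment boundaries split headers and payloads alike
        messages.extend(demux.feed(wire[i:i + 7]))
    return messages


if __name__ == "__main__":
    for stream_id, is_response, msg in demo_interleaved():
        print(stream_id, "response" if is_response else "request", msg)
```

The response on link 2 is delivered before the request on link 1 completes, which is the point of the virtual links: one link's long message does not block the others. The length check before buffering is the part a relay on the firewall boundary should not omit, since the peer on the low-security side controls the header values.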
The communication between the first network and the second network based on the relay server supports two forms of a forward proxy and a reverse proxy, and it should be noted that protocol configuration information (routing information) of the reverse proxy is only stored in the second relay server with high security, a request destination address of the forward proxy is only stored in a memory of the second relay server with high security, and routing information in a persistent form does not exist on the first relay server with low security.
In an exemplary embodiment, parsing the protocol inference result in step S302 of this embodiment to obtain a request inference result includes:
s302-1, analyzing the protocol inference result to obtain the protocol characteristics of the first access request;
s302-2, determining the communication protocol type of the first access request according to the protocol characteristics of the first access request;
s302-3-1, obtaining a request inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the second network;
s302-3-2, under the condition that the communication protocol type of the first access request is not in the preset communication protocol type in the second network, a request inference result indicating that the first access request is illegal is obtained.
The protocol inference result is a communication protocol type of the first access request acquired by the first relay server through the first application link when the first relay server receives the access request initiated by the first client, and the first relay server is not limited to perform protocol type judgment on the communication protocol type of the first access request, so as to obtain a protocol inference result of whether the first access request judged by the first relay server is a legal access request. And the second relay server acquires the communication protocol type of the first access request from the protocol inference result and judges whether the communication protocol type of the first access request hits the preset communication protocol type in the second network again. The preset communication protocol type in the second network is the communication protocol type supported by the second network.
And under the condition that the request inference result obtained by the second relay server indicates that the first access request is illegal, notifying the first relay server of the inference result that the first access request is illegal through a network communication link so that the first relay server is disconnected from the first application link of the first client.
In an exemplary embodiment, the determining, in step S304 of the present embodiment, the second server matching the first access request according to the protocol configuration information includes: and determining the server corresponding to the communication protocol type of the first access request in the protocol configuration information as a second server matched with the first access request.
And under the condition that the request inference result obtained by the second relay server indicates that the first access request is legal, determining a second server corresponding to the communication protocol type of the first access request according to protocol configuration information stored in the second relay server, and establishing a service link with the second server, so that a complete communication link for a first client in the first network to access the second network is formed by using the first application link, the network communication link and the service link between the second relay server and the second server, and the safe data transmission between the first client and the second network is carried out through the complete communication link between the first client and the second server. In the case where any one of the first application link, the network communication link, and the service link of the second relay server and the second server is disconnected, the entire communication link will be automatically disconnected.
The protocol configuration information is corresponding information of each protocol type and the server in the second network, and is not limited to routing information of each protocol type and the corresponding server port, so that the first client is allocated with the corresponding server to perform communication based on the protocol type of the access request.
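As an added Python example of steps S302 and S304 on the second relay server (example code written for this page, not the patent's own), the report from the first relay server is assumed to be JSON with a "protocol" field, and the preset protocol set and the protocol configuration mapping are constructed values. The second relay ignores any "legal" verdict the first relay may have included and decides again from its own preset, which is what the description's second check amounts to.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Communication protocol types preset as supported in the second network (constructed values).
PRESET_PROTOCOLS = {"http", "tls", "ssh"}

# Protocol configuration information: protocol type -> server and port in the second network.
# Per the description it is held only on the second relay and never persisted on the first relay.
PROTOCOL_CONFIG: Dict[str, Tuple[str, int]] = {
    "http": ("10.20.0.11", 8080),
    "tls": ("10.20.0.12", 8443),
    "ssh": ("10.20.0.13", 22),
}


@dataclass
class RequestInference:
    legal: bool
    protocol: Optional[str]
    reason: str


def parse_protocol_inference(report: bytes) -> RequestInference:
    """Step S302: parse the first relay's report (assumed JSON with a "protocol" field) and
    re-check the protocol type against the second network's preset set."""
    try:
        doc = json.loads(report)
    except ValueError:
        return RequestInference(False, None, "malformed report")
    proto = doc.get("protocol") if isinstance(doc, dict) else None
    if not isinstance(proto, str) or not proto:
        return RequestInference(False, None, "missing protocol feature")
    proto = proto.lower()
    # The first relay's own verdict is deliberately not trusted: it sits on the low-security
    # side, so the high-security side repeats the hit test against its own preset.
    if proto not in PRESET_PROTOCOLS:
        return RequestInference(False, proto, "protocol not supported in second network")
    return RequestInference(True, proto, "ok")


def match_second_server(inference: RequestInference) -> Optional[Tuple[str, int]]:
    """Step S304: map a legal request's protocol type to the second server it is routed to."""
    if not inference.legal or inference.protocol is None:
        return None
    return PROTOCOL_CONFIG.get(inference.protocol)


def handle_report(report: bytes) -> dict:
    """Decision handed to the link layer: either notify the first relay so it drops the first
    application link, or establish the service link to the matched second server."""
    inference = parse_protocol_inference(report)
    server = match_second_server(inference)
    if server is None:
        return {"action": "notify_illegal", "reason": inference.reason}
    return {"action": "establish_service_link", "protocol": inference.protocol, "server": server}
```

A protocol that is preset but has no entry in the configuration also ends in the notify path, so a gap between the two tables fails closed rather than routing to nothing.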
In one exemplary embodiment, in the case that the second relay server receives the first proxy request reported by the first relay server through the network communication link:
s1-1, analyzing a first proxy request to obtain proxy account information, wherein the first proxy request is a proxy request initiated by a first client and accessing a target server in a second network;
s1-2, verifying whether the proxy account information is legal;
and S1-3, under the condition that the proxy account information is verified to be legal, establishing a network communication link and a service link of the target server so as to complete the communication link of the first client accessing the target server in the second network.
When the first relay server initiates a forward proxy request to the second relay server based on the first client, the first relay server sends the proxy account information to the second relay server through the network communication link, so that the second relay server verifies whether the proxy account information is legal or not.
The proxy account information is not limited to comprising an authentication account and an account password for accessing the target server. Under the condition that the second relay server verifies that the proxy account information is illegal, the first relay server is informed through the network communication link that the first proxy request is illegal, so that the first relay server breaks the application link with the first client that initiated the first proxy request.
And under the condition that the second relay server verifies that the proxy account information is legal, establishing a service link between the network communication link and the target server so as to form a complete communication link for the first client in the first network to access the target server in the second network by using the first application link between the first relay server and the first client, the network communication link and the service link between the second relay server and the target server, and carrying out safe data transmission between the first client and the target server in the second network through the complete communication link between the first client and the target server. In the case where any one of the first application link, the network communication link, and the service link of the second relay server and the target server is disconnected, the entire communication link will be automatically disconnected.
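The following added Python example (written for this page, not taken from the patent) shows steps S1-1 to S1-3 on the second relay server: the forwarded first proxy request is parsed, the proxy account information is verified, and only on success is the target server released for the service link. The description says only that an authentication account and account password are checked; the JSON request shape, the salted PBKDF2 hashing, the constant-time comparison and the per-account list of permitted targets are this example's choices, and the credential store is constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Set, Tuple

# Hashing parameters are this example's choice, not from the description.
_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_account(password: str, allowed_targets: Set[Tuple[str, int]], salt: Optional[bytes] = None) -> dict:
    """Credential record: salted hash only (never the password) plus the target servers this
    account may reach. The per-account target list goes beyond what the description states."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "targets": allowed_targets}


# Constructed in-memory credential store of the second relay.
ACCOUNTS: Dict[str, dict] = {
    "svc-reporting": make_account("correct horse battery staple", {("10.20.0.21", 5432)}),
}


def verify_proxy_request(request: bytes) -> dict:
    """Steps S1-1 to S1-3: parse the forwarded first proxy request, verify the proxy account
    information, and only then return the target the service link is built to."""
    try:
        doc = json.loads(request)
        account = str(doc["account"])
        password = str(doc["password"])
        target = (str(doc["target_host"]), int(doc["target_port"]))
    except (ValueError, KeyError, TypeError):
        return {"legal": False, "reason": "malformed proxy request"}

    record = ACCOUNTS.get(account)
    # Derive even for unknown accounts so response time does not reveal which accounts exist.
    candidate = _derive(password, record["salt"] if record else _DUMMY_SALT)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return {"legal": False, "reason": "authentication failed"}
    if target not in record["targets"]:
        return {"legal": False, "reason": "target not permitted for account"}
    return {"legal": True, "target": target}
```

The same "authentication failed" reason is returned for an unknown account and for a wrong password, so the first relay, and through it the first client, learns only that the request was refused.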
In one exemplary embodiment, in case the second relay server receives a second access request initiated by the second client:
s2-1, establishing a second application link between the second relay server and the second client, wherein the second access request is used for requesting access to the first network;
s2-2, acquiring the protocol characteristics of the second access request through the second application link, and determining whether the second access request is legal;
and S2-3, under the condition that the second access request is legal, determining a first server matched with the second access request, and sending the service information of the first server to the first relay server through the network communication link, so that the first relay server establishes the service connection between the network communication link and the first server, and the communication link of the second client accessing the first network is completed.
And under the condition that a second client in the second network initiates a reverse proxy access request to the first network, when receiving a second access request of the second client, the second relay server establishes a second application link with the second client, and acquires the protocol characteristics of the second access request to judge whether the second access request is legal or not. The second relay server judges whether the second access request is legal or not, and is not limited to determining the protocol type of the second access request through the protocol feature of the second access request, so that whether the protocol type of the second access request hits the protocol type preset in the second relay server or not is judged. And under the condition that the second access request does not hit the preset protocol type in the second relay server, determining that the second access request is illegal, informing the second client that the second access request is illegal through the second application link, and disconnecting the application link with the second client.
And under the condition that the second access request is legal, determining a first server matched with the protocol characteristics of the second access request, and sending the information of the first server to a first relay server through a network communication link, so that the first relay server establishes the network communication link and the service link of the first server, and a complete communication link of the second client for accessing the first network is constructed. And carrying out safe data transmission between the second client and the first server in the first network through the complete communication link between the second client and the first server. In the case where any one of the second application link, the network communication link, and the service link of the first relay server and the first server is disconnected, the entire communication link will be automatically disconnected.
In one exemplary embodiment, in the event that the second relay server receives a second client-initiated second proxy request:
s3-1, establishing a second application link between the second relay server and the second client, wherein the second proxy request is used for requesting access to a target server in the first network;
s3-2, the proxy account information of the second proxy request is obtained through the second application link, and whether the proxy account information is legal or not is verified;
and S3-3, under the condition that the proxy account information is verified to be legal, sending the proxy account information to the first relay server through the network communication link, so that the first relay server establishes service connection between the network communication link and the target server, and the communication link of the second client accessing the target server in the first network is completed.
Under the condition that a second client in a second network initiates a forward proxy access request to a first network, when receiving a second proxy request of the second client, a second relay server establishes a second application link with the second client, and acquires proxy account information of the second proxy request to judge whether the second proxy request is legal or not. The second relay server judges whether the second proxy request is legal or not, and is not limited to obtaining the authentication account and the account password of the access target server carried in the second proxy request through the second proxy request, and whether the authentication account and the account password are correct or not is verified.
And under the condition that any one of the authentication account number or the account number password is incorrect, determining that the second proxy request is illegal, informing the second client of the illegal second proxy request through the second application link, and disconnecting the application link with the second client.
Under the condition that both the authentication account and the account password are correct, the second proxy request is determined to be legal, the IP address and port information of the target server corresponding to the second proxy request are determined, and the IP address and port information of the target server are transmitted to the first relay server through the network communication link, so that the first relay server establishes the service link between the network communication link and the target server according to the IP address and port information of the target server. A complete communication link for the second client in the second network to access the target server in the first network is thereby formed from the second application link between the second relay server and the second client, the network communication link, and the service link between the first relay server and the target server, and safe data transmission between the second client and the target server of the first network is carried out through this complete communication link. In the case where any one of the second application link, the network communication link, and the service link between the first relay server and the target server is disconnected, the entire communication link will be automatically disconnected.
In the above embodiment of the present invention, when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, the protocol inference result is parsed to obtain a request inference result. Here the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network for accessing the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server. When the request inference result indicates that the first access request is legal, a second server matching the first access request is determined according to protocol configuration information, where the protocol configuration information is the correspondence between each protocol type in the second network and a server, and a service link from the network communication link to the second server is established to complete the communication link by which the first client accesses the second server. Because the first relay server is deployed in the first network and the second relay server in the second network, when a first client in the first network with lower network security initiates an access request to the second network, the validity of the access is verified by both the first relay server and the second relay server; the protocol configuration information indicating the correspondence between protocol type and server is stored only in the second relay server with higher network security; and the communication link by which the first client accesses the second network is built on the network communication link established by the second relay server to the first relay server. The method can therefore purposefully avoid the unsafe behavior in which illegal access bypasses the application to attack the network. Thus the problem of low security of cross-network data transmission in the related art is solved, and the effect of improving the security of cross-network data transmission is achieved.
Fig. 4 is a flowchart of a communication method between different networks according to another embodiment of the present invention, as shown in fig. 4, the flowchart includes the following steps:
step S402, under the condition that a first relay server deployed in a first network receives a first access request initiated by a first client, establishing a first application link with the first client;
in the above step S402, the first access request is used to request access to the second network, and the network security of the first network is lower than that of the second network.
Step S404, acquiring the protocol characteristics of the first access request through the first application link, and performing protocol inference on the protocol characteristics of the first access request to obtain a protocol inference result;
in step S404, the protocol estimation result is a result of verifying the validity of the communication protocol of the first access request by the first relay server.
Step S406, under the condition that the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to the second relay server through the network communication link, so that the second relay server establishes the service link between the network communication link and the second server under the condition that the request inference result obtained by analyzing the protocol inference result indicates that the first access request is legal, and the communication link of the first client accessing the second network is completed;
in step S406, the network communication link is a communication link established from the second relay server to the first relay server.
The above is not limited to the processing flow of the first relay server deployed in the first network when the first client in the first network initiates the reverse proxy request access to the second network.
In an exemplary embodiment, in step S404, obtaining the protocol feature of the first access request through the first application link, and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result, including:
s404-1, intercepting the first N bytes of the first access request through the first application link as the protocol feature of the first access request;
s404-2, determining the communication protocol type of the first access request according to the byte format of the first N bytes;
s404-3-1, obtaining a protocol inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the first network;
s404-3-2, under the condition that the communication protocol type of the first access request does not hit the preset communication protocol type in the first network, obtaining a protocol inference result indicating that the first access request is illegal.
The method comprises the steps that when a first relay server receives a reverse proxy request access initiated by a first client in a first network to a second network, a first application link with the first client is established, the first N bytes in the first access request are intercepted through the first application link, the first N bytes are not limited to a protocol header of the access request, and the communication protocol type of the first access request is determined according to the protocol characteristics of the protocol header. And judging whether the first access request hits a preset communication protocol type in the first relay server, so as to obtain a protocol inference result whether the first access request is legal.
Under the condition that the first relay server determines that the first access request is illegal, the first client is informed through the first application link of the inference result that the first access request is illegal, and the first application link is disconnected. Under the condition that the first relay server determines that the first access request is legal, the protocol inference result is sent to the second relay server through the network communication link, so that, once the second relay server has verified that the first access request is legal, the second server corresponding to the first access request is determined, a service link between the network communication link and the second server is established, a complete communication link for the first client to access the second network is constructed, and the completed communication link is used to realize safe data transmission between the first client and the second network.
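The following added Python example (written for this page, not the patent's own code) shows steps S404-1 to S404-3 on the first relay server: the first N bytes of the access request are taken as the protocol feature, the communication protocol type is determined from their byte format, and the result is checked against the preset protocol types. N = 16, the preset set and the recognised formats (HTTP/1.x request line, SSH identification string, TLS ClientHello record header) are assumptions; the description only says that the first N bytes, not limited to a protocol header, are used.

```python
from typing import Optional

N = 16  # number of leading bytes used as the protocol feature (assumed value)

# Communication protocol types preset as allowed on the first relay (constructed values).
PRESET_PROTOCOLS = {"http", "tls", "ssh"}

_HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def infer_protocol(head: bytes) -> Optional[str]:
    """Step S404-2: classify by the byte format of the protocol header; None if no known format matches."""
    if head.startswith(b"SSH-"):  # SSH identification string "SSH-protoversion-softwareversion"
        return "ssh"
    if head.startswith(_HTTP_METHODS):  # HTTP/1.x request line starts with a method token and a space
        return "http"
    # TLS record header: content type 0x16 (handshake), version major 0x03, then handshake
    # type 0x01 (ClientHello) as the first byte of the record body.
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[5] == 0x01:
        return "tls"
    return None


def protocol_inference(first_bytes: bytes) -> dict:
    """Steps S404-1 and S404-3: take the first N bytes as the feature, infer the protocol type and
    report whether it hits the preset set. This dict is what the first relay reports to the second relay."""
    head = first_bytes[:N]
    protocol = infer_protocol(head)
    legal = protocol is not None and protocol in PRESET_PROTOCOLS
    return {"feature": head.hex(), "protocol": protocol, "legal": legal}


if __name__ == "__main__":
    # Constructed sample requests as a client would send them over the first application link.
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n",
                   b"SSH-2.0-OpenSSH_9.6\r\n",
                   bytes.fromhex("160301008c010000880303"),
                   b"\x00\x00\x00\x10\xffSMB"):
        print(protocol_inference(sample))
```

Looking at the first N bytes is a heuristic on the leading bytes only, which is why the description has the second relay repeat the check and has the service link terminate on a server selected by protocol type: a request that starts like an allowed protocol is still delivered only to a server that speaks that protocol, not to an arbitrary destination chosen by the client.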
In one exemplary embodiment, in the case where the first relay server receives the first proxy request of the first client:
s4-1, establishing a first application link with a first client, wherein a first proxy request is used for requesting access to a target server in a second network, and the first proxy request carries proxy account information;
and S4-2, reporting the first proxy request to the second relay server through the network communication link, so that the second relay server establishes a service link between the network communication link and the target server under the condition that the proxy account information is verified to be legal, and completing the communication link of the first client accessing the target server in the second network.
Under the condition that a first client in a first network initiates a forward proxy access request to a second network, a first relay server establishes a first application link with the first client based on the first proxy request, acquires an IP address, port information and proxy account information of a target server indicated by the first proxy request based on the first application link, and sends the information to the second relay server through a network communication link, so that the second relay server verifies whether the proxy account information is legal or not.
And under the condition that the proxy account information is verified to be illegal by the second relay server, informing the first relay server that the proxy account information is verified to be illegal through a network communication link so as to disconnect the application link with the first client by the first relay server.
And under the condition that the second relay server verifies that the proxy account information is legal, establishing a service link between a network communication link and a target server in the second network, thereby establishing a complete communication link for the first client to access the target server of the second network, and completing the safe data transmission between the first client and the second network based on the complete communication link.
In one exemplary embodiment, in the case where the first relay server receives the second access request transmitted by the second relay server through the network communication link:
s5-1, determining a first server indicated by a second access request, wherein the second access request is an access request initiated by a second client in a second network and used for accessing the first network;
and S5-2, establishing a network communication link and a service link of the first server to complete the communication link of the second client accessing the first network.
In the case that a second client in the second network initiates a reverse proxy access request to the first network, the first relay server receives the second access request through the network communication link, determines a first server indicated by the second access request, and accordingly establishes the network communication link and a service link of the first server to construct a complete communication link for the second client to access the first network.
In one exemplary embodiment, in the case where the first relay server receives the second proxy request sent by the second relay server over the network communication link:
s6-1, determining a target server in the first network indicated by a second proxy request, wherein the second proxy request is a proxy request initiated by a second client in the second network and used for accessing the target server in the first network;
and S6-2, establishing a network communication link and a service link of the target server to complete the communication link of the second client accessing the target server in the first network.
Under the condition that a second client in a second network initiates a forward proxy access request to a first network, a first relay server receives information indicating a target server through a network communication link, so that the target server indicated by the second proxy request is determined, and a network communication link and a service link of the target server are established, so that a complete communication link of the second client for accessing the target server of the first network is constructed.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a Read-Only Memory/Random Access Memory (ROM/RAM), a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a communication device between different networks is also provided. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a communication apparatus between different networks according to an embodiment of the present invention, which is not limited to be deployed in a second network, and includes:
the analysis unit 502 is configured to, when a second relay server deployed in a second network receives a protocol inference result of a first access request reported by a first relay server through a network communication link, analyze the protocol inference result to obtain a request inference result, where the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network and accessing the second network, a network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server;
a determining unit 504, configured to determine, according to protocol configuration information, a second server that matches the first access request when the request inference result indicates that the first access request is legal, where the protocol configuration information is a correspondence between each protocol type in the second network and the server;
an establishing unit 506, configured to establish a network communication link with a service link of the second server to complete a communication link for the first client to access the second server.
Optionally, the parsing unit 502 is further configured to parse the protocol inference result to obtain a protocol feature of the first access request; determining the communication protocol type of the first access request according to the protocol characteristics of the first access request; obtaining a request inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in a second network; and obtaining a request inference result indicating that the first access request is illegal in the case that the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
Optionally, the determining unit is further configured to determine, in the protocol configuration information, a server corresponding to the communication protocol type of the first access request as a second server matched with the first access request.
The communication device between different networks further comprises a first processing unit, configured to, when a second relay server receives a first proxy request reported by a first relay server through a network communication link, parse the first proxy request to obtain proxy account information, where the first proxy request is a proxy request initiated by a first client and accessing a target server in a second network; verifying whether the proxy account information is legal or not; and under the condition that the proxy account information is verified to be legal, establishing a service link between the network communication link and the target server so as to finish the communication link of the first client accessing the target server in the second network.
The communication device between different networks further includes a second processing unit, configured to establish a second application link with a second client when the second relay server receives a second access request initiated by the second client, where the second access request is used to request access to the first network; acquire the protocol feature of the second access request through the second application link, and determine whether the second access request is legal; and, when the second access request is legal, determine a first server matched with the second access request and send the service information of the first server to the first relay server through the network communication link, so that the first relay server establishes the service connection between the network communication link and the first server and the communication link of the second client accessing the first network is completed.
The communication device between different networks further comprises a third processing unit, configured to establish a second application link with a second client when the second relay server receives a second proxy request initiated by the second client, where the second proxy request is used to request access to a target server in the first network; acquire the proxy account information of the second proxy request through the second application link, and verify whether the proxy account information is legal; and, when the proxy account information is verified to be legal, send the proxy account information to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the target server and the communication link of the second client accessing the target server in the first network is completed.
Fig. 6 is a block diagram of a communication device between different networks according to another embodiment of the present invention; the device may be deployed in a first network, and includes:
an establishing unit 602, configured to establish a first application link with a first client when a first relay server deployed in a first network receives a first access request initiated by the first client, where the first access request is used to request access to a second network, and a network security of the first network is lower than that of the second network;
an inference unit 604, configured to obtain a protocol feature of the first access request through the first application link, and perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, where the protocol inference result is a validity verification result of the communication protocol of the first access request by the first relay server;
a reporting unit 606, configured to report the protocol inference result to the second relay server through the network communication link when the protocol inference result indicates that the first access request is legal, so that the second relay server establishes an application link between the network communication link and the second server to complete a communication link for the first client to access the second network when the request inference result obtained by parsing the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server.
Optionally, the inference unit 604 is further configured to intercept, as a protocol feature of the first access request, the first N bytes of the first access request through the first application link; determining the communication protocol type of the first access request according to the byte format of the first N bytes; obtaining a protocol inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the first network; and obtaining a protocol inference result indicating that the first access request is illegal under the condition that the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
The communication device between different networks further comprises a first processing unit, configured to establish a first application link with a first client when the first relay server receives a first proxy request of the first client, where the first proxy request is used to request access to a target server in a second network, and the first proxy request carries proxy account information; and reporting the first proxy request to a second relay server through a network communication link, so that the second relay server establishes a service link between the network communication link and a target server under the condition that the proxy account information is verified to be legal, and the communication link of the first client accessing the target server in the second network is completed.
The communication device between different networks further includes a second processing unit, configured to determine, when the first relay server receives, through the network communication link, a second access request sent by the second relay server, the first server indicated by the second access request, where the second access request is an access request initiated by a second client in the second network and used for accessing the first network; and establishing a network communication link and a service link of the first server to complete the communication link of the second client accessing the first network.
The communication device between different networks further comprises a third processing unit, configured to determine, when the first relay server receives, through the network communication link, a second proxy request sent by the second relay server, a target server in the first network indicated by the second proxy request, where the second proxy request is a proxy request initiated by a second client in the second network and used for accessing the target server in the first network; and establishing a network communication link and a service link of the target server so as to complete the communication link of the second client accessing the target server in the first network.
It should be noted that the above modules may be implemented by software or hardware; in the latter case they may be implemented, without limitation, as follows: the modules are all located in the same processor, or the modules are located in different processors in any combination.
In order to facilitate understanding of the technical solutions provided by the present invention, the following detailed description will be made with reference to embodiments of specific scenarios.
Fig. 7 is a schematic structural diagram of a communication system between different networks according to an embodiment of the present invention, and as shown in fig. 7, the communication system between different networks includes: a first client 101 located in a first network 100 and a target server located in a second network 200, and a first relay server 110 deployed in the first network 100 and a second relay server 210 deployed in the second network 200, wherein the network security of the first network 100 is lower than that of the second network 200, wherein:
the first relay server 110 is configured to establish a first application link with a first client when receiving a first access request initiated by the first client, acquire a protocol feature of the first access request through the first application link, perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, and report the protocol inference result to a second relay server through a network communication link when the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server, and the first access request is used to request access to a second network;
and the second relay server 210 is configured to, when the protocol inference result is received through the network communication link, parse the protocol inference result to obtain a request inference result, and when the request inference result indicates that the first access request is legal, determine, according to the protocol configuration information, a target server matched with the first access request, and establish a service connection between the network communication link and the target server to complete a communication link for the first client to access the target server, where the protocol configuration information is a corresponding relationship between each protocol type in the second network and the server.
The target server in the second network 200 may be the second server 202 or may be a proxy server. The target server may be a matching server determined based on the protocol type of the first access request, or may be a server designated by the first client 101 when initiating the access request, such as a proxy server.
The secure relay is composed of a first relay server 110 deployed in the first network 100 and a second relay server 210 deployed in the second network 200; first relay servers 110 and second relay servers 210 are in a many-to-many relationship for data transmission and communicate bidirectionally according to a certain load balancing mechanism. Between the first relay server 110 and the second relay server 210, the underlying TCP link may only be established from the second relay server 210 (high security) to the first relay server 110 (low security); that is, the only firewall rule opened between the first network 100 and the second network 200 is the one allowing the second relay server 210 to reach a designated port on the first relay server 110, and all other access-link firewall policies are prohibited. For example, the establishment of an access link from the first client 101 to the second server 202, from the first relay server 110 to the second relay server 210, from the second relay server 210 to the first server 102, and from the second client to the first server 102 are all prohibited.
Bidirectional communication between the first relay server 110 and the second relay server 210 in the secure relay takes place over a set of multiplexed TCP long connections established by the second relay server 210 to the first relay server 110. One long TCP connection can simultaneously carry multiple bidirectional data streams. Communication between the first network 100 and the second network 200 through the secure relay supports both the forward proxy and the reverse proxy form.
The first relay server 110 and the second relay server 210 may both include a multiplexing communication module; the multiplexing communication module in the second relay server 210 establishes a set of TCP long connections to the multiplexing communication module in the first relay server 110, and the multiplexing module is responsible for, without limitation:
managing and maintaining a mutual authentication and TCP long connection heartbeat and reconnection mechanism between a first relay server and a second relay server;
managing the mapping relations and load balancing between the TCP long connections of the multiplexing module (between a first relay server and a second relay server) and the TCP connections between a relay server and a client or between a relay server and a server in its network;
managing the creation and destruction of TCP connections between the relay server and the client.
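As an added example (not code from the patent), the following Python sketches what the multiplexing module does: a simple frame format and the virtual-connection (mapping) table that let one long TCP connection carry several client streams, with heartbeat frames and propagation of a disconnect. The wire layout, frame types and odd/even stream-id allocation are assumptions made for this example.

```python
"""Added illustration, not the patent's own code: a frame format and the
virtual-connection (mapping) table that let one TCP long connection between the
relay servers carry several client streams at once. The wire layout, frame types
and stream-id allocation are assumptions made for this example."""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed wire layout: 4-byte stream id, 1-byte frame type, 2-byte payload length, payload.
HEADER = struct.Struct("!IBH")
OPEN, DATA, CLOSE, HEARTBEAT = 1, 2, 3, 4
MAX_PAYLOAD = 0xFFFF


def encode_frame(stream_id: int, kind: int, payload: bytes = b"") -> bytes:
    return HEADER.pack(stream_id, kind, len(payload)) + payload


def decode_frames(buf: bytes) -> Tuple[List[Tuple[int, int, bytes]], bytes]:
    """Parse every complete frame in buf and return (frames, unparsed tail)."""
    frames: List[Tuple[int, int, bytes]] = []
    while len(buf) >= HEADER.size:
        stream_id, kind, length = HEADER.unpack_from(buf)
        end = HEADER.size + length
        if len(buf) < end:
            break  # partial frame: keep the tail until more bytes arrive
        frames.append((stream_id, kind, buf[HEADER.size:end]))
        buf = buf[end:]
    return frames, buf


@dataclass
class Multiplexer:
    """Virtual-connection table of one relay's multiplexing module. next_id/step give
    the two relays disjoint stream ids (odd on one side, even on the other)."""
    next_id: int
    step: int = 2
    streams: Dict[int, str] = field(default_factory=dict)  # stream id -> local TCP connection
    delivered: Dict[int, bytearray] = field(default_factory=dict)  # data received per stream
    outbox: List[bytes] = field(default_factory=list)
    pending: bytes = b""  # partial frame carried over between reads

    def open_stream(self, local_conn: str) -> int:
        """Map a freshly accepted client TCP connection to a new stream id."""
        sid, self.next_id = self.next_id, self.next_id + self.step
        self.streams[sid] = local_conn
        self.outbox.append(encode_frame(sid, OPEN))
        return sid

    def send(self, sid: int, data: bytes) -> None:
        if sid not in self.streams:
            raise KeyError(f"stream {sid} is not mapped")
        for off in range(0, len(data), MAX_PAYLOAD):  # split into frame-sized chunks
            self.outbox.append(encode_frame(sid, DATA, data[off:off + MAX_PAYLOAD]))

    def close_stream(self, sid: int) -> None:
        """The local TCP connection went away: drop the mapping and tell the peer."""
        if self.streams.pop(sid, None) is not None:
            self.outbox.append(encode_frame(sid, CLOSE))

    def heartbeat(self) -> None:
        self.outbox.append(encode_frame(0, HEARTBEAT))  # stream id 0 is reserved

    def drain(self) -> bytes:
        """Bytes queued for the long TCP connection."""
        out = b"".join(self.outbox)
        self.outbox.clear()
        return out

    def receive(self, raw: bytes, dial: Callable[[int], str]) -> None:
        """Consume bytes read from the long TCP connection; dial(sid) stands for
        connecting to the local server chosen for a stream the peer opened."""
        frames, self.pending = decode_frames(self.pending + raw)
        for sid, kind, payload in frames:
            if kind == HEARTBEAT:
                continue  # liveness only; missed heartbeats would trigger reconnection
            if kind == OPEN:
                self.streams[sid] = dial(sid)
                self.delivered[sid] = bytearray()
            elif kind == DATA and sid in self.streams:
                self.delivered[sid] += payload
            elif kind == CLOSE:
                # one section of the full link is gone, so the whole link is torn down
                self.streams.pop(sid, None)


def demo() -> Tuple[int, Dict[int, str], bytes]:
    """Two client streams from the first relay, one closed again, as seen by the second."""
    first = Multiplexer(next_id=1)   # first relay server: odd ids
    second = Multiplexer(next_id=2)  # second relay server: even ids
    a = first.open_stream("client-101-conn-A")
    b = first.open_stream("client-101-conn-B")
    first.send(a, b"GET / HTTP/1.1\r\n")
    first.send(b, b"SSH-2.0-client\r\n")
    first.close_stream(b)
    first.heartbeat()
    wire = first.drain()
    dial = lambda sid: f"server-202-for-stream-{sid}"  # stands in for a real TCP connect
    second.receive(wire[:10], dial)  # deliver in two chunks to exercise partial frames
    second.receive(wire[10:], dial)
    return a, dict(second.streams), bytes(second.delivered[a])
```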
The establishment of communication links by the multiplexing communication module for proxy requests between the first network and the second network may be as shown in fig. 8. The security of the second network 200 is higher than that of the first network 100, and the multiplexing communication module of the second relay server 210 in the second network 200 establishes a set of TCP long connections to the multiplexing communication module of the first relay server 110 in the first network 100.
The reverse proxy request flow from the first network 100 to the second network 200 may be as follows:
1) the first client 101 initiates an access request to the first relay server 110, and the first client 101 establishes a TCP connection with the reverse proxy request entry of the first relay server 110 and sends the first access request.
2) The first relay server 110 intercepts the first few bytes of the first access request and infers the application protocol type of the first access request from the application protocol characteristics (protocol header format). When the application protocol of the first access request is not one of the protocol types preset in the first relay server 110, the first access request is inferred to be illegal and the TCP connection with the first client 101 is disconnected; when the application protocol type of the first access request is one of the protocol types preset in the first relay server 110, the first access request is inferred to be legitimate, a virtual connection (mapping relationship) between the TCP connection and the TCP long connection of the multiplexing communication module is established, and the protocol inference result and the protocol header are reported to the second relay server 210 through the multiplexing communication module.
3) The second relay server 210 determines, by analyzing the protocol inference result and the protocol header, whether the application protocol of the first access request is one of the protocol types preset in the second relay server 210. When it is not, the first access request is determined to be illegal, and the first relay server 110 is notified of the determination result through the multiplexing communication module so that it disconnects the TCP connection with the first client 101. When it is, the first access request is determined to be legal, a TCP connection is established with the corresponding server (for example, the second server 202) based on the reverse proxy configuration information stored locally in the second relay server 210, a virtual connection between that TCP connection and the multiplexing communication module (reverse proxy request egress) is established, and the multiplexing module notifies the first relay server 110 that the full link has been established successfully.
4) The first relay server 110 replays the first few bytes used for deducing the protocol type, and the complete link from the first client 101 to the second server 202 is formally established, so that the request can be normally sent and the response can be normally received. The request and the response can be sent and received for many times based on the complete link, and if any one section of connection is disconnected, the complete link is automatically disconnected.
The forward proxy request flow from the first network 100 to the second network 200 may be as follows:
1) the first client 101 establishes a TCP connection with the forward proxy request entry of the first relay server 110, and initiates a proxy handshake request (carrying a target server IP, a port, a proxy authentication account, and a password) through the TCP connection.
2) The first relay server 110 establishes a virtual connection (mapping relationship) of the TCP connection and the TCP long connection of the multiplex communication module, and reports the proxy handshake request to the second relay server 210 through the multiplex communication module.
3) The second relay server 210 determines whether the target server IP, port, proxy authentication account and password in the proxy handshake request are valid. When they are judged illegal, the first relay server 110 is notified of the judgment result through the multiplexing communication module so that it disconnects the TCP connection with the first client 101. When they are judged valid, a TCP connection with the target server (for example, the second server 202) is established, a virtual connection between that TCP connection and the multiplexing communication module (forward proxy request egress) is established, and the multiplexing module notifies the first relay server 110 that the full link has been established successfully.
4) The first relay server 110 returns a proxy success response to the first client 101, and the first client 101 sends requests and receives responses over the complete link. Requests and responses can be exchanged many times over the complete link, and if any section of the link is disconnected, the complete link is automatically disconnected.
The reverse proxy request flow from the second network 200 to the first network 100 may be as follows:
1) the second client 201 initiates an access request to the second relay server 210, and the second client 201 establishes a TCP connection with the reverse proxy request entry of the second relay server 210 and sends the second access request.
2) The second relay server 210 intercepts the first few bytes of the second access request and infers the application protocol type of the second access request from the application protocol characteristics (protocol header format). When the application protocol of the second access request is not one of the protocol types preset in the second relay server 210, the second access request is inferred to be illegal and the TCP connection with the second client 201 is disconnected; when the application protocol type of the second access request is one of the protocol types preset in the second relay server 210, the second access request is inferred to be legitimate, a virtual connection (mapping relationship) between the TCP connection and the TCP long connection of the multiplexing communication module is established, and the information of the server requested by the second client 201 (for example, the first server 102) is transmitted to the first relay server 110 through the multiplexing communication module.
3) The first relay server 110, upon receiving the server information, establishes a TCP connection with the server (e.g., the first server 102), establishes a virtual connection between the TCP connection and the multiplex communication module (reverse proxy request egress), and notifies the second relay server 210 of the success of the full link establishment through the multiplex module.
4) The second relay server 210 replays the first few bytes for deducing the protocol type, and the complete link from the second client 201 to the first server 102 is formally established, and can normally send a request and receive a response. The request and the response can be sent and received for many times based on the complete link, and if any section of connection is disconnected, the complete link is automatically disconnected.
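The protocol inference of steps 2) and 3) in both reverse proxy flows above (first to second network, and the mirrored second to first flow), as an added Python example that is not the patent's code: the first N bytes are classified by header format, checked against each relay's own preset types, mapped to a server through the protocol configuration, and finally replayed ahead of the rest of the stream. N, the protocol signatures, the allowlists and the server table are constructed values.

```python
"""Added illustration, not the patent's own code: two-stage application-protocol
inference on the first N bytes of an access request, the protocol configuration
lookup on the second relay server, and replay of the intercepted bytes. N, the
protocol signatures, the allowlists and the server table are constructed."""
from typing import Dict, Optional, Tuple

N = 16  # bytes intercepted before any forwarding decision (assumed value)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
ProtoConfig = Dict[str, Tuple[str, int]]  # protocol type -> (server host, port)

# Constructed policy: the first relay accepts more types than the second, so an
# SSH request passes stage one but is rejected by the higher-security side.
FIRST_ALLOWED = ("http", "tls", "ssh")
SECOND_ALLOWED = ("http", "tls")
CONFIG: ProtoConfig = {"http": ("app.second.example", 8080),
                       "tls": ("tls.second.example", 8443)}
# Constructed TLS ClientHello prefix: record header, handshake type 1, length, version 3.3
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32


def infer_protocol(head: bytes) -> Optional[str]:
    """Derive the application protocol type from the byte format of the header."""
    if head.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X, then ClientHello (0x01)
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04 and head[5] == 0x01:
        return "tls"
    if any(head.startswith(m) for m in HTTP_METHODS):
        return "http"
    return None  # unrecognised format: illegal on both relays


def first_relay_inference(stream: bytes, allowed: Tuple[str, ...]) -> Tuple[bool, Optional[str], bytes]:
    """First relay: intercept the first N bytes and decide whether to report upstream.

    Returns (legal, protocol type, protocol header). On an illegal result the relay
    closes the client's TCP connection and sends nothing over the long connection.
    """
    head = stream[:N]
    proto = infer_protocol(head)
    return (proto is not None and proto in allowed), proto, head


def second_relay_inference(claimed: Optional[str], head: bytes, allowed: Tuple[str, ...],
                           config: ProtoConfig) -> Optional[Tuple[str, int]]:
    """Second relay: re-derive the type from the reported header rather than trusting
    the low-security side's label, apply its own preset types, then pick the server."""
    proto = infer_protocol(head)
    if proto is None or proto != claimed or proto not in allowed:
        return None  # illegal: the first relay is told to disconnect the client
    return config.get(proto)  # None when no server is configured for this type


def relay_access_request(stream: bytes, first_allowed=FIRST_ALLOWED, second_allowed=SECOND_ALLOWED,
                         config: ProtoConfig = CONFIG) -> Tuple[Optional[Tuple[str, int]], bytes]:
    """Run the reverse-proxy decision for one request: (matched server or None, bytes to forward)."""
    legal, proto, head = first_relay_inference(stream, first_allowed)
    if not legal:
        return None, b""
    server = second_relay_inference(proto, head, second_allowed, config)
    if server is None:
        return None, b""
    # full link established: the intercepted bytes are replayed ahead of the rest of the stream
    return server, head + stream[N:]
```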
The forward proxy request flow from the second network 200 to the first network 100 may be as follows:
1) the second client 201 establishes a TCP connection with the forward proxy request entry of the second relay server 210, and initiates a proxy handshake request (carrying the target server IP, port, proxy authentication account, and password) through the TCP connection.
2) The second relay server 210 determines whether the target server IP, port, proxy authentication account and password in the proxy handshake request are valid. When they are judged illegal, the TCP connection with the second client 201 is disconnected. When they are judged legitimate, a virtual connection between the TCP connection and the multiplexing communication module (forward proxy request entry) is established, and the information of the destination server is transmitted to the first relay server 110 through the multiplexing communication module.
3) The first relay server 110, upon receiving the destination server information, establishes a TCP connection with the server (e.g., the first server 102), establishes a virtual connection between the TCP connection and the multiplex communication module (forward proxy request egress), and notifies the second relay server 210 of the success of the full link establishment through the multiplex module.
4) The second relay server 210 returns a proxy success response to the second client 201, and the second client 201 transmits a request and receives a response based on the complete link. The request and the response can be sent and received for many times based on the complete link, and if any section of connection is disconnected, the complete link is automatically disconnected.
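The handshake check of step 3) in the forward proxy flows above (first to second network, and step 2) of the mirrored second to first flow), as an added Python example that is not the patent's code. It assumes the proxy handshake is an HTTP CONNECT request carrying the target IP and port with Basic proxy credentials for the account and password; the permitted-target table and the account store are constructed.

```python
"""Added illustration, not the patent's own code: validation of a forward-proxy
handshake on the relay that holds the credentials (the second relay server for the
first-to-second flow; the same check applies in the mirrored flow). The handshake
format (HTTP CONNECT with Basic credentials), the target allowlist and the account
store are assumptions made for this example."""
import base64
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def make_account(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash of the proxy password, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def parse_handshake(raw: bytes) -> Optional[Tuple[str, int, str, str]]:
    """Extract (target host, port, account, password); None if the request is malformed."""
    try:
        lines = raw.decode("ascii").split("\r\n")
        method, target, _version = lines[0].split(" ")
        if method != "CONNECT":
            return None
        host, port_s = target.rsplit(":", 1)
        port = int(port_s)
        cred = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "proxy-authorization":
                scheme, _, token = value.strip().partition(" ")
                if scheme.lower() == "basic":
                    cred = base64.b64decode(token, validate=True).decode("utf-8")
        if cred is None or ":" not in cred:
            return None
        account, password = cred.split(":", 1)
        return host, port, account, password
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


class ProxyGate:
    """Forward-proxy policy of the relay that verifies the handshake."""

    def __init__(self, targets: Dict[Tuple[str, int], str],
                 accounts: Dict[str, Tuple[bytes, bytes]]):
        self.targets = targets    # (ip, port) -> description of the permitted server
        self.accounts = accounts  # account -> (salt, pbkdf2 hash)

    def verify(self, raw: bytes) -> Tuple[bool, str]:
        """Decide whether the relay may open the TCP connection to the target."""
        parsed = parse_handshake(raw)
        if parsed is None:
            return False, "malformed handshake"
        host, port, account, password = parsed
        try:
            ip = str(ipaddress.ip_address(host))  # the handshake must name an IP, not a hostname
        except ValueError:
            return False, "target is not an IP address"
        if not 0 < port < 65536 or (ip, port) not in self.targets:
            return False, "target not permitted"
        stored = self.accounts.get(account)
        # always run the hash so an unknown account costs the same time as a wrong password
        salt, digest = stored if stored else (b"\x00" * 16, b"\x00" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if stored is None or not hmac.compare_digest(candidate, digest):
            return False, "bad credentials"
        return True, f"connect {ip}:{port}"


# Constructed policy: one server in the second network is reachable by proxy,
# and one account (fixed salt so the example is reproducible) may use it.
SALT, DIGEST = make_account("s3cret-demo", salt=b"0123456789abcdef")
GATE = ProxyGate(targets={("10.20.30.40", 443): "second server 202"},
                 accounts={"client101": (SALT, DIGEST)})


def handshake(target: str, account: str, password: str) -> bytes:
    """Build the assumed handshake as a client would send it to the relay's forward proxy entry."""
    token = base64.b64encode(f"{account}:{password}".encode()).decode()
    return f"CONNECT {target} HTTP/1.1\r\nProxy-Authorization: Basic {token}\r\n\r\n".encode()
```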
Embodiments of the present invention also provide a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
In an exemplary embodiment, the computer-readable storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
In an exemplary embodiment, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and exemplary embodiments, and details of this embodiment are not repeated herein.
It will be apparent to those skilled in the art that the various modules or steps of the invention described above may be implemented using a general purpose computing device, they may be centralized on a single computing device or distributed across a network of computing devices, and they may be implemented using program code executable by the computing devices, such that they may be stored in a memory device and executed by the computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into various integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A method for communication between different networks, comprising:
under the condition that a second relay server deployed in a second network receives a protocol inference result of a first access request reported by a first relay server through a network communication link, analyzing the protocol inference result to obtain a request inference result, wherein the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network and accessing the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server;
under the condition that the request inference result indicates that the first access request is legal, determining a second server matched with the first access request according to protocol configuration information, wherein the protocol configuration information is the corresponding relation between each protocol type and the server in the second network;
and establishing the network communication link and the service link of the second server so as to complete the communication link of the first client accessing the second server.
2. The method of claim 1, wherein parsing the protocol inference results to obtain request inference results comprises:
analyzing the protocol inference result to obtain the protocol characteristics of the first access request;
determining the communication protocol type of the first access request according to the protocol characteristics of the first access request;
obtaining a request inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the second network;
and obtaining a request inference result indicating that the first access request is illegal under the condition that the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
3. The method of claim 2, wherein determining the second server matching the first access request based on protocol configuration information comprises: and determining a server corresponding to the communication protocol type of the first access request in the protocol configuration information as a second server matched with the first access request.
4. A method according to any one of claims 1-3, characterized in that:
under the condition that the second relay server receives a first proxy request reported by the first relay server through the network communication link, analyzing the first proxy request to obtain proxy account information, wherein the first proxy request is a proxy request initiated by the first client and used for accessing a target server in the second network;
verifying whether the proxy account information is legal or not;
and under the condition that the proxy account information is verified to be legal, establishing a service link between the network communication link and the target server so as to finish the communication link of the first client accessing the target server in the second network.
5. A method according to any one of claims 1-3, characterized in that:
under the condition that the second relay server receives a second access request initiated by a second client, establishing a second application link with the second client, wherein the second access request is used for requesting to access the first network;
acquiring the protocol characteristics of the second access request through the second application link, and determining whether the second access request is legal or not;
and under the condition that the second access request is legal, determining a first server matched with the second access request, and sending the service information of the first server to the first relay server through the network communication link, so that the first relay server establishes the service connection between the network communication link and the first server, and the communication link of the second client accessing the first network is completed.
6. A method according to any one of claims 1-3, characterized in that:
establishing a second application link with a second client in the case that the second relay server receives a second proxy request initiated by the second client, wherein the second proxy request is used for requesting to access a target server in the first network;
acquiring the proxy account information of the second proxy request through the second application link, and verifying whether the proxy account information is legal or not;
and under the condition that the proxy account information is verified to be legal, sending the proxy account information to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the target server, so as to complete the communication link of the second client accessing the target server in the first network.
7. A method for communication between different networks, comprising:
the method comprises the steps that under the condition that a first relay server deployed in a first network receives a first access request initiated by a first client, a first application link with the first client is established, wherein the first access request is used for requesting to access a second network, and the network security of the first network is lower than that of the second network;
acquiring the protocol feature of the first access request through the first application link, and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result, wherein the protocol inference result is a validity verification result of the first relay server on a communication protocol of the first access request;
and under the condition that the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to a second relay server through a network communication link, so that the second relay server establishes an application link between the network communication link and the second server and finishes the communication link of the first client accessing the second network under the condition that the request inference result obtained by analyzing the protocol inference result indicates that the first access request is legal, wherein the network communication link is the communication link established by the second relay server to the first relay server.
8. The method of claim 7, wherein obtaining the protocol feature of the first access request through the first application link and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result comprises:
intercepting the first N bytes of the first access request through the first application link as a protocol feature of the first access request;
determining the communication protocol type of the first access request according to the byte format of the first N bytes;
obtaining a protocol inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the first network;
and obtaining a protocol inference result indicating that the first access request is illegal under the condition that the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
9. The method according to claim 7 or 8, characterized in that:
under the condition that the first relay server receives a first proxy request from the first client, establishing a first application link with the first client, wherein the first proxy request is used for requesting access to a target server in the second network and carries proxy account information;
reporting the first proxy request to the second relay server through the network communication link, so that the second relay server, under the condition that the proxy account information is verified to be legal, establishes a service link between the network communication link and the target server, thereby completing the communication link through which the first client accesses the target server in the second network.
10. The method according to claim 7 or 8, characterized in that:
under the condition that the first relay server receives a second access request sent by the second relay server through the network communication link, determining a first server indicated by the second access request, wherein the second access request is an access request initiated by a second client in the second network and used for accessing the first network;
and establishing a service link between the network communication link and the first server, so as to complete the communication link through which the second client accesses the first network.
11. The method according to claim 7 or 8, characterized in that:
under the condition that the first relay server receives a second proxy request sent by the second relay server through the network communication link, determining a target server in the first network indicated by the second proxy request, wherein the second proxy request is a proxy request initiated by a second client in the second network and used for accessing the target server in the first network;
and establishing a service link between the network communication link and the target server, so as to complete the communication link through which the second client accesses the target server in the first network.
12. A communication system between different networks, comprising: a first client located in a first network, a target server located in a second network, a first relay server deployed in the first network and a second relay server deployed in the second network, wherein the first network has lower network security than the second network, and wherein:
the first relay server is configured to, when a first access request initiated by the first client is received, establish a first application link with the first client, obtain a protocol feature of the first access request through the first application link, perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, and report the protocol inference result to the second relay server through a network communication link when the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server, and the first access request is used to request access to the second network;
the second relay server is configured to, when the protocol inference result is received through the network communication link, parse the protocol inference result to obtain a request inference result, and, when the request inference result indicates that the first access request is legal, determine, according to protocol configuration information, a target server matched with the first access request and establish a service link between the network communication link and the target server, so as to complete the communication link through which the first client accesses the target server, where the protocol configuration information is a correspondence between each protocol type in the second network and its server.
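The protocol inference of claim 8 and the protocol-type-to-server routing of claim 12, as an added Python illustration that is not part of the patent: the first relay server classifies a request from its first N bytes and checks the result against the preset protocol types, and the second relay server maps a legal result to a target server through protocol configuration information. The byte signatures, N, the allowlist and the server addresses are assumptions constructed for this example.

```python
# Added example (not the patent's own code). Byte signatures, N, the
# allowlist and the server addresses below are constructed assumptions.
from typing import Optional, Tuple

N = 8  # number of leading bytes the first relay inspects (assumed)

# Preset communication protocol types permitted across the boundary (assumed)
ALLOWED = frozenset({"tls", "ssh"})

# Protocol configuration information: protocol type -> server (constructed)
PROTOCOL_CONFIG = {"tls": ("10.0.2.10", 443), "ssh": ("10.0.2.20", 22)}


def infer_protocol(head: bytes) -> Optional[str]:
    """Determine the protocol type from the byte format of the first N bytes."""
    head = head[:N]
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x04
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and 1 <= head[2] <= 4:
        return "tls"
    # SSH identification string always begins with "SSH-2.0-"
    if head.startswith(b"SSH-2.0-"):
        return "ssh"
    # HTTP/1.x request line: ASCII method followed by a space
    for method in (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS "):
        if head.startswith(method):
            return "http"
    return None  # byte format matches no known protocol


def first_relay_check(request: bytes, allowed: frozenset = ALLOWED) -> Tuple[bool, Optional[str]]:
    """First relay server: build the protocol inference result (legal, protocol).
    Unknown formats and protocols outside the preset list are illegal."""
    proto = infer_protocol(request[:N])
    return (proto is not None and proto in allowed, proto)


def second_relay_route(result: Tuple[bool, Optional[str]],
                       protocol_config: dict = PROTOCOL_CONFIG) -> Optional[Tuple[str, int]]:
    """Second relay server: parse the reported result; only a legal request is
    matched to a target server, otherwise no service link is established."""
    legal, proto = result
    if not legal:
        return None
    return protocol_config.get(proto)


if __name__ == "__main__":
    # Constructed sample requests: a TLS ClientHello head, an SSH banner, plain HTTP
    for sample in (b"\x16\x03\x01\x00\xc4\x01\x00\x00", b"SSH-2.0-OpenSSH_9.6\r\n",
                   b"GET / HTTP/1.1\r\nHost: x\r\n", b"\x00\x01\x02\x03\x04\x05\x06\x07"):
        res = first_relay_check(sample)
        print(sample[:8], res, "->", second_relay_route(res))
```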
13. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 6 or 7 to 11 when executed.
14. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 6 or 7 to 11.
CN202210488217.6A 2022-05-06 2022-05-06 Communication method and system among different networks, storage medium and electronic device Pending CN114826754A (en)

Publication Number Publication Date
CN114826754A true CN114826754A (en) 2022-07-29

Family

ID=82511369



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination