CN116582328A - Network isolation device and method for transmitting data between network isolation systems - Google Patents


Info

Publication number: CN116582328A
Authority: CN (China)
Prior art keywords: address, local, port, terminal, opposite
Legal status: Pending
Application number: CN202310557993.1A
Other languages: Chinese (zh)
Inventors: 陈静, 杨勇
Current assignee: Hubei Topsec Network Security Technology Co Ltd
Original assignee: Hubei Topsec Network Security Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5061 Pools of addresses

Abstract

Embodiments of the application provide a network isolation device and a method for transmitting data between network isolation systems. The network isolation device comprises: a configuration module configured to complete address pre-allocation in the address pool and obtain a local-end address pre-allocation result, where the local-end address pre-allocation result is determined by comparing the number of local-end service types with the number of addresses in the local-end address pool, and to maintain the local-end address pre-allocation result and the address use state of the local-end address pool; a connection module configured to obtain a local-end data transmission address and port, according to the local-end address pre-allocation result, for a data packet to be transmitted by the peer end; and a data transmission module configured to send the local end's data packet to be transmitted to the peer-end network isolation device according to the peer-end data transmission address and port. By not completely isolating the addresses pre-allocated to different service types at the time of actual address allocation, the embodiments achieve a degree of address sharing.

Description

Network isolation device and method for transmitting data between network isolation systems
Technical Field
The application relates to the field of network security, and in particular to a network isolation device and a method for transmitting data between network isolation systems.
Background
In industries with strict isolation compliance requirements, cross-network secure data exchange products are deployed on different networks to achieve regional network isolation and cross-network secure data exchange. They serve as the sole channel for network isolation and data ferrying, and are paired with a network gatekeeper or optical gatekeeper to form a complete cross-network data ferrying solution. Such products are applied to network isolation scenarios in many industries, and in order to serve diverse, complex, high-volume services they must meet users' requirements for high throughput and high concurrency. As shown in fig. 1, a cross-network secure data exchange product 130 is a set of devices composed of a front-end device (i.e., one network isolation device) and a rear-end device (i.e., another network isolation device). Communication between the two network areas is achieved by configuring proxy policies (i.e., the policies supported by each service type). With a policy configured, the front-end device forwards packets sent to it by a client located in the first network 110 to the rear-end device, and the rear-end device sends them to a server located in the second network 120, completing communication between a client and a server in the two isolated networks; alternatively, the client sends packets to the rear-end device, the rear-end device forwards them to the front-end device, and the front-end device sends them to the server.
As shown in fig. 1, some cross-network secure data exchange products of the related art carry all data transmission between the front-end and rear-end devices over a single pair of IP addresses in order to complete communication from the real client to the server, and use a proprietary protocol between the two devices to achieve network isolation and improve data security. Because all data between the two devices is carried over one pair of IP addresses, the product is limited by a single IP: the number of concurrent connections available between the front-end and rear-end devices is limited, and when the number of client connections is large, the shortage of concurrent connections between the two devices results in low new-connection and throughput performance.
Disclosure of Invention
Embodiments of the application aim to provide a network isolation device and a method for transmitting data between network isolation systems. The embodiments determine a pre-allocation policy for the addresses in an address pool according to the relationship between the number of IP addresses in the address pool and the number of service types. Where the pre-allocation result obtained under this policy records which addresses in the pool are pre-allocated to each service type, the addresses pre-allocated to different service types are not completely isolated when actual addresses are allocated: when a transmission address and port are selected for a data packet to be transmitted according to the pre-allocation result, the available addresses can be adjusted according to the service type and the policy configuration, so that a degree of sharing is achieved.
In a first aspect, an embodiment of the application provides a network isolation device, comprising: a configuration module configured to complete address pre-allocation in the address pool and obtain a local-end address pre-allocation result, where the local-end address pre-allocation result is determined by comparing the number of local-end service types with the number of addresses in the local-end address pool, and to maintain the local-end address pre-allocation result and the address use state of the local-end address pool; a connection module configured to obtain a local-end data transmission address and port, according to the local-end address pre-allocation result, for a data packet to be transmitted by the peer end; and a data transmission module configured to send the local end's data packet to be transmitted to the peer-end network isolation device according to the peer-end data transmission address and port.
Some embodiments of the application determine an address allocation policy by comparing the number of service types supported by the corresponding network isolation device (e.g., the local-end network isolation device and the peer-end network isolation device) with the number of addresses in its address pool, complete pre-allocation of the addresses in the address pool according to that policy to obtain a local-end address pre-allocation result, and then allocate a data transmission address and port for a data packet to be transmitted according to that result. When the data transmission address and port are selected from the pre-allocation result, the correspondence between address and service type recorded in the pre-allocation result may be adjusted.
In some embodiments, the configuration module further comprises: an address pool module configured to calculate the remaining available addresses of the subnet in which the transmission port address is located, obtaining an address set to be allocated; to divide all addresses in the address set to be allocated equally between this network isolation device and the peer-end network isolation device, obtaining the local-end address pool and the peer-end address pool; and to determine an address pre-allocation policy according to the relationship between the number of local-end service types and the number of addresses in the local-end address pool, and complete pre-allocation of the addresses in the local-end address pool according to that policy to obtain the local-end address pre-allocation result; and a record table module configured to store the local-end address pre-allocation result and the address use state of the local-end address pool.
According to some embodiments, the address pool of each network isolation device is obtained by dividing the addresses of the subnet that contains the transmission port address, and address pre-allocation is then performed within each device's address pool, so that an address pre-allocation result is obtained at each end.
In some embodiments, the address pool module is further configured to: if the number of local-end service types is greater than the number of addresses in the local-end address pool, assign a first-type mark to each service type and use the addresses of the local-end address pool as the first local-end address pre-allocation result; if the number of local-end service types is equal to the number of addresses in the local-end address pool, pre-allocate each address in the pool to one service type, obtain the correspondence between each address and port and its service type, and use that correspondence as at least part of the second local-end address pre-allocation result; if the number of local-end service types is smaller than the number of addresses in the local-end address pool, allocate one address in the pool to each service type, pre-allocate the remaining addresses in the pool again according to the number of policies of each service type, record the addresses and ports pre-allocated to each service type to obtain a correspondence, and use that correspondence as at least part of the third local-end address pre-allocation result.
Some embodiments determine the address pre-allocation policy by comparing the number of service types supported by the corresponding end with the number of addresses in its address pool. If the former is greater than the latter, no address is pre-allocated to any particular service type; the address pool itself is used directly as the pre-allocation result. If the two are equal, one address in the pool is allocated to each service type, giving a one-to-one correspondence between service type and address, which is used as part (the number of policies started for each service type may further be included) or all of the address pre-allocation result. If the former is smaller than the latter, then after each service type has been allocated one address, more than one address may be used to support a single service type; the correspondence between each service type and its pre-allocated addresses is obtained and used as part (again, the number of policies started for each service type may be included) or all of the address pre-allocation result. It will be understood that the peer-end address pre-allocation result is obtained with the same policy as the local-end address pre-allocation result.
In some embodiments, the second and third local-end address pre-allocation results further record the number of policies currently started for each service type.
According to some embodiments, the correspondence between address and service type in the address pre-allocation result can be adjusted according to the recorded policy count, so that the mapping between address and service type can be changed according to the service type of the data to be transmitted and the available addresses, as adjusted by the policy configuration.
In some embodiments, the connection module comprises: an address acquisition module configured to obtain the local-end data transmission address and port for the peer end's data to be transmitted by querying the local-end address pre-allocation result according to the service type of that data; and a connection judging module configured to obtain the local-end data transmission address and port by calling the address acquisition module if the peer end's data packet to be transmitted is a first packet, to obtain them by calling the record table module if it is not a first packet, and to provide the local-end data transmission address and port to the peer end's data transmission module.
According to some embodiments, when a particular data packet needs to be transmitted, the data transmission address and port of the peer-end network isolation device are obtained through the peer-end address pre-allocation result, and the data packet to be transmitted is delivered to the peer end.
In some embodiments, the address acquisition module is further configured to: if the service type of the peer end's data to be transmitted is the first type, read the next address and port from the local-end address pool as the data transmission address and port.
When the number of service types is larger than the number of addresses (the first-type case), these embodiments read addresses from the address pool directly and sequentially to complete allocation, which improves the utilisation of the addresses in the pool and ensures efficient use of a scarce resource (the addresses).
In some embodiments, the address acquisition module is further configured to: if the service type of the peer end's data to be transmitted is not the first type, search the address use state of the local-end address pool for a data transmission address and port carrying that service type to obtain the local-end data transmission address and port; if none is found in the address use state of the local-end address pool, further check whether the local-end address pre-allocation result contains a service type with no started policy, and if so obtain the local-end data transmission address and port from the addresses pre-allocated to that service type, otherwise obtain them preferentially from the addresses pre-allocated to the service type with the fewest started policies.
When allocating a local-end data transmission address and port for the peer end's data to be transmitted, some embodiments adjust the data transmission address and port corresponding to each service type in the address pre-allocation result according to the local end's attribute information. That is, the address pre-allocation result can be adjusted according to the service type and the device policy configuration while searching for a data transmission address and port, so that sharing is achieved.
In a second aspect, some embodiments of the application provide a method of transmitting data between network isolation systems, the systems including a first network isolation device communicating with a client and a second network isolation device communicating with a server, the method comprising: receiving a packet to be transmitted; if it is determined that a new connection must be established for the packet, obtaining a peer-end data transmission address and port by querying the peer-end address pre-allocation result or the address use state of the peer-end address pool, where the peer-end address pre-allocation result is determined by comparing the number of peer-end service types with the number of addresses in the peer-end address pool; and sending the local end's data packet to be transmitted to the peer-end network isolation device through the peer-end data transmission address and port.
In some embodiments, before obtaining the peer-end data transmission address and port by querying the peer-end address pre-allocation result or the address use state of the peer-end address pool, the method further includes: configuring the peer-end transmission port address; calculating the remaining available addresses of the subnet in which the peer-end transmission port address is located to obtain an address set to be allocated; dividing all addresses in that set equally between the first and second network isolation devices as the address pool of each device; and completing pre-allocation of the addresses in the peer-end address pool according to the relationship between the number of peer-end service types and the number of addresses in the peer-end address pool, to obtain the peer-end address pre-allocation result.
In some embodiments, completing pre-allocation of the address pool addresses according to the relationship between the number of service types and the number of addresses in the address pool, to obtain the address pre-allocation result, includes: if the number of peer-end service types is greater than the number of addresses in the peer-end address pool, assigning a first-type mark to each service type and using the addresses of the peer-end address pool as the peer-end address pre-allocation result; if the number of peer-end service types is equal to the number of addresses in the peer-end address pool, pre-allocating each address in the pool to one service type, obtaining the correspondence between each address and port and its service type, and using that correspondence as at least part of the peer-end address pre-allocation result; if the number of peer-end service types is smaller than the number of addresses in the peer-end address pool, allocating one address in the pool to each service type, pre-allocating the remaining addresses in the pool again according to the number of policies of each service type, recording the addresses and ports pre-allocated to each service type to obtain a correspondence, and using that correspondence as at least part of the peer-end address pre-allocation result.
In some embodiments, obtaining the peer-end data transmission address and port by querying the peer-end address pre-allocation result or the address use state of the peer-end address pool includes: if the service type of the local end's data packet to be transmitted is the first type, reading the next address and port from the first peer-end address pre-allocation result as the data transmission address and port.
In some embodiments, obtaining the peer-end data transmission address and port by querying the peer-end address pre-allocation result or the address use state of the peer-end address pool includes: if the service type of the data to be transmitted is not the first type, searching the address use state of the peer-end address pool for a pre-allocated address and port of that service type to obtain the peer-end data transmission address and port; if that search fails, checking whether the peer-end address pre-allocation result contains a service type with no started policy, and if so obtaining the peer-end data transmission address and port from the addresses pre-allocated to that service type, otherwise obtaining them preferentially from the addresses pre-allocated to the service type with the fewest started policies.
In some embodiments, after sending the local end's data packet to be transmitted to the peer-end network isolation device through the peer-end data transmission address and port, the method further includes: releasing the data transmission address and port when the local end's packet to be transmitted is determined to be an end packet.
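The pre-allocation strategy (three cases, by comparing the number of service types with the pool size), the address and port lookup with its fallback order (the type's own pre-allocated addresses, then a type with no started policy, then the type with the fewest started policies), the first-packet versus record-table path, and the release on the end packet, as described in the device embodiments above and in the method of the second aspect, are collected in the following Python example. It is an added illustration, not code from the patent or from Hubei Topsec; the data structures, the three-port range per address, the rule used to hand out surplus addresses by policy count, and all sample addresses and service names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed: a tiny port range per address so that exhaustion is easy to
# reach. The patent does not specify the port range; this is an assumption.
PORT_RANGE = range(10000, 10003)


@dataclass
class PreAllocation:
    """Local-end address pre-allocation result (assumed structure)."""
    first_type: bool                 # True when service types outnumber pool addresses
    pool: list                       # address pool, in order
    by_service: dict = field(default_factory=dict)  # service type -> [addresses]
    policies: dict = field(default_factory=dict)    # service type -> started policies


def pre_allocate(pool, services, policies):
    """Three-way comparison of the service-type count against the pool size."""
    n_s, n_a = len(services), len(pool)
    result = PreAllocation(first_type=False, pool=list(pool), policies=dict(policies))
    if n_s > n_a:
        # Case 1: more service types than addresses. Every type carries the
        # first-type mark and the pool itself is the pre-allocation result.
        result.first_type = True
        return result
    # Cases 2 and 3: one address per service type.
    for svc, addr in zip(services, pool):
        result.by_service[svc] = [addr]
    # Case 3 only: surplus addresses are distributed by policy count. Assumed
    # rule: each surplus address goes to the type with the most started
    # policies per address it already holds.
    for addr in pool[n_s:]:
        svc = max(services,
                  key=lambda s: policies.get(s, 0) / len(result.by_service[s]))
        result.by_service[svc].append(addr)
    return result


class Allocator:
    """Address use state of the local-end pool plus the lookup rules."""

    def __init__(self, pre):
        self.pre = pre
        self.free = {a: set(PORT_RANGE) for a in pre.pool}  # address -> free ports
        self.in_use = {}                                    # (address, port) -> service

    def _take(self, addr, service):
        port = min(self.free[addr])
        self.free[addr].remove(port)
        self.in_use[(addr, port)] = service
        return addr, port

    def acquire(self, service):
        if self.pre.first_type:
            # First-type service: read the next pool address that still has a port.
            for addr in self.pre.pool:
                if self.free[addr]:
                    return self._take(addr, service)
            return None
        # 1. An address pre-allocated to this service type with a free port.
        for addr in self.pre.by_service.get(service, []):
            if self.free[addr]:
                return self._take(addr, service)
        # 2. Otherwise borrow from another type: a type with no started policy
        #    sorts first, then the type with the fewest started policies.
        others = sorted((s for s in self.pre.by_service if s != service),
                        key=lambda s: self.pre.policies.get(s, 0))
        for other in others:
            for addr in self.pre.by_service[other]:
                if self.free[addr]:
                    return self._take(addr, service)
        return None  # pool exhausted

    def release(self, addr, port):
        del self.in_use[(addr, port)]
        self.free[addr].add(port)


class ConnectionModule:
    """First packet -> acquire; later packets -> record table; end packet -> release."""

    def __init__(self, allocator):
        self.alloc = allocator
        self.table = {}  # record table: connection id -> (address, port)

    def handle(self, conn_id, service, first=False, end=False):
        if first:
            pair = self.alloc.acquire(service)
            if pair is None:
                return None
            self.table[conn_id] = pair
        else:
            pair = self.table.get(conn_id)
        if end and pair is not None:
            self.alloc.release(*pair)
            del self.table[conn_id]
        return pair


if __name__ == "__main__":
    pool = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed
    pre = pre_allocate(pool, ["http", "ftp", "db"], {"http": 4, "ftp": 1, "db": 0})
    cm = ConnectionModule(Allocator(pre))
    print(pre.by_service)
    for cid in ("c1", "c2", "c3", "c4"):
        print(cid, cm.handle(cid, "db", first=True))
```

With the sample values, `db` holds one address; its fourth concurrent connection runs out of ports on that address and is served from `ftp`'s address (one started policy) rather than `http`'s (four), which is the "not completely isolated" sharing the patent describes. Releasing a connection returns the port to the use state so the next first packet of that type gets its own address back.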
In a third aspect, some embodiments of the application provide an electronic device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to: complete address pre-allocation in the address pool and obtain a local-end address pre-allocation result, where the local-end address pre-allocation result is determined by comparing the number of local-end service types with the number of addresses in the local-end address pool; maintain the local-end address pre-allocation result and the address use state of the local-end address pool; obtain a local-end data transmission address and port, according to the local-end address pre-allocation result, for a data packet to be transmitted by the peer end; and send the local end's data packet to be transmitted to the peer-end network isolation device according to the peer-end data transmission address and port.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the application and should not be considered as limiting its scope; a person skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an isolated network system according to the related art;
Fig. 2 is a functional block diagram of a front-end device/rear-end device according to an embodiment of the application;
Fig. 3 is a functional block diagram of a configuration module according to an embodiment of the application;
Fig. 4 is a functional block diagram of a connection module according to an embodiment of the application;
Fig. 5 is a first flowchart of a method for transmitting data between network isolation systems according to an embodiment of the application;
Fig. 6 is a second flowchart of a method for transmitting data between network isolation systems according to an embodiment of the application;
Fig. 7 is a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that like reference numerals and letters denote like items in the following figures, so once an item is defined in one figure it need not be defined or explained again in subsequent figures. In the description of the application, the terms "first", "second" and the like are used only to distinguish descriptions and are not to be construed as indicating or implying relative importance.
To solve at least the technical problems described in the background, some embodiments of the application pre-allocate address pool addresses according to the relationship between the number of addresses in the pool and the number of service types, and dynamically adjust the available addresses according to address availability and the device's policy configuration, so that the addresses pre-allocated to different service types are not completely isolated; the concurrent connections available between the front-end and rear-end devices increase, and the new-connection and throughput performance of the cross-network secure data exchange product improves.
That is, some embodiments provide a method for improving the new-connection and throughput performance of a cross-network secure data exchange product based on an address pool. The original mode, in which all data between the front-end and rear-end devices is transmitted over a single pair of IP addresses, is replaced by data exchange based on an address pool: the address pool is calculated automatically once the transmission port address is configured, the addresses in the pool are pre-allocated according to the relationship between the pool and the service types, and the available addresses are dynamically adjusted according to address availability and the device's policy configuration. The addresses pre-allocated to different service types are thus not completely isolated, the concurrent connections available between the front-end and rear-end devices increase, the new-connection and throughput performance of the product improves, and the data ferrying requirements of high-volume services are better met.
Fig. 2 is a block diagram of the functional modules of a front-end or rear-end device according to some embodiments of the application. Unlike the related art, the network isolation device of these embodiments comprises the functional modules shown in fig. 2 and dynamically configures address pool addresses to carry out data packet transmission.
As shown in fig. 2, an embodiment of the application provides a network isolation device (i.e., a front-end or rear-end device) comprising: a configuration module 110, a connection module 120, and a data transmission module 130.
A configuration module 110 configured to: complete address pre-allocation in the address pool and obtain a local-end address pre-allocation result, where the local-end address pre-allocation result is determined by comparing the number of local-end service types with the number of addresses in the local-end address pool; and maintain the local-end address pre-allocation result and the address use state of the local-end address pool.
For example, if the network isolation device is a front-end device, the address pre-allocation result is obtained by the configuration module in the front-end device; if it is a rear-end device, the result is obtained by the configuration module in the rear-end device.
A connection module 120 configured to obtain the local-end data transmission address and port, according to the local-end address pre-allocation result, for the data packet to be transmitted by the peer end.
For example, if the network isolation device is a front-end device, the local-end address pre-allocation result is the one obtained by the configuration module in the front-end device, and the peer end's data packet to be transmitted is the data packet to be transmitted from the rear-end device; if the network isolation device is a rear-end device, the local-end address pre-allocation result is the one obtained by the configuration module in the rear-end device, and the peer end's data packet to be transmitted is the data packet to be transmitted from the front-end device.
A data transmission module 130 configured to send the local end's data packet to be transmitted to the peer-end network isolation device according to the peer-end data transmission address and port.
For example, some embodiments of the application determine an address allocation policy by comparing the number of service types supported by the corresponding network isolation device (e.g., the local-end network isolation device and the peer-end network isolation device) with the number of addresses in its address pool, complete pre-allocation of the addresses in the address pool according to that policy to obtain a local-end address pre-allocation result, and then allocate a data transmission address and port for a data packet to be transmitted according to that result. When the data transmission address and port are selected from the pre-allocation result, the correspondence between address and service type recorded in the pre-allocation result may be adjusted.
That is, the network isolation device provided in some embodiments is a front-end or rear-end device, and each comprises three modules: a configuration module, a connection module, and a data transmission module. The configuration module calculates the address pool addresses after the front-end and rear-end transmission port addresses (similar to gateway addresses) are configured, and maintains the usage state of those addresses. The connection module is responsible for obtaining a data transmission address and port from the address pool at the front-end and rear-end devices respectively; the rear-end device (or the front-end device, whichever proxies the real server) sends the data transmission address and port to its paired peer device for subsequent data transmission. The data transmission module is responsible for data transmission between the front-end and rear-end devices once the data transmission address and port have been obtained, and when a packet is an end packet it calls the record table module to release the resource and update the state table.
The functional block diagram of the configuration module is described below by way of example with reference to fig. 3.
As shown in fig. 3, in some embodiments of the present application, the configuration module further includes an address pool module 111 and a record table module 112.
The address pool module 111 is configured to: calculate the remaining available addresses of the subnet in which the transport port address is located, obtaining an address set to be allocated; divide all addresses in the address set to be allocated equally between the network isolation device to which the address pool module belongs and the opposite-end network isolation device, obtaining a local address pool (i.e. the address pool of the device to which the address pool module belongs) and an opposite-end address pool; and determine an address pre-allocation policy according to the relationship between the number of local service types and the number of addresses in the local address pool, and complete the pre-allocation of the addresses in the local address pool according to that policy to obtain the local address pre-allocation result. It will be appreciated that the opposite-end network isolation device performs address pre-allocation on the opposite-end address pool in the same way, i.e. its address pool module is at least configured to: determine an address pre-allocation policy according to the relationship between the number of opposite-end service types and the number of addresses in the opposite-end address pool, and complete the pre-allocation of the addresses in the opposite-end address pool according to that policy to obtain the opposite-end address pre-allocation result.
For example, in some embodiments of the application, the address pool module is further configured to: if the number of local service types is greater than the number of addresses in the local address pool, assign a first-type mark to each service type and use the addresses of the local address pool themselves as the first local address pre-allocation result; if the number of local service types is equal to the number of addresses in the local address pool, pre-allocate each address in the local address pool to one service type, obtain the correspondence between each address and port and its service type, and use that correspondence as at least part of the second local address pre-allocation result; if the number of local service types is smaller than the number of addresses in the local address pool, allocate one address in the local address pool to each service type, pre-allocate the remaining addresses of the local address pool according to the number of policies of each service type, record the addresses and ports pre-allocated to each service type to obtain the correspondence, and use that correspondence as at least part of the third local address pre-allocation result.
For example, in some embodiments of the present application, the second and third local address pre-allocation results additionally record the number of policies currently enabled for each service type. According to some embodiments of the application, the correspondence between addresses and service types in the pre-allocation result can then be adjusted according to the recorded policy numbers, so that the mapping between addresses and service types follows the service type of the data to be transmitted, the available addresses and the policy configuration.
That is, some embodiments of the present application determine the address pre-allocation policy by comparing the number of service types supported by the corresponding end with the number of addresses in its address pool. If the former is greater than the latter, no address is pre-allocated to any service type and the address pool itself is used as the pre-allocation result; if the two are equal, one address in the pool is allocated to each service type, giving a one-to-one correspondence between service types and addresses, which forms part (the number of policies enabled for each service type may further be included) or all of the address pre-allocation result; if the former is smaller than the latter, then after each service type has been allocated one address, more than one address may support a single service type, giving a correspondence between each service type and its pre-allocated addresses, which again forms part (the number of policies enabled for each service type may further be included) or all of the address pre-allocation result. It can be understood that the opposite-end address pre-allocation result is obtained with the same policy as the local address pre-allocation result.
The record table module 112 is configured to store the local address pre-allocation result and the usage state of the local address pool addresses. It can be understood that the record table module of the opposite-end network isolation device stores the opposite-end address pre-allocation result and the usage state of the opposite-end address pool addresses.
According to some embodiments of the application, the address pool of each network isolation device is obtained by dividing the remaining addresses of the subnet of the transport port address between the two devices, and address pre-allocation is then carried out within each device's address pool, so that the address pre-allocation result of each end is obtained.
That is, in some embodiments of the present application, the address pool module 111 is configured to calculate, after the user has configured the transport port address, the remaining available addresses of the subnet in which the transport port address is located, and to divide them into front-end addresses and back-end addresses as the address pool addresses. The number of addresses in the address pool is then compared with the number of service types supported by the device. When the number of addresses is smaller than the number of service types, the service types are recorded in the correspondence table as null (i.e. the first type) and the result is written into the table (the service types are written into the correspondence table, but no correspondence between service types and addresses is recorded); when the number of addresses is equal to the number of service types, one ip address is pre-allocated to each service type and the result is written into the correspondence table (i.e. the second local or opposite-end address pre-allocation result is obtained); when the number of addresses is greater than the number of service types, one ip address is pre-allocated to each service type, the surplus ip addresses are pre-allocated according to the number of policies supported by each service type, services with more policies being supported preferentially, and the result is written into the correspondence table (i.e. the third local or opposite-end address pre-allocation result is obtained).
The record table module 112 records and maintains the usage of the corresponding address pool, including an address pool and service type correspondence table (for recording the local address pre-allocation result) and an address pool address state table (for recording the usage state of the local address pool addresses). The correspondence table records the relationship between service type, pre-allocated address and the number of policies enabled for the service type; when the service type is not null, the number of enabled policies of each service type is checked periodically and the correspondence table is updated. The state table records address pool address, port, service information and last use time; the last use time of each data transmission address and port in the state table is checked periodically, and when an address and port have not been used for a long time the resource is released and the record table updated in good time. It can be understood that the usage state of the opposite-end address pool addresses and the opposite-end address pre-allocation result are obtained in the same way, the only difference being that the address pre-allocation process is performed by the opposite-end network isolation device, so it is not described again.
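The address pool split and the three pre-allocation cases of the address pool module, as an added example that is not code from the patent. The transport port addresses and service types are constructed, and apportioning the surplus addresses by highest policies-per-address quotient is one reading of "pre-allocate the surplus according to the policy count, preferring the services with more policies" and is an assumption.

```python
"""Address pool calculation and pre-allocation for one end of the isolation system.

Added example, not the patent's own code. The transport port addresses and the
service types are constructed; the highest-quotient apportionment of surplus
addresses is an assumption about how "prefer services with more policies" is meant.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ServiceType:
    name: str
    policies: int                   # number of policies this service type supports


@dataclass
class PreAllocation:
    kind: int                       # 1, 2 or 3: first, second or third result
    pool: List[str]                 # this end's address pool, in order
    table: Dict[str, List[str]]     # correspondence table: type -> addresses ({} for kind 1)
    policies: Dict[str, int]        # policy count recorded beside each service type


def split_address_pool(front_port: str, rear_port: str) -> Tuple[List[str], List[str]]:
    """Remaining usable addresses of the transport subnet, divided equally between
    front end and back end (the front end taking the lower half is an assumption)."""
    front = ipaddress.ip_interface(front_port)
    rear = ipaddress.ip_interface(rear_port)
    if front.network != rear.network:
        raise ValueError("front and rear transport ports must share one subnet")
    used = {front.ip, rear.ip}
    remaining = [str(h) for h in front.network.hosts() if h not in used]
    half = len(remaining) // 2
    return remaining[:half], remaining[half:2 * half]


def pre_allocate(pool: List[str], services: List[ServiceType]) -> PreAllocation:
    """Compare the service type count with the pool size and build the pre-allocation result."""
    policies = {s.name: s.policies for s in services}
    if len(services) > len(pool):
        # first result: every type is marked "null"; the pool is read sequentially at connect time
        return PreAllocation(1, list(pool), {}, policies)
    # second and third result both start with one address per service type
    table = {s.name: [addr] for s, addr in zip(services, pool)}
    if len(services) == len(pool):
        return PreAllocation(2, list(pool), table, policies)
    # third result: each surplus address goes to the type whose policies-per-address
    # quotient is currently highest (ties keep declaration order)
    for addr in pool[len(services):]:
        target = max(services, key=lambda s: s.policies / len(table[s.name]))
        table[target.name].append(addr)
    return PreAllocation(3, list(pool), table, policies)


if __name__ == "__main__":
    # constructed inputs: a /28 transport subnet and four service types with policy ratio 3:3:1:1
    front_pool, rear_pool = split_address_pool("1.1.2.1/28", "1.1.2.2/28")
    services = [ServiceType("http", 3), ServiceType("ftp", 3),
                ServiceType("db", 1), ServiceType("file", 1)]
    result = pre_allocate(front_pool, services)
    print("front pool:", front_pool, "rear pool:", rear_pool)
    for name, addrs in result.table.items():
        print(f"kind {result.kind}: {name} -> {addrs} (policies {result.policies[name]})")
```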
The functional block diagram of the address pool module is described below by way of example with reference to fig. 4.
As shown in fig. 4, in some embodiments of the application, the connection module includes an address acquisition module 122 and a connection judgment module 121.
The address acquisition module 122 is configured to obtain the local data transmission address and port for the data to be transmitted from the opposite end by querying the local address pre-allocation result according to the service type of that data.
For example, in some embodiments of the application, the address acquisition module 122 is further configured to: if the service type of the data to be transmitted from the opposite end is the first type, read the next address and port from the local address pool as the data transmission address and port. When the number of service types is greater than the number of addresses in the address pool, these embodiments simply read the addresses of the pool in sequence to complete the allocation, which improves the utilisation of the addresses in the pool and ensures efficient use of a scarce resource (the addresses).
For example, in some embodiments of the application, the address acquisition module 122 is further configured to: if the service type of the data to be transmitted from the opposite end is not the first type, search the address usage state of the local address pool for a data transmission address and port pre-allocated to that service type, to obtain the local data transmission address and port; if no such address and port are found in the address usage state of the local address pool, further check whether the local address pre-allocation result contains a service type with no enabled policy, and if so, obtain the local data transmission address and port from the addresses pre-allocated to that service type, otherwise obtain them preferentially from the addresses pre-allocated to the service type with the smallest number of enabled policies. When allocating the local data transmission address and port for the data to be transmitted from the opposite end, some embodiments of the present application thus adjust the data transmission address and port associated with each service type in the pre-allocation result according to the local end's attribute information; that is, the pre-allocation result can be adjusted according to service type and device policy configuration while the data transmission address and port are being looked up, so that addresses are shared.
The connection judgment module 121 is configured to obtain the local data transmission address and port by calling the local address acquisition module if the data message to be transmitted from the opposite end is a first message (i.e. a new connection), and by calling the record table module if it is not a first message, and to provide the local data transmission address and port to the data transmission module of the opposite end.
It will be appreciated that which end is the local end and which the opposite end depends on the example: if the local end is the front end, the opposite end is the back end, and if the local end is the back end, the opposite end is the front end.
According to some embodiments of the application, when a particular data message is to be transmitted, the data transmission address and port of the opposite-end network isolation device are obtained through the opposite-end address pre-allocation result, and the data message to be transmitted is then delivered to the opposite end.
That is, the connection module of some embodiments of the present application includes a connection judgment module and an address acquisition module. The connection judgment module determines whether a message sent by the client belongs to a new connection. If it is a new connection, the address acquisition module is called to acquire a data transmission address and port and update the state table, and the back end (or the front end, when it is the device proxying the real server) sends the data transmission address and port to the matched opposite-end device for subsequent data transmission; if it is not a new connection, the record table module is called, the data transmission address and port corresponding to the service are read from the state table, the last use time is updated, and the address and port are handed to the data transmission module for data transmission. The address acquisition module calls the record table module, reads the correspondence table and acquires the data transmission address and port according to the service type.
If the service type is null (i.e. carries the first-type mark), the address and port are taken from the address pool in the order of the state table. If it is not null, an address and port are first sought, according to the state table (which records the usage state of the address pool addresses), among the addresses pre-allocated to that service type; if that fails, the correspondence table (which records the address pre-allocation result) is queried for a service type with no enabled policy, and if one exists the address and port are taken from the state table entries of the addresses pre-allocated to that service type, otherwise they are taken preferentially from the state table entries of the addresses pre-allocated to the service type with the smallest number of enabled policies. The acquired transmission address and port are returned to the connection judgment module.
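The acquisition order just described (the service type's own pre-allocated addresses, then a service type with no enabled policy, then the type with the fewest enabled policies), together with the state table reuse for existing connections, the release on the end message and the periodic idle check, as an added example that is not code from the patent. The pre-allocation table, the number of ports per address and the idle timeout are constructed values.

```python
"""Local-end data transmission address/port acquisition and release.

Added example, not the patent's own code. The pre-allocation table, the ports
per address and the idle timeout are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASE_PORT = 20000         # constructed: first port offered on each pool address
PORTS_PER_ADDRESS = 2     # constructed: ports per pool address
IDLE_TIMEOUT = 300.0      # assumed: seconds of inactivity before a pair is released

# Constructed third-type pre-allocation result: 6 pool addresses, 4 service types,
# the two surplus addresses given to the types with the most policies; "file" has none.
POOL = ["1.1.2.%d" % i for i in range(3, 9)]
PRE_ALLOCATED: Dict[str, List[str]] = {"http": ["1.1.2.3", "1.1.2.7"],
                                       "ftp": ["1.1.2.4", "1.1.2.8"],
                                       "db": ["1.1.2.5"], "file": ["1.1.2.6"]}
POLICIES: Dict[str, int] = {"http": 3, "ftp": 3, "db": 1, "file": 0}

Pair = Tuple[str, int]


@dataclass
class Entry:
    """One row of the address pool state table."""
    address: str
    port: int
    service: Optional[str] = None   # service type using the pair, None when free
    last_used: float = 0.0


class StateTable:
    def __init__(self, pool: List[str], table: Dict[str, List[str]],
                 policies: Dict[str, int], first_type: bool = False) -> None:
        self.first_type = first_type   # True: service types outnumber pool addresses
        self.table = table             # correspondence table: type -> pre-allocated addresses
        self.policies = policies       # enabled policy count per service type
        self.entries = [Entry(a, p) for a in pool
                        for p in range(BASE_PORT, BASE_PORT + PORTS_PER_ADDRESS)]

    def _free(self, addresses) -> List[Entry]:
        """Free pairs on the given addresses, in state-table order."""
        return [e for e in self.entries if e.address in addresses and e.service is None]

    def acquire(self, service: str, now: float) -> Optional[Pair]:
        """New connection: pick a pair for `service` and mark it in use."""
        if self.first_type:
            # first-type result: no per-type mapping, read the pool in table order
            free = self._free({e.address for e in self.entries})
        else:
            # 1. the addresses pre-allocated to this service type
            free = self._free(set(self.table.get(service, ())))
            if not free:
                # 2. a service type with no enabled policy lends its addresses ...
                lenders = [t for t, n in self.policies.items() if n == 0]
                # 3. ... otherwise the types with the fewest enabled policies, in order
                lenders += sorted((t for t, n in self.policies.items() if n > 0),
                                  key=self.policies.__getitem__)
                for lender in lenders:
                    free = self._free(set(self.table.get(lender, ())))
                    if free:
                        break
        if not free:
            return None                # pool exhausted
        entry = free[0]
        entry.service, entry.last_used = service, now
        return entry.address, entry.port

    def lookup(self, service: str, now: float) -> Optional[Pair]:
        """Existing connection: reuse the pair recorded for `service`, refresh last use time."""
        for e in self.entries:
            if e.service == service:
                e.last_used = now
                return e.address, e.port
        return None

    def release(self, address: str, port: int) -> bool:
        """End message: free the pair and update the state table."""
        for e in self.entries:
            if (e.address, e.port) == (address, port):
                e.service, e.last_used = None, 0.0
                return True
        return False

    def expire(self, now: float) -> int:
        """Periodic check: release pairs idle longer than IDLE_TIMEOUT, return the count."""
        stale = [e for e in self.entries
                 if e.service is not None and now - e.last_used > IDLE_TIMEOUT]
        for e in stale:
            self.release(e.address, e.port)
        return len(stale)


if __name__ == "__main__":
    st = StateTable(POOL, PRE_ALLOCATED, POLICIES)
    for _ in range(7):                 # http outgrows its own two addresses and borrows
        print("http ->", st.acquire("http", now=0.0))
    print("released:", st.release("1.1.2.3", BASE_PORT))
```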
The data transmission method running on the network isolation devices at both ends of fig. 2 is described below by way of example with reference to fig. 5.
As shown in fig. 5, some embodiments of the present application provide a method of transmitting data between network isolation systems comprising a first network isolation device communicating with a client and a second network isolation device communicating with a server, the method comprising: S101, receiving a message to be transmitted; S102, if it is confirmed that a new connection needs to be established for the message to be transmitted, obtaining an opposite-end data transmission address and port by querying the opposite-end address pre-allocation result or the usage state of the opposite-end address pool addresses, where the opposite-end address pre-allocation result is determined by comparing the number of opposite-end service types with the number of addresses in the opposite-end address pool; S103, sending the local end's data message to be transmitted to the opposite-end network isolation device through the opposite-end data transmission address and port.
The following illustrates how the opposite-end address pre-allocation result is obtained; it can be understood that the local address pre-allocation result is obtained by the same method, only executed by the other network isolation device.
In some embodiments of the present application, before the opposite-end data transmission address and port are obtained in S102 by querying the opposite-end address pre-allocation result or the usage state of the opposite-end address pool addresses, the method further includes obtaining the opposite-end address pre-allocation result, which may be performed by the opposite-end network isolation device as follows:
First, the opposite-end transport port address is configured.
Second, the remaining available addresses of the subnet in which the opposite-end transport port address is located are calculated, giving an address set to be allocated.
Third, all addresses in the address set to be allocated are divided equally between the first network isolation device and the second network isolation device to serve as the address pool of each device.
Fourth, the pre-allocation of the opposite-end address pool addresses is completed according to the relationship between the number of opposite-end service types and the number of addresses in the opposite-end address pool, giving the opposite-end address pre-allocation result.
For example, in some embodiments of the present application, the fourth step of completing the pre-allocation of the address pool addresses according to the relationship between the number of service types and the number of addresses in the address pool, and obtaining the address pre-allocation result, includes: if the number of opposite-end service types is greater than the number of addresses in the opposite-end address pool, assigning a first-type mark to each service type and using the addresses of the opposite-end address pool themselves as the opposite-end address pre-allocation result; if the number of opposite-end service types is equal to the number of addresses in the opposite-end address pool, pre-allocating each address in the opposite-end address pool to one service type, obtaining the correspondence between each address and port and its service type, and using that correspondence as at least part of the opposite-end address pre-allocation result; if the number of opposite-end service types is smaller than the number of addresses in the opposite-end address pool, allocating one address in the opposite-end address pool to each service type, pre-allocating the remaining addresses of the opposite-end address pool according to the number of policies of each service type, recording the addresses and ports pre-allocated to each service type to obtain the correspondence, and using that correspondence as at least part of the opposite-end address pre-allocation result.
The implementation of S102 is set forth below by way of example.
In some embodiments of the present application, obtaining the opposite-end data transmission address and port in step S102 by querying the opposite-end address pre-allocation result or the usage state of the opposite-end address pool addresses includes: if the service type of the local end's data message to be transmitted is confirmed to be the first type, reading the next address and port from the first opposite-end address pre-allocation result as the data transmission address and port. If the service type of the data to be transmitted is not the first type, searching the address usage state of the opposite-end address pool for an address and port pre-allocated to that service type, to obtain the opposite-end data transmission address and port; if that search fails, querying the opposite-end address pre-allocation result for a service type with no enabled policy, and if one exists, obtaining the opposite-end data transmission address and port from the addresses pre-allocated to that service type, otherwise obtaining them preferentially from the addresses pre-allocated to the service type with the smallest number of enabled policies.
In some embodiments of the present application, after the local end's data packet to be transmitted has been sent to the opposite-end network isolation device through the opposite-end data transmission address and port, the method further includes: releasing the data transmission address and port when the local end's message to be transmitted is confirmed to be an end message.
The method of transferring data between network isolated systems according to some embodiments of the application is described below with reference to fig. 6.
As shown in fig. 5, a method for transmitting data between network isolation systems according to some embodiments of the present application is a method for improving performance of a cross-network secure data exchange product based on an address pool, including the following steps:
S111, the user configures the front-end and back-end transport port addresses.
The user configures the front-end and back-end transport port addresses used for communication between the front-end and back-end devices.
S112, calculating the addresses usable in the address pool.
For example, based on the transport port address and the subnet mask, the available ip addresses are calculated automatically and divided equally between the front end and the back end as address pool addresses.
S113, comparing the number of ips in the address pool with the number of service types; for example, the service types and their number are obtained from the front-end or back-end license file.
The number of available ips in the address pool is compared with the number of service types supported by the device: if the number of ips in the address pool is smaller than the number of service types, S114 is executed; if it is equal to the number of service types, S115 is executed; if it is greater than the number of service types, S116 is executed.
S114, updating the correspondence table with the service type set to null (i.e. the first-type mark), and executing S117.
S115, updating the correspondence table, pre-allocating one ip for data transmission to each service type, recording the number of policies enabled for each service type, and executing S117.
S116, updating the correspondence table, pre-allocating one ip to each service type, pre-allocating the surplus ips according to the number of policies supported by each service type, and recording the number of policies enabled for each service type.
S117, operating the correspondence table.
The correspondence table records the address pre-allocation result. It should be noted that the usage state of the address pool addresses is also updated to obtain the corresponding state table. This step includes storing the table and starting the process that queries its contents; it is understood that a data transmission address and port only need to be queried when the opposite end has data to transmit.
S121, the front end (or the back end, i.e. the device proxying the real client) receives the client message.
S122, judging whether the connection is new.
Whether a new connection needs to be established is judged from the client message; if so, S123 is executed, otherwise S127.
S123, the front end (or the back end, when it is the device proxying the real client) communicates, from its transport port address and a random port number, with the transport port address and listening port of the opposite-end device, and requests the opposite-end data transmission address and port from the opposite-end device.
S124, after receiving the request, the back end (or the front end, i.e. the device proxying the real server) acquires the data transmission address and port.
The process of acquiring the opposite-end data transmission address and port includes, by way of example, S131 to S135 of fig. 6.
S131, judging, according to the service type, whether the address and port are acquired successfully, i.e. querying for a data transmission address and port for the service type of the data to be transmitted.
The correspondence table is queried and an address and port are acquired according to the service type: if the service type is null, they are acquired in the order of the state table and S135 is executed; if the service type is not null, the address and port are acquired according to the state table from the addresses pre-allocated to that service type, and if this succeeds S135 is executed, otherwise S132.
S132, querying the correspondence table for a service type with no enabled policy; if one exists, S134 is executed, otherwise S133.
S134, acquiring the address and port from the state table among the addresses pre-allocated to the service type with no enabled policy, and continuing with S135.
S133, acquiring the address and port, according to the state table, among the addresses pre-allocated to the service type with the smallest number of enabled policies.
S135, returning the acquired address and port, and updating the state table.
S125, the back end (or the front end, i.e. the device proxying the real server) returns the data transmission address and port to the opposite-end device.
S126, the front end (or the back end, i.e. the device proxying the real client) runs the corresponding process to acquire its own data transmission address and port.
S128, the front end (or the back end, i.e. the device proxying the real client) now has its own data transmission address and port and those of the opposite-end device, and can forward the client message to the opposite end for subsequent data transmission.
S129, the back end (or the front end, i.e. the device proxying the real server) forwards the client message to the server.
S127, judging whether the message is an end message; if not, S128 is executed, if so, S130.
S130, after the communication is completed, the front end and back end release the address pool address and port and update the state table.
The method for transmitting data provided by some embodiments of the present application is described below in conjunction with a specific example.
The application takes the data exchange product support to contain 4 kinds of service classes of protocol agents, the supported policy proportion is 10:10:1:1 (wherein the protocol agents are 10 parts), after the http agent policy is added, the data exchange direction is the front-end to transfer the http message of the client to the rear-end, and the rear-end to send the http message of the client to the server is taken as an example to describe the flow of the agent. According to the detailed description of the application, the specific flow is as follows:
1) The user configures the pre-and post-port addresses to be 1.1.2.1/28 and 1.1.2.2/28 for communications of the pre-and post-devices.
2) After the transmission port addresses are configured, the number of available IP addresses is calculated automatically from the subnet mask to be 12, and these are divided equally between the front end and the back end, 6 each, as address pool addresses.
3) The 6 available IP addresses of the address pool are compared with the 4 service types supported by the device; the number of address pool IPs is larger than the number of service types.
4) One IP is pre-allocated to each service type, and the 2 extra IPs are pre-allocated preferentially to the services with more policies, according to the 3:3:1:1 policy ratio of the service types; the number of policies started for each service type is recorded and the corresponding table is updated according to the distribution results of 2, 1 and 1.
5) The front end receives the client message.
6) Whether the connection is new is judged from the client message. For a new connection go to step 7); otherwise go to step 16).
7) The front end, from its transmission port address and a random port number, communicates with the transmission port address and listening port of the opposite terminal device to request the opposite terminal's data transmission address and port.
8) After the request is received, the data transmission address and port are acquired.
9) The corresponding table is queried and, according to the service type of the protocol agent, an address and port are obtained from the pre-allocated addresses of that service type using the state table; if this succeeds go to step 15), otherwise go to step 12).
10) If there is a service type for which no policy is started, go to step 11); otherwise go to step 12).
11) An address and port are obtained, according to the state table, from the pre-allocated addresses of the service type with no started policy, then go to step 12).
12) An address and port are obtained, according to the state table, from the pre-allocated addresses of the service type with the smaller number of started policies.
13) The obtained address and port are returned and the state table is updated.
14) The back end sends its data transmission address and port to the opposite terminal device.
15) Steps 10) to 13) are performed to acquire the data transmission address and port.
16) At this point the front end holds its own data transmission address and port as well as those of the opposite terminal device, and can forward the client message to the opposite terminal for subsequent data transmission.
17) The back end forwards the client message to the server.
18) Whether the message is an end message is judged. If not, go to step 16); if so, go to step 19).
19) After communication is completed, the front end and the back end release the address pool address and port and update the state table.
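The pool splitting of step 2), the pre-allocation of steps 3) to 4), and the acquisition and release of steps 9) to 13) and 19), as an added Python illustration that is not the patent's own code; the subnet 192.0.2.0/28, the two transmission port addresses, the single data port 10000, and the service-type names and policy counts are constructed. It also covers the case of claim 3 in which there are more service types than pool addresses, where every type is marked as the first type and reads the next free address from the shared pool.

```python
import ipaddress
from collections import Counter

DATA_PORT = 10000  # constructed: the patent pairs each pool address with a port


def split_address_pool(cidr, transmission_addrs):
    """Step 2): usable addresses of the transmission-port subnet, minus the
    transmission port addresses themselves, shared equally front/back."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
    avail = [h for h in hosts if h not in set(transmission_addrs)]
    half = len(avail) // 2
    return avail[:half], avail[half:]


class AddressPool:
    """One end's address pool: pre-allocation result plus the state table."""

    def __init__(self, addresses, policies, port=DATA_PORT):
        self.policies = dict(policies)  # service type -> configured policy count
        self.started = Counter()        # service type -> policies currently started
        self.state = {}                 # state table: (addr, port) -> service type
        self.port = port
        types = list(self.policies)
        # Steps 3)-4) / claim 3: compare service-type count with the pool size.
        # More types than addresses: every type is marked "first type" and
        # reads the next free address from the whole pool.
        self.shared = len(types) > len(addresses)
        if self.shared:
            self.prealloc = {t: list(addresses) for t in types}
        else:
            # One address per type; the remainder goes preferentially to the
            # types with the most configured policies.
            self.prealloc = {t: [addresses[i]] for i, t in enumerate(types)}
            by_policy = sorted(types, key=lambda t: -self.policies[t])
            for i, addr in enumerate(addresses[len(types):]):
                self.prealloc[by_policy[i % len(by_policy)]].append(addr)

    def _free(self, service_type):
        """First pre-allocated address of this type absent from the state table."""
        for addr in self.prealloc[service_type]:
            if (addr, self.port) not in self.state:
                return addr
        return None

    def acquire(self, service_type):
        """Steps 9)-13) / claim 7: choose the data transmission address and port."""
        addr = self._free(service_type)  # own pre-allocation (or the shared pool)
        if addr is None and not self.shared:
            # Step 11): borrow from a type that has no started policy.
            idle = [t for t in self.prealloc if self.started[t] == 0 and self._free(t)]
            if idle:
                addr = self._free(idle[0])
            else:
                # Step 12): borrow from the type with the fewest started policies.
                cands = [t for t in self.prealloc if self._free(t)]
                if cands:
                    addr = self._free(min(cands, key=lambda t: self.started[t]))
        if addr is None:
            raise RuntimeError("address pool exhausted for %s" % service_type)
        self.state[(addr, self.port)] = service_type  # step 13): update state table
        self.started[service_type] += 1
        return addr, self.port

    def release(self, addr, port):
        """Step 19): free the address/port once the end message has been seen."""
        service_type = self.state.pop((addr, port))
        self.started[service_type] -= 1


if __name__ == "__main__":
    front, back = split_address_pool("192.0.2.0/28", ["192.0.2.1", "192.0.2.2"])
    pool = AddressPool(front, {"http": 3, "ftp": 3, "db": 1, "mail": 1})
    print(pool.prealloc)
    first = pool.acquire("db")
    print("db ->", first, "second db ->", pool.acquire("db"))
    pool.release(*first)
```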
As shown in fig. 7, some embodiments of the present application provide an electronic device comprising a memory 510 and a processor 520, wherein the memory 510 stores a computer program, and the processor 520, when reading the program from the memory via a bus 530 and executing the computer program, can implement the following operations: the address pre-allocation in the address pool is completed, and a local address pre-allocation result is obtained, wherein the local address pre-allocation result is determined by comparing the size relation between the number of local service types and the number of addresses in the local address pool; maintaining the address pre-allocation result of the home terminal and the address use state of the home terminal address pool; acquiring a local end data transmission address and a port according to the local end address pre-allocation result as a data message to be transmitted of an opposite end; and sending the data message to be transmitted of the local terminal to the opposite terminal network isolation device according to the opposite terminal data transmission address and the port.
Processor 520 may process digital signals and may include various computing structures, such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 520 may be a microprocessor.
Memory 510 may be used for storing instructions to be executed by processor 520 or data related to execution of the instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more of the modules described in embodiments of the present application. The processor 520 of the disclosed embodiments may be used to execute instructions in the memory 510 to implement the methods shown in fig. 5 or 6. Memory 510 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, essentially or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (14)

1. A network isolation device, the network isolation device comprising:
a configuration module configured to:
the address pre-allocation in the address pool is completed, and a local address pre-allocation result is obtained, wherein the local address pre-allocation result is determined by comparing the size relation between the number of local service types and the number of addresses in the local address pool;
maintaining the address pre-allocation result of the home terminal and the address use state of the home terminal address pool;
the connection module is configured to acquire a local end data transmission address and a port according to the local end address pre-allocation result as a data message to be transmitted of the opposite end;
and the data transmission module is configured to send the data message to be transmitted of the local terminal to the opposite terminal network isolation device according to the opposite terminal data transmission address and the port.
2. The network isolation device of claim 1, wherein the configuration module further comprises:
an address pool module configured to:
calculating the remaining available addresses of the sub-network where the transmission port address is located, and obtaining an address set to be allocated;
dividing all addresses in the address set to be allocated into the network isolation device and the opposite-end network isolation device in a sharing mode to obtain the local-end address pool and the opposite-end address pool;
determining an address pre-allocation strategy according to the size relation between the number of the local service types and the number of the addresses in the local address pool, and completing pre-allocation of the addresses in the local address pool according to the address pre-allocation strategy to obtain the local address pre-allocation result;
and the record table module is configured to store the local address pre-allocation result and the local address pool address use state.
3. The network isolation device of claim 2, wherein,
the address pool module is further configured to:
if the number of the local terminal service types is confirmed to be larger than the number of the addresses of the local terminal address pool, a first mark is allocated for each service type, and the addresses of the local terminal address pool are used as a first local terminal address pre-allocation result;
if the number of the local terminal service types is confirmed to be equal to the number of the addresses of the local terminal address pool, pre-allocating each address in the local terminal address pool to one service type to obtain the corresponding relation between each address and port and the service type, and taking the corresponding relation as at least part of the information in a second local terminal address pre-allocation result;
if the number of the local terminal service types is confirmed to be smaller than the number of the addresses in the local terminal address pool, each address in the local terminal address pool is allocated to one service type, and the rest addresses in the local terminal address pool address are pre-allocated again according to the strategy number of the service type; recording addresses and ports pre-allocated for each service type to obtain a corresponding relation; and taking the corresponding relation as at least part of information in the third home address pre-allocation result.
4. The network isolation device of claim 3, wherein the second home address pre-allocation result and the third home address pre-allocation result are further used to record a policy number for each service type start at the current time, respectively.
5. The network isolation device of claim 1, wherein the connection module comprises:
the address acquisition module is configured to acquire the local data transmission address and the port by inquiring the local address pre-allocation result as the data to be transmitted of the opposite terminal according to the service type of the data to be transmitted of the opposite terminal;
and the connection judging module is configured to acquire the local data transmission address and the port by calling the address acquisition module if the data message to be transmitted of the opposite terminal belongs to the first message, acquire the local data transmission address and the port by calling the record table module if the data message to be transmitted of the opposite terminal does not belong to the first message, and provide the local data transmission address and the port for the data transmission module of the opposite terminal.
6. The network isolation device of claim 5, wherein the address acquisition module is further configured to:
if the service type of the data to be transmitted of the opposite terminal is the first type, read the next address and port from the local terminal address pool as the data transmission address and port.
7. The network isolation device of claim 6, wherein the address acquisition module is further configured to:
if the service type of the data to be transmitted of the opposite terminal is confirmed not to belong to the first type, searching a data transmission address and a port for transmitting the service type of the data to be transmitted of the opposite terminal from the address using state of the local terminal address pool to obtain the local terminal data transmission address and the port, if the data transmission address and the port for transmitting the data to be transmitted of the opposite terminal are not searched from the address using state information of the local terminal address pool, further searching whether the service type without a starting strategy exists in the pre-allocation result of the local terminal address, if so, acquiring the local terminal data transmission address and the port from the pre-allocation address corresponding to the service type without the starting strategy, otherwise, preferentially acquiring the local terminal data transmission address and the port from the pre-allocation address corresponding to the service type with a small number of starting strategies.
8. A method of transmitting data between network isolated systems, the network isolated systems including a first network isolated device in communication with a client and a second network isolated device in communication with a server, the method comprising:
receiving a message to be transmitted;
if the fact that new connection needs to be established for the message to be transmitted is confirmed, acquiring an opposite-end data transmission address and a port by inquiring an opposite-end address pre-allocation result or an opposite-end address pool address use state, wherein the opposite-end address pre-allocation result is determined by comparing the size relation between the number of opposite-end service types and the number of addresses in an opposite-end address pool;
and sending the data message to be transmitted of the local terminal to the opposite terminal network isolation device through the opposite terminal data transmission address and the port.
9. The method of claim 8, wherein prior to said obtaining the peer data transfer address and port by querying the peer address pre-allocation result or the peer address pool address usage status, the method further comprises:
configuring an opposite terminal transmission port address;
calculating the remaining available addresses of the sub-network where the opposite-end transmission port addresses are located, and obtaining an address set to be allocated;
dividing all addresses in the address set to be allocated into the first network isolation device and the second network isolation device in a sharing mode to serve as the address pool of the corresponding network isolation device;
and completing the pre-allocation of the addresses of the opposite terminal address pool according to the size relation between the number of the opposite terminal service types and the number of the addresses in the opposite terminal address pool, and obtaining the opposite terminal address pre-allocation result.
10. The method of claim 9, wherein the pre-allocation of the addresses of the opposite address pool according to the size relationship between the number of opposite service types and the number of addresses in the opposite address pool, to obtain the pre-allocation result of the opposite address, comprises:
if the number of the opposite terminal service types is confirmed to be larger than the number of the addresses of the opposite terminal address pools, a first type mark is allocated for each service type, and the addresses of the opposite terminal address pools are used as a first opposite terminal address pre-allocation result;
if the number of the opposite terminal service types is confirmed to be equal to the number of the addresses of the opposite terminal address pool, pre-allocating each address in the opposite terminal address pool to one service type to obtain the corresponding relation between each address and port and the service type, and taking the corresponding relation as at least part of the information in a second opposite terminal address pre-allocation result;
if the number of the opposite terminal service types is confirmed to be smaller than the number of the addresses in the opposite terminal address pool, each address in the opposite terminal address pool is allocated to one service type, and the remaining addresses in the opposite terminal address pool are pre-allocated again according to the policy number of the service types; recording addresses and ports pre-allocated for each service type to obtain a corresponding relation; and taking the corresponding relation as at least part of the information in the third opposite terminal address pre-allocation result.
11. The method of claim 8, wherein the obtaining the peer data transfer address and port by querying a peer address pre-allocation result or a peer address pool address usage status comprises:
and if the service type of the data message to be transmitted of the local terminal is confirmed to be the first type, reading the next address and the port from the address pre-allocation result of the first opposite terminal as the data transmission address and the port.
12. The method of claim 8, wherein the obtaining the peer data transfer address and port by querying a peer address pre-allocation result or a peer address pool address usage status comprises:
if the service type of the data to be transmitted does not belong to the first type, searching a pre-allocation address and a port of the service type of the data to be transmitted from the address using state of the opposite terminal address pool to obtain the opposite terminal data transmission address and the port, if the process of searching the opposite terminal data transmission address and the port from the address using state of the opposite terminal address pool fails, inquiring whether the service type without a starting strategy exists in the pre-allocation result of the opposite terminal address, if so, acquiring the opposite terminal data transmission address and the port from the pre-allocation address corresponding to the service type without the starting strategy, otherwise, preferentially acquiring the opposite terminal data transmission address and the port from the pre-allocation address corresponding to the service type with a small number of the starting strategies.
13. The method of claim 8, wherein after the sending the home pending data message to a peer network isolation device via the peer data transfer address and the port, the method further comprises:
and releasing the data transmission address and the port when the message to be transmitted of the local terminal is confirmed to belong to the ending message.
14. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, the processor when executing the computer program being operable to:
the address pre-allocation in the address pool is completed, and a local address pre-allocation result is obtained, wherein the local address pre-allocation result is determined by comparing the size relation between the number of local service types and the number of addresses in the local address pool;
maintaining the address pre-allocation result of the home terminal and the address use state of the home terminal address pool;
acquiring a local end data transmission address and a port according to the local end address pre-allocation result as a data message to be transmitted of an opposite end;
and sending the data message to be transmitted of the local terminal to the opposite terminal network isolation device according to the opposite terminal data transmission address and the port.
CN202310557993.1A 2023-05-15 2023-05-15 Network isolation device and method for transmitting data between network isolation systems Pending CN116582328A (en)


Publications (1)

Publication Number Publication Date
CN116582328A (en) 2023-08-11

Family

ID=87537328


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination