CN116938603B - Traffic transmission method, device, equipment and storage medium based on stealth gateway - Google Patents
- Publication number: CN116938603B (application CN202311192288.2A)
- Authority: CN (China)
- Prior art keywords: user terminal, data, traffic, verification, gateway
- Legal status: Active (as listed by Google; the listed status is an assumption, not a legal conclusion)
Classifications (CPC)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0428: Confidential data exchange in which the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/10: Controlling access to devices or network resources
- H04L63/12: Applying verification of the received information
- H04L63/166: Implementing security features at the transport layer
- H04L63/18: Network security using different networks or channels, e.g. out-of-band channels
- H04L9/321: Verifying the identity or authority of a user, or message authentication, involving a third party or a trusted authority
- H04L9/3226: Verifying the identity or authority of a user, or message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/40: Network security protocols
Abstract
The application discloses a traffic transmission method, device, equipment and storage medium based on a stealth gateway, relating to the field of network security. The method comprises the following steps: judging whether a verification data packet sent by a user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification for a target service system; if the user terminal has access qualification, receiving credential data sent by the user terminal and establishing a reverse transmission control protocol channel with the user terminal based on the credential data; receiving encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel and decrypting it to obtain decrypted traffic data; and sending the decrypted traffic data to the target service system, so that the user terminal completes access to the target service system once the target service system receives the decrypted traffic data. In this way zero exposure of the gateway port can be achieved, network security is effectively improved, and the difficulty of network attack is increased.
Description
Technical Field
The present application relates to the field of network security, and in particular, to a traffic transmission method, apparatus, device, and storage medium based on a stealth gateway.
Background
With the continuous development of technology, legislation places ever higher requirements on data security, zero-trust technology has gained ever wider acceptance, and remote work through zero-trust SDP (Software Defined Perimeter) terminals has become more and more common. However, in a conventional zero-trust SDP system, when a user accesses a service system of the internal network through the external network, the traffic must be forwarded through a secure tunnel to a port of the zero-trust SDP gateway and then forwarded by the zero-trust SDP gateway to the service system of the internal network, so the zero-trust SDP gateway has to provide a fixed port for forwarding the traffic. Although the zero-trust SDP gateway can limit when the port is opened by means of port stealth and SPA (Single Packet Authorization) single-packet authentication, the zero-trust SDP gateway becomes the unified entry for external access and must still expose an access port to the outside, so the SDP gateway becomes a target of attack by external risk sources because of that port exposure.
Disclosure of Invention
Therefore, the present application aims to provide a traffic transmission method, apparatus, device and storage medium based on a stealth gateway, which allow a zero-trust SDP gateway to open no inbound port at all by means of a reverse tunnel proxy technique, so as to fundamentally eliminate the external attack risk of the zero-trust SDP gateway due to port exposure. The specific scheme is as follows:
In a first aspect, the application discloses a traffic transmission method based on a stealth gateway, which is applied to a network security gateway and comprises the following steps:
judging whether a verification data packet sent by a user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification for a target service system;
if the verification result indicates that the user terminal has the access qualification, receiving credential data sent by the user terminal, and establishing a reverse transmission control protocol channel with the user terminal based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to a port of the user terminal;
receiving encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel, and decrypting the encrypted traffic data to obtain decrypted traffic data;
and sending the decrypted traffic data to the target service system, so that the user terminal completes access to the target service system after the target service system receives the decrypted traffic data.
Optionally, before the step of judging whether a verification data packet sent by the user terminal is received and, if so, verifying it to generate a verification result indicating whether the user terminal has access qualification for the target service system, the method further includes:
closing the local ingress port by means of a preset packet filtering system, so that the ingress port is prohibited from receiving traffic data.
Optionally, judging whether a verification data packet sent by the user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification for the target service system, includes:
judging whether a verification data packet sent by the user terminal is received and, if it is received, verifying the user terminal signature carried in the verification data packet;
and if the user terminal signature passes verification, generating a verification result indicating that the user terminal has access qualification for the target service system.
Optionally, receiving the credential data sent by the user terminal and establishing a reverse transmission control protocol channel with the user terminal based on the credential data includes:
receiving a random number and an encrypted certificate digest sent by the user terminal, and determining a preset seed key from the random number, the encrypted certificate digest and the verification data packet;
generating a dynamic password based on the preset seed key and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel between the network security gateway and the user terminal is established.
Optionally, establishing the reverse transmission control protocol channel with the user terminal includes:
judging whether an authentication notice sent by the user terminal is received and, if so, connecting to a port of the user terminal to establish the reverse transmission control protocol channel with the user terminal; the authentication notice is a notice indicating that the user terminal has passed authentication by means of the dynamic password.
Optionally, receiving the encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel and decrypting the encrypted traffic data to obtain decrypted traffic data includes:
receiving, over the reverse transmission control protocol channel, encrypted traffic data sent by the user terminal and encrypted based on the preset seed key, and judging whether the encrypted traffic data is accompanied by the dynamic password;
and if the encrypted traffic data is accompanied by the dynamic password, decrypting the encrypted traffic data based on the preset seed key to obtain decrypted traffic data.
Optionally, the verification data packet is a single-packet authorization authentication data packet; the network security gateway is a software defined border gateway.
In a second aspect, the present application discloses a traffic transmission device based on a stealth gateway, which is applied to a network security gateway and includes:
a qualification verification module, configured to judge whether a verification data packet sent by the user terminal is received and, if so, verify the verification data packet to generate a verification result indicating whether the user terminal has access qualification for the target service system;
a channel establishment module, configured to receive credential data sent by the user terminal and establish a reverse transmission control protocol channel with the user terminal based on the credential data if the verification result indicates that the user terminal has the access qualification; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to a port of the user terminal;
a traffic decryption module, configured to receive encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel and decrypt the encrypted traffic data to obtain decrypted traffic data;
and a traffic forwarding module, configured to send the decrypted traffic data to the target service system, so that the user terminal completes access to the target service system after the target service system receives the decrypted traffic data.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the traffic transmission method based on the stealth gateway.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, which when executed by a processor implements the aforementioned traffic transmission method based on a stealth gateway.
In the application, it is first judged whether a verification data packet sent by a user terminal is received; if so, the verification data packet is verified to generate a verification result indicating whether the user terminal has access qualification for a target service system. If the verification result indicates that the user terminal has the access qualification, credential data sent by the user terminal is received and a reverse transmission control protocol channel with the user terminal is established based on the credential data, the reverse transmission control protocol channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal. Encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel is then received and decrypted to obtain decrypted traffic data, and finally the decrypted traffic data is sent to the target service system, so that the user terminal completes access to the target service system once the target service system receives the decrypted traffic data. Thus, after receiving the verification data packet sent by the user terminal, the traffic transmission method based on the stealth gateway verifies the access qualification of the user terminal for the service system on the basis of that packet; if the user terminal is confirmed to pass verification, its credential data is received, a reverse transmission control protocol channel from the network security gateway to the user terminal is created based on the credential data, traffic is transmitted over that channel, and the user terminal thereby gains access to the service system.
Therefore, zero exposure of gateway ports can be realized, network security is effectively improved, network attack difficulty is increased, and through a reverse tunnel proxy technology, the zero-trust SDP gateway does not need to open any inbound port, so that the external attack risk caused by port exposure of the zero-trust security gateway is fundamentally solved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a traffic transmission method based on a stealth gateway according to the present disclosure;
fig. 2 is a timing diagram of traffic transmission from a user terminal to a service system according to the present application;
fig. 3 is a specific flow chart of traffic transmission from a user terminal to a service system according to the present application;
fig. 4 is a schematic structural diagram of a traffic transmission device based on a stealth gateway according to the present disclosure;
fig. 5 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the prior art, if a traditional zero-trust SDP system is used, when a user accesses a service system of the internal network through the external network, the traffic must be forwarded through a secure tunnel to a port of the zero-trust SDP gateway and then forwarded by the zero-trust SDP gateway to the service system of the internal network; the zero-trust SDP gateway therefore has to provide a fixed port for forwarding the traffic. Although the zero-trust SDP gateway can limit when the port is opened by means of port stealth and SPA single-packet authentication, the zero-trust SDP gateway becomes the unified entry for external access and must still expose an access port to the outside, so the SDP gateway becomes a target of attack by external risk sources because of that port exposure.
In order to overcome these problems, the application discloses a traffic transmission method, device, equipment and storage medium based on a stealth gateway, which allow a zero-trust SDP gateway to avoid opening any inbound port by means of a reverse tunnel proxy technique, thereby fundamentally eliminating the external attack risk caused by port exposure of the zero-trust security gateway.
Referring to fig. 1, the embodiment of the application discloses a traffic transmission method based on a stealth gateway, which is applied to a network security gateway and comprises the following steps:
and S11, judging whether a verification data packet sent by the user terminal is received, if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of the target service system.
In this embodiment, before judging whether a verification data packet sent by a user terminal is received, if yes, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification of a target service system, the method further includes: the local ingress port is closed based on a preset packet filtering system to prohibit the ingress port from receiving traffic data. That is, in order to achieve the stealth of the SDP gateway, the ingress port of the SDP gateway needs to be closed before interacting with the user side, and all ingress traffic is disabled through the random port egress and through the iptables, and it needs to be explained that the stealth of the gateway refers to avoiding exposing the gateway port, thereby avoiding the gateway port becoming an object that can be attacked.
Further, judging whether a verification data packet sent by a user terminal is received, if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of a target service system, including: judging whether a verification data packet sent by a user terminal is received, and if the verification data packet is received, verifying a user terminal signature in the verification data packet; and if the signature of the user side passes the verification, generating a verification result which represents that the user side has the access qualification of the target service system. That is, after the SDP gateway closes its own inbound port, it may interact with the user side, first the user side may initiate an SPA single-packet knock to the random port of the SDP gateway, that is, send an authentication packet, after the SDP gateway receives the authentication packet sent by the user side, it does not respond to the packet, and the SDP gateway does not respond to all the SPA knock packets, so that the port stealth is achieved. It should be noted that, the SPA single packet data adopts a data packet of a first handshake of a custom TCP (Transmission Control Protocol ), and for the SDP gateway, the receiving of the SPA single packet data is not affected after the inbound traffic is forbidden. And the user terminal signature is carried in the verification data packet, after the SDP receives the verification data packet, the user terminal can be verified through the user terminal signature in the verification data packet so as to determine the validity of the user terminal, and a corresponding verification result is generated.
Step S12, if the verification result indicates that the user terminal has the access qualification, receiving the credential data sent by the user terminal and establishing a reverse transmission control protocol channel with the user terminal based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to a port of the user terminal.
In this embodiment, if the generated verification result indicates that the user terminal is legitimate, the user terminal has qualification to access the service system, and the credential data packet sent next by the user terminal can be received. Specifically, receiving the credential data sent by the user terminal and establishing a reverse transmission control protocol channel with the user terminal based on the credential data includes: receiving a random number and an encrypted certificate digest sent by the user terminal, and determining a preset seed key from the random number, the encrypted certificate digest and the verification data packet; generating a dynamic password based on the preset seed key and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel between the network security gateway and the user terminal is established. That is, the SPA credential data packet sent next by the user terminal is received, where the credential data packet contains an encrypted credential digest and a random number for verification. After the SDP gateway receives the credential data packet, a preset seed key, namely an OTP (One Time Password) seed key, is calculated from the encrypted credential digest and the random number in the credential data packet together with the signature in the verification data packet; an OTP dynamic password is then generated from the OTP seed key, and a reverse TCP tunnel connection carrying the OTP dynamic password is initiated towards the user terminal. Specifically, the dynamic password is sent to the user terminal; after the user terminal receives the dynamic password, the identity of the user terminal is confirmed on the basis of the dynamic password and the reverse TCP tunnel connection is initiated.
It should be noted that establishing the reverse transmission control protocol channel with the user terminal includes: judging whether an authentication notice sent by the user terminal is received and, if so, connecting to a port of the user terminal to establish the reverse transmission control protocol channel with the user terminal; the authentication notice is a notice indicating that the user terminal has passed authentication by means of the dynamic password. That is, before establishing the reverse TCP tunnel connection with the user terminal, in order to confirm the identity of the user terminal, the gateway waits to receive the authentication notice sent by the user terminal; once the authentication notice is received, the gateway can confirm the identity of the user terminal and establish the reverse TCP tunnel connection with it. The security of the traffic transmission method based on the stealth gateway is thereby effectively improved.
Step S13, receiving the encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel, and decrypting the encrypted traffic data to obtain decrypted traffic data.
In this embodiment, receiving the encrypted traffic data sent by the user terminal over the reverse transmission control protocol channel and decrypting the encrypted traffic data to obtain decrypted traffic data includes: receiving, over the reverse transmission control protocol channel, encrypted traffic data sent by the user terminal and encrypted based on the preset seed key, and judging whether the encrypted traffic data is accompanied by the dynamic password; and if the encrypted traffic data is accompanied by the dynamic password, decrypting the encrypted traffic data based on the preset seed key to obtain decrypted traffic data. That is, when accessing the service system, the user terminal encrypts its traffic and forwards the encrypted traffic to the TCP port of the SDP gateway over the reverse TCP tunnel connection with the SDP gateway. It is further emphasized that, because the SDP gateway has disabled inbound traffic, the TCP port of the SDP gateway can at this point receive data packets from the user terminal over the reverse tunnel but cannot be connected to directly, which is how port stealth of the zero-trust tunnel is achieved. After receiving the encrypted traffic data, the TCP port decrypts it with the preset seed key to obtain decrypted traffic data.
Step S14, sending the decrypted traffic data to the target service system, so that the user terminal completes access to the target service system after the target service system receives the decrypted traffic data.
In this embodiment, after the SDP gateway has finished decrypting the encrypted traffic data, the traffic data that has been decrypted and authenticated as legitimate by the SDP gateway is forwarded to the service system of the internal network, so that the user terminal gains access to the service system of the internal network.
It can be seen that in this embodiment, whether a verification data packet sent by a user terminal is received is first determined, if yes, the verification data packet is verified to generate a verification result indicating whether the user terminal has access qualification of a target service system, if the verification result indicates that the user terminal has the access qualification, credential data sent by the user terminal is received, and a reverse transmission control protocol channel with the user terminal is established based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by actively connecting the port of the user terminal through the network security gateway, then receives the encrypted flow data sent by the user terminal based on the reverse transmission control protocol channel, decrypts the encrypted flow data to obtain decrypted flow data, and finally sends the decrypted flow data to the target service system, so that the user terminal completes access to the target service system after receiving the decrypted flow data by the target service system. Therefore, after receiving the verification data packet sent by the user terminal, the traffic transmission method based on the stealth gateway can verify the access qualification of the user terminal to the service system based on the verification data packet, if the user terminal is confirmed to pass the verification, the credential data of the user terminal can be received, so that a reverse transmission protocol channel of the network security gateway to the user terminal is created based on the credential data, traffic transmission is realized based on the reverse transmission protocol channel, and further the access of the user terminal to the service system is realized. 
In this way, first, no SPA knock data packet needs to be answered and the inbound port of the gateway is closed in advance, so zero exposure of the gateway port is achieved; second, the SDP gateway connects outbound from a random port, which effectively improves network security and increases the difficulty of a network attack; third, the application establishes a reverse TCP tunnel connection with the user side, so the zero-trust SDP gateway does not need to open any inbound port at all, which fundamentally resolves the external attack risk caused by the port exposure of existing zero-trust security gateways.
Referring to fig. 2 and fig. 3, an embodiment of the application discloses a traffic transmission method based on a stealth gateway, which comprises the following steps:
In this embodiment, fig. 2 and fig. 3 show a timing chart of traffic transmission from the user side to the service system through the stealth SDP gateway. As shown in fig. 3, the user side first sends an SPA single-packet knock to the SDP gateway; specifically, the SPA data packet carries the user-side signature. After receiving the SPA data packet, the SDP gateway does not respond to it, but verifies the user side by checking the user-side signature in the packet, thereby determining whether the user side is legitimate. If the user side passes the verification, it sends an SPA credential packet to the SDP gateway; the credential packet contains an encrypted credential digest and a random number used for verification. After the SDP gateway receives the SPA credential packet, it can calculate the OTP seed key from the encrypted credential digest and the random number in the credential packet together with the signature in the verification packet, generate an OTP dynamic password with that seed key, and then establish the reverse TCP tunnel connection with the user side, as shown in fig. 2. The user side returns an authentication notice over the reverse TCP tunnel connection, encrypts its access traffic and forwards the encrypted traffic to the SDP gateway over the reverse TCP tunnel connection between itself and the SDP gateway; after receiving the encrypted traffic, the SDP gateway decrypts it and sends the decrypted traffic to the service system, thereby realizing the user side's access to the service system.
Referring to fig. 4, the embodiment of the application discloses a traffic transmission device based on a stealth gateway, which is applied to a network security gateway and comprises:
the qualification verification module 11 is configured to determine whether a verification data packet sent by a user terminal is received, and if yes, verify the verification data packet to generate a verification result that characterizes whether the user terminal has access qualification of a target service system;
a channel establishment module 12, configured to receive credential data sent by the user side if the verification result indicates that the user side has the access qualification, and to establish a reverse transmission control protocol channel with the user side based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to the port of the user side;
the traffic decryption module 13 is configured to receive encrypted traffic data sent by the user side over the reverse transmission control protocol channel, and to decrypt the encrypted traffic data to obtain decrypted traffic data;
and the traffic forwarding module 14 is configured to send the decrypted traffic data to the target service system, so that the user side completes access to the target service system after the target service system receives the decrypted traffic data.
Therefore, zero exposure of gateway ports can be realized, network security is effectively improved, network attack difficulty is increased, and through a reverse tunnel proxy technology, the zero-trust SDP gateway does not need to open any inbound port, so that the external attack risk caused by port exposure of the zero-trust security gateway is fundamentally solved.
In some embodiments, the traffic transmission device based on the stealth gateway may further include:
and the port closing unit is used for closing the local inbound port based on a preset packet filtering system, so that the inbound port cannot receive traffic data.
In some embodiments, the qualification verification module 11 may specifically include:
the data verification unit is used for judging whether a verification data packet sent by the user terminal is received or not, and if the verification data packet is received, verifying the user terminal signature in the verification data packet;
and the qualification confirming unit is used for generating a verification result representing that the user terminal has access qualification of the target service system if the user terminal signature passes verification.
In some embodiments, the channel establishment module 12 may specifically include:
the data receiving sub-module is used for receiving the random number and the encrypted credential digest sent by the user terminal, so as to determine a preset seed secret key from the random number, the encrypted credential digest and the verification data packet;
and the channel establishment sub-module is used for generating a dynamic password based on the preset seed secret key and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel between the network security gateway and the user terminal is established.
In some embodiments, the channel-establishing submodule may specifically include:
the channel establishment unit is used for judging whether an authentication notification sent by the user terminal is received, and if so, connecting to a port of the user terminal so as to establish a reverse transmission control protocol channel with the user terminal; the authentication notification is a notification indicating that the user terminal has passed authentication with the dynamic password.
In some embodiments, the traffic decryption module 13 may specifically include:
the traffic receiving unit is used for receiving, over the reverse transmission control protocol channel, encrypted traffic data that the user side has encrypted with the preset seed secret key, and for judging whether the encrypted traffic data is accompanied by the dynamic password;
and the traffic decryption unit is used for decrypting the encrypted traffic data with the preset seed secret key to obtain decrypted traffic data if the encrypted traffic data is accompanied by the dynamic password.
Further, an embodiment of the present application also discloses an electronic device; fig. 5 is a block diagram of an electronic device 20 according to an exemplary embodiment, and the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, where the computer program is loaded and executed by the processor 21 to implement relevant steps in the stealth gateway-based traffic transmission method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol in which the communication interface is in compliance is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer program 222 may further comprise a computer program capable of performing other specific tasks in addition to the computer program capable of performing the stealth gateway-based traffic transmission method executed by the electronic device 20 as disclosed in any of the previous embodiments.
Further, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the traffic transmission method based on the stealth gateway disclosed above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing has described the principles and embodiments of the present application in detail so that they may be better understood; at the same time, since those skilled in the art will vary the specific embodiments and the scope of application in accordance with the ideas of the present application, the present description should not be construed as limiting the present application.
Claims (9)
1. The traffic transmission method based on the stealth gateway is characterized by being applied to a network security gateway and comprising the following steps:
judging whether a verification data packet sent by a user side is received, if so, verifying the verification data packet to generate a verification result representing whether the user side has access qualification of a target service system;
if the verification result represents that the user side has the access qualification, receiving credential data sent by the user side, and establishing a reverse transmission control protocol channel with the user side based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by actively connecting a random outbound port of the network security gateway with a port of the user terminal;
receiving encrypted flow data sent by the user terminal based on the reverse transmission control protocol channel, and decrypting the encrypted flow data to obtain decrypted flow data;
sending the decrypted traffic data to the target service system so that the user side can complete access to the target service system after the target service system receives the decrypted traffic data;
the method comprises the steps of judging whether a verification data packet sent by a user terminal is received or not, and if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of a target service system, wherein the method further comprises the following steps:
the local ingress port is closed based on a preset packet filtering system to prohibit the ingress port from receiving traffic data.
2. The traffic transmission method according to claim 1, wherein the determining whether a verification data packet sent by a user terminal is received, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification of a target service system, includes:
judging whether a verification data packet sent by a user terminal is received, and if the verification data packet is received, verifying a user terminal signature in the verification data packet;
and if the signature of the user side passes the verification, generating a verification result which represents that the user side has the access qualification of the target service system.
3. The traffic transmission method based on the stealth gateway according to claim 1, wherein the receiving the credential data sent by the client and establishing a reverse transmission control protocol channel with the client based on the credential data includes:
receiving a random number and an encrypted credential digest sent by the user terminal, and determining a preset seed secret key from the random number, the encrypted credential digest and the verification data packet;
generating a dynamic password based on the preset seed secret key, and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel with the user terminal is established.
4. A traffic transmission method based on a stealth gateway according to claim 3, wherein the establishing a reverse transmission control protocol channel with the client comprises:
judging whether an authentication notification sent by the user side is received, and if so, connecting to a port of the user side to establish a reverse transmission control protocol channel with the user side; the authentication notification is a notification indicating that the user side has passed authentication with the dynamic password.
5. The traffic transmission method based on the stealth gateway according to claim 3, wherein the receiving, based on the reverse transmission control protocol channel, the encrypted traffic data sent by the user terminal, and decrypting the encrypted traffic data, to obtain decrypted traffic data, includes:
receiving encrypted traffic data which is sent by the user terminal and is encrypted based on the preset seed secret key through the reverse transmission control protocol channel, and judging whether the encrypted traffic data accompanies the dynamic password or not;
and if the encrypted flow data accompanies the dynamic password, decrypting the encrypted flow data based on the preset seed secret key to obtain decrypted flow data.
6. The stealth gateway-based traffic transmission method according to any one of claims 1 to 5, wherein the verification packet is a single packet authorization authentication packet; the network security gateway is a software defined border gateway.
7. A traffic transmission device based on a stealth gateway, characterized in that it is applied to a network security gateway and comprises:
the qualification verification module is used for judging whether a verification data packet sent by the user terminal is received, if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of the target service system;
the channel establishment module is used for receiving the credential data sent by the user side and establishing a reverse transmission control protocol channel with the user side based on the credential data if the verification result characterizes that the user side has the access qualification; the reverse transmission control protocol channel is a data transmission channel established by actively connecting a random outbound port of the network security gateway with a port of the user terminal;
the traffic decryption module is used for receiving the encrypted traffic data sent by the user side based on the reverse transmission control protocol channel, and decrypting the encrypted traffic data to obtain decrypted traffic data;
the traffic forwarding module is used for sending the decrypted traffic data to the target service system so that the user side can complete access to the target service system after the target service system receives the decrypted traffic data;
wherein the traffic transmission device based on the stealth gateway further includes:
and the port closing unit is used for closing the local inbound port based on a preset packet filtering system so as to inhibit the inbound port from receiving the traffic data.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the stealth gateway-based traffic transmission method as claimed in any one of claims 1 to 6.
9. A computer readable storage medium for storing a computer program which when executed by a processor implements the stealth gateway based traffic transfer method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311192288.2A CN116938603B (en) | 2023-09-15 | 2023-09-15 | Traffic transmission method, device, equipment and storage medium based on stealth gateway |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116938603A CN116938603A (en) | 2023-10-24 |
CN116938603B true CN116938603B (en) | 2023-12-05 |
Family
ID=88386485
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |