CN116938603B - Traffic transmission method, device, equipment and storage medium based on stealth gateway - Google Patents

Info

Publication number: CN116938603B
Authority: CN (China)
Prior art keywords: user terminal, data, traffic, verification, gateway
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN202311192288.2A
Other languages: Chinese (zh)
Other versions: CN116938603A
Inventors: 刘威, 王泰星, 理翰文, 赵国强, 方庆红, 刘莹, 倪山登
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Events

    • Application filed by DBAPPSecurity Co Ltd
    • Priority to CN202311192288.2A
    • Publication of CN116938603A
    • Application granted
    • Publication of CN116938603B
    • Legal status: active
Classifications

All classes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 ... at the transport layer
    • H04L63/18 ... using different networks or channels, e.g. using out of band channels
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a traffic transmission method, device, equipment and storage medium based on a stealth gateway, relating to the field of network security and comprising the following steps: judging whether a verification data packet sent by a user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal is qualified to access a target service system; if the user terminal is qualified, receiving credential data sent by the user terminal and establishing a reverse transmission control protocol (TCP) channel with the user terminal based on the credential data; receiving encrypted traffic data sent by the user terminal over the reverse TCP channel and decrypting it to obtain decrypted traffic data; and sending the decrypted traffic data to the target service system, so that the user terminal completes its access to the target service system once the target service system has received the decrypted traffic data. In this way zero exposure of the gateway port is achieved, network security is effectively improved, and the difficulty of a network attack is increased.

Description

Traffic transmission method, device, equipment and storage medium based on stealth gateway
Technical Field
The present application relates to the field of network security, and in particular, to a traffic transmission method, apparatus, device, and storage medium based on a stealth gateway.
Background
With the continuous development of technology, legislation places ever higher requirements on data security, zero-trust technology has gained ever wider acceptance, and remote working through a zero-trust SDP (Software Defined Perimeter) terminal has become more and more common. However, in a conventional zero-trust SDP system, when a user accesses a service system on the internal network from the external network, the traffic must be forwarded through a secure tunnel to a port on the zero-trust SDP gateway and then forwarded by the gateway to the internal service system, so the zero-trust SDP gateway must provide a fixed port for forwarding traffic. Although the zero-trust SDP gateway can restrict the release of that port by port stealth and SPA (Single Packet Authorization) single-packet authentication, the gateway is still the unified entry point for external access and therefore has to expose an access port, and that port exposure makes the SDP gateway a target for external risk sources.
Disclosure of Invention
Therefore, the present application aims to provide a traffic transmission method, apparatus, device and storage medium based on a stealth gateway which, through a reverse tunnelling proxy technique, allow a zero-trust SDP gateway to open no inbound port at all, so as to fundamentally remove the risk of external attack that port exposure brings to the zero-trust SDP gateway. The specific scheme is as follows:
In a first aspect, the application discloses a traffic transmission method based on a stealth gateway, applied to a network security gateway and comprising the following steps:
judging whether a verification data packet sent by a user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal is qualified to access a target service system;
if the verification result indicates that the user terminal is qualified, receiving credential data sent by the user terminal and establishing a reverse transmission control protocol (TCP) channel with the user terminal based on the credential data, the reverse TCP channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal;
receiving encrypted traffic data sent by the user terminal over the reverse TCP channel and decrypting the encrypted traffic data to obtain decrypted traffic data;
and sending the decrypted traffic data to the target service system, so that the user terminal completes its access to the target service system once the target service system has received the decrypted traffic data.
Optionally, before judging whether the verification data packet sent by the user terminal is received and, if so, verifying it to generate the verification result indicating whether the user terminal is qualified to access the target service system, the method further includes:
closing the local ingress port by means of a preset packet filtering system, so that the ingress port is prohibited from receiving traffic data.
Optionally, judging whether a verification data packet sent by the user terminal is received and, if so, verifying it to generate the verification result indicating whether the user terminal is qualified to access the target service system includes:
judging whether a verification data packet sent by the user terminal is received and, if it is received, verifying the user terminal signature carried in the verification data packet;
and, if the user terminal signature passes verification, generating a verification result indicating that the user terminal is qualified to access the target service system.
Optionally, receiving the credential data sent by the user terminal and establishing a reverse TCP channel with the user terminal based on the credential data includes:
receiving a random number and an encrypted credential digest sent by the user terminal, and determining a preset seed key from the random number, the encrypted credential digest and the verification data packet;
generating a dynamic password based on the preset seed key and sending the dynamic password to the user terminal, so that after the user terminal has received the dynamic password the reverse TCP channel between the network security gateway and the user terminal is established.
Optionally, establishing the reverse TCP channel with the user terminal includes:
judging whether an authentication notice sent by the user terminal is received and, if so, connecting to a port of the user terminal to establish the reverse TCP channel with the user terminal, the authentication notice being a notice indicating that the user terminal has passed authentication based on the dynamic password.
Optionally, receiving the encrypted traffic data sent by the user terminal over the reverse TCP channel and decrypting it to obtain decrypted traffic data includes:
receiving, over the reverse TCP channel, encrypted traffic data that the user terminal has encrypted with the preset seed key, and judging whether the encrypted traffic data is accompanied by the dynamic password;
and, if the encrypted traffic data is accompanied by the dynamic password, decrypting it with the preset seed key to obtain decrypted traffic data.
Optionally, the verification data packet is a single-packet authorization (SPA) data packet, and the network security gateway is a software defined perimeter (SDP) gateway.
In a second aspect, the present application discloses a traffic transmission device based on a stealth gateway, applied to a network security gateway and including:
a qualification verification module for judging whether a verification data packet sent by the user terminal is received and, if so, verifying it to generate a verification result indicating whether the user terminal is qualified to access the target service system;
a channel establishment module for receiving, if the verification result indicates that the user terminal is qualified, the credential data sent by the user terminal and establishing a reverse TCP channel with the user terminal based on the credential data, the reverse TCP channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal;
a traffic decryption module for receiving the encrypted traffic data sent by the user terminal over the reverse TCP channel and decrypting it to obtain decrypted traffic data;
and a traffic forwarding module for sending the decrypted traffic data to the target service system, so that the user terminal completes its access to the target service system once the target service system has received the decrypted traffic data.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the traffic transmission method based on the stealth gateway.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, which when executed by a processor implements the aforementioned traffic transmission method based on a stealth gateway.
In the application, it is first judged whether a verification data packet sent by the user terminal is received; if so, the verification data packet is verified to generate a verification result indicating whether the user terminal is qualified to access the target service system. If the verification result indicates that the user terminal is qualified, the credential data sent by the user terminal is received and a reverse TCP channel with the user terminal is established based on the credential data, the reverse TCP channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal. The encrypted traffic data sent by the user terminal over the reverse TCP channel is then received and decrypted to obtain decrypted traffic data, and finally the decrypted traffic data is sent to the target service system, so that the user terminal completes its access once the target service system has received the decrypted traffic data. Thus, after receiving the verification data packet sent by the user terminal, the traffic transmission method based on the stealth gateway verifies from that packet whether the user terminal is qualified to access the service system; if the user terminal is confirmed to pass verification, its credential data is received, a reverse transmission protocol channel from the network security gateway to the user terminal is created based on the credential data, traffic is transmitted over that channel, and the user terminal's access to the service system is thereby achieved.
Therefore, zero exposure of the gateway port is achieved, network security is effectively improved and the difficulty of a network attack is increased; through the reverse tunnel proxy technique the zero-trust SDP gateway need not open any inbound port, which fundamentally removes the risk of external attack caused by port exposure of the zero-trust security gateway.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a traffic transmission method based on a stealth gateway according to the present application;
fig. 2 is a timing diagram of traffic transmission from a user terminal to a service system according to the present application;
fig. 3 is a specific flow chart of traffic transmission from a user terminal to a service system according to the present application;
fig. 4 is a schematic structural diagram of a traffic transmission device based on a stealth gateway according to the present application;
fig. 5 is a block diagram of an electronic device according to the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the prior art, with a traditional zero-trust SDP system, when a user accesses a service system on the internal network from the external network, the traffic must be forwarded through a secure tunnel to a port on the zero-trust SDP gateway and then forwarded by the gateway to the internal service system, so the zero-trust SDP gateway must provide a fixed port for forwarding traffic. Although the zero-trust SDP gateway can restrict the release of that port by port stealth and SPA single-packet authentication, the gateway is still the unified entry point for external access and therefore has to expose an access port, and that port exposure makes the SDP gateway a target for external risk sources.
To overcome these problems, the application discloses a traffic transmission method, device, equipment and storage medium based on a stealth gateway which, through a reverse tunnel proxy technique, let a zero-trust SDP gateway avoid opening any inbound port, thereby fundamentally removing the risk of external attack caused by port exposure in the zero-trust security gateway.
Referring to fig. 1, the embodiment of the application discloses a traffic transmission method based on a stealth gateway, which is applied to a network security gateway and comprises the following steps:
Step S11: judging whether a verification data packet sent by the user terminal is received and, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal is qualified to access the target service system.
In this embodiment, before judging whether a verification data packet sent by the user terminal is received (and, if so, verifying it to generate the verification result), the method further includes closing the local ingress port by means of a preset packet filtering system, so that the ingress port is prohibited from receiving traffic data. That is, to make the SDP gateway stealthy, its ingress port must be closed before it interacts with the user terminal: the gateway only makes outbound connections, from random ports, and all ingress traffic is disabled through iptables. Here, gateway stealth means that no gateway port is exposed, so that no gateway port can become an object of attack.
Further, judging whether a verification data packet sent by the user terminal is received and, if so, verifying it to generate the verification result includes: judging whether a verification data packet sent by the user terminal is received and, if it is received, verifying the user terminal signature carried in it; and, if the user terminal signature passes verification, generating a verification result indicating that the user terminal is qualified to access the target service system. That is, once the SDP gateway has closed its own inbound port it can interact with the user terminal: the user terminal first initiates an SPA single-packet knock to a random port of the SDP gateway, i.e. sends the verification data packet; after the SDP gateway receives the verification data packet it does not respond to it, and in general the SDP gateway responds to none of the SPA knock packets, which is what achieves port stealth. It should be noted that the SPA single packet uses a custom first-handshake packet of TCP (Transmission Control Protocol), so the SDP gateway can still receive SPA single packets after inbound traffic has been forbidden. The verification data packet carries the user terminal signature; after receiving the verification data packet, the SDP gateway verifies the user terminal by means of that signature to determine whether the user terminal is legitimate, and generates the corresponding verification result.
Step S12: if the verification result indicates that the user terminal is qualified, receiving the credential data sent by the user terminal and establishing a reverse TCP channel with the user terminal based on the credential data, the reverse TCP channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal.
In this embodiment, if the generated verification result indicates that the user terminal is legitimate, the user terminal is qualified to access the service system and the credential data packet that the user terminal sends next can be received. Specifically, receiving the credential data sent by the user terminal and establishing a reverse TCP channel with the user terminal based on it includes: receiving a random number and an encrypted credential digest sent by the user terminal, and determining a preset seed key from the random number, the encrypted credential digest and the verification data packet; generating a dynamic password based on the preset seed key and sending it to the user terminal, so that after the user terminal has received the dynamic password the reverse TCP channel between the network security gateway and the user terminal is established. That is, the SPA credential data packet sent next by the user terminal is received; it contains the encrypted credential digest and a random number used for verification. After the SDP gateway receives the credential data packet it computes the preset seed key, i.e. the OTP (One Time Password) seed key, from the encrypted credential digest and the random number in the credential data packet together with the signature in the verification data packet, then generates an OTP dynamic password from the OTP seed key and initiates the reverse TCP tunnel connection to the user terminal with that dynamic password. Specifically, the dynamic password is sent to the user terminal; after the user terminal receives it, the identity of the user terminal is confirmed on the basis of the dynamic password and the reverse TCP tunnel connection is initiated.
It should be noted that establishing the reverse TCP channel with the user terminal includes: judging whether an authentication notice sent by the user terminal is received and, if so, connecting to a port of the user terminal to establish the reverse TCP channel; the authentication notice is a notice indicating that the user terminal has passed authentication based on the dynamic password. That is, before establishing the reverse TCP tunnel connection with the user terminal, in order to confirm its identity, the gateway may wait to receive the authentication notice sent by the user terminal; once that notice is received, the gateway can confirm the identity of the user terminal and establish the reverse TCP tunnel connection with it. In this way the security of the traffic transmission method based on the stealth gateway is effectively improved.
Step S13: receiving the encrypted traffic data sent by the user terminal over the reverse TCP channel, and decrypting the encrypted traffic data to obtain decrypted traffic data.
In this embodiment, receiving the encrypted traffic data sent by the user terminal over the reverse TCP channel and decrypting it to obtain decrypted traffic data includes: receiving, over the reverse TCP channel, encrypted traffic data that the user terminal has encrypted with the preset seed key, and judging whether the encrypted traffic data is accompanied by the dynamic password; and, if it is, decrypting the encrypted traffic data with the preset seed key to obtain decrypted traffic data. That is, when accessing the service system, the user terminal encrypts its traffic and forwards the encrypted traffic over the reverse TCP tunnel connection to the TCP port of the SDP gateway. It should be emphasised that, because the SDP gateway has disabled inbound traffic, its TCP port can receive data packets from the user terminal over this connection, but nothing can connect to that port directly, which is what achieves zero-trust tunnel port stealth. After the encrypted traffic data has been received on the TCP port, it has to be decrypted with the preset seed key to obtain the decrypted traffic data.
Step S14: sending the decrypted traffic data to the target service system, so that the user terminal completes its access to the target service system once the target service system has received the decrypted traffic data.
In this embodiment, after the SDP gateway has finished decrypting the encrypted traffic data, the decrypted traffic data that the gateway has authenticated as legitimate is forwarded to the service system on the internal network, so that the user terminal's access to the internal service system is achieved.
It can be seen that in this embodiment it is first judged whether a verification data packet sent by the user terminal is received; if so, the verification data packet is verified to generate a verification result indicating whether the user terminal is qualified to access the target service system. If the verification result indicates that the user terminal is qualified, the credential data sent by the user terminal is received and a reverse TCP channel with the user terminal is established based on the credential data, the reverse TCP channel being a data transmission channel established by the network security gateway actively connecting to a port of the user terminal. The encrypted traffic data sent by the user terminal over the reverse TCP channel is then received and decrypted to obtain decrypted traffic data, and finally the decrypted traffic data is sent to the target service system, so that the user terminal completes its access once the target service system has received the decrypted traffic data. Thus, after receiving the verification data packet sent by the user terminal, the traffic transmission method based on the stealth gateway verifies from that packet whether the user terminal is qualified to access the service system; if the user terminal is confirmed to pass verification, its credential data is received, a reverse transmission protocol channel from the network security gateway to the user terminal is created based on the credential data, traffic is transmitted over that channel, and the user terminal's access to the service system is thereby achieved.
In this way, first, no SPA knock packet ever has to be answered and the gateway's ingress port is closed in advance, so zero exposure of the gateway port is achieved; second, the SDP gateway uses random ports for outbound connections, which effectively improves network security and increases the difficulty of a network attack; third, the application establishes a reverse TCP tunnel connection with the user terminal, so the zero-trust SDP gateway need not open any inbound port, which fundamentally removes the risk of external attack caused by port exposure in the zero-trust security gateway.
Referring to fig. 2 and fig. 3, the embodiment of the application discloses a traffic transmission method based on a stealth gateway, whose flow is as follows:
In this embodiment, fig. 2 and fig. 3 together show the timing of traffic transmission from a user end to a service system through a stealth SDP gateway. As shown in fig. 3, the user end initiates an SPA single-packet knock to the SDP gateway; specifically, the SPA data packet carries a user-end signature. After receiving the SPA data packet, the SDP gateway does not respond to it, and instead verifies the user end by checking the user-end signature in the data packet, so as to determine the validity of the user end. If the user end passes the verification, the user end sends an SPA credential packet to the SDP gateway, where the credential packet includes an encrypted credential digest and a random number used for verification. After the SDP gateway receives the SPA credential packet, it can calculate an OTP seed key from the encrypted credential digest in the credential packet, the random number and the signature in the verification packet, then generate an OTP dynamic password using the OTP seed key, and then establish a reverse TCP tunnel connection with the user end, as shown in fig. 2. The user end returns an authentication notice through the reverse TCP tunnel connection, encrypts the access traffic, and forwards the encrypted traffic to the SDP gateway through the reverse TCP tunnel connection between the user end and the SDP gateway; the SDP gateway decrypts the traffic after receiving it and sends the decrypted traffic to the service system, so as to realize the access of the user end to the service system.
Referring to fig. 4, the embodiment of the application discloses a traffic transmission device based on a stealth gateway, which is applied to a network security gateway and comprises:
the qualification verification module 11 is configured to determine whether a verification data packet sent by a user terminal is received, and if yes, verify the verification data packet to generate a verification result that characterizes whether the user terminal has access qualification of a target service system;
a channel establishment module 12, configured to receive credential data sent by the user side if the verification result indicates that the user side has the access qualification, and establish a reverse transmission control protocol channel with the user side based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to the port of the user side;
the traffic decryption module 13 is configured to receive encrypted traffic data sent by the client based on the reverse transmission control protocol channel, and decrypt the encrypted traffic data to obtain decrypted traffic data;
and the traffic forwarding module 14 is configured to send the decrypted traffic data to the target service system, so that the user side completes access to the target service system after the target service system receives the decrypted traffic data.
It can be seen that in this embodiment, it is first determined whether a verification data packet sent by a user terminal has been received; if so, the verification data packet is verified to generate a verification result indicating whether the user terminal has access qualification for a target service system. If the verification result indicates that the user terminal has the access qualification, credential data sent by the user terminal is received, and a reverse transmission control protocol channel with the user terminal is established based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by the network security gateway actively connecting to the port of the user terminal. Encrypted traffic data sent by the user terminal is then received over the reverse transmission control protocol channel and decrypted to obtain decrypted traffic data, and finally the decrypted traffic data is sent to the target service system, so that the user terminal completes its access to the target service system once the target service system has received the decrypted traffic data. Therefore, after receiving the verification data packet sent by the user terminal, the traffic transmission device based on the stealth gateway can verify the user terminal's access qualification for the service system based on that packet; if the user terminal is confirmed to pass the verification, its credential data can be received, a reverse transmission protocol channel from the network security gateway to the user terminal is created based on the credential data, traffic transmission is realized over that channel, and the access of the user terminal to the service system is thereby realized.
Therefore, zero exposure of gateway ports can be realized, network security is effectively improved, network attack difficulty is increased, and through a reverse tunnel proxy technology, the zero-trust SDP gateway does not need to open any inbound port, so that the external attack risk caused by port exposure of the zero-trust security gateway is fundamentally solved.
In some embodiments, the traffic transmission device based on the stealth gateway may further include:
and the port closing unit is used for closing the local inbound port based on a preset packet filtering system so as to inhibit the inbound port from receiving the traffic data.
In some embodiments, the qualification verification module 11 may specifically include:
the data verification unit is used for judging whether a verification data packet sent by the user terminal is received or not, and if the verification data packet is received, verifying the user terminal signature in the verification data packet;
and the qualification confirming unit is used for generating a verification result representing that the user terminal has access qualification of the target service system if the user terminal signature passes verification.
In some embodiments, the channel establishment module 12 may specifically include:
the data receiving sub-module is used for receiving the random number and the encryption certificate digest sent by the user terminal so as to determine a preset seed secret key through the random number, the encryption certificate digest and the verification data packet;
and the channel establishment sub-module is used for generating a dynamic password based on the preset seed secret key and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel between the user terminal and the channel establishment sub-module is established.
In some embodiments, the channel-establishing submodule may specifically include:
the channel establishment unit is used for judging whether an authentication notification sent by the user terminal is received, and if so, connecting to a port of the user terminal so as to establish a reverse transmission control protocol channel with the user terminal; the authentication notification is a notification indicating that the user terminal has passed authentication with the dynamic password.
In some embodiments, the traffic decryption module 13 may specifically include:
the flow receiving unit is used for receiving encrypted flow data which is sent by the user side and is encrypted based on the preset seed secret key through the reverse transmission control protocol channel, and judging whether the encrypted flow data accompanies the dynamic password or not;
and the traffic decryption unit is used for decrypting the encrypted traffic data based on the preset seed secret key to obtain decrypted traffic data if the encrypted traffic data accompanies the dynamic password.
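The flow described in the fig. 3 walkthrough above and restated by the device modules (qualification verification, channel establishment with the seed key and dynamic password, traffic decryption gated on the dynamic password, forwarding) can be simulated end to end. The following is an added example written for this page, not code from the patent or from DBAPPSecurity; the key-derivation function, the six-digit HOTP-style password format, the HMAC-based stand-in stream cipher, the message field names, the client registry and all credential values are constructed assumptions, since the patent does not specify them. The point it makes concrete is the one the text stresses: the gateway never answers a knock, never listens on an inbound port, and only decrypts frames that arrive over the channel it opened itself and that carry the current dynamic password.

```python
import hashlib
import hmac
import secrets
import time


def derive_seed_key(cred_digest, nonce, signature):
    # Seed key from credential digest + random number + SPA signature (KDF is an assumption).
    return hashlib.sha256(cred_digest + nonce + signature).digest()


def dynamic_password(seed_key, counter):
    # Six-digit HOTP-style dynamic password from the seed key (format is an assumption).
    mac = hmac.new(seed_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def keystream_xor(key, nonce, data):
    # Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream (not the patent's).
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class StealthGateway:
    """Gateway side: qualification verification, channel establishment, decryption, forwarding."""

    def __init__(self, registered_clients, service):
        self.clients = registered_clients  # client id -> signing key (constructed registry)
        self.service = service             # delivers plaintext to the internal service system
        self.inbound_port_open = False     # port closing unit: nothing ever listens inbound
        self.sessions = {}                 # per-client state built up through the flow
        self.sent = []                     # everything the gateway actively sends outbound

    def on_spa_knock(self, pkt):
        """Verify the signed, timestamped knock; never answer it, accepted or not."""
        key = self.clients.get(pkt["client_id"])
        if key is None:
            return None
        msg = pkt["client_id"] + pkt["ts"].to_bytes(8, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, pkt["sig"]) and abs(time.time() - pkt["ts"]) < 30:
            self.sessions[pkt["client_id"]] = {"sig": pkt["sig"]}
        return None  # silence is the point: a scanner cannot tell a hit from a miss

    def on_credential(self, pkt):
        """Derive the seed key from digest + nonce + knock signature and send the OTP out."""
        s = self.sessions.get(pkt["client_id"])
        if s is None:
            return None
        s["seed"] = derive_seed_key(pkt["cred_digest"], pkt["nonce"], s["sig"])
        s["otp"] = dynamic_password(s["seed"], 1)
        self.sent.append({"to": pkt["client_id"], "type": "otp", "otp": s["otp"]})
        return s["otp"]

    def on_auth_notice(self, client_id, client_port):
        """Reverse channel: the gateway connects out from a random ephemeral port."""
        s = self.sessions.get(client_id)
        if s is None or "otp" not in s:
            return None
        s["channel"] = {"src_port": secrets.choice(range(49152, 65536)), "dst_port": client_port}
        self.sent.append({"to": client_id, "type": "tcp-connect", **s["channel"]})
        return s["channel"]

    def on_encrypted_traffic(self, client_id, frame):
        """Accept a frame only if it carries the current OTP; then decrypt and forward."""
        s = self.sessions.get(client_id)
        if s is None or "channel" not in s or not hmac.compare_digest(frame["otp"], s["otp"]):
            return None
        plain = keystream_xor(s["seed"], frame["nonce"], frame["ciphertext"])
        self.service(plain)
        return plain


def run_exchange(payload=b"GET /api/orders HTTP/1.1\r\n\r\n", wrong_otp=False):
    """Drive a constructed client through the whole flow against a fresh gateway."""
    delivered = []
    client_id, key = b"user-42", b"client-signing-key-demo"  # constructed credentials
    gw = StealthGateway({client_id: key}, service=delivered.append)
    ts = int(time.time())
    sig = hmac.new(key, client_id + ts.to_bytes(8, "big"), hashlib.sha256).digest()
    spa_reply = gw.on_spa_knock({"client_id": client_id, "ts": ts, "sig": sig})
    nonce = secrets.token_bytes(16)
    cred_digest = hashlib.sha256(b"credential-blob-for-user-42").digest()  # constructed
    otp = gw.on_credential({"client_id": client_id, "nonce": nonce, "cred_digest": cred_digest})
    seed = derive_seed_key(cred_digest, nonce, sig)  # client derives the same seed key
    channel = gw.on_auth_notice(client_id, 4443) if otp == dynamic_password(seed, 1) else None
    frame_nonce = secrets.token_bytes(8)
    frame = {"otp": "xxxxxx" if wrong_otp else otp, "nonce": frame_nonce,
             "ciphertext": keystream_xor(seed, frame_nonce, payload)}
    plain = gw.on_encrypted_traffic(client_id, frame)
    return {"spa_reply": spa_reply, "channel": channel, "plain": plain,
            "delivered": delivered, "gateway": gw}
```

Calling run_exchange() walks the four stages in order and returns what reached the service system; calling it with wrong_otp=True shows the traffic decryption unit's check in action, since the frame is dropped before any decryption and nothing is forwarded. The timestamp window in on_spa_knock is a detail the patent leaves open; it is included because a signed knock with no freshness bound could otherwise be replayed to re-qualify a client.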
Further, the embodiment of the present application further discloses an electronic device, and fig. 5 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, where the computer program is loaded and executed by the processor 21 to implement relevant steps in the stealth gateway-based traffic transmission method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol in which the communication interface is in compliance is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer programs 222 may further comprise, in addition to the computer program capable of performing the stealth gateway-based traffic transfer method performed by the electronic device 20 as disclosed in any of the previous embodiments, a computer program capable of performing other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program which, when executed by a processor, implements the traffic transmission method based on the stealth gateway disclosed above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing has outlined rather broadly the more detailed description of the application in order that the detailed description of the application that follows may be better understood, and in order that the present principles and embodiments may be better understood; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (9)

1. The traffic transmission method based on the stealth gateway is characterized by being applied to a network security gateway and comprising the following steps:
judging whether a verification data packet sent by a user side is received, if so, verifying the verification data packet to generate a verification result representing whether the user side has access qualification of a target service system;
if the verification result represents that the user side has the access qualification, receiving credential data sent by the user side, and establishing a reverse transmission control protocol channel with the user side based on the credential data; the reverse transmission control protocol channel is a data transmission channel established by actively connecting a random outbound port of the network security gateway with a port of the user terminal;
receiving encrypted flow data sent by the user terminal based on the reverse transmission control protocol channel, and decrypting the encrypted flow data to obtain decrypted flow data;
sending the decrypted traffic data to the target service system so that the user side can complete access to the target service system after the target service system receives the decrypted traffic data;
the method comprises the steps of judging whether a verification data packet sent by a user terminal is received or not, and if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of a target service system, wherein the method further comprises the following steps:
the local ingress port is closed based on a preset packet filtering system to prohibit the ingress port from receiving traffic data.
2. The traffic transmission method according to claim 1, wherein the determining whether a verification data packet sent by a user terminal is received, if so, verifying the verification data packet to generate a verification result indicating whether the user terminal has access qualification of a target service system, includes:
judging whether a verification data packet sent by a user terminal is received, and if the verification data packet is received, verifying a user terminal signature in the verification data packet;
and if the signature of the user side passes the verification, generating a verification result which represents that the user side has the access qualification of the target service system.
3. The traffic transmission method based on the stealth gateway according to claim 1, wherein the receiving the credential data sent by the client and establishing a reverse transmission control protocol channel with the client based on the credential data includes:
receiving a random number and an encryption certificate digest sent by a user terminal, and determining a preset seed secret key through the random number, the encryption certificate digest and the verification data packet;
generating a dynamic password based on the preset seed secret key, and sending the dynamic password to the user terminal, so that after the user terminal receives the dynamic password, a reverse transmission control protocol channel between the network security gateway and the user terminal is established.
4. A traffic transmission method based on a stealth gateway according to claim 3, wherein the establishing a reverse transmission control protocol channel with the client comprises:
judging whether an authentication notification sent by the user side is received, and if so, connecting to a port of the user side to establish a reverse transmission control protocol channel with the user side; the authentication notification is a notification indicating that the user side has passed authentication with the dynamic password.
5. The traffic transmission method based on the stealth gateway according to claim 3, wherein the receiving, based on the reverse transmission control protocol channel, the encrypted traffic data sent by the user terminal, and decrypting the encrypted traffic data, to obtain decrypted traffic data, includes:
receiving encrypted traffic data which is sent by the user terminal and is encrypted based on the preset seed secret key through the reverse transmission control protocol channel, and judging whether the encrypted traffic data accompanies the dynamic password or not;
and if the encrypted flow data accompanies the dynamic password, decrypting the encrypted flow data based on the preset seed secret key to obtain decrypted flow data.
6. The stealth gateway-based traffic transmission method according to any one of claims 1 to 5, wherein the verification packet is a single packet authorization authentication packet; the network security gateway is a software defined border gateway.
7. A traffic transmission device based on a stealth gateway, characterized in that it is applied to a network security gateway and comprises:
the qualification verification module is used for judging whether a verification data packet sent by the user terminal is received, if so, verifying the verification data packet to generate a verification result representing whether the user terminal has access qualification of the target service system;
the channel establishment module is used for receiving the credential data sent by the user side and establishing a reverse transmission control protocol channel with the user side based on the credential data if the verification result characterizes that the user side has the access qualification; the reverse transmission control protocol channel is a data transmission channel established by actively connecting a random outbound port of the network security gateway with a port of the user terminal;
the traffic decryption module is used for receiving the encrypted traffic data sent by the user side based on the reverse transmission control protocol channel, and decrypting the encrypted traffic data to obtain decrypted traffic data;
the traffic forwarding module is used for sending the decrypted traffic data to the target service system so that the user side can complete access to the target service system after the target service system receives the decrypted traffic data;
wherein the traffic transmission device based on the stealth gateway further comprises:
and the port closing unit is used for closing the local inbound port based on a preset packet filtering system so as to inhibit the inbound port from receiving the traffic data.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the stealth gateway-based traffic transmission method as claimed in any one of claims 1 to 6.
9. A computer readable storage medium for storing a computer program which when executed by a processor implements the stealth gateway based traffic transfer method according to any one of claims 1 to 6.
CN202311192288.2A 2023-09-15 2023-09-15 Traffic transmission method, device, equipment and storage medium based on stealth gateway Active CN116938603B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311192288.2A CN116938603B (en) 2023-09-15 2023-09-15 Traffic transmission method, device, equipment and storage medium based on stealth gateway

Publications (2)

Publication Number Publication Date
CN116938603A CN116938603A (en) 2023-10-24
CN116938603B true CN116938603B (en) 2023-12-05

Family

ID=88386485


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111490993A (en) * 2020-04-13 2020-08-04 江苏易安联网络技术有限公司 Application access control security system and method
WO2021196915A1 (en) * 2020-04-02 2021-10-07 深圳壹账通智能科技有限公司 Encryption and decryption operation-based data transmission methods and systems, and computer device
CN114553568A (en) * 2022-02-25 2022-05-27 重庆邮电大学 Resource access control method based on zero-trust single packet authentication and authorization
CN114629692A (en) * 2022-02-25 2022-06-14 国家电网有限公司 Access authentication method and system of power Internet of things based on SDP
CN115694960A (en) * 2022-10-26 2023-02-03 杭州安恒信息技术股份有限公司 Application proxy method, device, equipment and readable storage medium
CN115811510A (en) * 2022-11-30 2023-03-17 中国电信股份有限公司 Method and device for realizing talkback service and talkback service system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150281122A1 (en) * 2014-03-31 2015-10-01 Byron L. Hoffman Method and Apparatus for Facilitating Accessing Home Surveillance Data by Remote Devices


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant