CN100385885C - Safety gateway with SSL protection function and method - Google Patents

Safety gateway with SSL protection function and method

Info

Publication number
CN100385885C
Authority
CN
China
Prior art keywords
client
driver element
ssl
vpn
security
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2004100637961A
Other languages
Chinese (zh)
Other versions
CN1719813A (en)
Inventor
高文鸿
Current Assignee
WEIDA ELECTRIC CO Ltd
ICP Electronics Inc
Original Assignee
WEIDA ELECTRIC CO Ltd
Priority date
Filing date
Publication date
Application filed by WEIDA ELECTRIC CO Ltd
Priority to CNB2004100637961A
Publication of CN1719813A
Application granted
Publication of CN100385885C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a security gateway with an SSL protection function and a method therefor, applicable to a network system connecting a client and a server. The gateway comprises an operating interface, an SSL VPN drive unit, a link interface and an IPSEC VPN drive unit. When a client wants to establish an IPSEC VPN with the server, it uses the SSL-capable web browser that most clients already have: the security gateway first authenticates the client under the SSL security protocol and establishes an SSL VPN tunnel between the server and the client. After the gateway confirms that the client's authentication is legitimate, the client's security association (SA) is automatically and securely delivered to the client as a settings file under the protection of the SSL VPN tunnel, and once the user of the client runs the settings file, an IPSEC VPN tunnel is established between the server and the client.

Description

Security gateway with SSL protection function and method therefor
Technical field
The present invention relates to a security gateway with an SSL (Secure Socket Layer) protection function and a method therefor, and in particular to a security gateway and method that support both the SSL and IPSEC security protocols.
Background art
With the rapid development of network technology, transmitting data digitally has become convenient, but packets carrying private data such as company secrets, personal IDs or passwords also travel through public network systems such as the Internet, where they may be intercepted or stolen by malicious hackers. How to keep network data transmission secure has therefore become a very important problem. Many kinds of network security products (Internet Appliances, IA) are constantly being introduced; for example, a security gateway or firewall device can be installed at the receiving and/or sending end of the network system to protect the data being transmitted, mostly applying specific security standards to protocols such as FTP, HTTP or Telnet.
In addition, virtual private network gateways (VPN Gateways) are common on the market. They provide a virtual private network (VPN) mechanism whose main function is this: when a remote client computer system, for example one located in a LAN, connects to a server-side computer system via a public network environment such as the Internet or an ATM network, a VPN tunnel can be established between the two ends to carry confidential data, so that the transmission environment behaves like the company's own LAN (an intranet or extranet). The convenience of the public network and the security of the internal network are thereby obtained at the same time. Using such a VPN, any authorized remote user can establish a dedicated tunnel over the Internet with other users, companies, branches, dealers or customers to exchange important information. For example, when a remote client computer system wishes to reach a computer system inside a company, such as a server-side computer system, a VPN tunnel is first established between the VPN devices (gateways) at each end. The principle is a tunneling technique, such as one of the three common protocols IPSEC, PPTP and L2TP, which constructs over a public network such as the Internet a secure channel that behaves like an internal network and protects the client's private data packets by encapsulation, preventing the transmitted data from being stolen by outsiders such as hackers. The transmission of this private data can also be combined with other mechanisms such as security authentication, identity authentication or encryption/decryption. These encryption/decryption mechanisms mostly use one of two kinds of cipher: symmetric secret-key cryptography and asymmetric public-key cryptography.
Take Internet Protocol Security (IPSEC) as an example. It was defined by the Internet Engineering Task Force (IETF) to integrate different standards, and applies encryption/decryption technology to end-to-end communication at the network layer (IP layer) so as to guarantee authentication, integrity, access control and confidentiality when data is transmitted between clients and/or servers. The IPSEC protocol includes a security association (SA), under which the two parties authenticate each other, agree on a shared encryption/decryption algorithm, and generate, exchange and establish keys with each other. The security association of each VPN gateway that supports IPSEC is mostly recorded in the software or firmware of an IPSEC VPN drive unit of that gateway, and different IPSEC VPN gateways may each use different security associations. To establish a bidirectional IPSEC VPN tunnel between the client and server ends, each end must hold the other side's security association. In the process by which the IPSEC VPN gateway at one end, such as the client, obtains the security association of the IPSEC VPN gateway at the other end, such as the server, the client's IPSEC VPN gateway must first receive and set the configuration parameters of the security association sent by the server's IPSEC VPN gateway. Known IPSEC VPN gateways, however, often encounter the following problems when establishing an IPSEC VPN tunnel:
(1) In a site-to-site network architecture, when the client needs the configuration parameters of the security association of a remote server-side IPSEC VPN gateway, they are mostly sent from that IPSEC VPN gateway over a public network such as the Internet to the client for setting, or are even communicated directly by telephone between the IT staff of the two parties. Such transmission lacks any protective mechanism and is poorly secured, so the configuration parameters of the security association are easily intercepted by a hacker. Moreover, setting the configuration parameters of the security association is very complicated and a novice can easily make mistakes, so the setting operation is very inconvenient.
(2) In a remote-access network architecture, when a mobile user with a notebook computer wishes to establish an IPSEC VPN tunnel with a remote server end such as a company, the user may first have to obtain the configuration parameters of the security association (SA) of the server-side VPN gateway through an insecure channel such as telephone or e-mail, and then enter those parameters one by one, by hand, into the IPSEC VPN software of the notebook computer. Obtaining the security association this way is equally insecure and difficult to operate.
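The security association described above stays abstract in the text, so here is an added example (my own code, not part of the patent) that models what the background means by each end having to hold the other side's SA. Two endpoints each install one SA per direction, identified by a Security Parameter Index (SPI); a packet is protected with an HMAC-SHA256 integrity check value under the sender's outbound SA, the receiver looks the SA up by the SPI carried in the packet, and an endpoint that was never given the SA cannot verify it. Only integrity and anti-replay are modelled (no encryption), `install_sa_pair` is a stand-in for the IKE negotiation the text alludes to, and the endpoint names are constructed.

```python
"""Added example: minimal IPsec-style security associations (integrity only)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ICV_LEN = 16  # truncated HMAC-SHA256, in the spirit of ESP/AH 96-128 bit ICVs


@dataclass
class SecurityAssociation:
    spi: int               # Security Parameter Index carried in every packet
    integ_key: bytes       # shared integrity key for this one direction
    seq: int = 0           # sender side: last sequence number sent
    highest_seen: int = 0  # receiver side: highest sequence number accepted


class IpsecEndpoint:
    def __init__(self, name):
        self.name = name
        self.outbound = {}  # peer name -> SA protecting traffic to that peer
        self.inbound = {}   # SPI -> SA verifying traffic received from a peer

    def install(self, peer, out_sa, in_sa):
        self.outbound[peer] = out_sa
        self.inbound[in_sa.spi] = in_sa

    def protect(self, peer, payload):
        """Emit SPI || seq || payload || ICV under the outbound SA for `peer`."""
        sa = self.outbound[peer]
        sa.seq += 1
        body = struct.pack("!II", sa.spi, sa.seq) + payload
        icv = hmac.new(sa.integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv

    def verify(self, packet):
        """Look the SA up by SPI, check the ICV, then enforce increasing sequence numbers."""
        spi, seq = struct.unpack("!II", packet[:8])
        sa = self.inbound.get(spi)
        if sa is None:
            raise ValueError(f"{self.name}: no inbound SA for SPI {spi:#010x}")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(sa.integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError(f"{self.name}: integrity check failed for SPI {spi:#010x}")
        if seq <= sa.highest_seen:
            raise ValueError(f"{self.name}: replayed sequence number {seq}")
        sa.highest_seen = seq
        return body[8:]


def install_sa_pair(a, b):
    """Stand-in for SA negotiation (IKE in real deployments): one SA per direction.

    A's outbound SA towards B is exactly B's inbound SA (same SPI, same key) and
    vice versa, which is the "hold the other side's SA" requirement of the text.
    """
    spi_ab, key_ab = int.from_bytes(os.urandom(4), "big"), os.urandom(32)
    spi_ba, key_ba = int.from_bytes(os.urandom(4), "big"), os.urandom(32)
    a.install(b.name, SecurityAssociation(spi_ab, key_ab), SecurityAssociation(spi_ba, key_ba))
    b.install(a.name, SecurityAssociation(spi_ba, key_ba), SecurityAssociation(spi_ab, key_ab))


def demo():
    """Round trip, replay rejection, and a third party that never received the SA."""
    gateway, client = IpsecEndpoint("gateway"), IpsecEndpoint("client")
    install_sa_pair(gateway, client)
    packet = client.protect("gateway", b"hello")
    received = gateway.verify(packet)
    replay_rejected = False
    try:
        gateway.verify(packet)  # same sequence number a second time
    except ValueError:
        replay_rejected = True
    stranger = IpsecEndpoint("stranger")  # constructed third party without the SA
    stranger_rejected = False
    try:
        stranger.verify(packet)
    except ValueError:
        stranger_rejected = True
    return received, replay_rejected, stranger_rejected


if __name__ == "__main__":
    print(demo())
```

The point the example makes for the patent is that whatever delivers the SA to the client (here `install_sa_pair`, in the patent the settings file) is delivering the keys themselves; anyone who reads it can both verify and forge traffic on that SA, which is why the patent insists on an authenticated, protected channel for the delivery.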
Summary of the invention
To solve the problems of the prior art described above, a main object of the present invention is to provide a security gateway with an SSL protection function and a method therefor, applicable to a client-to-server network architecture. Because the security gateway, located adjacent to the server end, supports both the SSL and IPSEC security protocols, when any client wishes to establish an IPSEC VPN with the server end it can use the web browser supporting the SSL security protocol that most clients already have: an SSL VPN drive unit of the security gateway first performs SSL authentication of the client and establishes an SSL VPN tunnel between the server end and the client. Once the SSL VPN drive unit of the security gateway has confirmed that the client's authentication is legitimate, which means the client is allowed to go on to establish an IPSEC VPN tunnel with the server end, an IPSEC VPN drive unit of the security gateway automatically produces its security association (SA), which is packaged as a settings file and transmitted securely to the client by the SSL VPN drive unit under the protection of the SSL VPN tunnel, so the security of the data transmission is high. When the user of the client receives the settings file containing the security association, the user only needs to run it to complete the setting of the security association (SA) and establish the IPSEC VPN tunnel between the server end and the client, so the setting operation is very convenient and accurate.
To achieve the above object, the present invention provides a security gateway supporting both the SSL and IPSEC security protocols, applicable to a network system connecting a client and a server end, comprising: an operating interface, an SSL VPN drive unit, a link interface and an IPSEC VPN drive unit. The security gateway is located adjacent to the server end; the client further has a web browser supporting the SSL security protocol, corresponding to the SSL VPN drive unit of the server-side security gateway, and an IPSEC VPN gateway or IPSEC VPN application software, corresponding to the IPSEC VPN drive unit of the server-side security gateway.
The operating interface of the security gateway produces a web page on the client's web browser via the network system, and the web page provides a remote-access auto-configuration mechanism that asks the user of the client to enter identity verification data in the web browser, which is sent to the SSL VPN drive unit of the security gateway for verification. The SSL VPN drive unit, triggered by the start of the remote-access auto-configuration mechanism, establishes an SSL VPN tunnel over the network system between the server end and the client, receives the identity verification data, and judges whether it is legitimate, in order to decide whether to allow an IPSEC VPN tunnel to be further established between the client and the server end. When the SSL VPN drive unit of the server-side security gateway judges that the identity verification data is legitimate, it notifies the client to send its security authentication data securely to the SSL VPN drive unit via the SSL VPN tunnel for processing. The link interface mediates data transfer, including the security authentication data, between the SSL VPN drive unit and the IPSEC VPN drive unit. The IPSEC VPN drive unit produces a security association from the security authentication data passed by the link interface; the SSL VPN drive unit then packages it into a settings file containing the security association and transmits it to the client under the protection of the SSL VPN tunnel. When the client receives and runs the settings file containing the security association, the setting of the security association is completed on the client's IPSEC VPN gateway or application software, and an IPSEC VPN tunnel is then established between the client and the server end.
In addition, the present invention further provides a method for giving a security gateway an SSL protection function, applicable to a network system connecting at least one client and a server end, the security gateway being located at the server end, comprising:
making an operating interface of the server-side security gateway produce a specific web page on a web browser of the client that supports the SSL security protocol, the web page having a remote-access auto-configuration mechanism that asks the user of the client to enter identity verification data to be sent to an SSL VPN drive unit of the security gateway;
starting the remote-access auto-configuration mechanism, which triggers the SSL VPN drive unit of the security gateway to establish an SSL VPN tunnel between the server end and the client for transmitting the identity verification data;
making the SSL VPN drive unit authenticate the identity verification data according to the SSL security protocol, to judge whether the client's identity verification data is legitimate and hence decide whether to allow an IPSEC VPN tunnel to be established between the client and the server end;
when the SSL VPN drive unit judges that the identity verification data is legitimate, asking the client to transmit its security authentication data via the SSL VPN tunnel to the SSL VPN drive unit of the security gateway;
the SSL VPN drive unit passing the security authentication data through a link interface to an IPSEC VPN drive unit of the security gateway for processing;
the IPSEC VPN drive unit producing a security association from the security authentication data, the SSL VPN drive unit packaging it into a settings file containing the security association, and the settings file being transmitted securely to the client under the protection of the SSL VPN tunnel; and
the client running the settings file containing the security association to complete the setting of the security association, whereupon an IPSEC VPN tunnel is established between the client and the server end.
To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings:
Brief description of the drawings
Fig. 1 shows a security gateway with an SSL protection function according to a first embodiment of the present invention, applied in a client-to-server network architecture in which the client is equipped with IPSEC VPN application software;
Fig. 2 shows a security gateway with an SSL protection function according to a second embodiment of the present invention, applied in a client-to-server network architecture in which the client is equipped with an IPSEC VPN gateway; and
Figs. 3 and 4 are a continuous flow chart of the method by which the security gateways of Figs. 1 and 2 provide the SSL protection function.
The reference numerals are as follows:
10, 20 server ends; 12, 22 Internet
14, 24 clients
100, 200 security gateways with SSL protection function
102, 202 server-side computer systems; 142, 242 client computer systems
144, 244 web browsers; 146 IPSEC VPN application software
246 IPSEC VPN gateway; 1002, 2002 operating interfaces
1004, 2004 SSL VPN drive units; 1006, 2006 link interfaces
1008, 2008 IPSEC VPN drive units
S104, S108, S110, S114, S120, S130, S140, S150, S160, S170, S180, S190, S204, S208, S210, S214, S220, S230, S240, S250, S260, S270, S280 and S290 are method steps
Embodiments
Referring first to Fig. 1, a security gateway 100 according to a first preferred embodiment of the present invention supports both the SSL and IPSEC security protocols and is applicable to a network architecture, such as the Internet 12, connecting a server end 10 and a client 14. It mainly comprises an operating interface 1002, an SSL VPN drive unit 1004, a link interface 1006 and an IPSEC VPN drive unit 1008. The security gateway 100 is located adjacent to a computer system 102, such as a server, of the server end 10. The client 14 further has a computer system 142, such as a notebook computer; a web browser 144 supporting the SSL security protocol, which corresponds to the SSL VPN drive unit 1004 of the security gateway 100 of the server end 10 so that an SSL VPN tunnel can be established between the server end 10 and the client 14; and IPSEC VPN application software 146 or an IPSEC VPN gateway 246 (see Fig. 2), which corresponds to the IPSEC VPN drive unit 1008 of the security gateway 100 of the server end 10 so that an IPSEC VPN tunnel can be established between the server end 10 and the client 14.
The operating interface (UI) 1002 of the security gateway 100 produces a web page, via the Internet 12, on the web browser 144 of the computer system 142 of the client 14. The web page provides a remote-access auto-configuration mechanism; when the user of the client 14 clicks to start it, the mechanism asks the user to enter identity verification data in the web browser 144, receives it, and passes it on to the SSL VPN drive unit 1004 of the security gateway 100 for authentication according to the SSL security protocol. The identity verification data comprises a personal account and/or password previously authorized by the server end 10 for online access.
The SSL VPN drive unit 1004, in this embodiment VPN driver firmware supporting the SSL security protocol, mainly protects data transmitted at the application layer of the network transmission architecture and thus matches the SSL protection produced by the web browser 144 of the client 14. When the remote-access auto-configuration mechanism starts, it triggers the SSL VPN drive unit 1004 to establish an SSL VPN tunnel over the Internet 12 between the server end 10 and the client 14, and the identity verification data is sent securely to the SSL VPN drive unit 1004 through that tunnel. When the SSL VPN drive unit 1004 receives the identity verification data, it first judges whether the client 14 holding that data is a previously authorized, legitimate client, in order to decide whether to allow an IPSEC VPN tunnel to be further established between the server end 10 and the client 14 for transmitting or accessing the server end's private data, such as confidential company data. When the SSL VPN drive unit 1004 judges that the identity verification data is indeed legitimate, it sends a message through the web browser 144 notifying the client 14 to send its security authentication data securely to the SSL VPN drive unit 1004 via the SSL VPN tunnel for processing. The security authentication data may comprise the network address (IP) of the client 14, a key or a certificate, and may be detected automatically by the computer system 102 of the server end 10 or the computer system 142 of the client 14, or uploaded manually by the user. Otherwise, when the SSL VPN drive unit 1004 judges that the identity verification data is not legitimate, it sends a warning message to the client 14 and refuses to go on to establish an IPSEC VPN tunnel.
The link interface 1006, in this embodiment a socket program, manages data transfer between the application layer and the network layer (IP layer) of the network transmission architecture, and can therefore mediate data transfer, including the security authentication data, between the SSL VPN drive unit 1004 and the IPSEC VPN drive unit 1008.
The IPSEC VPN drive unit 1008, in this embodiment VPN driver firmware supporting the IPSEC security protocol, protects data transmitted at the network layer (IP layer). It produces a security association (SA) from the security authentication data passed by the link interface 1006; the SSL VPN drive unit 1004 then packages it into an executable settings file containing the security association, which is returned to the client 14 under the protection of the SSL VPN tunnel.
When the client 14 receives and runs the settings file containing the security association, the setting of the security association is completed on the IPSEC VPN gateway 246 (see Fig. 2) or application software 146 (see Fig. 1) of the client 14, and an IPSEC VPN tunnel is then established between the client 14 and the server end 10.
Referring further to Fig. 2, a security gateway 200 according to a second preferred embodiment of the present invention is likewise applied over an Internet 22 connecting a client 24 and a server end 20. It differs from the first embodiment only in that the client 24 of the second embodiment is equipped with an IPSEC VPN gateway 246, whereas the client 14 of the first embodiment is equipped with IPSEC VPN application software 146; everything else is identical.
Figs. 3 and 4 show the method by which the security gateways 100, 200 of Figs. 1 and 2 provide the SSL protection function. It is applicable to a network system 12, 22 connecting at least one client 14, 24 and a server end 10, 20, the security gateway 100, 200 being located at the server end 10, 20, and its steps comprise:
Step S104, S204: an operating interface 1002, 2002 of the security gateway 100, 200 of the server end 10, 20 produces a specific web page on the web browser 144, 244, supporting the SSL security protocol, of the computer system 142, 242 of the remote client 14, 24, the web page having a remote-access auto-configuration mechanism;
Step S106, S206: the remote-access auto-configuration mechanism of the web page is started, which sends a message asking the user of the client 14, 24 to enter identity verification data;
Step S108, S208: the remote-access auto-configuration mechanism receives the identity verification data entered by the user of the client 14, 24, to be sent to an SSL VPN drive unit 1004, 2004 of the security gateway 100, 200;
Step S110, S210: triggered by the start of the remote-access auto-configuration mechanism, the SSL VPN drive unit 1004, 2004 of the security gateway 100, 200 establishes an SSL VPN tunnel between the server end 10, 20 and the client 14, 24, and the identity verification data is sent to the SSL VPN drive unit 1004, 2004 under the protection of that tunnel;
Step S112, S212: the SSL VPN drive unit 1004, 2004 authenticates the identity verification data according to the SSL security protocol, to judge whether the identity verification data of the client 14, 24 is legitimate and hence decide whether to allow an IPSEC VPN tunnel to be established between the client 14, 24 and the server end 10, 20;
Step S114, S214: when the SSL VPN drive unit 1004, 2004 judges that the identity verification data is legitimate, this means the SSL VPN drive unit 1004, 2004 of the server end 10, 20 agrees to go on to establish an IPSEC VPN tunnel with the client 14, 24, so it asks the client 14, 24 to transmit its security authentication data via the SSL VPN tunnel to the SSL VPN drive unit 1004, 2004 of the security gateway 100, 200; otherwise, when the identity verification data of the client 14, 24 is found not to be legitimate, a warning message is sent to the web browser 144, 244 of the client 14, 24, indicating that the establishment of an IPSEC VPN tunnel is refused;
Step S120, S220: the SSL VPN drive unit 1004, 2004 passes the security authentication data through a link interface 1006, 2006 to an IPSEC VPN drive unit 1008, 2008 of the security gateway 100, 200 for processing;
Step S130, S230: the IPSEC VPN drive unit 1008, 2008 produces a security association (SA) from the security authentication data and passes it through the link interface 1006, 2006 to the SSL VPN drive unit 1004, 2004;
Step S132, S232: the SSL VPN drive unit 1004, 2004 packages the security association (SA) into an executable settings file containing the security association; and
Step S140, S240: under the protection of the SSL VPN tunnel, the settings file containing the security association is transmitted securely to the computer system 142, 242 of the client 14, 24.
Referring further to Fig. 4, in step S160, S260 the client 14, 24 runs the settings file containing the security association on its computer system 142, 242, to complete the setting of the security association in the IPSEC VPN gateway 246 (see Fig. 2) or IPSEC VPN application software 146 (see Fig. 1);
Step S170, S270: according to this security association, the client 14, 24 requests the establishment of an IPSEC VPN tunnel between the IPSEC VPN drive unit 1008, 2008 of the security gateway 100, 200 of the server end 10, 20 and the client 14, 24;
Step S180, S280: the IPSEC VPN drive unit 1008, 2008 of the security gateway 100, 200 agrees to establish the IPSEC VPN tunnel with the client 14, 24; and
Step S190, S290: the IPSEC VPN tunnel between the client 14, 24 and the server end 10, 20 is established and begins to carry private data.
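The provisioning method is stated twice on this page, once in the summary of the invention and once as steps S104 to S190 above, and the translated prose makes the data flow hard to follow. The following is an added example (my own code, not the patent's firmware and not code from the assignee) that models the gateway-side flow in process: `SslVpnUnit.authenticate` is step S112, `provision` asks for the client's security authentication data (its IP and credential, step S114), hands it over a socket link to `IpsecVpnUnit` (S120), which generates a security association (S130); the SSL unit renders the SA as a settings file (S132) and returns it (S140), and `apply_settings_file` is the client applying it (S160). The SSL VPN tunnel itself is not modelled: `provision()` stands for a request arriving inside a TLS session the browser has already authenticated. The socket pair stands in for the socket program of the link interface, and the account, addresses, algorithm identifiers and the key=value file format are assumptions made for the example. One caveat a practitioner will notice: the patent provisions the SA material (SPIs and keys) itself, whereas deployed IPsec normally provisions only the policy plus a pre-shared key or certificate and derives per-SA keys with IKE.

```python
import hashlib
import hmac
import json
import os
import socket
import struct

# Constructed account store (example data): salted PBKDF2-SHA256 hashes of authorised accounts.
_SALT = b"constructed-example-salt"

def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

AUTHORISED_ACCOUNTS = {"alice": _hash_password("correct horse battery")}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("link interface closed")
        buf += chunk
    return buf

class LinkInterface:
    """The 'link interface' between the two units: a socket pair carrying length-prefixed JSON."""

    def __init__(self):
        self.ssl_side, self.ipsec_side = socket.socketpair()

    @staticmethod
    def send(sock, obj):
        data = json.dumps(obj).encode()
        sock.sendall(struct.pack("!I", len(data)) + data)

    @staticmethod
    def recv(sock):
        (length,) = struct.unpack("!I", _recv_exact(sock, 4))
        return json.loads(_recv_exact(sock, length))

class IpsecVpnUnit:
    """Produces an SA from the client's security authentication data and records it (step S130)."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.sa_table = {}  # client IP -> SA as seen from the gateway

    def handle_one(self, sock):
        auth_data = LinkInterface.recv(sock)
        sa = {
            "peer_ip": auth_data["client_ip"],
            "peer_id": auth_data["credential"],
            "spi_in": int.from_bytes(os.urandom(4), "big"),   # client -> gateway
            "spi_out": int.from_bytes(os.urandom(4), "big"),  # gateway -> client
            "enc_alg": "aes-256-cbc", "auth_alg": "hmac-sha256",
            "enc_key": os.urandom(32).hex(), "auth_key": os.urandom(32).hex(),
        }
        self.sa_table[auth_data["client_ip"]] = sa
        LinkInterface.send(sock, sa)

class SslVpnUnit:
    def __init__(self, link, ipsec_unit):
        self.link, self.ipsec_unit = link, ipsec_unit

    def authenticate(self, username, password):
        """Step S112: check the account and password entered in the browser."""
        stored = AUTHORISED_ACCOUNTS.get(username)
        if stored is None:
            _hash_password(password)  # same cost for unknown users
            return False
        return hmac.compare_digest(stored, _hash_password(password))

    def provision(self, username, password, auth_data):
        """Steps S112-S140: refuse unless authenticated, then obtain and render the SA."""
        if not self.authenticate(username, password):
            raise PermissionError("identity verification failed; IPSEC tunnel refused")
        LinkInterface.send(self.link.ssl_side, auth_data)   # S120: over the link interface
        self.ipsec_unit.handle_one(self.link.ipsec_side)    # S130
        sa = LinkInterface.recv(self.link.ssl_side)
        return render_settings_file(sa, self.ipsec_unit.gateway_ip)  # S132

def render_settings_file(sa, gateway_ip):
    """Client-side view of the SA as key=value text; SPI directions are swapped."""
    client_view = {"peer_ip": gateway_ip, "spi_out": sa["spi_in"], "spi_in": sa["spi_out"],
                   "enc_alg": sa["enc_alg"], "auth_alg": sa["auth_alg"],
                   "enc_key": sa["enc_key"], "auth_key": sa["auth_key"]}
    return "".join(f"{k}={v}\n" for k, v in client_view.items())

def apply_settings_file(text):
    """Client side (step S160): parse the settings file into the IPSEC software's SA entry."""
    sa = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        sa[key] = int(value) if key.startswith("spi_") else value
    return sa

def make_gateway(gateway_ip="203.0.113.1"):
    return SslVpnUnit(LinkInterface(), IpsecVpnUnit(gateway_ip))
```

The patent delivers an executable settings file that the user runs; the example keeps it as declarative text that the client parses, so nothing the gateway sends is executed on the client. The confidentiality of the keys in that file rests entirely on the browser having authenticated the gateway's TLS certificate before the user entered the account and password, a check this example assumes rather than performs.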
In summary, the security gateway with an SSL protection function and the method of the preferred embodiments of the present invention have the security gateway support both the SSL and IPSEC security protocols and exploit the fact that ordinary web browsers on the client widely support the SSL security protocol. When any client wishes to establish an IPSEC VPN with the server end, the SSL security protocol between the SSL VPN drive unit of the server-side security gateway and the client's web browser is first used to authenticate the user of the client and to establish an SSL VPN tunnel between the server end and the client. Once the SSL VPN drive unit of the security gateway has confirmed that the client's authentication is legitimate, the client is allowed to go on to establish an IPSEC VPN tunnel with the server end: an IPSEC VPN drive unit of the security gateway automatically produces its security association (SA), which is packaged as a settings file and transmitted securely to the client by the SSL VPN drive unit under the protection of the SSL VPN tunnel, so the data transmission is more secure. When the user of the client receives the settings file containing the security association, the user only needs to run it to complete the setting of the security association (SA) and establish the IPSEC VPN tunnel between the server end and the client, so the setting operation is also very convenient and accurate.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the present invention, and any person skilled in the art may make changes and modifications without departing from the spirit and scope of the present invention.

Claims (28)

1. security gateway is applicable to that this security gateway is located at this server end, comprising in the network system that connects an at least one client and a server end:
an operation interface, which presents a web page via the network system in a web browser of the client, the web page providing a remote-access automatic setup mechanism that the user of the client starts;
an SSL VPN driver unit, which, triggered by the start of the remote-access automatic setup mechanism, establishes an SSL VPN tunnel over the network system between the server side and the client, and has the security authentication data of the client sent securely to the SSL VPN driver unit through the SSL VPN tunnel;
a connecting interface, which mediates the data transfer between the SSL VPN driver unit and an IPSEC VPN driver unit, including the security authentication data; and
the IPSEC VPN driver unit, which generates a security association from the security authentication data passed on by the connecting interface; the SSL VPN driver unit further packages the security association into a message and transfers it through the SSL VPN tunnel to the client for setup, so that an IPSEC VPN tunnel is established between the client and the server side.
2. The security gateway as claimed in claim 1, characterized in that the security gateway is located at the server side.
3. The security gateway as claimed in claim 1, characterized in that the client is further equipped with an IPSEC VPN gateway or IPSEC VPN application software corresponding to the IPSEC VPN driver unit of the security gateway at the server side.
4. The security gateway as claimed in claim 3, characterized in that the web browser of the client supports the SSL security protocol, corresponding to the SSL VPN driver unit of the security gateway at the server side.
5. The security gateway as claimed in claim 4, characterized in that, when the remote-access automatic setup mechanism is started and before the SSL VPN tunnel is established, the user of the client may be required to enter identity verification data in the web browser, which is sent to the SSL VPN driver unit of the security gateway, wherein the identity verification data comprises at least a password.
6. The security gateway as claimed in claim 5, characterized in that the identity verification data of the client is transferred to the SSL VPN driver unit of the security gateway through the SSL VPN tunnel.
7. The security gateway as claimed in claim 6, characterized in that the SSL VPN driver unit further judges whether the identity verification data it receives is valid, in order to decide whether to agree to establish an IPSEC VPN tunnel between the client and the server side.
8. The security gateway as claimed in claim 7, characterized in that, when the SSL VPN driver unit judges the identity verification data to be valid, it then requires the client to transfer its security authentication data to the SSL VPN driver unit through the SSL VPN tunnel.
9. The security gateway as claimed in claim 8, characterized in that the security authentication data comprises: the network address of the client, and a key or a certificate.
10. The security gateway as claimed in claim 1, characterized in that the SSL VPN driver unit is VPN driver firmware supporting the SSL security protocol, used to protect data transfer at the application layer.
11. The security gateway as claimed in claim 10, characterized in that the connecting interface is a socket program.
12. The security gateway as claimed in claim 11, characterized in that the IPSEC VPN driver unit is VPN driver firmware supporting the IPSEC security protocol, used to protect data transfer at the network layer.
13. The security gateway as claimed in claim 1, characterized in that the message comprising the security association is an executable setup file.
14. A method for providing a security gateway with an SSL protection function, applicable to a network system connecting at least one client and a server side, wherein the security gateway is located at the server side, comprising:
making an operation interface of the security gateway present a particular web page, carrying a remote-access automatic setup mechanism, through the web browser of the client;
starting the remote-access automatic setup mechanism on the web page in the web browser of the client, which then triggers an SSL VPN driver unit of the security gateway to establish an SSL VPN tunnel between the server side and the client;
having the security authentication data of the client sent securely to the SSL VPN driver unit of the security gateway through the SSL VPN tunnel;
the SSL VPN driver unit transferring the security authentication data to an IPSEC VPN driver unit of the security gateway for processing;
the IPSEC VPN driver unit generating a security association from the security authentication data, which the SSL VPN driver unit packages into a message comprising the security association and transfers through the SSL VPN tunnel to the client for setup; and
the client applying the message comprising the security association, so that an IPSEC VPN tunnel is established between the client and the server side.
15. The method as claimed in claim 14, characterized in that the client is further equipped with an IPSEC VPN gateway or IPSEC VPN application software corresponding to the IPSEC VPN driver unit of the security gateway at the server side.
16. The method as claimed in claim 15, characterized in that the web browser of the client supports the SSL security protocol, corresponding to the SSL VPN driver unit of the security gateway.
17. The method as claimed in claim 16, characterized in that it further comprises: when the remote-access automatic setup mechanism is started and before the SSL VPN tunnel is established, requiring the user of the client to enter identity verification data in the web browser, which is sent to the SSL VPN driver unit of the security gateway, wherein the identity verification data comprises at least a password.
18. The method as claimed in claim 17, characterized in that the identity verification data of the client is transferred to the SSL VPN driver unit through the SSL VPN tunnel.
19. The method as claimed in claim 18, characterized in that the SSL VPN driver unit of the security gateway judges whether the identity verification data it receives is valid, in order to decide whether to agree to establish an IPSEC VPN tunnel between the client and the server side.
20. The method as claimed in claim 19, characterized in that, when the SSL VPN driver unit judges the identity verification data to be valid, the client is then required to transfer its security authentication data to the SSL VPN driver unit of the security gateway through the SSL VPN tunnel.
21. The method as claimed in claim 20, characterized in that the security authentication data comprises: the network address of the client, and a key or a certificate.
22. The method as claimed in claim 14, characterized in that the SSL VPN driver unit is VPN driver firmware supporting the SSL security protocol, used to protect data transfer at the application layer.
23. The security gateway as claimed in claim 22, characterized in that the SSL VPN driver unit transfers the security authentication data, through the data mediation of a connecting interface, to the IPSEC VPN driver unit of the security gateway for processing.
24. The method as claimed in claim 23, characterized in that the IPSEC VPN driver unit is VPN driver firmware supporting the IPSEC security protocol, used to protect data transfer at the network layer.
25. The method as claimed in claim 14, characterized in that the message comprising the security association is an executable setup file.
26. The method as claimed in claim 14, characterized in that, before the SSL VPN tunnel is established, it further comprises a step of receiving identity verification data entered by the user of the client in the web browser.
27. The method as claimed in claim 26, characterized in that the SSL VPN driver unit judges whether the identity verification data it receives is valid, in order to decide whether to agree to establish an IPSEC VPN tunnel between the client and the server side.
28. The method as claimed in claim 27, characterized in that, when the identity verification data is judged to be valid, the client is then required to transfer, through the SSL VPN tunnel, security authentication data capable of establishing the IPSEC VPN tunnel to an IPSEC VPN driver unit of the security gateway for processing.
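The gateway-side procedure of claims 14 and 17 to 21, as an added simulation that is not the patent's own code: the SSL VPN unit checks the password and the client's security authentication data, the IPsec unit builds a security association, and the result is handed back as a setup document. The user table, client registry, addresses, SA fields and the JSON setup format are all assumptions; the SSL tunnel itself is not modelled.

```python
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample state (assumption): one enrolled user, one registered client.
# A real gateway would store a password hash rather than the password itself.
USERS = {"alice": "correct-horse-battery"}
REGISTERED_CLIENTS = {"10.0.0.5": "client-key-abc"}   # client address -> key

@dataclass
class SecurityAuthData:
    """Claim 21: the client's network address plus a key or a certificate."""
    client_address: str
    key: Optional[str] = None
    certificate: Optional[str] = None

class SslVpnUnit:
    """Application-layer unit (claim 22): checks identity data, then vets the
    security authentication data the client sends through the SSL tunnel."""
    def verify_identity(self, user: str, password: str) -> bool:
        expected = USERS.get(user)           # claim 17: at least a password
        return expected is not None and hmac.compare_digest(expected, password)

    def accept_auth_data(self, data: SecurityAuthData) -> bool:
        # Only a registered address/key pair is handed to the IPsec unit.
        return REGISTERED_CLIENTS.get(data.client_address) == data.key

class IpsecVpnUnit:
    """Network-layer unit (claim 24): derives the security association."""
    def __init__(self, gateway_address: str) -> None:
        self.gateway_address = gateway_address

    def generate_sa(self, data: SecurityAuthData) -> dict:
        return {"peer": data.client_address, "gateway": self.gateway_address,
                "spi": secrets.randbits(32), "esp": "aes-256-cbc/hmac-sha256",
                "esp_key": secrets.token_hex(32)}   # fresh per-client material

def provision(user: str, password: str, data: SecurityAuthData,
              ssl_unit: SslVpnUnit, ipsec_unit: IpsecVpnUnit) -> Optional[str]:
    """Gateway-side flow of claim 14; the JSON document stands in for the
    executable setup file that the client applies to bring up the IPsec tunnel."""
    if not ssl_unit.verify_identity(user, password):
        return None                          # claim 19: refuse the IPsec tunnel
    if not ssl_unit.accept_auth_data(data):
        return None
    sa = ipsec_unit.generate_sa(data)        # relayed by the connecting interface
    return json.dumps({"type": "ipsec-setup", "sa": sa})
```

Any failure of either check returns no setup document, so no security association leaves the gateway unless both the user's password and the client's registered address/key pair are accepted.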
CNB2004100637961A 2004-07-09 2004-07-09 Safety gateway with SSL protection function and method Expired - Fee Related CN100385885C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100637961A CN100385885C (en) 2004-07-09 2004-07-09 Safety gateway with SSL protection function and method

Publications (2)

Publication Number Publication Date
CN1719813A CN1719813A (en) 2006-01-11
CN100385885C true CN100385885C (en) 2008-04-30

Family

ID=35931538

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080430