CN100531095C - Service gateway system - Google Patents


Info

Publication number: CN100531095C
Authority: CN (China)
Prior art keywords: network, data, module, service gateway, layer
Legal status: Active
Application number: CNB2006100628105A
Other languages: Chinese (zh)
Other versions: CN1937565A
Inventor: 薛新峰
Current assignee: HAOFENG COMMUNICATION TECHNOLOGY Co Ltd SHENZHEN
Original assignee: HAOFENG COMMUNICATION TECHNOLOGY Co Ltd SHENZHEN
Priority date: 2006-09-27
Filing date: 2006-09-27
Publication date: 2009-08-19

Timeline
2006-09-27: Application filed by HAOFENG COMMUNICATION TECHNOLOGY Co Ltd SHENZHEN; priority to CNB2006100628105A
2007-03-28: Publication of CN1937565A
2009-08-19: Application granted; publication of CN100531095C
Current legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a service gateway system comprising: a. a hardware platform that provides computing and storage for the system and supports software operation and computation; b. a network layer comprising network security, network maintenance and network routing systems; c. an application layer that implements the concrete network applications, comprising website, e-mail and file transfer systems together with application systems developed by the customer. The intranet and extranet connected to the hardware platform must exchange data through the network layer and the application layer. The system integrates multiple services in a single platform, strengthening network security and management, and provides a foundation for the informatization of small and medium-sized enterprises.

Description

Service gateway system
[Technical field]
The present invention relates to computer network systems, and in particular to a service gateway system.
[Background art]
In the traditional network model shown in Figure 1, the individual services are independent: each service is implemented separately, the various servers have no relation to one another, and resources cannot be shared. Building such a network is complex and makes management very difficult. For example, it involves purchasing network equipment, installing computers, installing software systems, applying for an ADSL line, planning the internal network, setting up the company website, setting up the corporate mail system, managing employee Internet access, file and print services, and so on. These services are supplied by many different vendors: one for network maintenance, one for anti-virus, another for data security, and yet another for the website and mail. When a problem occurs they cannot work together effectively, and maintenance is very difficult. Because the system is assembled from many parts, the components often conflict with one another. Buying the parts separately also increases the enterprise's purchase cost.
[Summary of the invention]
The technical problem to be solved by the invention is to provide a service gateway system with anti-virus, filtering, network maintenance and management functions.
To solve the above technical problem, the invention adopts the following technical solution:
The service gateway system comprises:
A. a hardware layer, which provides computing and storage for the system and supports software operation and computation;
B. a network layer, which comprises a network security system, a network operation system and a network routing system;
C. an application layer, which implements the concrete network applications, comprising: website, mail and file transfer systems, and application systems developed by the customer;
The internal network and the external network are connected to the hardware layer and must transfer data through the network layer and the application layer;
The network security system comprises a firewall module, an IPS module and a virus detection and removal module. Each module has the same data entry mechanism and data exit mechanism. The data flow leaves the hardware layer, passes in turn through the filter queue that makes up the network security system, and finally enters the application layer. If no module is registered in the network security layer, the data flow is equivalent to passing through an empty pipe and enters the upper layer directly. In each security corridor a module checks, filters, merges, discards or changes the data according to its own algorithm and intent. The system influences the final result by deploying or not deploying each module, but does not itself take part in processing the data;
The network operation system is divided into two major parts: a data analysis part and a system tool part. The data analysis part performs data recording, protocol analysis and reporting; it comprises at least one analysis module and a module registration interface. If the data need not be collected and analysed, the analysis module is an empty pipe or queue that passes the data directly to the upper layer; by registering a series of analysis modules, a pipeline queue similar to that of the network security layer is formed. The system tool part consists of tool software, which on the one hand tests various network conditions and on the other hand sets the network security rules and routing rules;
The network routing system ensures the smooth transfer of data: data destined for this service gateway system enter the service gateway system, and data not destined for it re-enter the internal network or the external network;
An Internet access device is arranged in front of the service gateway system and an internal network access device behind it. The internal network is not connected to the Internet directly; data exchange takes place through the service gateway system.
The system has a unified configuration management interface through which the various configurations can be changed in one place.
The beneficial effects of the invention are as follows. Because the service gateway system of the invention organically combines the hardware layer, the network layer and the application layer, it integrates multiple services in a single platform and strengthens network security and network management. A network layer is placed between the hardware layer and the application layer so that they do not exchange data directly, and the network security, network operation and network routing systems guarantee the safety of the system. The internal network and the external network are connected to the hardware layer and must transfer data through the network layer and the application layer. The result is a device system that provides secure network access and management, can assist in diagnosing network faults, and at the same time offers the website and mail services commonly needed by enterprises, to which further applications can be added freely. It is an integrated information device system that meets many of the informatization needs of small and medium-sized organizations with a single piece of equipment, so that these organizations can concentrate on information construction in their own specialist area. The service gateway system addresses the security, stability, maintainability and implementation cost of the networks involved in SME informatization, and provides a foundation for small and medium-sized enterprises to achieve informatization.
[Description of the drawings]
Fig. 1 is the organization chart of the service gateway system of the invention;
Fig. 2 is a schematic diagram of the deployment of the service gateway system and external equipment;
Fig. 3 is the system service flow chart;
Fig. 4 is the service gateway system management process.
The invention is described further below with reference to the drawings:
[Embodiment]
Refer to Fig. 1, the organization chart of the service gateway system of the invention, which comprises a hardware layer, a network layer and an application layer.
Hardware layer: provides computing and storage for the system and supports software operation and computation. It can use standard, commercially available equipment or hardware developed in-house.
Network layer: its modules behave like data pipes within the system. Each module has the same data entry and exit mechanism and implements its own function independently, and the order in which data enter the different modules does not affect the final result. After leaving the hardware layer the data flow enters the filter queue of the security modules in turn and finally reaches the next layer. If no module is registered in the network security layer, the data flow is equivalent to passing through an empty pipe and enters the upper layer directly. In each security corridor a module checks, filters, merges, discards or changes the data according to its own algorithm and intent. The system influences the final result by deploying or not deploying each module, but does not itself take part in processing the data.
The network operation layer is divided into two major parts: a data analysis part and a system tool part. The data analysis part performs data recording, protocol analysis and reporting, and comprises at least one analysis module and a module registration interface. If the data need not be collected and analysed, the analysis module is an empty pipe or queue that passes the data directly to the upper layer. By registering a series of analysis modules a pipeline queue similar to that of the network security layer is formed; the data flow through these pipes in turn and finally reach the application layer, producing a corresponding series of reports. Unlike the network security layer, data are no longer changed once they enter this layer. Another distinguishing feature of this layer is its many system tools. The system tool part consists of a series of small tool programs which on the one hand test various network conditions and on the other hand set the network security rules and routing rules. With these tools the system administrator can control the network directly.
The network routing system ensures the smooth transfer of data: data destined for this machine enter this machine's system, and data not destined for it re-enter the internal network or the external network.
Application layer: implements the concrete network applications, comprising website, mail and file transfer systems, and application systems developed by the customer. These application systems may depend on one another in various ways, but they have no direct dependence on the three layers beneath them; the application software does not know, and need not know, what processing the data have been through.
The data flows in the system fall into four classes:
A. from the external network to the service platform;
B. from the service platform to the external network;
C. from the external network to the internal network;
D. from the internal network to the external network.
The processing sequence for each class is:
Class A: external network -> hardware layer -> network security system -> network operation system -> routing system -> application service.
Class B: application service -> routing system -> network operation system -> network security system -> external network.
Class C: external network -> hardware layer -> network security system -> network operation system -> routing system -> network operation system -> network security system -> hardware layer -> internal network.
Class D: internal network -> hardware layer -> network security system -> network operation system -> routing system -> network operation system -> network security system -> hardware layer -> external network.
In this way, a network layer is placed between the hardware layer and the application layer so that they do not exchange data directly, and the network security, network operation and network routing systems guarantee the safety of the system. The internal network and the external network are connected to the hardware layer and must transfer data through the network layer and the application layer.
The functions of the system are described in detail below:
Gateway function: makes it possible for users inside the network to access the Internet. Network service providers vary, as do the access methods and authentication methods. For example, ISPs in China include China Telecom, China Netcom, Great Wall Broadband Network Service Company Limited, cable television operators and so on, and network access may be ADSL, residential broadband, leased line and so on.
Dynamic domain name resolution: resolves the dynamic Internet IP address assigned by the ISP to the organization's own fixed domain name, so that users anywhere in the world can reach the system. For enterprises that have a static IP address, for example those using DDN lines, this function is unnecessary.
Web service, e-mail and data storage functions: allow the organization's internal data and information to be published on the network. Even if the company already has a website, the web service function is still needed; providing the web service greatly strengthens the enterprise's ability to develop and use its own proprietary software.
Network security function: protects the security of data on the gateway and of data inside the organization's network. Network security must provide protection of sufficient strength for the service platform gateway itself and for the inside of the organization. Different enterprises have different security requirements, and the specific selection is a combination of one or more of the following tool systems:
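The layered pipeline and the four flow classes described above, as an added Python model that is not code from the patent: the Packet and Gateway names, the zone labels, the policy triples and the byte signatures are constructed assumptions, and the payload filter stands in for both the IPS and the virus-scanning module. The security chain drops or passes each packet in turn and behaves as an empty pipe when nothing is registered, while the operation layer's analysis chain only reports.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional
# Zones as the gateway sees them; GATEWAY stands for the platform's own application layer.
EXTERNAL, INTERNAL, GATEWAY = "external", "internal", "gateway"

@dataclass
class Packet:
    src_zone: str       # zone the data came from
    dst: str            # zone (or GATEWAY) the data is addressed to
    proto: str          # constructed protocol label, e.g. "http"
    payload: bytes
    trace: List[str] = field(default_factory=list)   # layers visited, in order

# A security module inspects the packet in place and returns it, or None to drop it;
# an analysis module only observes, appending report lines and never altering data.
SecurityModule = Callable[[Packet], Optional[Packet]]
AnalysisModule = Callable[[Packet, List[str]], None]

class Gateway:
    def __init__(self) -> None:
        self.security_chain: List[SecurityModule] = []   # the "safety corridors", in order
        self.analysis_chain: List[AnalysisModule] = []   # operation-layer analysis pipes
        self.reports: List[str] = []

    def _security(self, pkt: Packet) -> Optional[Packet]:
        # Nothing registered means the "empty pipe": data passes straight through.
        pkt.trace.append("security")
        for module in self.security_chain:
            if module(pkt) is None:
                return None
        return pkt

    def _operation(self, pkt: Packet) -> None:
        pkt.trace.append("operation")
        for module in self.analysis_chain:
            module(pkt, self.reports)

    def process(self, pkt: Packet) -> Optional[str]:
        """Push one packet through the layers; return the zone it reached, or None if dropped."""
        if pkt.src_zone == GATEWAY:              # class B starts in the application layer
            pkt.trace.append("application")
        else:                                    # classes A, C, D arrive via the hardware layer
            pkt.trace.append("hardware")
            if self._security(pkt) is None:
                return None
            self._operation(pkt)
        pkt.trace.append("route")                # routing system: for this platform, or transit?
        if pkt.dst == GATEWAY:                   # class A ends in the application layer
            pkt.trace.append("application")
            return GATEWAY
        self._operation(pkt)                     # B, C, D leave through operation and security
        if self._security(pkt) is None:
            return None
        if pkt.src_zone != GATEWAY:
            pkt.trace.append("hardware")         # C and D re-enter the other network
        return pkt.dst

def firewall(policy: set) -> SecurityModule:
    """Firewall module: pass only (src_zone, dst, proto) triples the policy allows."""
    def module(pkt: Packet) -> Optional[Packet]:
        return pkt if (pkt.src_zone, pkt.dst, pkt.proto) in policy else None
    return module

def payload_filter(signatures: List[bytes]) -> SecurityModule:
    """Stands in for both the IPS and the virus-scanning module: drop on a known pattern."""
    def module(pkt: Packet) -> Optional[Packet]:
        return None if any(sig in pkt.payload for sig in signatures) else pkt
    return module

def traffic_log(pkt: Packet, reports: List[str]) -> None:
    """Analysis module: one report line per pass through the operation layer."""
    reports.append(f"{pkt.src_zone}->{pkt.dst} {pkt.proto} {len(pkt.payload)}B")

def build_gateway(order=("fw", "ips", "av")) -> Gateway:
    """Constructed configuration: a small policy and two toy signatures (not real indicators)."""
    gw = Gateway()
    modules = {"fw": firewall({(EXTERNAL, GATEWAY, "http"), (GATEWAY, EXTERNAL, "smtp"),
                               (EXTERNAL, INTERNAL, "http"), (INTERNAL, EXTERNAL, "http")}),
               "ips": payload_filter([b"EXPLOIT-SIG"]), "av": payload_filter([b"VIRUS-SIG"])}
    gw.security_chain = [modules[name] for name in order]
    gw.analysis_chain = [traffic_log]
    return gw

def run_samples(gw: Gateway) -> dict:
    """Constructed packets: one per flow class, plus two the security chain must drop."""
    samples = {
        "A": Packet(EXTERNAL, GATEWAY, "http", b"GET /index.html"),
        "B": Packet(GATEWAY, EXTERNAL, "smtp", b"MAIL FROM:<staff@example.com>"),
        "C": Packet(EXTERNAL, INTERNAL, "http", b"GET /intranet/"),
        "D": Packet(INTERNAL, EXTERNAL, "http", b"GET /news/"),
        "ips_drop": Packet(EXTERNAL, INTERNAL, "http", b"GET /?q=EXPLOIT-SIG"),
        "fw_drop": Packet(EXTERNAL, INTERNAL, "telnet", b"login"),
    }
    return {name: (gw.process(pkt), pkt.trace) for name, pkt in samples.items()}
```

Each trace in the returned dict matches the class A to D sequence listed above, and swapping the registration order of the three security modules leaves every verdict unchanged, as the page claims for its pipeline.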
● Firewall system: protects the service platform gateway itself and the organization's internal network from external attack, and controls the network resources that internal staff may use.
● Anti-virus system: protects the system itself from attack by viruses and trojan programs.
● IPS system: protects the service platform gateway itself and the organization's internal network from external attack.
● Data stream filtering system: protects the organization's critical and sensitive data from leaking out from the inside; viruses and the deliberate or inadvertent actions of some internal staff are threats of this kind that the organization faces.
● Data stream anti-virus system: scans the data entering and leaving the system for viruses, removing the viruses that internal staff introduce through improper use of Internet resources, and reducing as far as possible the threat of data leakage that the organization faces.
● User authentication system: ensures that only authorized, legitimate users can use the system.
● Access log records: review users' usage and trace hacker attacks.
● Security systems developed or purchased by the enterprise itself: a capable organization can customize security software for its own needs and thereby reach a higher degree of security.
Network diagnosis function: can identify and rule out the various abnormalities of the organization's internal network, analyse their causes and help the enterprise resolve problems. Different types of organization differ greatly in their requirements for network stability and maintenance. A small enterprise's network is simple, but it may have only non-professional maintenance staff, so its requirements in this respect may exceed those of a large enterprise with professional maintenance staff. In general, medium-sized organizations without professional maintenance staff have the strongest demand in this respect; it is rare for a large enterprise to have no professional maintenance staff. The specific methods of helping with network diagnosis are a combination of one or more of the following tool systems:
● Traffic monitoring and analysis: inspects the data entering and leaving the network and forms reports on the usage of the internal network; the maintenance staff can identify network faults from abnormal traffic.
● Network test tools: help the network maintenance staff verify the state of the network, simulate network problems and test the state of a given network node, such as speed, quantity and quality.
● Network control tools and methods: once analysis is complete, help network maintenance resolve network instability from the platform itself. Not every fault can be resolved from the gateway, switch problems for example, but many software-level faults, including virus problems and hacker problems, can be resolved from the gateway at minimal cost, so this part of the work remains very important for the organization.
● Network diagnostic tools developed or purchased by the enterprise itself.
Data backup function: the service platform gateway must be able to back up data automatically, so that the enterprise can carry out disaster recovery and ensure the smooth running of its business. Because automatic backup is provided, the organization need not consider this aspect again in the application software it develops itself, which speeds up development.
Secondary development capability: allows the organization to develop its own unique functions according to its needs. The organization can use general-purpose development tools such as C, C++, JAVA and PHP to develop the software it needs. It can also use special-purpose development tools, provided the resulting software can run on the gateway. The service gateway platform provides the running environment for enterprise software and the component environment for software development, such as a C++ compiler, an SQL database and Java development libraries; these integrated systems reduce the enterprise's development cost.
● The combination of multiple functions makes the enterprise network architecture very simple, which helps keep the enterprise network stable.
● A single device makes enterprise purchasing very simple and reduces cost.
● A single device makes it clear who is responsible for maintenance problems, so that they can be resolved well.
● Dynamic domain name resolution removes the enterprise's dependence on a static IP address, greatly reducing the cost of network access.
● The provision of mature development methods lets the enterprise develop personalized software that meets its own needs.
● The integrated system development environment reduces the enterprise's development cost.
● The comprehensive network security and management system increases the security of the enterprise network.
● The network diagnosis and troubleshooting functions greatly reduce the enterprise's maintenance cost: professional technical staff can maintain a larger network, non-professional staff can adapt better to network maintenance work, and some small enterprises achieve zero-maintenance networks.
Fig. 2 is a schematic diagram of the deployment of the service gateway system and external equipment. The service gateway system sits at the entrance of the company's internal network and has one or more network card interfaces; the external interface connects to the Internet and the internal interface to the intranet. In front of the enterprise service gateway there may be front-end access devices such as an ADSL modem, a fibre optic transceiver or additional security equipment. Behind the enterprise gateway there may also be rear-end access devices such as an internal router, additional network security equipment, switches and so on. The paths along which data flow within the enterprise include:
● entering the enterprise in the order 1-2-3-4, and entering the external network in the order 4-3-2-1;
● entering the enterprise in the order 1-2-3-4, and entering the external network in the order 6-2-1;
● entering the enterprise in the order 5-3-4, and entering the external network in the order 4-3-2-1;
● entering the enterprise in the order 5-3-4, and entering the external network in the order 6-2-1.
All paths can reach the service platform gateway, but none may enter the network on the other side directly: the gateway service platform is a key node for realizing network security.
Fig. 3 is the system service flow chart. After the system starts, it loads the application programs one by one and finally enters the system call. In the system call it checks that the functions are running and checks their configuration, to guarantee the stable operation of the system itself and of the respective services.
Another aspect in which the network service system differs from a traditional network configuration is that in a traditional setup the individual services, accounts and configuration are all handled separately, whereas the network application service platform provides a unified configuration management interface through which the various configurations can be changed in one place, simplifying administration and maintenance. The management steps are shown in Figure 4. Some modules, such as network configuration and domain name configuration, are fairly simple: a change involves only one function and only needs to be verified before it can be saved and started. The individual configuration options of users and modules are numerous and allow fine adjustment so that the system is optimized for performance. Some of these settings are optional for a module, and even if they are not provided or not exposed to the user the system's stable operation can still be guaranteed. The benefit is that system maintenance is very simple for the network administrator, and in the best case zero-maintenance can be achieved.
The most important role of the user management function is to coordinate the relationships between the application programs: from the user's point of view an account is added only once, and the system completes the allocation and coordination of all accounts in the background.
When the administrator selects the specific configuration of a module, control passes to the corresponding defined module. Because the configuration parameters and methods of each module differ, the specific implementation process is made independently according to the module's own characteristics and application.
This service gateway system addresses the security, stability, maintainability and implementation cost of the networks involved in SME informatization, and provides a foundation for small and medium-sized enterprises to achieve informatization.

Claims (2)

1. A service gateway system, characterized in that the service gateway system comprises:
A. a hardware layer, which provides computing and storage for the system and supports software operation and computation;
B. a network layer, which comprises a network security system, a network operation system and a network routing system;
C. an application layer, which implements the concrete network applications, comprising: website, mail and file transfer systems, and application systems developed by the customer;
The internal network and the external network are connected to the hardware layer and must transfer data through the network layer and the application layer;
The network security system comprises a firewall module, an IPS module and a virus detection and removal module. Each module has the same data entry mechanism and data exit mechanism. The data flow leaves the hardware layer, passes in turn through the filter queue that makes up the network security system, and finally enters the application layer. If no module is registered in the network security layer, the data flow is equivalent to passing through an empty pipe and enters the upper layer directly. In each security corridor a module checks, filters, merges, discards or changes the data according to its own algorithm and intent. The system influences the final result by deploying or not deploying each module, but does not itself take part in processing the data;
The network operation system is divided into two major parts: a data analysis part and a system tool part. The data analysis part performs data recording, protocol analysis and reporting; it comprises at least one analysis module and a module registration interface. If the data need not be collected and analysed, the analysis module is an empty pipe or queue that passes the data directly to the upper layer; by registering a series of analysis modules, a pipeline queue similar to that of the network security layer is formed. The system tool part consists of tool software, which on the one hand tests various network conditions and on the other hand sets the network security rules and routing rules;
The network routing system ensures the smooth transfer of data: data destined for this service gateway system enter the service gateway system, and data not destined for it re-enter the internal network or the external network;
An Internet access device is arranged in front of the service gateway system and an internal network access device behind it. The internal network is not connected to the Internet directly; data exchange takes place through the service gateway system.
2. The service gateway system as claimed in claim 1, characterized in that the system has a unified configuration management interface through which the various configurations can be changed.
Priority Applications (1)

Application number: CNB2006100628105A
Publication: CN100531095C (en)
Priority date: 2006-09-27
Filing date: 2006-09-27
Title: Service gateway system
Status: Active

Publications (2)

CN1937565A (en), published 2007-03-28
CN100531095C (en), published 2009-08-19

Family

ID=37954841


Families Citing this family (4)

* Cited by examiner, † Cited by third party
JP5427497B2 *, priority 2009-07-09, published 2014-02-26, 株式会社日立製作所: Mail gateway
CN101789948B *, priority 2010-02-21, published 2013-03-20, 浪潮通信信息系统有限公司: Hierarchical type mobile internet security monitoring and protecting system
CN102780676A *, priority 2011-05-09, published 2012-11-14, 贵州空中黔信科技有限公司: Super integrate point (SIP) network management terminal
CN103326932A *, priority 2013-07-08, published 2013-09-25, 苏州奇可思信息科技有限公司: Official mail management system



Legal Events

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant
DD01: Delivery of document by public notice
      Addressee: Haofeng Communication Technology Co., Ltd., Shenzhen
      Document name: Notification to Pay the Fees