CN101286871A - Isolation system configuring method based on digital certificate and security protocol - Google Patents


Info

Publication number: CN101286871A
Authority: CN (China)
Prior art keywords: configuration, processing unit, configuration information, identity, office terminal
Legal status: Granted (the status listed by Google is an assumption, not a legal conclusion)
Application number: CNA2008100378221A
Other languages: Chinese (zh)
Other versions: CN101286871B (en)
Inventors: 李建华, 訾小超, 姚立红, 潘理
Current assignee: SHANGHAI PENGYUE JINGHONG INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd; Shanghai Jiaotong University
Original assignee: SHANGHAI PENGYUE JINGHONG INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd; Shanghai Jiaotong University
Priority date and filing date: 2008-05-22 (application filed by SHANGHAI PENGYUE JINGHONG INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd and Shanghai Jiaotong University)
Publication date: 2008-10-15 (CN101286871A); granted 2010-12-01 (CN101286871B)
Current legal status: Expired - Fee Related

Abstract

The invention relates to an isolation system configuring method based on a digital certificate and a security protocol, and belongs to the field of information security. The method uses certificates to verify the legitimacy and reliability of the management terminal and the identity of the user, and secures the configuration information exchanged between the management terminal and the network isolation system with the SSL protocol. At the same time, the internal-network management unit authenticates and forwards the configuration information intended for the external-network processing unit, so the administrator of the isolation system no longer needs to configure the system twice. Finally, the configuration information is received by the external-network processing unit; the configuration information for the internal-network processing unit and that for the external-network processing unit are transmitted over different SSL connections. The method relies mainly on a secure communication protocol and on established digital certificate techniques to secure management, which gives it very high reliability and effectively overcomes the inconvenient management and low security of existing systems.

Description

Isolation system configuring method based on digital certificate and security protocol
Technical field
The present invention relates to a method for configuring an isolation system, specifically an isolation system configuring method based on a digital certificate and a security protocol, and belongs to the field of information security technology.
Background technology
The application and development of information technology and network interconnection technology have brought great convenience to people's work and life; on the other hand, network and information security problems have become increasingly prominent, and network security is ever harder to guarantee. The network security mechanisms in general use today are mainly firewalls, VPNs, data encryption, intrusion detection and network vulnerability scanning. But because network attack methods and hacking techniques keep improving and developing, ordinary network security products cannot meet the security requirements of critical networks and data. Users with high security requirements, such as finance, government and scientific research institutions, often set up a dedicated internal network that is physically or logically isolated from the public network. This makes information exchange between the different trust domains inconvenient, and various isolation technologies have emerged in response.
The dual-host architecture is an important way of realizing a network isolation system: one host system, the internal-network processing unit, is responsible for connecting to the internal network; the other host system, the external-network processing unit, is responsible for connecting to the external network; and the two network processing units are connected by a secure data exchange channel. Almost all current network isolation systems adopt this scheme, differing only in how the secure data exchange channel between the two network processing units is implemented.
Management and configuration are an important part of a network isolation system and largely determine its security. Because both network processing units need to be managed and configured, this poses a challenge to the management security of the network isolation system. Current management schemes are mainly: 1) the two network processing units are managed separately, for example a PC is connected over a serial port first to the internal-network processing unit to manage it, and then to the external-network processing unit to manage it; 2) only one network processing unit is connected to and managed, and the management configuration information is sent to the other network processing unit through the secure data exchange channel, so that the other network processing unit is managed as well. The biggest problem of the former scheme is that system management is inconvenient and error-prone: the same security policy has to be configured twice, and inconsistent configurations often occur. The latter scheme easily introduces a security hazard: if the network processing unit that the configuration connection attaches to is attacked or illegally controlled, it can send deliberately crafted management configuration information to the other management unit, gain illegal control of the other network processing unit, and thereby illegally connect the internal and external networks directly.
A search of the prior art found the paper "Design and realization of a network isolation monitoring and management platform" by Zhao et al. of Tongji University, published in Computer Security, 2006, issue 11, page 9. It proposes a management and configuration method for a network isolation system covering user management, log management and system configuration management, in which configuration information is communicated over Windows sockets in an ordinary client/server model. Its deficiency is that the security of the isolation system's configuration cannot be protected.
Summary of the invention
In view of the deficiencies and defects of the prior art, the present invention proposes an isolation system configuring method based on a digital certificate and a security protocol, in order to strengthen the security management of current network isolation systems. The invention relies mainly on a secure communication protocol, and at the same time on established digital certificate techniques, to guarantee the security of management; it has very high reliability and effectively overcomes the inconvenience and low security of current system management.
The invention is realized by the following technical solution. Certificates are used to verify the legitimacy and reliability of the management terminal and the user identity, and the SSL protocol is used to secure the configuration information between the management terminal and the network isolation system. At the same time, the internal-network management unit authenticates and forwards the configuration information intended for the external-network processing unit, so the isolation system administrator no longer needs to configure twice. Finally, the configuration information is received by the external-network processing unit. The configuration information for the internal-network processing unit and that for the external-network processing unit are transmitted over different SSL connections.
Using certificates to verify the management terminal and the user identity means that the reliability of the management terminal is verified mainly through an identity certificate, and that the identity certificate is also used to verify the user's identity; only a terminal and an administrator that pass certificate verification may perform remote system configuration management. When the administrator configures the isolation system through the management terminal, the USB key holding the identity certificate must be inserted into the management terminal; the management terminal submits the identity certificate on this USB key to the internal- and external-network processing units, and only after the processing units have verified the legitimacy of the identity certificate can the administrator carry out configuration operations on the isolation system.
Securing the configuration information between the management terminal and the network isolation system with the SSL protocol means that a virtual secure channel is established between the host system and the management terminal on the basis of the SSL protocol and the certificate. When configuration data is sent from the management terminal, the terminal encrypts it with the private key of the identity certificate; after the internal-network processing unit receives the ciphertext, it decrypts it with the public key corresponding to that identity certificate to obtain the correct configuration data. Even if an attacker obtains the ciphertext, the attacker can only read the configuration content using the public key; because the attacker does not know the private key of the identity certificate, the attacker cannot generate a corresponding ciphertext and therefore cannot successfully tamper with the configuration data. (The private-key operation thus works as a signature: it protects the integrity and origin of the configuration data, while confidentiality in transit is provided by the SSL channel.)
Authentication and forwarding of external-network processing unit configuration information by the internal-network management unit means specifically: after the internal-network processing unit receives configuration information from the configuration management terminal, it first distinguishes which of it is management configuration information for this unit and which is for the external-network processing unit. For information directed at this unit it performs certificate-based authentication and, once authentication passes, completes the configuration of this network processing unit according to the configuration information; configuration information directed at the external-network processing unit it does not process in any way, but sends directly to the external-network processing unit through the secure data exchange channel between the internal and external units.
Receipt of the configuration information by the external-network processing unit means specifically: after the external-network processing unit receives the configuration information forwarded from the internal-network processing unit, it performs certificate-based authentication itself and, once authentication passes, completes the configuration of this network processing unit according to the configuration information.
The present invention proposes a secure and convenient configuration method to improve the management of current network isolation systems. It focuses on two aspects: the convenience of management configuration and the security of management configuration. Convenience shows in two ways: a PC connected to only one network processing unit can manage the whole network isolation system, without having to connect to the two network processing units in turn; and a network security control policy needs to be configured only once rather than twice, which greatly reduces the probability of errors in the network isolation system. Security also shows in two ways: digital certificate techniques apply permission authentication to the management information, so only holders of the corresponding certificate can configure the network isolation system; and the security protocol guarantees the security of the management configuration information in transit, so that even if the internal-network processing unit is attacked and illegally controlled, the attacker cannot control the external-network processing unit and cannot achieve data exchange between the internal and external networks that violates the established security policy.
Description of drawings
Fig. 1 is a schematic diagram of the system structure adopted by the embodiment of the invention.
Embodiment
The embodiment of the invention is described in detail below with reference to the drawing. The embodiment is implemented on the premise of the technical solution of the invention and gives a detailed implementation and a concrete operating procedure, but the scope of protection of the invention is not limited to the following embodiment.
As shown in Figure 1, the implementation of network isolation system configuration that combines digital certificate technique and security protocol mainly comprises three parts: the operation of the management terminal, the operation of the internal-network processing unit, and the operation of the external-network processing unit.
(1) Management terminal operation
The management terminal offers the administrator a management configuration interface through which the administrator manages the system. Before performing system management, the administrator must submit a digital identity certificate to the management terminal, which then submits the administrator's identity certificate to the management configuration server. After verification passes, the management terminal and the management configuration server negotiate a session key and use it to establish a reliable communication connection, that is, the management information transmitted is encrypted with the session key.
The specific flow is: the management interface receives the administrator's configuration and forms the corresponding configuration information; an SSL connection is then established with the internal-network processing unit on the basis of the identity certificate, and the configuration information of the network isolation system is sent to the internal-network processing unit. During SSL connection establishment and configuration information transfer, the configuration information for the internal-network processing unit and that for the external-network processing unit are transmitted over different SSL connections.
(2) Internal-network processing unit configuration process
The configuration process of the internal-network processing unit mainly implements the configuration of the internal-network processing unit, and must also distinguish the configuration information intended for the external-network processing unit and forward it there. It specifically comprises the following functions:
1. Configuration dispatch: distinguish, by SSL connection, the SSL connection corresponding to the external-network processing unit; forward the SSL data of that connection to the external-network processing unit, and hand the data of the other SSL connection to this unit's SSL protocol processing module.
2. SSL protocol processing: receive the configuration information transmitted over the SSL connection, use the function provided by the certificate verification module to check whether the configuration management information is legitimate, and hand legitimate configuration information to the configuration implementation module.
3. Certificate verification: mainly used to complete the authentication of the identity certificate, thereby preventing illegal tampering with configuration information.
4. Configuration implementation: for the operation requests sent by the management terminal, the management configuration implementation module performs the concrete management operation according to each request, thereby fulfilling the request and realizing the administrator's management intent.
(3) External-network processing unit configuration process
The configuration process of the external-network processing unit mainly implements the configuration of the external-network processing unit and specifically comprises the following flow:
1. SSL protocol processing: receive the configuration information transmitted over the SSL connection, use the function provided by the certificate verification module to check whether the configuration management information is legitimate, and hand legitimate configuration information to the configuration implementation module.
2. Certificate verification: mainly used to complete the authentication of the identity certificate, thereby preventing illegal tampering with configuration information.
3. Configuration implementation: for the operation requests sent by the management terminal, the management configuration implementation module performs the concrete management operation according to each request, thereby fulfilling the request and realizing the administrator's management intent.
The invention provides a convenient system management configuration mode for configuring the internal- and external-network processing units: the configuration terminal no longer needs to be physically connected to the internal and external units at the same time or one after the other; it suffices that the management terminal's network is connected to the configuration network interface of the internal-network processing unit, which gives good ease of use. On the other hand, the configuration security of the network security isolation and data exchange system is also well guaranteed: even if the internal-network processing unit is completely and illegally controlled, the attacker cannot forge configuration data for the external-network processing unit and cannot achieve control of the external-network processing unit.
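The dispatch-and-verify flow of the summary and the embodiment above (the internal-network unit applies its own configuration and forwards the external unit's configuration untouched; each unit verifies the administrator's identity key for itself), as an added example that is not part of the patent: it models the identity certificate's private key with an Ed25519 key, stands in for the two SSL connections with a target field in the message, and assumes that verification of the administrator's certificate has already yielded a trusted public key. A constructed tampering case shows why a compromised internal unit cannot control the external unit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// The patent tells the two kinds of configuration apart by which SSL connection they
// arrive on; here a target name carried in the message stands in for that (assumption).
const (
	Inner = "inner" // internal-network processing unit
	Outer = "outer" // external-network processing unit
)

// ConfigMsg is a constructed configuration message. Sig is the administrator's
// identity-key signature over Target and Policy (the "encrypt with the private key" step).
type ConfigMsg struct {
	Target string
	Policy string
	Sig    []byte
}

// signedBytes binds target to policy, so a message for one unit cannot be redirected.
func (m ConfigMsg) signedBytes() []byte {
	return []byte(m.Target + "\x00" + m.Policy)
}

// Terminal is the management terminal; Priv is the identity certificate's private key (USB key).
type Terminal struct{ Priv ed25519.PrivateKey }

func (t Terminal) Sign(target, policy string) ConfigMsg {
	m := ConfigMsg{Target: target, Policy: policy}
	m.Sig = ed25519.Sign(t.Priv, m.signedBytes())
	return m
}

// Unit is a processing unit. AdminPK is the public key from the administrator's certificate.
type Unit struct {
	Name    string
	AdminPK ed25519.PublicKey
	Applied []string // policies that verified and were implemented
}

// Apply is the certificate-verification plus configuration-implementation step.
func (u *Unit) Apply(m ConfigMsg) error {
	if m.Target != u.Name {
		return fmt.Errorf("%s: message addressed to %q", u.Name, m.Target)
	}
	if !ed25519.Verify(u.AdminPK, m.signedBytes(), m.Sig) {
		return errors.New(u.Name + ": signature does not verify under administrator key")
	}
	u.Applied = append(u.Applied, m.Policy)
	return nil
}

// InnerUnit adds the configuration-dispatch step: its own configuration is verified and
// applied locally; configuration for the outer unit is forwarded without processing.
type InnerUnit struct {
	Unit
	Outer *Unit
}

func (in *InnerUnit) Receive(m ConfigMsg) error {
	switch m.Target {
	case in.Name:
		return in.Apply(m)
	case in.Outer.Name:
		return in.Outer.Apply(m) // forwarded unchanged; the outer unit verifies on its own
	default:
		return fmt.Errorf("unknown target %q", m.Target)
	}
}

// NewSystem generates a fresh administrator identity key and wires up both units.
func NewSystem() (Terminal, *InnerUnit, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Terminal{}, nil, err
	}
	outer := &Unit{Name: Outer, AdminPK: pub}
	inner := &InnerUnit{Unit: Unit{Name: Inner, AdminPK: pub}, Outer: outer}
	return Terminal{Priv: priv}, inner, nil
}

func main() {
	term, inner, err := NewSystem()
	if err != nil {
		panic(err)
	}
	fmt.Println("inner:", inner.Receive(term.Sign(Inner, "deny inbound except tcp/443")))
	fmt.Println("outer:", inner.Receive(term.Sign(Outer, "allow outbound tcp/443 only")))
	// Constructed case: a compromised inner unit rewrites the policy it forwards.
	tampered := term.Sign(Outer, "allow outbound tcp/443 only")
	tampered.Policy = "allow all"
	fmt.Println("tampered:", inner.Receive(tampered)) // the outer unit rejects it
}
```

Because the outer unit checks the administrator's signature itself, nothing the inner unit holds lets it forge or alter configuration for the outer unit, which is the security property the description claims.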

Claims (8)

1. An isolation system configuring method based on a digital certificate and a security protocol, characterized in that: certificates are used to verify the legitimacy and reliability of the management terminal and the user identity; the SSL protocol is used to secure the configuration information between the management terminal and the network isolation system; at the same time the internal-network management unit authenticates and forwards the configuration information intended for the external-network processing unit; finally the configuration information is received by the external-network processing unit; and the configuration information for the internal-network processing unit and that for the external-network processing unit are transmitted over different SSL connections.
2. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, characterized in that using certificates to verify the management terminal and the user identity means that the reliability of the management terminal is verified through an identity certificate and the identity certificate is also used to verify the user's identity, so that only a terminal and an administrator that pass certificate verification may perform remote system configuration management; when the administrator configures the isolation system through the management terminal, the USB key holding the identity certificate must be inserted into the management terminal, the management terminal submits the identity certificate on this USB key to the internal- and external-network processing units, and only after the processing units have verified the legitimacy of the identity certificate can the administrator carry out configuration operations on the isolation system.
3. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, characterized in that securing the configuration information between the management terminal and the network isolation system with the SSL protocol means that a virtual secure channel is established between the host system and the management terminal on the basis of the SSL protocol and the certificate; when configuration data is sent from the management terminal, the terminal encrypts it with the private key of the identity certificate, and after the internal-network processing unit receives the ciphertext it decrypts it with the public key corresponding to that identity certificate to obtain the correct configuration data; even if an attacker obtains the ciphertext, the attacker can only read the configuration content using the public key and, not knowing the private key of the identity certificate, cannot generate a corresponding ciphertext and therefore cannot successfully tamper with the configuration data.
4. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, 2 or 3, characterized in that the management terminal offers the administrator a management configuration interface through which the administrator manages the system; before performing system management the administrator must submit a digital identity certificate to the management terminal, which then submits the administrator's identity certificate to the management configuration server; after verification passes, the management terminal and the management configuration server negotiate a session key and use it to establish a reliable communication connection, that is, the management information transmitted is encrypted with the session key.
5. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, characterized in that authentication and forwarding of external-network processing unit configuration information by the internal-network management unit means specifically: after the internal-network processing unit receives configuration information from the configuration management terminal, it first distinguishes which of it is management configuration information for this unit and which is for the external-network processing unit; for information directed at this unit it performs certificate-based authentication and, once authentication passes, completes the configuration of this network processing unit according to the configuration information; configuration information directed at the external-network processing unit it does not process in any way, but sends directly to the external-network processing unit through the secure data exchange channel between the internal and external units.
6. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1 or 5, characterized in that the configuration process of the internal-network processing unit comprises:
1. configuration dispatch: distinguishing, by SSL connection, the SSL connection corresponding to the external-network processing unit, forwarding the SSL data of that connection to the external-network processing unit, and handing the data of the other SSL connection to this unit's SSL protocol processing module;
2. SSL protocol processing: receiving the configuration information transmitted over the SSL connection, checking with the function provided by certificate verification whether the configuration management information is legitimate, and performing configuration implementation for legitimate configuration information;
3. certificate verification: completing the authentication of the identity certificate, thereby preventing illegal tampering with configuration information;
4. configuration implementation: for the operation requests sent by the management terminal, the management configuration implementation module performs the concrete management operation according to the request, thereby fulfilling the request and realizing the administrator's management intent.
7. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, characterized in that receipt of the configuration information by the external-network processing unit means specifically: after the external-network processing unit receives the configuration information forwarded from the internal-network processing unit, it performs certificate-based authentication itself and, once authentication passes, completes the configuration of this network processing unit according to the configuration information.
8. The isolation system configuring method based on a digital certificate and a security protocol according to claim 1, 5 or 7, characterized in that the configuration process of the external-network processing unit comprises:
1. SSL protocol processing: receiving the configuration information transmitted over the SSL connection, checking with the function provided by certificate verification whether the configuration management information is legitimate, and performing configuration implementation for legitimate configuration information;
2. certificate verification: completing the authentication of the identity certificate, thereby preventing illegal tampering with configuration information;
3. configuration implementation: for the operation requests sent by the management terminal, the management configuration implementation module performs the concrete management operation according to the request, thereby fulfilling the request and realizing the administrator's management intent.
Application CN2008100378221A, priority date 2008-05-22, filing date 2008-05-22, "Isolation system configuring method based on digital certificate and security protocol", granted as CN101286871B (en), status Expired - Fee Related.


Publications (2)

Publication number, publication date:
CN101286871A (en), 2008-10-15
CN101286871B (en), 2010-12-01

Family

ID=40058853





Legal Events

Code, title:
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101201

Termination date: 20130522