CN101350814A - Safety remote access technology and gateway thereof - Google Patents


Info

Publication number: CN101350814A
Authority: CN (China)
Prior art keywords: request, module, user, authentication, access
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CNA200810045896XA
Other languages: Chinese (zh)
Inventors: 罗慧, 何志平, 孙婕, 邹雷
Current assignee: Chengdu Westone Information Industry Inc
Original assignee: Chengdu Westone Information Industry Inc
Priority date / filing date: 2008-08-26
Publication date: 2009-01-21
Application filed by Chengdu Westone Information Industry Inc; priority to CNA200810045896XA; published as CN101350814A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a secure remote access technology and a gateway implementing it. The method comprises the following steps: an SSL listening service module forwards SSL handshake requests arriving from the wide area network to an identity authentication module; after the user's request passes authentication, a client security detection module performs a security check of the remote access client machine; after the security check, a request processing module classifies the user's request; requests to access the intranet are passed to an access control module and, if the request is judged to be one the user is permitted to make, are forwarded according to the user's permissions to the different service platforms of the intranet. The invention provides a multi-level security protection method and better eliminates the security risks caused by terminal machines connecting to the intranet. It has low deployment and maintenance cost, is convenient to use, and has good market prospects.

Description

Secure remote access technology and gateway
Technical field
The present invention relates to the field of information security, and in particular to a secure remote access technology and gateway for use on open networks.
Background technology
Secure remote access is currently a popular research topic. As enterprise business expands, branch offices multiply, and the demand for access by channel partners, business partners and remote or mobile staff keeps growing. If an enterprise can guarantee that employees at remote locations can connect to the corporate intranet as conveniently as in the office and obtain the data they need accurately and in time, its operating efficiency improves greatly.
The traditional approach to remote access uses dedicated private lines. In recent years enterprises have increasingly adopted the newer VPN technology for remote access and network interconnection. VPN is the abbreviation of Virtual Private Network: a private dedicated network built over a public interconnection network. It is called "virtual" because the data, although encrypted, still travels over the public network rather than over a physically isolated private network. Because it uses public network transport, a VPN is cheap compared with a leased line and saves the enterprise considerable cost. VPNs are secure, flexible and highly scalable, fully meet the secure communication needs of branch offices and mobile workers, and have therefore been adopted and developed rapidly in recent years.
The application filed on 2002.12.26 with application number 02128102.5, titled "Proxy-mode secure remote access technology", discloses a proxy-mode secure remote access technology with a PCI interface that is seamlessly embedded in the WIN2000/XP kernel; it is, specifically, a technique for implementing a VPN at the IP layer. That invention solves the problem of establishing a secure remote access tunnel, but its configuration is complex, the client must install complicated software, and as the number of users grows the difficulty of managing the VPN increases geometrically. In practice it therefore suffers from high deployment and maintenance costs.
The application filed on 2003.9.29 with application number 03151410.3, titled "Rapid deployment method for security hardening of WEB applications", discloses a method of hardening access to WEB services with SSL, but it does not extend this hardening to other C/S applications and can only be used to protect back-end WEB services.
Summary of the invention
The object of the present invention is to provide a secure remote access technology that is safe, convenient and easy to use, with low deployment and maintenance cost.
Another object of the present invention is to provide a secure remote access gateway.
These objects are achieved by the following technical solution:
A secure remote access technology, characterised in that it comprises the steps of:
after an SSL listening service module receives an SSL handshake request from the wide area network, it forwards the user's identity authentication request and handles all HTTPS packets;
an identity authentication module authenticates the forwarded request; if authentication succeeds the flow enters the next step, otherwise the user's request is rejected;
a client security detection module performs a security check on the remote access client machine; if the check passes the flow enters the next step, otherwise the user's request is rejected;
a request processing module classifies the user's request: a Web application request is handed to the WEB application processing module, which serves the WEB page; a request to access the internal LAN is passed to the access control module;
the access control module obtains the user's access policy from the policy database and makes an access control decision on the user's request: a request judged to lack permission is rejected; a request judged to be permitted is passed to the internal application processing module, which, according to the different permissions granted to the user, admits it to the different service platforms of the internal LAN.
In one variant the user's identity authentication request is passed to a third-party authentication module; if authentication succeeds the flow enters the client security detection module, otherwise the user's request is rejected.
The secure remote access gateway provided by the present invention comprises an SSL listening service module, an identity authentication module, a client security detection module, a request processing module, a policy database, a WEB application processing module, an access control module and an application processing module;
the SSL listening service module listens for SSL handshake requests from the wide area network and handles all HTTPS packets;
the identity authentication module verifies the user's identity; a third-party authentication module may also be used to verify the user's identity;
the client security detection module is responsible for performing a security scan of the remote access client machine;
the request processing module handles the user's request: a Web application request is passed directly to the WEB application processing module, and a request to access the internal LAN is passed to the access control module;
the WEB application processing module forwards the user's request to the WEB application page;
the policy database stores the access control policies governing access to the internal LAN;
the access control module obtains the user's access policy from the policy database and makes an access control decision on the requested permissions;
the application processing module, according to the client's permissions, processes and forwards requests to the LAN and the responses of the back-end services.
The gateway of the present invention only needs to be installed and deployed at the junction of the local area network and the wide area network; no software needs to be installed on the client, and the remote user can access the LAN securely through an ordinary browser. On top of a strongly secured VPN tunnel, the present invention provides multi-level security protection, supports finer-grained authentication, authorisation and access control, and, combined with the security check of the terminal machine, better eliminates the hidden risks that terminal machines bring to the internal LAN when they connect. The invention achieves the same security strength as a VPN implemented at the IP layer, but offers better and finer control over remote users, requires no client software, is cheap to deploy and maintain, is convenient to use, and has good market prospects.
Description of drawings
The figure is a functional block diagram of the present invention.
Embodiment
As shown in the figure, the secure remote access system consists of client computers, the secure remote access gateway and a third-party authentication module. The client computers and the external network interface of the gateway are both connected to the wide area network, and the internal network interface of the gateway is connected to the internal LAN. The secure remote access gateway consists of the following modules:
(a) SSL listening service module, responsible for listening for SSL handshake requests from the wide area network and handling all HTTPS packets;
(b) identity authentication module, which verifies the user's identity and can be extended to plug in the third-party authentication module 5;
(c) client security detection module, responsible for performing a security scan of the remote access client machine;
(d) request processing module, which mainly processes requests: a Web application request is passed directly to the WEB application processing module, while a request to use the internal LAN is passed directly to the access control module;
(e) policy database, which stores the access control policies governing access to the internal LAN;
(f) WEB application processing module, which handles requests to access web pages;
(g) access control module, which obtains the user's access policy from the policy database and makes the access control decision on the request;
(h) application processing module, which performs the necessary processing and forwarding of requests to back-end services and of the responses of those services.
The specific steps by which the present invention achieves secure remote access are as follows:
Step 1: The secure remote access gateway is assigned an address reachable from the wide area network. When a remote client wants to access internal LAN resources it first opens any browser (1a) and accesses the gateway's WEB application over an HTTPS channel, so that a secure HTTPS channel is established between the browser and the gateway.
Step 2: Once the HTTPS channel is established the user is first required to log in, and the remote user must submit a valid login account and password. The SSL listening service module listens for the SSL handshake request from the wide area network, forwards the user's identity authentication request, and handles all HTTPS packets.
Step 3: After the gateway's identity authentication module receives the remote client's login request it verifies the user's identity. If authentication fails the user's attempt to log into the system is refused directly; otherwise the flow enters the next step.
Step 4: The client security detection module is downloaded automatically to the client through the web page and runs there, performing a security check of the client computer according to the specified policy. If the security check fails the user's login is refused directly; otherwise the flow enters the next step.
Step 5: The gateway creates session information for the user, the user is logged into the system, and the user's subsequent requests are handled by the request processing module. The requests it handles mainly comprise page access requests and back-end application access requests: a page request is passed directly to the WEB application module, and a back-end service request is passed directly to the access control processing module.
Step 6: The access control module obtains the user's access policy from the policy database and makes an access control decision on the user's request: a request judged to lack permission is rejected; a request judged to be permitted is passed to the internal application processing module, which, according to the different permissions granted to the user, admits it to the different service platforms of the internal LAN.
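Steps 1 to 6 above, the method steps in the summary and claim 1 all describe one pipeline: authenticate the login, check the client's security posture, create a session, classify each subsequent request, and consult the per-user policy before forwarding to the LAN. The following Python program is an added illustration of that pipeline; it is not code from the patent or from Chengdu Westone. The user store, PBKDF2 password hashing, the contents of the policy database, the posture attributes checked, and the request classification by a `kind` field are all constructed assumptions, and TLS termination by the SSL listening module (steps 1 and 2) is assumed to have happened already and is not modelled.

```python
"""Added illustration of the patent's login and request pipeline (steps 3-6).

Constructed example, not the gateway's own code. The SSL listening module is
assumed to have terminated TLS already; everything below runs on the gateway
after that point.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# --- Constructed data stores (assumptions, not from the patent) -------------
_SALT = b"constructed-static-salt"  # one fixed salt keeps the sample deterministic


def _pw_hash(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256; the patent only says 'login account and password'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS: Dict[str, bytes] = {
    "alice": _pw_hash("correct horse"),
    "bob": _pw_hash("battery staple"),
}

# Policy database (module (e)): per-user set of (host, port) reachable on the LAN.
POLICY_DB: Dict[str, Set[Tuple[str, int]]] = {
    "alice": {("erp.corp.lan", 8443), ("files.corp.lan", 21)},
    "bob": {("mail.corp.lan", 143)},
}

# Policy the client security check (module (c)) must satisfy; attributes assumed.
REQUIRED_POSTURE = {"antivirus_running": True, "firewall_enabled": True}


@dataclass(frozen=True)
class Request:
    session: str                                # session token issued at login
    kind: str                                   # "web" = gateway page, "lan" = intranet service
    target: Optional[Tuple[str, int]] = None    # (host, port) for "lan" requests


class Gateway:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}      # token -> user

    # Step 3: identity authentication module
    def authenticate(self, user: str, password: str) -> bool:
        stored = USERS.get(user)
        candidate = _pw_hash(password)          # hash even for unknown users
        return stored is not None and hmac.compare_digest(stored, candidate)

    # Step 4: client security detection module evaluates the applet's report
    def posture_ok(self, report: Dict[str, bool]) -> bool:
        return all(report.get(k) == v for k, v in REQUIRED_POSTURE.items())

    # Steps 3-5: a session exists only after both checks pass
    def login(self, user: str, password: str, report: Dict[str, bool]) -> Optional[str]:
        if not self.authenticate(user, password):
            return None                         # step 3: refuse login
        if not self.posture_ok(report):
            return None                         # step 4: refuse login
        token = secrets.token_urlsafe(32)       # step 5: create session information
        self.sessions[token] = user
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)          # applet life cycle ends with the session

    # Step 5: request processing module classifies; step 6: access control decides
    def handle(self, req: Request) -> str:
        user = self.sessions.get(req.session)
        if user is None:
            return "REJECT: no session"
        if req.kind == "web":                   # module (f)
            return "WEB: serve gateway page"
        if req.kind == "lan":                   # modules (g) and (h)
            if req.target in POLICY_DB.get(user, set()):
                host, port = req.target
                return f"FORWARD: {user} -> {host}:{port}"
            return "REJECT: no permission"
        return "REJECT: unknown request kind"


if __name__ == "__main__":
    gw = Gateway()
    good_report = {"antivirus_running": True, "firewall_enabled": True}
    tok = gw.login("alice", "correct horse", good_report)
    print(gw.handle(Request(tok, "lan", ("erp.corp.lan", 8443))))
    print(gw.handle(Request(tok, "lan", ("mail.corp.lan", 143))))
```

Two points of the design are worth noting. The session token is created only after both the authentication and the posture check have passed, which is the ordering the patent's steps 3 to 5 require; a request without a token never reaches the classifier or the policy lookup. And because the patent runs the step-4 check in an applet downloaded to the browser, the gateway only ever sees the report that code sends back: `posture_ok` validates the report against the policy, but nothing in the described flow lets the gateway confirm the report is truthful, so the policy database in step 6 remains the control that actually limits what a logged-in user can reach.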
In the figure, the gateway delivers a client Agent module through the page, downloaded automatically; it is a small program (applet) that runs on the client computer inside the client's browser. The applet's life cycle begins when the login session is established and ends when the browser is closed and the user logs out. For applications other than access to the internal LAN's WEB resources it provides client-side processing, so that secure remote access to C/S applications based on TCP/IP can be supported.
The secure remote access gateway and technology of the present invention have the following characteristics: they are based on SSL technology and use a secure cryptographic algorithm module to harden the SSL channel algorithms; no client software needs to be installed, and access is directly through the browser; multiple identity authentication modes are supported; fine-grained control of remote access users is supported, so that users' permissions to access internal resources can be controlled; remote user access detection and logout clean-up are supported; and multiple TCP/IP-based applications are supported, including WEB applications, FTP, Network Neighborhood (file sharing) and mail. Deployment and maintenance costs are low, use is convenient, and the market prospects are good.
It should be noted that although the above embodiment describes the structure of the present invention in detail, the present invention is not limited to this embodiment; every alternative structure that a person skilled in the art could arrive at from the above embodiment without creative effort falls within the protection scope of the present invention.

Claims (4)

1. A secure remote access technology, characterised in that it comprises the steps of:
after an SSL listening service module receives an SSL handshake request from the wide area network, it forwards the user's identity authentication request and handles all HTTPS packets;
an identity authentication module authenticates the forwarded request; if authentication succeeds the flow enters the next step, otherwise the user's request is rejected;
a client security detection module performs a security check on the remote access client machine; if the check passes the flow enters the next step, otherwise the user's request is rejected;
a request processing module classifies the user's request: a Web application request is handed to the WEB application processing module, which serves the WEB page; a request to access the internal LAN is passed to the access control module;
the access control module obtains the user's access policy from the policy database and makes an access control decision on the user's request: a request judged to lack permission is rejected; a request judged to be permitted is passed to the internal application processing module, which, according to the different permissions granted to the user, admits it to the different service platforms of the internal LAN.
2. The secure remote access technology of claim 1, characterised in that the user's identity authentication request is passed to a third-party authentication module; if authentication succeeds the flow enters the client security detection module, otherwise the user's request is rejected.
3. A secure remote access gateway implementing the technology of claim 1 or 2, characterised in that it comprises an SSL listening service module, an identity authentication module, a client security detection module, a request processing module, a policy database, a WEB application processing module, an access control module and an application processing module;
the SSL listening service module listens for SSL handshake requests from the wide area network and handles all HTTPS packets;
the identity authentication module verifies the user's identity;
the client security detection module is responsible for performing a security scan of the remote access client machine;
the request processing module handles the user's request: a Web application request is passed directly to the WEB application processing module, and a request to access the internal LAN is passed to the access control module;
the WEB application processing module forwards the user's request to the WEB application page;
the policy database stores the access control policies governing access to the internal LAN;
the access control module obtains the user's access policy from the policy database and makes an access control decision on the requested permissions;
the application processing module, according to the client's permissions, processes and forwards requests to the LAN and the responses of the back-end services.
4. A secure remote access gateway implementing the technology of claim 1 or 2, characterised in that the identity authentication module is a third-party authentication module used to verify the user's identity.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA200810045896XA CN101350814A (en) 2008-08-26 2008-08-26 Safety remote access technology and gateway thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA200810045896XA CN101350814A (en) 2008-08-26 2008-08-26 Safety remote access technology and gateway thereof

Publications (1)

Publication Number Publication Date
CN101350814A true CN101350814A (en) 2009-01-21

Family

ID=40269391

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200810045896XA Pending CN101350814A (en) 2008-08-26 2008-08-26 Safety remote access technology and gateway thereof

Country Status (1)

Country Link
CN (1) CN101350814A (en)

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101827090A (en) * 2010-03-25 2010-09-08 浙江中烟工业有限责任公司 External user login and backup system
CN101827090B (en) * 2010-03-25 2012-10-24 浙江中烟工业有限责任公司 External user login and backup system
US11134104B2 (en) 2011-10-11 2021-09-28 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US10469534B2 (en) 2011-10-11 2019-11-05 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US10402546B1 (en) 2011-10-11 2019-09-03 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US10063595B1 (en) 2011-10-11 2018-08-28 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US10044757B2 (en) 2011-10-11 2018-08-07 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
CN102546794A (en) * 2011-12-30 2012-07-04 华为技术有限公司 Method for directly communicating browser client with back-end server as well as gateway and communication system
US9973489B2 (en) 2012-10-15 2018-05-15 Citrix Systems, Inc. Providing virtualized private network tunnels
CN104904178B (en) * 2012-10-15 2018-09-25 思杰系统有限公司 The method and apparatus and computer-readable medium of virtual private network tunnel are provided
CN104904178A (en) * 2012-10-15 2015-09-09 思杰系统有限公司 Providing virtualized private network tunnels
US9971585B2 (en) 2012-10-16 2018-05-15 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
US9858428B2 (en) 2012-10-16 2018-01-02 Citrix Systems, Inc. Controlling mobile device access to secure data
US10908896B2 (en) 2012-10-16 2021-02-02 Citrix Systems, Inc. Application wrapping for application management framework
US10545748B2 (en) 2012-10-16 2020-01-28 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
US10284627B2 (en) 2013-03-29 2019-05-07 Citrix Systems, Inc. Data management for an application with multiple operation modes
US9985850B2 (en) 2013-03-29 2018-05-29 Citrix Systems, Inc. Providing mobile device management functionalities
US10965734B2 (en) 2013-03-29 2021-03-30 Citrix Systems, Inc. Data management for an application with multiple operation modes
US9948657B2 (en) 2013-03-29 2018-04-17 Citrix Systems, Inc. Providing an enterprise application store
US10097584B2 (en) 2013-03-29 2018-10-09 Citrix Systems, Inc. Providing a managed browser
US10701082B2 (en) 2013-03-29 2020-06-30 Citrix Systems, Inc. Application with multiple operation modes
US10476885B2 (en) 2013-03-29 2019-11-12 Citrix Systems, Inc. Application with multiple operation modes
CN103634396A (en) * 2013-11-28 2014-03-12 武汉钢铁(集团)公司 Method, gateway equipment and system for accessing intranet webpage service data
CN103716325A (en) * 2013-12-31 2014-04-09 网神信息技术(北京)股份有限公司 Security control method, device and system for network access
CN103905581A (en) * 2014-02-26 2014-07-02 曾宪钊 DNS high-speed analytical solution based on behavior differences and matched flow class attack resistance safety solution
CN104901928A (en) * 2014-03-07 2015-09-09 中国移动通信集团浙江有限公司 Data interaction method, device and system
CN103945010B (en) * 2014-05-13 2017-06-06 国家电网公司 Support to the remote browse of end main frame and the extension element of maintenance of standing
CN103945010A (en) * 2014-05-13 2014-07-23 国家电网公司 Extension module supporting remote browsing and maintenance to station-side host
CN105429807B (en) * 2015-12-29 2019-11-29 Tcl集团股份有限公司 The access method and device of local network resource
CN105429807A (en) * 2015-12-29 2016-03-23 Tcl集团股份有限公司 Local area network resource access method and device
CN105721481A (en) * 2016-03-02 2016-06-29 清华大学 Transparent-computing-based network access system and method
CN109347855B (en) * 2018-11-09 2020-06-05 南京医渡云医学技术有限公司 Data access method, device, system, electronic design and computer readable medium
CN109347855A (en) * 2018-11-09 2019-02-15 南京医渡云医学技术有限公司 Data access method, device, system, Electronic Design and computer-readable medium
CN110852611A (en) * 2019-11-08 2020-02-28 国网上海市电力公司 Real-time management and control system for construction workers on capital construction project site

Similar Documents

Publication Publication Date Title
CN101350814A (en) Safety remote access technology and gateway thereof
CN104753887B (en) Security management and control implementation method, system and cloud desktop system
CN106992984A (en) A kind of method of the mobile terminal safety access information Intranet based on electric power acquisition net
CN103441991A (en) Mobile terminal security access platform
CN101714927B (en) Network access control method for comprehensive safety management of inner network
CN101651597B (en) Deployment method of IPSec-VPN in address discrete mapping network
CN101047599B (en) Distribution SSL VPN system and construction method
US8479279B2 (en) Security policy enforcement for mobile devices connecting to a virtual private network gateway
CN100401706C (en) Access method and system for client end of virtual private network
CN110995448A (en) Block chain-based Internet of things equipment identity authentication method and system
CN106302371A (en) A kind of firewall control method based on subscriber service system and system
CN111385326B (en) Rail transit communication system
CN107046577B (en) Cloud mixing method and system
CN106330479A (en) Equipment operation and maintenance method and equipment operation and maintenance system
CN110971622A (en) Bidirectional access method and system between public network application system and intranet application system
CN109995769B (en) Multi-stage heterogeneous trans-regional full-real-time safety management and control method and system
CN115549932B (en) Security access system and access method for massive heterogeneous Internet of things terminals
CN106302413A (en) Corporate intranet access method, ios terminal, transfer processing method, transfer server
CN109165508A (en) A kind of external device access safety control system and its control method
CN202652534U (en) Mobile terminal safety access platform
CN115941236A (en) Zero trust safety protection method for edge side of power distribution network
CN106302416A (en) Corporate intranet access method, Android terminal, transfer processing method, transfer server
Gao et al. Research on zero-trust based network security protection for power internet of things
CN101917414B (en) BGP (Border Gateway Protocol) classification gateway device and method for realizing gateway function by using same
CN109120619A (en) A kind of computer network communications system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20090121