CN101668013A - Network connection technology and system thereof - Google Patents

Info

Publication number: CN101668013A
Authority: CN (China)
Application number: CN200910111365A
Language: Chinese (zh)
Inventor: 刘文祥
Assignee: Individual (original and current)
Legal status: Pending (as listed by Google Patents)

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention uses conventional computers with special functions to connect computer networks of various kinds into an internetwork. A conventional computer with special functions (the identification machine) is connected directly to an interface of a conventional computer (the excellent machine) in the protected network, and to another network through a network interface. Because the networks can be connected in different ways, internetworks of different structure and purpose can be built. The excellent machine is itself a host in the excellent-machine network; an external host connects to the excellent machine but cannot connect directly to any other host in that network. The main function of the identification machine is to physically separate the excellent-machine network from the identification-machine network, and it is usually configured to connect directly to a public network. The identification machine separates the two networks physically by means of a computer interface and a network interface that are isolated from each other, and uses its computer functions to provide secure and accurate exchange of information between the excellent-machine network and the identification-machine network.

Description

Network connection technology and system thereof
Technical field
The present invention relates to modern communication technology, information processing technology and computer networking technology. When a unit (an independent body such as a government office, administrative organisation, enterprise or institution, or an individual together with the organisations belonging to them) builds or joins two or more independent computer networks, the result is called the proprietary network of that unit. The networks of a unit are coupled to each other through conventional computers so as to achieve interconnection, intercommunication and interoperability between heterogeneous or homogeneous networks. Such technology is widely used in e-government, e-commerce, electronic military affairs, e-health, electronic official business, electronic transactions, e-banking, e-tourism, e-logistics and automation control.
Background technology
In the prior art, routers perform the internetworking function, but they cannot provide security isolation between the two networks they link.
A firewall placed between an intranet and an external network (hardware, associated software and a security policy) is easily defeated by hackers using "reverse port" (reverse-connection) techniques to break into computers on the internal network behind the firewall. Deliberate damage by insiders, or their unintentional misoperation, is a serious threat to the internal network, and a firewall cannot prevent attacks and damage that originate inside the network; this is one of its major defects. A firewall also cannot control the information flow over bypass connections (for example, an intranet computer connected to an external network without authorisation); it is not suited to virus detection; it cannot guard against data-driven attacks; and it cannot fully defend against new kinds of attack.
Intrusion detection technology cannot fully automatically check for every attack; it cannot keep pace with the development of attack techniques; it is difficult for it to respond to attacks in real time; it cannot make up for defects in the various network protocols; its detection accuracy depends on the quality and completeness of the information the system provides; it cannot fully keep up with the pace of modern network hardware and software; and it cannot quickly adapt to changes in a unit's network security policy, the adjustment process being complex.
Virtual private network (VPN) technology is based mainly on the recently developed LAN switching technologies (asynchronous transfer mode and Ethernet switching). Switching turns traditional broadcast-based LAN technology into a connection-oriented technology: Ethernet uses broadcasting, but with switches and virtual LANs (VLANs) it in effect becomes point-to-point communication. Two network topologies are in use, hub-and-spoke and full mesh. In a hub-and-spoke layout a central site connects to many remote sites; the customer-edge router at the central site is very expensive, its price growing with the number of remote sites, and packet delay between two sites far exceeds that of direct communication. In a full-mesh layout the number of tunnels that must be supported grows geometrically with the number of sites: a VPN of 100 sites needs 4950 tunnels, which is impractical. Security is another significant problem. Every customer-edge router connected to the Internet must be protected by measures such as a firewall, but each such firewall must be opened to the provider so that it can access the equipment, which is itself a security risk, and managing all these firewalls becomes very difficult when the network is large. Secure Sockets Layer (SSL) VPNs are suited only to site-to-network connections and cannot provide secure intercommunication among several networks. Traditional firewalls, moreover, cannot decrypt and inspect the encrypted connections of a VPN and therefore do not let VPN traffic through.
Antivirus technology consists mainly of virus prevention, virus detection and virus removal. As virus technology develops, the number of virus types and intrusion routes grows, and so does the damage. Against this great variety of viruses, relying on antivirus technology alone for prevention, detection and elimination is far from sufficient; once a system is attacked by a virus, the consequences can be disastrous and the losses heavy.
Summary of the invention
The task of the present invention is to connect computer networks of various kinds into an internetwork using conventional computers with specific functions. A conventional computer with specific functions (the identification machine) is connected directly to an interface of a conventional computer (the excellent machine) in the protected network, and to another network through a network interface. Because the networks can be interconnected in different ways, internetworks of different structure and purpose can be built.
1. In a unit's internal network, the host that has the most complete set of the external service functions the unit needs, or that the unit designates on the basis of its external services, is called the conventional computer with the advantaged functions of that network, or the excellent machine for short. That network is called the excellent-machine network. The excellent machine is itself a host in the excellent-machine network. An external host connects to the excellent machine and cannot connect directly to any other host in the excellent-machine network.
The excellent machine runs a network address translation (NAT) program, which can identify the name or Internet Protocol (IP) address of every computer in its network. NAT converts the internal addresses of computers in the excellent-machine network into legal IP addresses for use on the internetwork; it also hides the IP addresses of the excellent-machine network and so protects it. NAT is a standard program of the excellent machine.
The excellent machine has two physically isolated kinds of interface: one used to connect to the network and handle the details of transmitting and receiving, and one used to connect directly to another computer.
Because the excellent-machine network is not connected directly to other networks, the excellent machine can be refined to improve the efficiency and reliability of the network system. The excellent machine also has module slots for extending its functions.
For internal security the excellent-machine network can use diskless workstations. The workstation's boot program is placed in the network adapter card; as soon as the workstation is powered on it connects automatically to a server in the network. The hard disk the user sees is not the workstation's own disk but a mirror disk allocated to it by the server. Diskless workstations have two advantages: they prevent people from freely copying programs and data from the network, and they prevent viruses from entering the server from a workstation.
The excellent machine is the first barrier isolating the excellent-machine network from outside computers.
2. The host that interconnects the excellent machine of an excellent-machine network with other networks, and controls the intercommunication of information between designated computers in those two networks, is called the conventional computer for identifying information in that network, or the identification machine for short. The network that the identification machine connects to (excluding the identification machine itself) is called the identification-machine network.
Split domain name (split DNS) technology isolates the name server of the protected excellent-machine network from the name server of the identification-machine network, hiding the IP addresses of hosts in the excellent-machine network.
The identification machine contains supervisory programs for handling information of various kinds, and can run several client-server programs concurrently.
The main function of the identification machine is to physically isolate the excellent-machine network from the identification-machine network. It is usually configured to connect directly to the public network; it is therefore the only computer exposed to attack from the public network, and in this way it protects the excellent-machine network.
The design principles of the identification machine are: minimal services, monitoring and prevention, system security, flexible functions, and convenient configuration. Its external storage needs only the operating system and the standard programs to be installed and configured.
If the identification machine provides faster home-page browsing for its network, it needs larger external storage, and it can also keep fine-grained logs.
A wide-area network interface can be installed on the identification machine, with support for routing protocols, so that it performs the functions of a router. It also has module slots for extending its functions.
The identification machine can have several computer interfaces, each connected to the excellent machine of a different excellent-machine network with a different function.
The identification machine can use various cryptographic algorithms to support digital signatures, authentication, integrity checking, key management, and secure, confidential transmission.
3. The excellent machines of the excellent-machine networks, connected according to the network topology, are each connected to a corresponding identification machine through mutually physically isolated computer interfaces. The other network interface of each identification machine is connected to the same public network. These excellent-machine networks, identification machines and the public network together form a system called the unit's proprietary network (private network) (Fig. 1).
This network interconnection technique places the identification machine on the only path between the excellent-machine network and the identification-machine network. Through its mutually isolated computer interface and network interface, the identification machine physically isolates the two networks; through its computer functions it provides secure and accurate exchange of information between them.
Information is encrypted while in transit across the public network. Information sent by a source computer in an excellent-machine network passes through the excellent machine to the source-end identification machine, is encrypted, crosses the public network to the destination-end identification machine, is decrypted, is forwarded to the destination-end excellent machine, and finally reaches the destination computer.
Digital encryption techniques are of three kinds: symmetric key, asymmetric key and one-way functions.
The unit's proprietary network combines the security and quality of service of the excellent-machine networks with the simple structure and low cost of the public network to form a complete information channel. The information flows of this system are transmitted over the public network in encrypted form, which guarantees the authenticity, integrity and confidentiality of the information. The unit's proprietary network is able to resist hacker attacks coming over the public network.
A computer network system has many methods of verifying user identity.
The unit's proprietary network can, through application-layer security, apply hierarchical security management to each file transmitted.
4. The internal networks of a unit's headquarters and of its branches distributed over different geographical regions each have their excellent machine connected, through an identification machine, to the Internet, forming a secure and reliable unit proprietary network called the unit's interconnected network (intranet internet), or intranet for short (Fig. 2). Information exchange between two hosts of this network is secure and accurate because the intranet is a special case of the unit proprietary network, with the public network over which the two hosts communicate securely and accurately designated as the Internet.
Individual paragraphs of a file can also be encrypted according to their different security classifications.
5. A unit's intranet can exchange information with the internal networks of the unit's partners while providing a certain degree of protection against unauthorised access to the intranet. To achieve this, the excellent machines of one or more partner internal networks are each connected to the Internet through a computer equipped with the unit's standard identification-machine programs plus an added information-control program. The unit's intranet and these partner internal networks, each with its own identification machine, together with the Internet, form a secure and reliable proprietary network called the unit's external Internet network (extranet internet), or extranet for short (Fig. 3). It serves secure and accurate communication between internal hosts of the unit's headquarters and branch networks, and secure and accurate information exchange between the unit's intranet and the networks of designated partners.
The identification machine connected to the unit's excellent-machine network can recognise the various information arriving from the Internet, and allows only information from computers in the unit's other excellent-machine networks and in designated partner networks, after decryption, to enter the receiving computer of this excellent-machine network.
The identification machine connected to a designated partner network can recognise the various information arriving from the Internet, and allows only information from computers in the unit's excellent-machine networks, after decryption, to enter the partner's excellent machine, which forwards it to the receiving computer.
6. A remote client of the unit, once connected to the Internet, can log in to the unit's internal network. The system formed by these client computers, the intranet and the Internet is called the unit's remote access internet, or access net for short (Fig. 4). It connects the unit to the Internet and provides secure and accurate information exchange between remote mobile users and the unit's intranet.
Authorised access is achieved by client identity verification: access information on the Internet must pass the authentication and authorisation of the identification machine serving the access-net client.
Secure and accurate information exchange between a client and the unit's proprietary network over the Internet should use strong data encryption and identity authentication. Public-key cryptographic algorithms are generally used for authentication and key exchange; symmetric encryption is used to encrypt and decrypt the information itself.
7. The basic framework (Fig. 5) of the e-government local area network (LAN) of a party committee and government at any level, or of a department under it, has three layers: the government-affairs extranet, the intranet and the core net. This e-government network is called the government-affairs net. The Internet and the extranet, the extranet and the intranet, and the intranet and the core net are each physically isolated by an identification machine. Within the intranet, the data servers and the computers operated by general internal staff are logically isolated, and diskless workstations may be used as circumstances require: when a user operates a host (client or browser), a logical server is enabled automatically, the host's own storage devices (hard disk, optical drive and floppy drive) are masked, and the service process server allocates a mirror disk to the host, which prevents internal staff from freely copying important resources from the intranet. Diskless workstations can likewise be used in the core net to prevent internal staff from copying the core net's valuable resources.
The excellent machines of the e-government LANs distributed across the whole country are connected to the Internet through identification machines, building a proprietary government-affairs wide-area network called the e-government internet (Fig. 5), or government-affairs net for short.
On the government-affairs net, the interconnected network operates the party committee's and government's external supervision functions and service responsibility system. The servers on the Internet operated by government staff run the main application systems: query and publication of government public information, economic information and social information; online tax, online industry and commerce, online petitions, online social security, electronic ID registration, enterprise registration, urban transport information and statistics of all kinds; declarations and applications for every plan open to society; and publication and execution of public-utility information of all kinds.
The extranet operates the administrative office network inside party committees and government bodies, running the relatively independent party-affairs and government-affairs management application systems; its users are mainly general party-affairs and government-affairs staff.
The intranet mainly carries, between the intranets of party committees and governments (departments) at all levels, the circulation, review and processing of official documents and internal business inside the government, and, between the intranets from the central level down to city- and county-level party committees, document transmission, information exchange and multimedia applications. Its main users are city- and county-level leaders and confidential staff.
The core net covers the core office systems of party and government leaders, major decisions of the party and state, and systems such as command, emergency response, government supervision and the application of core data of all kinds. Its main services are the arrangement of leaders' affairs; analysis, decision-making and command for major events; and analysis and preservation of information relating to national security, trade secrets or personal privacy. Its users are central, provincial and ministerial leaders and confidential staff.
Central, provincial and ministerial party committees and governments have a core net; city- and county-level governments have an intranet; town and township governments have an extranet. This can be decided according to actual needs.
The networks of the government-affairs net are divided into several security levels according to the classification of the information and application systems they carry, and physical isolation between levels is achieved with identification machines.
The extranet (the information and service publication net) uses dynamic content monitoring and automatic refresh to ensure the integrity and accuracy of the information.
The intranet (internal application layer) uses a unified high-strength encrypted transmission channel, sets up access control rules inside each application system, and establishes computer virus control and prevention mechanisms covering the whole intranet together with strict control of access to intranet resources.
The core net (secure application layer) uses a very high-strength encrypted transmission channel.
8. The computers of customers and merchants and the networks of their banks of deposit, each connected separately to the Internet, form the commerce net (Fig. 6). The commerce net carries online transactions and payments over the open Internet, so it should use digital encryption and authentication (digital signature) techniques. Public-key algorithms are generally used; the most common public-key encryption algorithm is RSA.
Online commercial transactions and payments use the new method in which each merchant and customer holds a key pair (a public key and a private key), with the private key kept secret. The buyer on the commerce net holds a deposit and a password at their bank of deposit (the customer bank below); the seller's bank of deposit (the merchant bank below) holds the merchant's password and network address in advance.
The basic procedure of a commerce-net transaction and payment (Fig. 6):
(1) The client computer (or browser) connects to the Internet, browses, selects and orders goods with a web browser, fills in the online order (including the name of the customer bank), and submits the order to the merchant online.
(2) The merchant's server checks and confirms the customer's order information and returns to the customer, online, the price of each item, the total price, the merchant's public key, the merchant's network address, and the name of the merchant bank and the merchant's account.
(3) After the customer confirms, the customer encrypts the customer-bank password with the customer's private key; this ciphertext serves as the digital signature. The digital signature, the customer-bank account number, the customer's network address, the payment amount, the merchant bank and account number, the customer's public key and so on are encrypted with the customer bank's published public key, and these ciphertexts are sent to the customer bank.
(4) The customer bank decrypts the ciphertext with its own private key, obtaining the plaintext the customer sent and the customer's digital signature; it then decrypts the digital signature with the customer's public key taken from the plaintext. It compares the decrypted password with the password the customer has on file; only when they match is the information confirmed to have been sent by the customer.
(5) The customer bank encrypts the merchant's account number with its own private key as its digital signature; it encrypts the amount to be collected, the customer's public key and the merchant's public key with the merchant bank's published public key and sends them to the merchant bank.
(6) When the merchant bank receives the customer bank's ciphertext, it decrypts it with its own private key to obtain the plaintext information and its digital signature, then decrypts the digital signature with the public key published by the customer bank; if this succeeds, the information is confirmed to have come from the customer bank.
(7) The merchant bank encrypts the amount received and the merchant's password with the merchant's public key from the plaintext and sends them to the merchant. The merchant decrypts with its own private key; if the merchant confirms that its password is correct, it ships the goods or provides the service to the customer.
(8) When the customer receives the goods, the customer encrypts a payment confirmation and the password with the customer bank's public key and sends it to the customer bank. The customer bank deducts the purchase amount from the customer's account at that bank, credits that amount to the merchant bank's account, and informs the merchant bank to add the purchase amount to the merchant's account.
At this point a typical e-commerce transaction and payment process is complete. The merchant and the customer can query their own balances over the network.
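Steps (1) to (8) above, run end to end as a simulation. This is an added example, not the patent's own code. The party names, accounts, passwords and balances are made up; textbook RSA on small fixed primes stands in for real RSA, and a SHA-256 counter keystream stands in for a real symmetric cipher, so the block is an illustration of the message flow and never a basis for real payments. The signature and verification functions do exactly what the steps say ("encrypt with the private key", "decrypt with the public key"), applied to a hash of the data.

```python
"""Simulation of the commerce-net transaction flow, steps (1)-(8). Constructed illustration only."""
import hashlib
import json
import secrets

E = 65537
# Two small, publicly known primes per party (constructed key material; far too small for real use).
PRIMES = {
    "customer": (1000000007, 998244353),
    "merchant": (1000000009, 999999937),
    "customer_bank": (2147483647, 754974721),
    "merchant_bank": (469762049, 167772161),
}

def is_prime(n):  # trial division is fine for the 30-bit primes used here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_key(p, q):
    assert is_prime(p) and is_prime(q)
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub(key):
    return {"n": key["n"], "e": key["e"]}

def h_int(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def sign(priv, data):            # "encrypt with the private key": RSA applied to a hash of the data
    return pow(h_int(data, priv["n"]), priv["d"], priv["n"])

def verify(pubkey, data, sig):   # "decrypt with the public key" and compare with the hash
    return pow(sig, pubkey["e"], pubkey["n"]) == h_int(data, pubkey["n"])

def xor_stream(key, data):       # toy stream cipher: SHA-256 counter keystream XORed onto the data
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(pubkey, obj):           # "encrypt with the recipient's public key": RSA-wrapped session key + stream cipher
    k = secrets.randbelow(pubkey["n"] - 2) + 2
    return {"k": pow(k, pubkey["e"], pubkey["n"]), "c": xor_stream(k.to_bytes(8, "big"), json.dumps(obj).encode()).hex()}

def unseal(priv, env):
    k = pow(env["k"], priv["d"], priv["n"])
    return json.loads(xor_stream(k.to_bytes(8, "big"), bytes.fromhex(env["c"])))

def run_transaction(customer_password="hunter2", price=120):
    keys = {name: make_key(p, q) for name, (p, q) in PRIMES.items()}
    cb = {"pw": "hunter2", "balances": {"C-001": 500}}       # customer bank: password on file and deposit
    mb = {"pw": "shop-secret", "balances": {"M-009": 0}}     # merchant bank: merchant's password and account
    def result(status):
        return {"status": status, "balances": {**cb["balances"], **mb["balances"]}}
    # (1)-(2): order and quote; the merchant returns its public key and bank details in clear
    quote = {"total": price, "merchant_pub": pub(keys["merchant"]), "merchant_bank": "MB", "merchant_account": "M-009"}
    # (3): the customer signs the bank password and seals the order for the customer bank
    to_cb = seal(pub(keys["customer_bank"]), {
        "sig": sign(keys["customer"], customer_password), "account": "C-001", "amount": quote["total"],
        "merchant_bank": quote["merchant_bank"], "merchant_account": quote["merchant_account"],
        "merchant_pub": quote["merchant_pub"], "customer_pub": pub(keys["customer"])})
    # (4): the customer bank checks the signature against the password it holds. Note that the password is
    # the only thing authenticating the customer: the public key arrived inside the very message it vouches for.
    m = unseal(keys["customer_bank"], to_cb)
    if not verify(m["customer_pub"], cb["pw"], m["sig"]) or cb["balances"][m["account"]] < m["amount"]:
        return result("rejected by customer bank")
    # (5): the customer bank signs the merchant account number and forwards amount and keys to the merchant bank
    to_mb = seal(pub(keys["merchant_bank"]), {
        "sig": sign(keys["customer_bank"], m["merchant_account"]), "amount": m["amount"],
        "customer_pub": m["customer_pub"], "merchant_pub": m["merchant_pub"], "merchant_account": m["merchant_account"]})
    # (6): the merchant bank verifies the customer bank's signature with the customer bank's published key
    n = unseal(keys["merchant_bank"], to_mb)
    if not verify(pub(keys["customer_bank"]), n["merchant_account"], n["sig"]):
        return result("rejected by merchant bank")
    # (7): the merchant bank sends amount and merchant password under the merchant's public key; the merchant ships
    o = unseal(keys["merchant"], seal(n["merchant_pub"], {"amount": n["amount"], "pw": mb["pw"]}))
    if o["pw"] != mb["pw"]:
        return result("merchant could not confirm its password")
    # (8): the customer confirms receipt under the customer bank's public key; the banks move the money
    conf = unseal(keys["customer_bank"], seal(pub(keys["customer_bank"]),
                                             {"received": True, "pw": customer_password, "account": m["account"]}))
    if not (conf["received"] and conf["pw"] == cb["pw"]):
        return result("receipt not confirmed")
    cb["balances"][conf["account"]] -= m["amount"]
    mb["balances"][n["merchant_account"]] += n["amount"]
    return result("paid and shipped")
```

Running `run_transaction()` returns the status "paid and shipped" with balances C-001 = 380 and M-009 = 120; `run_transaction(customer_password="wrong")` stops at step (4). Two points a reviewer of the flow should note: the step-(3) "signature" is only as strong as the secrecy of the bank password, because the customer's public key is not bound to the customer by anything else; and "encrypting with the private key" is only a signature when applied to a hash with proper padding (RSA-PSS or similar), which this toy omits.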
9. The deployment and structure of the protected networks and identification machines are the basis for securing a unit's internal network. They are sometimes used to increase reliability: if one excellent-machine network fails, the identification machine can still reach the public network through a second excellent-machine network. A multi-homed identification machine can also be used to increase performance: connected to several excellent-machine networks, it can send information directly and sometimes avoid congested routers. A multi-homed identification machine has several protocol addresses, one per network connection, each identifying the connection between the identification machine and one network.
The identification machine can, through special security measures, further protect the systems in the excellent-machine network from deliberate or accidental damage. These concern mainly user accounts and passwords; adding new features to the application programs and function software of the excellent-machine network, improving functions, correcting errors and patching newly discovered security holes; and examining the identification machine's logs for failed attack attempts and for accounts with more login failures than others.
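A log review of the kind the paragraph above calls for, as an added example that is not part of the patent: it parses the identification machine's login log, counts failures per account, lists the accounts with more failures than the others, and flags two further patterns a practitioner looks for in the same data (one source failing against several accounts, and a success that follows a run of failures). The log lines and their `login user=... src=... result=...` format are constructed for this illustration; a real system's log format needs its own regular expression.

```python
"""Review of identification-machine login logs for failed attempts. Constructed sample data."""
import re
from collections import Counter, defaultdict

# Constructed sample log (not from any real system); one line deliberately does not match the format.
SAMPLE_LOG = """\
2009-09-01 08:00:01 login user=alice src=10.1.1.5 result=ok
2009-09-01 08:00:07 login user=bob src=10.1.1.9 result=fail
2009-09-01 08:00:09 login user=bob src=10.1.1.9 result=fail
2009-09-01 08:00:12 login user=bob src=10.1.1.9 result=ok
2009-09-01 08:01:30 login user=root src=203.0.113.7 result=fail
2009-09-01 08:01:31 login user=root src=203.0.113.7 result=fail
2009-09-01 08:01:32 login user=root src=203.0.113.7 result=fail
2009-09-01 08:01:33 login user=admin src=203.0.113.7 result=fail
2009-09-01 08:01:34 login user=root src=203.0.113.7 result=fail
2009-09-01 08:02:00 login user=carol src=10.1.1.20 result=ok
2009-09-01 08:02:30 sshd: connection closed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

def parse(log_text):
    """One dict per line that matches the assumed format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def failures_per_account(events):
    return Counter(e["user"] for e in events if e["result"] == "fail")

def accounts_above(events, minimum=3):
    """Accounts with at least `minimum` failed logins, most failures first."""
    return [(user, count) for user, count in failures_per_account(events).most_common() if count >= minimum]

def sources_hitting_many_accounts(events, minimum_accounts=2):
    """Sources whose failures spread over several accounts (the password-spraying pattern)."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            seen[e["src"]].add(e["user"])
    return {src: len(users) for src, users in seen.items() if len(users) >= minimum_accounts}

def success_after_failures(events):
    """Successful logins preceded by failures from the same source on the same account."""
    streak, hits = Counter(), {}
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            streak[key] += 1
        else:
            if streak[key]:
                hits[key] = streak[key]
            streak[key] = 0
    return hits

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failures per account:", dict(failures_per_account(ev)))
    print("accounts above threshold:", accounts_above(ev))
    print("sources hitting many accounts:", sources_hitting_many_accounts(ev))
    print("success after failures:", success_after_failures(ev))
```

On the sample, `root` is the only account above the default threshold, the source 203.0.113.7 is flagged for trying two accounts, and `bob` is reported because a success followed two failures from the same source, which is worth a look whether it was a typo or a guessed password.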
Description of drawings
Fig. 1: The excellent machines of the excellent-machine networks, connected according to the network topology, are each connected to a corresponding identification machine through mutually physically isolated computer interfaces. The other network interface of each identification machine is connected to the same public network. These excellent-machine networks, identification machines and the public network together form the unit's proprietary network.
Fig. 2: The internal networks of a unit's headquarters and of its branches distributed over different geographical regions each have their excellent machine connected through an identification machine to the Internet, forming a secure and reliable intranet.
Fig. 3: A unit's intranet and one or more partner internal networks, each through its own identification machine and the Internet, form a secure and reliable extranet.
Fig. 4: The system formed by the unit's remote clients, the intranet and the Internet is the access net.
Fig. 5: The e-government LAN of central and local party committees and governments (departments). The three-layer basic framework of government-affairs extranet, intranet and core net is the government-affairs net.
Fig. 6: The e-commerce transaction and payment network. The computers of customers and merchants and the networks of their banks of deposit, each connected separately to the Internet, form the commerce net.
Embodiment
According to the concrete condition that is connected various computer networks, adopt conventional computer that these networks are coupled to each other, form various multi-form internet.This conventional computer must be installed the function program of some standards.It can also increase the program that some specific functions are installed according to the needs of setting up the difference in functionality network simultaneously.
1, the internal network of unit is by its geographic range, can constructing local network, metropolitan area network and wide area network.In these networks, according to the needs of the external service function of network, can specify a conventional computer wherein is excellent machine.This computer must increase network address translation program function module.For internal network security, wherein a part of work station can change the non-disk workstation into.The non-disk workstation is used by the general staff, and the tep reel work station is by personnel's use of appointment.
2. A conventional computer or workstation with a "source-end encryption program", "destination-end decryption program" and "program-auditing program" installed, connected directly through one of its input/output interfaces to the input/output interface of the excellent machine and directly through its network interface to another network, is the identification machine. Other function programs may be added to it as required.
Source-end encryption program function: the source-end identification machine takes the plaintext to be sent over the common network and appends the symmetric key to it; the combined data is fed into a one-way hash function (message digest), giving a hash value (the source-end hash value); the source-end hash value is then appended to the plaintext (without the key) and the result is encrypted with the key to form the ciphertext; finally the ciphertext is sent to the destination-end identification machine.
Destination-end decryption program function: the destination-end identification machine decrypts the received ciphertext with the pre-agreed shared key, obtaining the plaintext and the source-end hash value; the key is appended to the plaintext (without the hash value); the combined data is fed into the pre-agreed one-way hash function, giving the destination-end hash value; this hash value is compared with the received source-end hash value. If the two hash values are identical, the information is confirmed as sent by a legitimate source-end identification machine and is accepted; otherwise it is discarded.
The source-end encryption program and the destination-end decryption program are integrated and installed on the identification machine. With the appropriate selection made when the identification machine runs, the identification machine can transmit information safely over the common network.
Program-auditing program function: after the source-end identification machine receives plaintext it checks the information, gathers any programs found in it together and shows them on the computer's display. If these programs are legitimate they are allowed through; if the user selects the "always allow" check box at the first prompt, the identification machine does not ask again when it meets these programs later and allows them through. If the user does not answer within a set time or selects "do not allow", the identification machine discards the program. The source-end identification machine runs this program first.
Once the "program-auditing program" is installed on the identification machine, it can prevent viruses from attacking the excellent-machine network that the identification machine protects.
Backup and disaster recovery programs are also standard programs of the identification machine.
3. A unit's business clients, business browsers, business workstations, business servers, database servers, Web servers and so on are built together with an excellent machine, using local area network or wide area network technology, into the unit's internal network at each location. The excellent machine of each internal network is connected to an identification machine; each identification machine is in turn connected to the same common network, forming the unit's proprietary network (Fig. 1).
When information is to be sent from a computer in one internal network of the unit's proprietary network to a computer in another internal network, it first reaches the source-end identification machine through the excellent machine. There it is virus-checked by the "program-auditing program" and encrypted by the source-end encryption program into ciphertext, then forwarded over the common network (generally the Internet). It arrives at the destination-end identification machine, where the destination-end decryption program decrypts the ciphertext back into plaintext. The destination-end identification machine forwards the plaintext to its excellent machine, whose network address translation program delivers it to the receiving computer in the excellent-machine network. Such information transmission is safe and reliable.
A simple approach to authentication is to set up a database of usernames and passwords in each identification machine.
The identification machine can distinguish the different security requirements of a particular file and has flexible means of handling the security of a single file. For example, a unit may need to apply a digital signature to individual paragraphs of a file it sends. The security functions provided by lower-layer protocols generally know nothing of the paragraph structure of a file and so cannot tell which part should be signed; the application layer is the only layer that can provide this security service.
4. The Intranet is networked in the same way as the unit proprietary network, except that its common network is designated as the Internet. Since the unit proprietary network can exchange information safely and accurately, so can the Intranet.
If, for a file transmitted over the Internet, the security level of some paragraphs is raised by one level, the following functions are added. In front of the source-end encryption program of the identification machine: the paragraphs of higher security level in the plaintext are first encrypted with another shared symmetric-algorithm key (an asymmetric cipher or other method may also be used); the list of positions of the encrypted paragraphs is appended after the plaintext containing the encrypted paragraphs, the key is appended, and the (source-end) hash value is obtained. After the destination-end decryption program of the destination-end identification machine: using the list of encrypted-paragraph positions appended to the plaintext, the ciphertext at each indicated position is decrypted with the other pre-agreed shared symmetric key, yielding the complete plaintext.
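The source-end and destination-end procedure of step 2, together with the raised-level paragraph handling of step 4, as an added Python example (not code from the patent). It assumes SHA-256 as the one-way hash, a SHA-256 counter-mode keystream as a stand-in for the unspecified symmetric cipher (demonstration only; a deployment would use an authenticated cipher such as AES-GCM), hex encoding and a blank line as paragraph framing, and constructed keys and sample text; the hash-of-data-plus-key check is kept as the patent describes it and is not the standard HMAC construction.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Sequence

# Constructed demonstration keys (assumptions, not values from the patent).
KEY_1 = b"shared-key-between-identification-machines"  # transport key of step 2
KEY_2 = b"second-shared-key-for-sensitive-paragraphs"  # raised-paragraph key of step 4
PARA_SEP = b"\n\n"  # paragraph framing assumed for the constructed file


def sym_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The label (message nonce, plus paragraph index for KEY_2) keeps every
    keystream distinct; a real deployment uses AES-GCM or similar instead."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + label + struct.pack(">I", off // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[off : off + 32], ks))
    return bytes(out)


def source_end_encrypt(plaintext: bytes, raised: Sequence[int] = ()) -> bytes:
    """Source-end identification machine: encrypt raised paragraphs under KEY_2,
    append the position list, hash (text || positions || KEY_1), then encrypt
    (text || positions || hash) under KEY_1. KEY_1 itself is never sent."""
    nonce = os.urandom(16)
    paragraphs = plaintext.split(PARA_SEP)
    positions = sorted(set(raised))
    for i in positions:
        # hex keeps the binary result from colliding with the paragraph separator
        enc = sym_cipher(KEY_2, nonce + str(i).encode(), paragraphs[i])
        paragraphs[i] = enc.hex().encode()
    body = PARA_SEP.join(paragraphs)
    pos_field = ",".join(str(i) for i in positions).encode()
    rest = body + b"|" + pos_field
    digest = hashlib.sha256(rest + KEY_1).digest()  # source-end hash value
    return nonce + sym_cipher(KEY_1, nonce, rest + digest)


def destination_end_decrypt(
    ciphertext: bytes, paragraph_key: Optional[bytes] = KEY_2
) -> Optional[bytes]:
    """Destination-end identification machine: decrypt under KEY_1, recompute and
    compare the hash, then (only if this machine holds KEY_2) restore the raised
    paragraphs. Returns None when the information must be discarded."""
    if len(ciphertext) < 16 + 32:
        return None
    nonce = ciphertext[:16]
    packet = sym_cipher(KEY_1, nonce, ciphertext[16:])
    rest, received = packet[:-32], packet[-32:]
    expected = hashlib.sha256(rest + KEY_1).digest()  # destination-end hash value
    if not hmac.compare_digest(received, expected):
        return None  # not from a legitimate source end, or altered in transit
    body, _, pos_field = rest.rpartition(b"|")
    positions = [int(p) for p in pos_field.split(b",") if p]
    paragraphs = body.split(PARA_SEP)
    if paragraph_key is not None:
        for i in positions:
            raw = bytes.fromhex(paragraphs[i].decode())
            paragraphs[i] = sym_cipher(paragraph_key, nonce + str(i).encode(), raw)
    return PARA_SEP.join(paragraphs)


# Constructed sample file: paragraph 1 is raised one security level.
SAMPLE_FILE = PARA_SEP.join([
    b"Notice to all branches: quarterly report is due on Friday.",
    b"Transfer authorisation code for branch 3: (sensitive content).",
    b"Regards, headquarters.",
])


def demo() -> tuple:
    """Round trip, plus a transit modification that the hash check must reject."""
    ct = source_end_encrypt(SAMPLE_FILE, raised=[1])
    ok = destination_end_decrypt(ct) == SAMPLE_FILE
    tampered = bytearray(ct)
    tampered[40] ^= 0x01
    rejected = destination_end_decrypt(bytes(tampered)) is None
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

Calling destination_end_decrypt with paragraph_key=None models an intermediate identification machine that holds only KEY_1: it can verify the hash and read the ordinary paragraphs, while the raised paragraph stays encrypted.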
5. In the extranet, the identification machines of the partners and those of the unit's Intranet are equipped with the same source-end encryption program and destination-end decryption program, and each identification machine holds a table of the IP addresses of all these identification machines and of the host names (or addresses) in the excellent-machine networks that they are allowed to access. In this way every identification machine can monitor the information entering and leaving its excellent-machine network and refuse illegal access to the unit's internal network.
The identification machine performs authentication by means of an Access Control List (ACL). This list simply identifies the different types of source network (represented by the identification machine's IP address). Address-based authentication is only effective when the relation between a user and an IP address is certain.
Authentication controls who may access the extranet; authorization then defines what a user, once granted access, may do with the extranet's network resources. Besides the standard programs of the Intranet, the identification machine should also have authentication and authorization programs added.
6. The client computers of the unit's users must be equipped with the standard programs of the identification machines of the unit's extranet. After the client connects to the Internet, the steps of information exchange with the unit proprietary network are:
The user encrypts the password and name left with the unit using the user's private key; the ciphertext serves as the digital signature. The plaintext, the digital signature, the user's public key and so on are encrypted with the shared key, and the ciphertext is passed over the Internet to the destination-end identification machine of the unit proprietary network. The unit decrypts the ciphertext with the shared key, obtaining the plaintext, the digital signature and the user's public key sent by the user, then decrypts the digital signature with the user's public key from the plaintext. The unit compares the password and username against the relevant information in its database; if correct, the information is confirmed as sent by the user.
The unit encrypts the password and unit name left with the user using the unit's private key; the ciphertext serves as the digital signature. The plaintext, the digital signature, the unit's public key and so on are encrypted with the shared key, and the ciphertext is passed over the Internet to the user's client computer. The user decrypts the ciphertext with the shared key, obtaining the plaintext, the digital signature and the unit's public key sent by the unit, then decrypts the digital signature with the unit's public key from the plaintext. The user compares the password and unit name against the information held; if entirely correct, the information is confirmed as sent by the unit. In this method the user's public key and the unit's public key are exchanged in advance and need not be disclosed.
7. In the government affairs net, the servers on the Internet line for general internal staff are the computers through which general internal staff and the public access each other directly. They comprise the World Wide Web (Web) application service portal and the service application modules of client/server (C/S) structure. These servers exchange information in plaintext directly with the public's browsers, workstations and servers on the Internet, so that general internal staff communicate with the public.
The servers on each government affairs extranet are installed with the internal office programs of the party committee and government offices respectively. The identification machine on the Internet, equipped with the standard identification-machine program modules, shares a key with each extranet system it needs to communicate with and exchanges public keys with it; it need only keep its own private key under strict control to provide safe and accurate information exchange between the computers of the extranets. Internal staff must use browsers, workstations and servers; if a private key is found to have leaked, the private key and public key must be changed immediately.
The process of information exchange on each in-house network:
The sending computer passes the information to the excellent machine and then to the source-end identification machine; the source-end identification machine encrypts it and passes it to the excellent machine on the extranet and to the source-end identification machine there; after a second encryption it is passed over the Internet to the destination-end identification machine on the destination's Internet side; after that machine performs the first decryption it is passed to the identification machine on the destination extranet; after the second decryption it becomes plaintext and is passed to the receiving computer inside the destination end.
The data servers, business process servers and computers used by general internal staff on the in-house network form a multi-layer client/server architecture. It gives the in-house network of the government affairs net strong scalability, robustness and maintainability; application services can be configured flexibly; and since the business logic is deployed independently, the system is easy to maintain. When the internal business and functions of a government at some level change, updating the business logic components concentrated in the middle layer is enough to maintain the system.
Information exchange on each core net is guaranteed to be completely safe and accurate.
The process of information exchange on each core net:
The sending computer passes the information to the in-house network identification machine; it is encrypted and passed to the excellent machine of the in-house network and to the source-end identification machine of the extranet; the source-end identification machine encrypts the information a second time and passes it to the excellent machine on the extranet and to the identification machine on the Internet; after a third encryption it is passed over the Internet to the destination-end identification machine on the destination's Internet side; after that machine performs the first decryption it is passed to the identification machine on the destination extranet; after the second decryption it is passed to the identification machine of the in-house network; after the third decryption it becomes plaintext and is passed to the receiving computer inside the destination core net.
8. E-commerce is the business model of online commodity transactions and electronic payment. Its key problem is real-time, safe online transaction and payment. The e-commerce network that performs safe and accurate online payment directly over the Internet is called the commerce Net (Fig. 6).
9. An identification machine whose several interfaces are connected to several networks is called a multihomed identification machine.
An identification machine may be connected to the excellent machine of one protected network, or its several physically isolated input/output interfaces may each be connected to the excellent machine of a different protected network. Within a protected network, identification machines may also be used to set up a protected network of higher security level. These different network combinations reflect the different functions and security requirements of the system.

Claims (9)

  1. The present invention relates to network interconnection, computer and information and communication technology (ICT):
    1. Technical characteristics shared by excellent machine technology and existing server-class computer technology:
    Can handle multiple client requests simultaneously; waits passively for access from clients.
    Technical characteristics of the excellent machine:
    Can identify the address (name) of each computer in the excellent-machine network; can carry out safe and accurate information exchange between the computers of its network and the connected external computers.
  2. 2. Technical characteristics shared by identification machine technology and existing client computer technology:
    Can access the various services required; is invoked directly by the user for a single session. Becomes a client when remote access is needed: the client of one service can temporarily become the client of another service, and the client of one service can also become the server of another service.
    Technical characteristics of the identification machine:
    Can contain an antivirus program and run multiple program functions concurrently. It is the only gateway for communication between hosts in the excellent-machine network and hosts in the other connected networks. It allows only legitimate, authorized information through, thereby protecting the excellent-machine network. Even if it is attacked and locks up, the backup identification machine can take over immediately without affecting the network system. It can have several physically isolated interfaces, each connected to the excellent machine of an internal network with a different function, providing different levels of security protection to the different excellent-machine networks.
  3. 3. Technical characteristics shared by the proprietary network technology of a unit and existing virtual private network technology:
    Uses dedicated network encryption and communication protocols, message authentication and identity authentication; guarantees the integrity and legitimacy of information and can verify the identity of users. Provides access control; different users have different access rights. Can adopt information encryption systems, security certification systems and access control policies at each layer of the Internet protocol stack, particularly the application layer, for the safety and accuracy of information and data transmission over the common network.
    Technical characteristics of a unit's proprietary network:
    Can build a unit proprietary network in which the common network and the internal networks are local area networks, metropolitan area networks or wide area networks. The proprietary network is expandable, trimmable, highly reliable, highly trustworthy and adaptable to complex functions. Newly added internal networks of the unit can likewise join the common network through identification machines, expanding the original proprietary network; the unit can also remove internal networks or change the computers and equipment of an internal network without affecting the original proprietary network system.
  4. 4. Technical characteristics shared by Intranet technology and existing internal virtual private network technology:
    Connects the internal networks (local area networks) of a unit distributed in different geographic locations to the Internet through identification machines, building a wide area network dedicated to the unit's internal use. Used for secure communication between hosts at the unit's headquarters and its branches, or between branches.
    Technical characteristics of the Intranet:
    Satisfies the requirements of interactive applications and stability for an Intranet with numerous internal networks. The Intranet is interoperable;
    Can distinguish the different security requirements of a particular file; can use a public-key infrastructure for authentication and key distribution.
  5. 5. Technical characteristics shared by extranet technology and existing external virtual private network technology:
    Can be used for information exchange between the unit's Intranet and the networks of the unit's partners, providing security protection against unauthorized access to internal information.
    Technical characteristics of the extranet:
    Security policies and antivirus programs are set at each layer of the computer stack, and it is operable; can recognize the different security requirements of a particular file; can use a public-key infrastructure for authentication and key distribution.
  6. 6. Technical characteristics shared by access net technology and existing remote virtual private network technology:
    Used to provide remote mobile users with secure access to the unit's Intranet; is a private network without fixed lines, so that a new access technology can be accommodated simply by updating the access policy of the dedicated network.
    Technical characteristics of the access net:
    Once a digital encryption/decryption program is added to the user's client computer, the information the user sends or receives is transmitted over the Internet as ciphertext, ensuring safe and reliable transmission and preventing important data from being stolen.
  7. 7. Technical characteristics shared by government affairs net technology and existing e-government network technology:
    Guarantees online dialogue and service with the public while guaranteeing that internal information is not leaked.
    Technical characteristics of the government affairs net:
    Through identification machines, multi-layer internal networks can be built to suit the different security needs of institutions of different grades.
  8. 8. Technical characteristics shared by commerce Net technology and existing e-commerce technology:
    Transactions such as online shopping, merchandising, auctions and online monetary payment.
    Technical characteristics of the commerce Net:
    Can use digital signatures and the undisclosed public keys of clients and merchants to verify the identities of all parties to an online transaction; can use a symmetric-key cryptosystem for the encryption and decryption of information; can use a digital digest (digital fingerprint) algorithm to confirm the authenticity of electronic payment information; can guarantee non-repudiation of transactions or actions by the client and its bank of deposit and by the merchant and its bank of deposit; the merchant cannot read the client's payment instructions and the bank cannot read the client's purchase information; the whole online payment and settlement process is convenient, easy to use and simple for the client, the merchant and the bank of deposit. The bank's proprietary network is connected to the Internet through an identification machine, which ensures its safety. This is reflected in the safety of the client's funds, the safety of the client's online banking transactions and the safety of the client's privacy.
  9. 9. Technical characteristics shared by identification machine and excellent-machine network technology and existing firewall technology:
    It is the only channel for bidirectional information flow between different networks or security domains; only authorized information may pass through;
    It is itself resistant to attack.
    Technical characteristics of the identification machine and excellent-machine network:
    Can prevent viruses from attacking the excellent-machine network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910111365A CN101668013A (en) 2009-03-30 2009-03-30 Network connection technology and system thereof


Publications (1)

Publication Number Publication Date
CN101668013A true CN101668013A (en) 2010-03-10

Family

ID=41804453


Country Status (1)

Country Link
CN (1) CN101668013A (en)


Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011091558A1 (en) * 2010-01-13 2011-08-04 Liu Wenxiang Network service
WO2011137559A1 (en) * 2010-05-04 2011-11-10 Liu Wenxiang Network charging system
WO2011147046A1 (en) * 2010-05-25 2011-12-01 Liu Wenxiang Network resource
CN102571779A (en) * 2010-12-31 2012-07-11 雷吉菲股份有限公司 Intermediary node with distribution capability and communication network with federated metering capability
CN106453352A (en) * 2016-10-25 2017-02-22 电子科技大学 Single-system multi-platform authentication method
CN106453352B (en) * 2016-10-25 2020-04-17 电子科技大学 Single-system multi-platform identity authentication method
CN106657289A (en) * 2016-12-02 2017-05-10 航天星图科技(北京)有限公司 Government affairs sharing-exchanging system
CN111492640A (en) * 2017-06-20 2020-08-04 艾德克斯实验室公司 System and method for retrieving data from non-networked, remotely located data generating devices
US12003347B2 (en) 2017-06-20 2024-06-04 Idexx Laboratories, Inc. System and method for retrieving data from a non-networked, remotely-located data generating device
CN108833364A (en) * 2018-05-24 2018-11-16 鸿策企业管理咨询(江苏)有限公司 Company's network stand-alone system
CN109981667A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 A kind of user data transmission method and device
CN109981667B (en) * 2019-04-01 2020-07-03 北京纬百科技有限公司 User data transmission method and device


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100310