CN102333042A - Method, security gateway and system for preventing data leakage - Google Patents


Info

Publication number
CN102333042A
Authority
CN
China
Prior art keywords
packet
data
data packet
field
security gateway
Application number
CN201110336734A
Other languages
Chinese (zh)
Inventor
张武健
郑磊
Original Assignee
深信服网络科技(深圳)有限公司

Abstract

The invention discloses a method, a security gateway and a system for preventing data leakage. The method comprises the following steps: receiving a data packet from an intranet user; identifying whether the data packet is a key data packet containing a characteristic field; when it is, tampering with the characteristic field of the data packet according to the transfer protocol of the packet; and sending out the tampered data packet. By tampering with the packet instead of dropping it, the method achieves silent control of file transfer (or of a session) without interrupting the connection and without affecting the client user's non-confidential services, and so prevents leakage of the enterprise's internal data.

Description

Method, security gateway and system for preventing data leakage

Technical Field

[0001] The present invention relates to the field of communications, and in particular to a method, a security gateway and a system for preventing data leakage.

Background Art

[0002] With the development of the Internet, instant messaging tools such as QQ, MSN and Gtalk have brought great convenience to people's daily communication, and they have become an important everyday working tool for staff inside organizations.

[0003] But everything has two sides. While the network makes daily office work more convenient, leaking internal material over the network is becoming more and more common, and the risk this poses to an organization's information security keeps growing. Transferring files through instant messaging software such as MSN is one common leakage channel.

[0004] How to prevent internal users from leaking files through instant messaging tools such as MSN and Gtalk, without affecting their normal MSN chat communication, has become a difficult problem.

[0005] The common industry approach at present is to deploy a security gateway at the enterprise's network egress to enforce security controls. Taking MSN as an example, the following existing technical solutions block file transfer through instant messaging software:

[0006] In the first solution, after the security gateway identifies the MSN file transfer behaviour through behavioural and content signatures, it drops those packets. In most cases, however, MSN chat messages and MSN file transfers use the same port, port 1863, so if files are refused by dropping packets and disconnecting, chat messages are lost as well and the chat session connection may even be torn down, resulting in a very poor user experience.

[0007] In the second solution, when the security gateway detects an MSN file transfer it sends a TCP reset packet to both parties of the session. After the connection is broken, the file sender automatically creates a new connection when it next sends a message and keeps retrying, on the new connection, to resend the file that was not transferred successfully, causing a loop of resets. Chat messages from the file receiver can then never be delivered to the file sender.

Summary of the Invention

[0008] The technical problem to be solved by the present invention is that the prior-art means of preventing information leakage from inside an organization through file transfer over instant messaging tools readily disrupt the end user's session. The invention provides a method, a security gateway and a system for preventing data leakage that guarantee the end user's normal session while ensuring that enterprise data is not leaked outward.

[0009] The technical solution adopted by the present invention to solve its technical problem is:

[0010] A method for preventing data leakage is provided, comprising the following steps:

[0011] S1, receiving a data packet sent by an intranet user;

[0012] S2, identifying whether the data packet is a key data packet containing a characteristic field;

[0013] S3, when the data packet is a key data packet containing a characteristic field, tampering with the characteristic field of the data packet according to the transfer protocol of the data packet;

[0014] S4, sending out the tampered data packet.

[0015] In the method for preventing data leakage of the present invention, in step S3, when the data packet is a key data packet containing a characteristic field and the key data packet is an MSN file transfer packet, it is detected whether the MSN file transfer packet contains the "INVITE" field; if so, the field is replaced with a non-signature string of equal length.

[0016] In the method for preventing data leakage of the present invention, in step S3, when the data packet is a key data packet containing a characteristic field and the key data packet is a Gtalk encrypted chat packet, information that the TLS encrypted transmission protocol is not supported is sent to the intranet user, so that the intranet user switches to plaintext transmission; at the same time it is detected whether the file transfer data packet contains the field <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>; if so, the field is replaced with a non-signature string of equal length.

[0017] In the method for preventing data leakage of the present invention, in step S3, when the MSN file transfer packet contains no "INVITE" field, or the Gtalk encrypted chat packet contains no <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> field, the data packet is sent out directly.

[0018] In the method for preventing data leakage of the present invention, in step S3, when the data packet is identified as an MSN file transfer packet, it is marked.

[0019] Another technical solution adopted by the present invention to solve its technical problem is:

[0020] A security gateway for preventing data leakage is provided, the security gateway specifically comprising:

[0021] a transceiver module, for receiving data packets sent by intranet users;

[0022] an application identification module, for identifying whether the data packet is a key data packet containing a characteristic field;

[0023] an application service control module, for tampering with the characteristic field of the data packet, according to the transfer protocol of the data packet, when the data packet is a key data packet containing a characteristic field, and sending it out through the transceiver module.

[0024] In the security gateway for preventing data leakage of the present invention, the application service control module is specifically used, when the data packet is a key data packet containing a characteristic field and the key data packet is an MSN file transfer packet, to detect whether the MSN file transfer packet contains the "INVITE" field and, if so, to replace the field with a non-signature string of equal length.

[0025] In the security gateway for preventing data leakage of the present invention, the application service control module is specifically used, when the data packet is a key data packet containing a characteristic field and the key data packet is a Gtalk encrypted chat packet, to send the intranet user information that TLS encrypted transmission is not supported, so that the intranet user switches to plaintext transmission, and at the same time to detect whether the file transfer data packet contains the field <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> and, if so, to replace the field with an arbitrary string of equal length.

[0026] In the security gateway for preventing data leakage of the present invention, the application identification module is further used to mark the data packet when it is identified as the MSN file transfer packet.

[0027] A third technical solution adopted by the present invention to solve its technical problem is:

[0028] A system for preventing data leakage is provided, comprising an intranet sender, a security gateway, an external network server and an external network receiver, wherein

[0029] the intranet sender is used to initiate requests and send data packets;

[0030] the security gateway is used to receive the intranet sender's data packets, to identify whether a data packet is a key data packet containing a characteristic field and, when it is, to replace the characteristic field in the data packet with a non-signature string of equal length and send it out;

[0031] the external network server is used to receive the data packets sent by the security gateway and forward them to the external network receiver; if the characteristic field in a data packet has been replaced with a non-signature string, the server cannot recognize or accept that data packet;

[0032] the external network receiver is used to receive the data packets forwarded by the external network server.

[0033] The beneficial effect of the present invention is as follows. The invention identifies whether a data packet passing through the intranet security gateway is a key data packet containing a characteristic field and, if so, tampers with the characteristic field according to the packet's transfer protocol; the modified packet is then sent to the server (such as the MSN server). An ordinary server cannot recognize the tampered packet and therefore cannot respond to the client's file transfer (or session) action, so the receiver never sees the transfer request. Silent control of file transfer (or sessions) through packet tampering is thus achieved without breaking the connection and without affecting the end user's non-confidential services, preventing data leakage.

Brief Description of the Drawings

[0034] The present invention is further described below with reference to the accompanying drawings and embodiments, in which:

[0035] FIG. 1 is a flowchart of the method for preventing data leakage according to an embodiment of the present invention;

[0036] FIG. 2 is a flowchart of the method for preventing leakage through MSN file transfer according to an embodiment of the present invention;

[0037] FIG. 3 is a flowchart of the method for preventing leakage through a Gtalk session according to an embodiment of the present invention;

[0038] FIG. 4 is a schematic structural diagram of the security gateway for preventing data leakage according to an embodiment of the present invention;

[0039] FIG. 5 is a schematic structural diagram of the system for preventing data leakage according to an embodiment of the present invention.

Detailed Description of the Embodiments

[0040] To make the objectives, technical solutions and advantages of the present invention clearer, the invention is further described in detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.

[0041] The present invention is mainly intended to prevent the leakage of data from inside an organization such as an enterprise. The characteristic field of a data packet is tampered with according to the packet's transfer protocol, so that the server or the receiving end cannot recognize or accept the packet sent by the user, thereby preventing leaks by people inside the organization.

[0042] As shown in FIG. 1, the method for preventing data leakage mainly comprises the following steps:

[0043] S1, a network monitoring device inside the organization, such as a security gateway, receives a data packet sent by an intranet user;

[0044] S2, the security gateway identifies whether the data packet is a key data packet containing a characteristic field, the key data packet being a file transfer packet or a session packet;

[0045] S3, when the data packet is a key data packet containing a characteristic field, the security gateway tampers with the characteristic field of the packet according to the packet's transfer protocol;

[0046] S4, the security gateway sends out the tampered data packet, for example to a server on the external network, which then forwards the packet to the external network receiver.

[0047] In one embodiment of the present invention, the user communicates via MSN. As shown in FIG. 2, the method for preventing data leakage in this embodiment mainly comprises the following steps:

[0048] S101, a network monitoring device inside the organization, such as a security gateway, receives a data packet sent by an intranet user;

[0049] S102, the security gateway identifies whether the data packet is an MSN file transfer packet containing a characteristic field;

[0050] S103, when the packet is an MSN file transfer packet, it is further checked whether the file transfer packet contains the "INVITE" field. In other embodiments of the invention, a packet identified as a file transfer packet may be marked so that its data can be modified accordingly.

[0051] S104, when the security gateway detects that the file transfer packet contains the "INVITE" field, it replaces that field with a non-signature string of equal length, for example "aaaaaa". After the replacement the security gateway sends the tampered packet out; of course, the packet's checksum and similar fields must be recalculated before sending. When the tampered packet reaches the MSN server, the server cannot recognize the file transfer behaviour and therefore cannot respond to the client's file transfer action. The MSN server then forwards the packet to the receiver's PC, a step the MSN server performs automatically. The MSN client on the receiver's PC receives the request packet, but because the signature has been tampered with it cannot recognize the request as an MSN file transfer and cannot respond, so it neither accepts the transfer nor displays an MSN file transfer request on the client. The receiving user never sees the request and cannot receive the file.

[0052] Optionally, step S105 may also be included: if the security gateway finds that the file transfer packet does not contain the "INVITE" field, which indicates that no file is being transferred or that the transfer failed, the packet needs no modification and the security gateway forwards it directly to the MSN server.

[0053] Because the packet tampering approach does not require breaking the existing connection, file refusal and permission can be refined to a single direction: for example, the external network may be allowed to send files in while the intranet cannot send files out, or vice versa. This is a substantial improvement over the currently most common drop-and-disconnect approach.

[0054] In another embodiment of the present invention, the user uses Gtalk for instant messaging, as shown in FIG. 3.

[0055] The method for preventing data leakage in this embodiment mainly comprises the following steps:

[0056] S201, the security gateway receives a data packet sent by an intranet user;

[0057] S202, the security gateway identifies whether the data packet is a Gtalk encrypted chat packet containing a characteristic field;

[0058] S203, when the packet is a Gtalk encrypted chat packet, the security gateway further checks whether the file transfer packet contains the <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> field. The character signature of this session transfer request packet is obtained from the Gtalk file transfer protocol. Because Gtalk's file transfer protocol uses TLS for encrypted transmission, before tampering with the packet the security gateway may also, using the principle of TCP session hijacking, send the client a notice that TLS encrypted transmission is not supported, forcing the client to transmit in plaintext. Parsing is then easier, and an employee's leak can be stopped in time on the basis of the chat content. If the chat content involves no secrets, it can be released.

[0059] S204, when the security gateway detects that the file transfer packet contains the <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> field, it uses the TCP session hijacking method to replace that field with a non-signature string of equal length, for example arbitrary letters of the same length.

[0060] The security gateway sends the tampered packet on to the original public Gtalk server; of course, the packet's checksum and similar fields must be recalculated before sending. The Gtalk server then forwards the received packet to the receiver's PC, a step the Gtalk server performs automatically. The Gtalk client on the receiver's PC receives the request packet, but because the signature has been tampered with it cannot recognize the request as a Gtalk session packet and cannot respond, so it neither accepts nor displays a Gtalk session request on the client. The receiving user never sees the request and cannot receive the session.

[0061] Optionally, step S205 may also be included: if the security gateway finds that the file transfer packet does not contain the <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> field, which indicates that the session failed, the packet needs no modification and the security gateway forwards it directly to the Gtalk server.
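The following is an added example, written for this page and not code from the patent or its assignee, of the tampering step shared by the MSN embodiment (S104) and the Gtalk embodiment (S204): the characteristic field is overwritten with a same-length filler and the TCP checksum is then recalculated, as paragraphs [0051] and [0060] require. The TCP header layout, addresses and sample payloads are constructed for the demo, the FEATURE_FIELDS table is this example's own structure, and the "TLS not supported" notice of S203 is not modelled.

```python
import struct

# Characteristic fields the gateway looks for, keyed by the IM protocol of the packet.
# The two field strings come from the patent text; the table itself is this example's own.
FEATURE_FIELDS = {
    "msn": b"INVITE",
    "gtalk": b'<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>',
}


def tamper_feature_field(payload, protocol, filler=b"a"):
    """Step S3: replace the characteristic field with a non-signature string of the SAME length.

    An equal-length replacement leaves the TCP sequence/ack numbers, the IP total length and
    the IP header checksum valid, so only the TCP checksum needs recomputing afterwards.
    Returns (new_payload, changed); changed is False when the field is absent (S105/S205).
    """
    field = FEATURE_FIELDS[protocol]
    idx = payload.find(field)
    if idx < 0:
        return payload, False
    replacement = (filler * len(field))[:len(field)]
    return payload[:idx] + replacement + payload[idx + len(field):], True


def internet_checksum(data):
    """RFC 1071 one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(zeroed))
    return internet_checksum(pseudo + zeroed)


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """True when the checksum carried in the segment matches the recomputed value."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)


def rewrite_segment(src_ip, dst_ip, segment, protocol):
    """Steps S3 and S4 for one TCP segment: tamper the payload, then fix the TCP checksum."""
    data_offset = (segment[12] >> 4) * 4            # header length from the Data Offset nibble
    header, payload = segment[:data_offset], segment[data_offset:]
    new_payload, changed = tamper_feature_field(payload, protocol)
    if not changed:
        return segment, False                       # S105/S205: forward untouched
    seg = header + new_payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:], True


def build_segment(src_ip, dst_ip, payload, sport=49152, dport=1863):
    """Constructed 20-byte TCP header (no options) plus payload, with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


# Constructed sample traffic for the demo; not captured from real clients.
SRC_IP, DST_IP = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10])
SAMPLES = {
    "msn_invite": ("msn", b"MSG 12 D 61\r\nContent-Type: application/x-msnmsgrp2p\r\n\r\n"
                          b"INVITE MSNSLP/1.0\r\n"),
    "msn_chat": ("msn", b"MSG 13 N 35\r\nContent-Type: text/plain\r\n\r\nhello\r\n"),
    "gtalk_starttls": ("gtalk", b"<stream:features>" + FEATURE_FIELDS["gtalk"]
                                + b"</stream:features>"),
}


def run_gateway(samples=SAMPLES):
    """Push each sample through the gateway and report the invariants a reviewer would check."""
    report = {}
    for name, (proto, payload) in samples.items():
        before = build_segment(SRC_IP, DST_IP, payload)
        after, changed = rewrite_segment(SRC_IP, DST_IP, before, proto)
        report[name] = {
            "changed": changed,
            "same_length": len(after) == len(before),
            "checksum_ok": tcp_checksum_ok(SRC_IP, DST_IP, after),
            "field_present": FEATURE_FIELDS[proto] in after[20:],
        }
    return report


if __name__ == "__main__":
    for name, facts in run_gateway().items():
        print(name, facts)
```

The report shows why the patent insists on an equal-length replacement: the segment length is unchanged, so the peers' sequence and acknowledgement numbers stay consistent and only the TCP checksum has to be rewritten, while a plain chat message without the field passes through byte for byte.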

[0062] As shown in FIG. 4, the present invention also provides a security gateway 20 for preventing data leakage, specifically comprising:

[0063] a transceiver module 21, for receiving data packets sent by intranet users;

[0064] an application identification module 22, for identifying whether the data packet is a key data packet containing a characteristic field;

[0065] an application service control module 23, for tampering with the characteristic field of the data packet, according to the transfer protocol of the data packet, when the data packet is a key data packet containing a characteristic field, and sending it out through the transceiver module 21.

[0066] Further, the application service control module 23 is specifically used, when the data packet is an MSN file transfer packet, to detect whether the MSN file transfer packet contains the "INVITE" field and, if so, to replace the field with a non-signature string of equal length.

[0067] Further, the application service control module 23 is specifically used, when the data packet is a Gtalk encrypted chat packet, to send the intranet user information that TLS encrypted transmission is not supported, so that the intranet user switches to plaintext transmission, and at the same time to detect whether the data packet contains the field <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> and, if so, to replace the field with an arbitrary string of equal length.

[0068] In addition, the application identification module 22 is also used to mark the data packet when it is identified as an MSN file transfer packet.

[0069] The present invention uses packet tampering technology, which does not require breaking the existing connection, and can refine file (or session) refusal and permission to a single direction: for example, the external network may be allowed to send files (or sessions) in while the intranet cannot send files (or sessions) out, or vice versa. It is simple and easy to implement.

[0070] As shown in FIG. 4, the system for preventing data leakage according to an embodiment of the present invention comprises an intranet sender 10, a security gateway 20, an external network server 30 and an external network receiver 40, wherein

[0071] the intranet sender 10 is used to initiate requests and send data packets;

[0072] the security gateway 20 is used to receive the data packets of the intranet sender 10, to identify whether a data packet is a key data packet containing a characteristic field and, when it is, to replace the characteristic field in the key data packet with a non-signature string of equal length and send it out; the security gateway 20 is the security gateway of the embodiments above and is not described again here;

[0073] the external network server 30 is used to receive the data packets sent by the security gateway 20 and forward them to the external network receiver 40; if the characteristic field in a data packet has been replaced with a non-signature string, the server cannot recognize or accept that data packet;

[0074] the external network receiver 40 is used to receive the data packets forwarded by the external network server.

[0075] The system for preventing data leakage of the present invention prevents leaks from inside an organization by tampering with the characteristic field of the data packet, and tampering with the packet does not affect the existing communication connection; it is simple and easy to implement.

[0076] It should be understood that those of ordinary skill in the art may make improvements or changes based on the above description, and all such improvements and changes shall fall within the scope of protection of the appended claims of the present invention.

Claims (10)

1. 一种防止数据泄密的方法,其特征在于,包括以下步骤:51、接收内网用户发送的数据包;52、识别所述数据包是否为包含特征字段的关键数据包;53、在所述数据包为包含特征字段的关键数据包时,根据数据包传送协议的不同,篡改数据包的特征字段;54、将篡改后的数据包发送出去。 1. A method for preventing leakage of data, characterized by comprising the steps of: 51, receiving network data packets sent by a user; 52 identifying the packet is a critical packet containing the characteristic field; 53, in the when said data packet is a critical packet contains characteristics field, depending on the data packet transfer protocol, packet data tampering characteristics field; 54, tamper data packet will be sent.
2.根据权利要求1所述的防止数据泄密的方法,其特征在于,步骤S3中,在所述数据包为包含特征字段的关键数据包时,若该关键数据包为MSN传文件数据包,则检测所述MSN传文件数据包中是否含有“ INVITE”字段,若是,则将该字段替换为等长度的非特征码字符串。 2. The method of preventing data leakage as claimed in claim, wherein the step S3, the data packet is a data packet comprising a key feature of the field, the key if the data packet is a data packet transfer files MSN, MSN file transfer is detected the data packet if it contains "INVITE" fields, if non-pattern string, then the field is replaced with the equal length.
3. The method for preventing data leakage according to claim 1, wherein in step S3, when the data packet is a key data packet containing a characteristic field and the key data packet is a Gtalk encrypted chat data packet, a message that the TLS encrypted transmission protocol is not supported is sent to the intranet user, so that the intranet user switches to plaintext transmission; at the same time, the file transfer data packet is checked for the field <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>, and if it is present, the field is replaced with a non-signature character string of equal length.
4. The method for preventing data leakage according to claim 2 or 3, wherein when the MSN file transfer data packet does not contain the "INVITE" field, or the Gtalk encrypted chat data packet does not contain the <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls> field, the data packet is sent out directly.
5. The method for preventing data leakage according to claim 2, wherein when the data packet is identified as an MSN file transfer data packet, the data packet is marked.
6. A security gateway for preventing data leakage, wherein the security gateway specifically comprises: a transceiver module for receiving data packets sent by an intranet user; an application identification module for identifying whether the data packet is a key data packet containing a characteristic field; and an application service control module for, when the data packet is a key data packet containing a characteristic field, tampering with the characteristic field of the data packet according to the transmission protocol of the data packet and sending the data packet out through the transceiver module.
7. The security gateway for preventing data leakage according to claim 6, wherein the application service control module is specifically configured to, when the data packet is a key data packet containing a characteristic field and the key data packet is an MSN file transfer data packet, detect whether the MSN file transfer data packet contains the "INVITE" field, and if so, replace the field with a non-signature character string of equal length.
8. The security gateway for preventing data leakage according to claim 6, wherein the application service control module is specifically configured to, when the data packet is a key data packet containing a characteristic field and the key data packet is a Gtalk encrypted chat data packet, send the intranet user a message that TLS encrypted transmission is not supported, so that the intranet user switches to plaintext transmission; and at the same time check the file transfer data packet for the field <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>, and if it is present, replace the field with an arbitrary character string of equal length.
9. The security gateway for preventing data leakage according to claim 7 or 8, wherein the application identification module is further configured to mark the data packet when it is identified as the MSN file transfer data packet.
10. A system for preventing data leakage, comprising an intranet sending end, a security gateway, an external network server and an external network receiving end, wherein: the intranet sending end is configured to initiate a request and send a data packet; the security gateway is configured to receive the data packet from the intranet sending end, identify whether the data packet is a key data packet containing a characteristic field, and, when the data packet is a key data packet containing a characteristic field, replace the characteristic field in the data packet with a non-signature character string of equal length and send the data packet out; the external network server is configured to receive the data packet sent by the security gateway and forward it to the external network receiving end, and if the characteristic field in the data packet has been replaced with a non-signature character string, the external network server cannot recognize and receive the data packet; and the external network receiving end is configured to receive the data packet forwarded by the external network server.
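As an added example (not code from the patent or its assignee), the following Python sketches the application service control module of claims 6 to 10: it masks the characteristic field of a key packet with an equal-length non-signature string, forwards packets that carry no such field unchanged (claim 4), and marks MSN file-transfer flows (claims 5 and 9). The protocol labels, flow identifiers and sample payloads are assumptions constructed here; the protocol label is assumed to come from an upstream application identification step.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Characteristic fields from claims 7 and 8: the MSN "INVITE" field and the RFC 6120 STARTTLS element.
CHARACTERISTIC_FIELDS = {
    "msn_file_transfer": b"INVITE",
    "gtalk_chat": (b'<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">'
                   b"<required/></starttls>"),
}

def mask_equal_length(payload: bytes, needle: bytes, filler: bytes = b"*") -> Optional[bytes]:
    """Replace the first occurrence of needle with a same-length run of filler.
    Equal length keeps the TCP segment size and sequence numbers of the flow
    valid, so later segments need no rewriting and the connection survives
    (the "silent control" of the abstract). The filler must not itself match
    any signature."""
    idx = payload.find(needle)
    if idx < 0:
        return None  # claim 4: no characteristic field in this packet
    return payload[:idx] + filler * len(needle) + payload[idx + len(needle):]

@dataclass
class SecurityGateway:
    """Application service control module of claim 6. The protocol label is
    assumed to come from an upstream application identification step."""
    marked_flows: set = field(default_factory=set)  # claims 5 and 9

    def process(self, flow_id: str, protocol: str, payload: bytes) -> Tuple[bytes, bool]:
        """Return (payload to forward, whether its characteristic field was masked)."""
        needle = CHARACTERISTIC_FIELDS.get(protocol)
        if needle is None:
            return payload, False  # not a key packet: forward unchanged
        if protocol == "msn_file_transfer":
            self.marked_flows.add(flow_id)  # mark the MSN file-transfer flow
        masked = mask_equal_length(payload, needle)
        if masked is None:
            return payload, False  # claim 4: send the packet out directly
        return masked, True

# Constructed sample payloads for illustration, not captures of real clients.
SAMPLE_MSN = b"MSG 4 N 120\r\n\r\nINVITE MSNMSGR:alice@example.com MSNSLP/1.0\r\n"
SAMPLE_XMPP = (b"<stream:features>"
               b'<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
               b"</stream:features>")

if __name__ == "__main__":
    gw = SecurityGateway()
    for proto, pkt in (("msn_file_transfer", SAMPLE_MSN), ("gtalk_chat", SAMPLE_XMPP)):
        print(proto, gw.process("10.0.0.5->203.0.113.9", proto, pkt))
```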

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110336734A CN102333042A (en) 2011-10-31 2011-10-31 Method, security gateway and system for preventing data leakage

Publications (1)

Publication Number Publication Date
CN102333042A true CN102333042A (en) 2012-01-25

Family

ID=45484651

Country Status (1)

Country Link
CN (1) CN102333042A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003063443A1 (en) * 2002-01-22 2003-07-31 Intrasecure Networks Oy Method and system for sending a message through a secure connection
CN101431521A (en) * 2008-11-26 2009-05-13 北京网康科技有限公司 Anti-Trojan network security system and method
CN101610259A (en) * 2009-07-28 2009-12-23 北京网康科技有限公司 Network behavior control system and method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685284A (en) * 2013-12-18 2014-03-26 上海普华诚信软件技术有限公司 Data interception and conversion method and system
CN104023075A (en) * 2014-06-16 2014-09-03 南威软件股份有限公司 Internet online secret acquisition system and method
WO2017166420A1 (en) * 2016-03-31 2017-10-05 宇龙计算机通信科技(深圳)有限公司 Voice encryption method and voice transmission terminal
CN106936814A (en) * 2017-01-20 2017-07-07 北京海泰方圆科技股份有限公司 A kind of network protection methods, devices and systems
CN106936814B (en) * 2017-01-20 2018-07-06 北京海泰方圆科技股份有限公司 A kind of network protection methods, devices and systems
CN108243198A (en) * 2018-01-31 2018-07-03 北京深思数盾科技股份有限公司 A kind of data distribution, retransmission method and device

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication