Summary of the invention
The objective of the invention is to provide a network security architecture for a power information acquisition system that overcomes the deficiencies of the prior art, blocks hacker attacks from the public network, and improves the integrity of power information acquisition system operation.
The technical scheme that achieves the above objective is a network security architecture for a power information acquisition system comprising a client side and a host side. The client side comprises a gateway GPRS support node (GGSN). The host side comprises a gateway and a database server, with a power information intranet arranged between the gateway and the database server. The gateway comprises a router, a DHCP server and a host, the router being connected to the host and to the DHCP server. The architecture is characterized in that the gateway and the gateway GPRS support node are connected through an APN private line; the IP address of the APN private line is allocated by the DHCP server, and the router performs domain name resolution for the IP address corresponding to the APN private line.
Further, the client side also comprises an acquisition terminal, a GPRS support point, a serving GPRS support node (SGSN) and a GPRS backbone network; the acquisition terminal, the GPRS support point, the serving GPRS support node, the GPRS backbone network and the gateway GPRS support node are connected in sequence through the GPRS wireless network.
Further, the gateway on the host side also comprises a master firewall, a front-end collector and a RADIUS server. The front-end collector and the RADIUS server are connected to the host; the master firewall is connected to the router, and the gateway GPRS support node is connected to the master firewall.
Further, the serving GPRS support node compresses the user electricity consumption information collected by the acquisition terminal into GPRS data packets, and the front-end collector unpacks (decompresses) those GPRS data packets.
Further, the RADIUS server performs authentication and authorization control over users who access the database server.
Further, a first firewall is arranged between the gateway and the power information intranet.
Further, the database server is connected to the acquisition terminal through the power information intranet and a power information extranet, and a second firewall is arranged between the power information intranet and the power information extranet.
With the network security architecture for a power information acquisition system of the present invention, the host side and the client side of the architecture are connected through an APN private line whose IP address is allocated by the DHCP server. The technical effect of this scheme is that hacker attacks from the public network can be blocked, improving the integrity of power information acquisition system operation.
Embodiment
Referring to Fig. 1, the technical scheme of the present invention is explained in detail below by way of a specific embodiment in conjunction with the accompanying drawing.
In the present embodiment, the power information acquisition system communicates over a GPRS network. In the network security architecture for a power information acquisition system of the present invention, the client side 1 comprises, connected in sequence, an acquisition terminal 11, a GPRS support point 12, a serving GPRS support node 13, a GPRS backbone network 14 and a gateway GPRS support node 15.
After the acquisition terminal 11 has collected user electricity consumption information, it passes that information to the GPRS support point 12 (RSC), which in turn passes it to the serving GPRS support node 13 (Serving GPRS Support Node, SGSN).
The function of the serving GPRS support node 13 is to compress the user electricity consumption information into GPRS data packets and to route and forward those packets. Its other functions include session management, logical link management, and authentication and encryption for the client side 1, as well as generating and outputting billing records (tickets) for the client side 1.
The role of the GPRS backbone network 14 is to carry the transmission of power information within the GPRS wireless network.
The gateway GPRS support node 15 (Gateway GPRS Support Node, GGSN) mainly acts as the gateway of the client side 1. It performs protocol conversion on the GPRS data packets so that they can be sent to the host side 2. It also provides the information screening function of network control, i.e. it can control the information exchange between the host side 2 and the client side 1 so as to safeguard the power information acquisition system. More importantly, the gateway GPRS support node 15 can dynamically look up the IP address allocated by the DHCP server, translate and map that IP address, and perform DNS lookups to resolve the domain name for that IP address, which provides the conditions for establishing the APN private line 3 between the client side 1 and the host side 2.
The serving GPRS support node 13 and the gateway GPRS support node 15 are both connected to the GPRS backbone network 14 through the Gn interface, and both communicate with the GPRS backbone network 14 through the GTP protocol (GPRS Tunnelling Protocol).
The host side 2 comprises, connected in sequence, a gateway 21, a first firewall 24, a power information intranet 25 and a database server 26.
The gateway 21 comprises a master firewall 211, a router 212, a front-end collector 213, a RADIUS server 214, a DHCP server 215 and a host 216. The router 212, the front-end collector 213, the DHCP server 215 and the RADIUS server 214 are all connected to the host 216; the master firewall 211 is connected to the router 212, and the master firewall 211 is connected through the APN private line 3 to the gateway GPRS support node 15 on the client side 1.
When the power information acquisition system is launched on the public GPRS extranet, the host 216 on the gateway 21 first submits a request to the mobile operator to establish an APN private line 3 (APN being the abbreviation of Access Point Name). On the mobile operator's instruction, the DHCP server 215 on the gateway 21 allocates an IP address for the APN private line 3 according to the Dynamic Host Configuration Protocol (DHCP). The router 212 on the gateway 21 then performs domain name resolution on the IP address of this APN private line 3, thereby locating the corresponding gateway GPRS support node 15. Based on the IP address of the APN private line 3, the gateway GPRS support node 15 establishes a VPDN tunnel from itself to the gateway 21, VPDN being the abbreviation of Virtual Private Dial-up Network. The user electricity consumption data packets are first carried by the GTP protocol within the GPRS network and finally carried by the GRE tunnelling protocol or the L2TP tunnelling protocol over the APN private line 3 between the gateway GPRS support node 15 and the gateway 21. GRE is the abbreviation of Generic Routing Encapsulation, and L2TP is the abbreviation of Layer 2 Tunneling Protocol. In this way a virtual, dedicated GPRS communication channel, fully isolated from the outside world, is built between the gateway GPRS support node 15 and the gateway 21 for the use of the power information acquisition system, thereby improving its security. The APN private line 3 thus forms a protective checkpoint for the data exchange between the client side 1 and the host side 2.
The role of the RADIUS server 214 is to establish, through the Remote Authentication Dial In User Service (RADIUS) protocol, a user identity authentication and authorization control mechanism based on a unified policy, distinguishing different users and information accessors and granting them different information access and transaction rights; it applies a strict password management regime and keeps operation logs. Through users it has authenticated, the RADIUS server 214 allows parameter settings to be made on the host side 2.
The role of the front-end collector 213 is to receive the GPRS data packets and store them in its disk array; the front-end collector 213 decompresses the power information data packets and converts them into electricity consumption data that the database server 26 can recognize and read, and at the same time encrypts that electricity consumption data. After the APN private line 3 has been disconnected and the gateway 21 has been connected to the power information intranet 25, the front-end collector 213 passes the electricity consumption data through the host 216 and the power information intranet 25 to the database server 26. Instructions sent by the database server 26 are first stored in the disk array of the front-end collector 213; once the connection between the gateway 21 and the power information intranet 25 has been disconnected and the APN private line 3 between the gateway 21 and the client side 1 has been connected again, the front-end collector 213 forwards the acquisition instructions to the acquisition terminal 11.
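The store-and-forward discipline just described, in which the gateway is never connected to the APN private line and the power information intranet at the same time, can be modelled as a small state machine. The following Python is an added illustration, not code from the patent; the names FrontEndCollector and run_cycle, the constructed sample packets, and the use of zlib in place of the SGSN's packet compression are assumptions.

```python
import zlib

# Added model of the link-switching rule for front-end collector 213 (not code
# from the patent); zlib stands in for the SGSN's GPRS packet compression.
NONE, APN, INTRANET = "none", "apn", "intranet"   # which link the gateway has up

class FrontEndCollector:
    def __init__(self):
        self.link = NONE
        self.staged_data = []          # decompressed usage data awaiting server 26
        self.staged_instructions = []  # server 26 instructions awaiting terminals
        self.delivered_to_db, self.delivered_to_terminals = [], []
    def switch_link(self, target):
        # Every change passes through NONE: the APN line is dropped before the
        # intranet link is raised and vice versa, so the two are never bridged.
        if target != NONE and self.link != NONE:
            raise RuntimeError(f"{self.link} link still up")
        self.link = target
    def _require(self, link):
        if self.link != link:
            raise RuntimeError(f"needs {link} link, have {self.link}")
    def receive_gprs_packet(self, packet):    # arrives over the APN line
        self._require(APN)
        self.staged_data.append(zlib.decompress(packet).decode())
    def flush_to_database(self):              # staged data -> database server 26
        self._require(INTRANET)
        self.delivered_to_db += self.staged_data
        self.staged_data = []
    def receive_db_instruction(self, instr):  # staged in the disk array, not relayed
        self._require(INTRANET)
        self.staged_instructions.append(instr)
    def forward_instructions(self):           # released to terminals on the APN line
        self._require(APN)
        self.delivered_to_terminals += self.staged_instructions
        self.staged_instructions = []

def run_cycle(collector, packets, instructions):
    # One round: APN up -> drop -> intranet up -> drop -> APN up.
    collector.switch_link(APN)
    for p in packets:
        collector.receive_gprs_packet(p)
    collector.switch_link(NONE)
    collector.switch_link(INTRANET)
    collector.flush_to_database()
    for i in instructions:
        collector.receive_db_instruction(i)
    collector.switch_link(NONE)
    collector.switch_link(APN)
    collector.forward_instructions()
    return collector.delivered_to_db, collector.delivered_to_terminals
```

Any attempt to raise the intranet link while the APN line is up, or to flush data while the intranet link is down, raises an error, which is the property that keeps the GPRS side from ever reaching the database server directly.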
The role of the gateway host 216 is to manage the RADIUS server 214, the DHCP server 215, the front-end collector 213 and the router 212 on the gateway, and at the same time to carry out data transmission within the gateway 21.
The role of the master firewall 211 is to prevent hacker attacks from the public network from intruding into the power information acquisition system. In the present embodiment, the master firewall 211 is a VPN firewall.
The role of the first firewall 24 is to prevent unauthorized users from attacking the power information intranet 25 and the database server 26. In the present embodiment, the first firewall 24 is a VPN firewall.
The role of the power information intranet 25 is to serve as the communication channel between the gateway 21 and the database server 26.
The role of the database server 26 is to decrypt the electricity consumption data and write it into the disk array of the database server 26. At the same time, the database server 26 saves the electricity consumption data kept in its disk array to the disk array of a backup server (not shown) at a fixed time every day; the database server 26 and the backup server are connected to each other. This improves the data security of the power information acquisition system.
In addition, the security architecture is also connected to a power information extranet 22, which is a dedicated power network set up between the power information intranet 25 and the acquisition terminal 11; the power information extranet 22 may be a 230 MHz power private network, an optical fibre private network, or a power line carrier private network.
A second firewall 23 is arranged between the power information intranet 25 and the power information extranet 22; its role is to prevent hackers from attacking the database server 26 through the power information extranet. In the present embodiment, the second firewall 23 is also a VPN firewall.
In addition, the database server 26 has intrusion detection and anti-virus capabilities, and can perform a self-timed redundant backup of the data in the database of the power information acquisition system every day.
The database server 26, the RADIUS server 214, the DHCP server 215, the front-end collector 213 and the host 216 have built-in anti-virus software and software firewalls; the anti-virus software updates patches and virus databases promptly, and software installation and use are monitored as necessary to prevent the installation of software that poses a security risk.
The database server 26, the RADIUS server 214, the DHCP server 215, the front-end collector 213 and the host 216 are all provided with redundant configurations, which include disk arrays (RAID), clusters and the like.
Those of ordinary skill in the art will appreciate that the above embodiment serves only to illustrate the present invention and is not intended to limit it; any variation or modification of the above embodiment that remains within the spirit of the present invention falls within the scope of the claims of the present invention.