Summary of the invention
The technical problem to be solved and the technical task proposed by the present invention are to improve on the prior art by providing a power marketing mobile application security protection system, so as to achieve secure access to the Electric Power Marketing System from the external network. To this end, the present invention adopts the following technical scheme.
A power marketing mobile application security protection system, characterised in that it includes:
Security terminal layer: the mobile terminal uses an encryption algorithm and stores a private key or digital certificate on the terminal; when the mobile terminal accesses the system, it establishes a secure channel through the mobile public network to the secure access gateway cluster, performs identity authentication with the digital certificate, and encrypts critical communication data for transmission;
Secure channel layer: each external link is connected to the system access network; access control is applied by routing, and an encrypted virtual dedicated channel is built with VPN to realise network-level authentication and guarantee data confidentiality and integrity; a firewall performs access control at the boundary zone and rejects access requests from illegal devices; a corresponding security monitoring system is configured to monitor, protect and manage the security hazards of access applications, ensuring secure access and the safety of the system access network; between the access network and the corporate intranet, isolation is applied at every level from the physical layer to the application-layer communication protocol, and an exclusive data exchange mechanism is established and maintained for each permitted application, restricting the source, purpose, data format and data content of each exchange and monitoring the data exchange;
Secure access platform layer: the intermediate zone for publishing information externally, collecting information and exchanging data; it is the end point of the access terminal's network connection, and all application accesses terminate at the security certificate gateway; the secure access platform layer performs security detection and auditing of exchange service registration and operating status, performs configuration management and day-to-day operation and maintenance of the network equipment and security equipment, performs security policy management, flow monitoring, statistical analysis and security auditing, and presents these through a friendly, user-centred interface;
Mobile application layer: supports the service applications of the mobile terminal and realises application-level security of the system.
As further improvements and supplements to the above technical scheme, the present invention also includes the following additional technical features.
The secure access platform layer is provided with an access gateway, a data filtering exchange system, an authentication server and an access platform centralised monitoring management system; the access gateway includes a secure access gateway for notebook access, a mobile secure access gateway for PDA/smart phone access, and a meter secure access gateway for meter access.
When the intelligent terminal is a tablet computer, PDA or smart phone, the private key or digital certificate of the security algorithm used by the security terminal layer is stored on a MicroSD card; a SIM card is installed in the intelligent terminal, and network channel security is achieved by binding the SIM card to a dedicated APN; secure control software is deployed on the intelligent terminal to establish the secure channel and manage user authentication.
The mobile application layer is provided with a mobile application server, and an anti-virus module is deployed on the application server to ensure that each application server in the application service zone is not infected by viruses or trojans, preventing virus propagation and illegal control.
The secure channel layer, the secure access platform layer and the mobile application development platform together form a mobile operation platform, which is provided with an information security and protection unit, a cross-platform business support unit, an application support unit, a mobile GIS support unit, a mobile workflow support unit and a platform management unit. The information security and protection unit provides VPN wireless access support for the secure access platform, message encryption for application service communication and database security encryption on the mobile terminal, so as to achieve efficient and secure access. The cross-platform business support unit supports multiple mobile terminal operating systems: by supporting several operating systems while establishing a set of unified standard APIs adapted to each operating system, it realises cross-platform support and also supports multiple terminal hardware. The application support unit provides hardware bottom-layer support. The mobile GIS support unit provides geographic graphic display, power grid resource display, GIS spatial analysis, path navigation and position reporting. The mobile workflow support unit manages the server side and client side of the electric power mobile application distribution platform. The platform management unit provides equipment management, rights management, service menu management, mobile terminal condition monitoring, service monitoring and standardised field operation analysis.
The hardware bottom-layer support unit used by the application support function provides: printing, location-based services, barcode scanning, RFID card read/write, user electronic signature authentication, mobile terminal network state notification and the encapsulation of other hardware features; audit of equipment logins and user logins together with the audit login authentication service component; a file service component that integrates video files, image files and the graphic management system; issuing, downloading and importing of task data with review; and user authentication and security policy management.
The secure access platform layer securely partitions the third-party network from the enterprise information system and realises secure access of the mobile terminal; it performs user identity authentication, data encryption, auditing/authorisation of user data and online file encryption to achieve secure transmission; it is provided with a VPN gateway access service layer, which includes a secure access gateway system functional component, an identity authentication system functional component, a data encryption/decryption functional component and a centralised monitoring management user logic functional component; these functional components communicate over a high-speed message bus to realise the various security services.
The secure access platform layer is deployed in segmented combinations and connects seamlessly to the Internet; the identity authentication system performs two-way authentication between the terminal and the VPN gateway, with authentication and authorisation through the CA service.
During the auditing/authorisation work of the secure access platform layer, communication content, network behaviour and network traffic are dynamically monitored in real time through the collection, analysis and identification of network data; sensitive information and illegal behaviour of all kinds are discovered and captured with real-time alarm response; all sessions and events in the network system are comprehensively recorded, enabling intelligent correlation analysis and assessment of network information and accurate end-to-end tracking and locating of security incidents, which provides authoritative and reliable support for formulating the overall network security strategy.
The security/audit work includes:
A) Content auditing
Provides a deep content auditing function: for website access, mail sending and receiving, remote terminal access, database access, data transfer, file sharing and similar activities, it provides complete content detection and information restoration; the keyword library is customisable, enabling fine-grained audit tracking;
B) Behaviour auditing
Provides a comprehensive network behaviour audit function: according to the configured behaviour auditing policy, it monitors network application behaviour such as website access, mail sending and receiving, database access, remote terminal access, data transfer, file sharing and network resource abuse, and raises a real-time alarm and records every event that matches the behaviour policy;
C) Network auditing
Provides a flow analysis function based on protocol identification: it produces real-time statistics of the traffic of the various message types in the current network and performs integrated traffic analysis, providing reliable support for formulating the traffic management strategy.
Beneficial effects: unified information interaction, centralised configuration management and unified monitoring are realised, and the access of every terminal type becomes trusted and controllable. Based on the present invention, power marketing mobile operations (such as on-site business expansion, on-site meter reading, on-site customer service and other marketing service applications) are realised, the service capability and service level at the marketing customer's site are improved, customer service is extended in space and time, marketing service is extended to the customer's site, and an image of good and efficient service is established in the customer's perception. The technical scheme realises secure access of the mobile terminal. Strong isolation between the information intranet and the information extranet is achieved by isolation means, cutting off attacks from the extranet and effectively improving information security.
Embodiment
The technical scheme of the present invention is described in further detail below with reference to the accompanying drawings.
As shown in Figure 1, the power marketing mobile application security protection system includes a security terminal layer, a secure channel layer, a secure access platform layer, a mobile application development platform, application systems and so on.
Wherein,
Security terminal layer: the mobile terminal uses an encryption algorithm and stores a private key or digital certificate on the terminal; when the mobile terminal accesses the system, it establishes a secure channel through the mobile public network to the secure access gateway cluster, performs identity authentication with the digital certificate, and encrypts critical communication data for transmission;
Secure channel layer: each external link is connected to the system access network; access control is applied by routing, and an encrypted virtual dedicated channel is built with VPN to realise network-level authentication and guarantee data confidentiality and integrity; a firewall performs access control at the boundary zone and rejects access requests from illegal devices; a corresponding security monitoring system is configured to monitor, protect and manage the security hazards of access applications, ensuring secure access and the safety of the system access network; between the access network and the corporate intranet, isolation is applied at every level from the physical layer to the application-layer communication protocol, and an exclusive data exchange mechanism is established and maintained for each permitted application, restricting the source, purpose, data format and data content of each exchange and monitoring the data exchange;
Secure access platform layer: the intermediate zone for publishing information externally, collecting information and exchanging data; it is the end point of the access terminal's network connection, and all application accesses terminate at the security certificate gateway; the secure access platform layer performs security detection and auditing of exchange service registration and operating status, performs configuration management and day-to-day operation and maintenance of the network equipment and security equipment, performs security policy management, flow monitoring, statistical analysis and security auditing, and presents these through a friendly, user-centred interface.
Mobile application layer: supports the service applications of the mobile terminal and realises application-level security of the system.
The secure access platform layer is provided with an access gateway, a data filtering exchange system, an authentication server and an access platform centralised monitoring management system.
So that each type of accessing equipment can be treated differently, the access gateway includes a secure access gateway for notebook access, a mobile secure access gateway for PDA/smart phone access, and a meter secure access gateway for meter access.
When the intelligent terminal is a tablet computer, PDA or smart phone, the private key or digital certificate of the security algorithm used by the security terminal layer is stored on a MicroSD card; a SIM card is installed in the intelligent terminal, and network channel security is achieved by binding the SIM card to a dedicated APN; secure control software is deployed on the intelligent terminal to establish the secure channel and manage user authentication.
The mobile application layer is provided with a mobile application server, and an anti-virus module is deployed on the application server to ensure that each application server in the application service zone is not infected by viruses or trojans, preventing virus propagation and illegal control.
As shown in Figure 2, the main contents of the marketing mobile application security protection hierarchy chart are:
1) Secure access is the core of the whole platform. A secure access zone is built between the third-party network and the enterprise information system to carry out security partitioning of the network, and secure access is achieved through the platform's secure access, authentication and access control services.
2) By establishing a secondary encrypted tunnel independent of the third-party operator, data transmission security is strengthened; in the secure access zone, user identity authentication (digital certificate system), data encryption (the encryption algorithm uses the State Cryptography Administration's dedicated security algorithm, whose high cryptographic strength effectively ensures data security), auditing/authorisation of user data and online file encryption are carried out.
3) The VPN gateway access service layer is the core. It mainly includes the secure access gateway system, the identity authentication system, data encryption/decryption and the centralised monitoring management user logic modules; the functional components communicate over a high-speed message bus to realise the various security services.
4) According to differing user requirements, applications and network reconstruction needs, the functional groups of the secure access platform system and functional units such as the data security protection system can be deployed in segmented combinations following the access platform concept, and docked seamlessly with the Internet.
5) Identity authentication system: the terminal performs two-way authentication with the VPN and is authenticated and authorised through the CA service. Digital certificates ensure that every user logging in to the security platform system is a user authenticated by the administration. Issuance, revocation and re-application after expiry of digital certificates can be handled either online through the OCSP protocol or offline by manual administration by designated personnel.
6) Firewall: the access boundary of the security platform and the first security filter for data from users entering the security platform. The firewall is a comprehensive technology involving computer networking, cryptography, security technology, software engineering, security protocols and other fields; it is a means of ensuring network security and an access control measure applied when network services are provided; its main goal is to control the permissions for entering and leaving a network and to force all links to pass through this inspection. All external (user) business flows to the inside (corporate intranet) must pass through the firewall, which uses its network address translation and data security filtering functions to protect the network that needs protection.
7) Secure access gateway
IPSEC VPN access gateway: provides security protection for users' remote access to network services; its main functions include:
Identity authentication: works with the digital certificate system to ensure that the remote accessor is not a malicious user;
Access control: ensures that the visitor can only access the services and information they are authorised for;
Data encryption: uses the commercial cryptographic algorithms provided in the SDKey to ensure that all data is encrypted during network transmission and cannot be cracked;
SSL VPN access gateway: provides security protection for users' remote access to network services; its main functions include:
Identity authentication: works with the digital certificate system to ensure that the remote accessor is not a malicious user;
Access control: ensures that the visitor can only access the services and information they are authorised for;
Data encryption: uses the commercial cryptographic algorithms provided in the SDKey to ensure that all data is encrypted during network transmission and cannot be cracked.
8) Security isolation system
The security isolation and information exchange system, commonly called a "gateway", applies network isolation technology whose goal is to keep harmful attacks isolated outside the trusted network and, on the premise that internal information of the trusted network is not leaked, to complete the secure exchange of data between the networks. Network isolation technology grew out of the original security technologies; it compensates for their shortcomings and brings its own advantages. It is the security isolation system between the secured subnet and the corporate intranet and ensures the safety of the access service intranet.
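The exclusive per-application data exchange mechanism that the secure channel layer describes (restricting source, purpose, data format and data content, and monitoring every exchange) is the policy the isolation system above enforces. The following is an added illustration written for this page, not code from the patent: a gate function that admits one constructed "meter-reading" channel, rejects anything that deviates from its declared shape, and forwards only a freshly re-serialised copy of the validated JSON fields. Channel names, zones and field names are hypothetical.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ExchangeChannel:
    """One exclusive exchange mechanism: who may send, to whom, for what, in which shape."""
    name: str
    source_zone: str      # only this zone may originate the exchange
    dest_zone: str        # only this zone may receive it
    purpose: str          # declared purpose the request must carry
    fields: dict          # field -> (python type, regex for str values or None)
    max_bytes: int = 4096


# Constructed channel table for the illustration (hypothetical application).
CHANNELS = {
    "meter-reading": ExchangeChannel(
        name="meter-reading", source_zone="access-net", dest_zone="intranet",
        purpose="upload_reading",
        fields={
            "meter_id": (str, r"^[0-9]{10}$"),
            "reading_kwh": (int, None),
            "read_at": (str, r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),
        },
    ),
}

AUDIT_LOG = []   # every exchange attempt is recorded, allowed or not


def _deny(channel, reason, meta):
    AUDIT_LOG.append({"channel": channel, "allowed": False, "reason": reason, **meta})
    return False, None, reason


def gap_forward(channel_name, source_zone, dest_zone, purpose, raw):
    """Validate one exchange request at the isolation boundary.

    Returns (allowed, forwarded_bytes, reason). Only a re-serialised copy of the
    validated fields crosses the boundary, so the receiver never sees the original
    bytes (protocol break) and unexpected fields never cross at all.
    """
    meta = {"source": source_zone, "dest": dest_zone, "purpose": purpose, "size": len(raw)}
    ch = CHANNELS.get(channel_name)
    if ch is None:
        return _deny(channel_name, "unknown_channel", meta)
    if (source_zone, dest_zone) != (ch.source_zone, ch.dest_zone):
        return _deny(channel_name, "source_or_destination_not_permitted", meta)
    if purpose != ch.purpose:
        return _deny(channel_name, "purpose_mismatch", meta)
    if len(raw) > ch.max_bytes:
        return _deny(channel_name, "oversized", meta)
    try:
        doc = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError):
        return _deny(channel_name, "not_json", meta)
    if not isinstance(doc, dict):
        return _deny(channel_name, "not_an_object", meta)
    if set(doc) != set(ch.fields):
        return _deny(channel_name, "field_set_mismatch", meta)
    for key, (typ, pattern) in ch.fields.items():
        val = doc[key]
        # bool is a subclass of int in Python; reject it explicitly for int fields
        if isinstance(val, bool) or not isinstance(val, typ):
            return _deny(channel_name, f"bad_type:{key}", meta)
        if pattern is not None and not re.fullmatch(pattern, val):
            return _deny(channel_name, f"bad_value:{key}", meta)
    forwarded = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")
    AUDIT_LOG.append({"channel": channel_name, "allowed": True, "reason": "ok", **meta})
    return True, forwarded, "ok"
```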
9) Audit and authorisation system
The security audit system dynamically monitors communication content, network behaviour and network traffic in real time through the collection, analysis and identification of network data; it discovers and captures sensitive information and illegal behaviour of all kinds, responds with real-time alarms, comprehensively records every session and event in the network system, and realises intelligent correlation analysis and assessment of network information and accurate end-to-end tracking and locating of security incidents, providing authoritative and reliable support for formulating the overall network security strategy. The security audit system has three parts:
A. Content auditing
The SAS system provides a deep content auditing function: for website access, mail sending and receiving, remote terminal access, database access, data transfer, file sharing and similar activities, it provides complete content detection and information restoration; the keyword library is customisable, enabling fine-grained audit tracking.
B. Behaviour auditing
The SAS system provides a comprehensive network behaviour audit function: according to the configured behaviour auditing policy, it monitors network application behaviour such as website access, mail sending and receiving, database access, remote terminal access, data transfer, file sharing and network resource abuse (instant messaging, forums, online video, P2P downloads, online games and the like), and raises a real-time alarm and records every event that matches the behaviour policy.
C. Network auditing
The SAS system provides a flow analysis function based on protocol identification: it produces real-time statistics of the traffic of the various message types in the current network and performs integrated traffic analysis, providing reliable support for formulating the traffic management strategy.
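The three audit functions listed here (and in the summary section above) can be shown together on a handful of access-zone events. The following is an added example written for this page, not the SAS product's code: a constructed log of six events is parsed, scanned against a customisable keyword library (content auditing), matched against a behaviour policy (behaviour auditing), summarised per protocol (network auditing), and finally correlated per user. Field names, the line format and the policy rules are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of access-zone events (not real traffic):
# timestamp | source IP | user | protocol | detail | bytes
SAMPLE_LOG = """\
2024-03-02T09:15:02Z|10.8.1.21|zhang|http|GET /marketing/workorder/list|1840
2024-03-02T09:15:40Z|10.8.1.21|zhang|db|SELECT name FROM customer WHERE id=1042|620
2024-03-02T02:11:09Z|10.8.1.35|li|db|SELECT id_number,phone FROM customer|98000
2024-03-02T09:20:13Z|10.8.1.35|li|p2p|bittorrent handshake|4200000
2024-03-02T09:22:50Z|10.8.1.40|wang|smtp|Subject: 客户身份证号 export|51200
2024-03-02T09:25:00Z|10.8.1.40|wang|rdp|mstsc to 10.1.5.7|300000
"""

KEYWORD_LIBRARY = ["id_number", "身份证号", "password"]   # customisable per site
ALLOWED_HOURS = range(7, 22)                              # working-hours window (assumed)

# Behaviour auditing policy: each rule names the protocols it covers and optional limits.
BEHAVIOR_POLICY = [
    {"name": "resource_abuse", "proto": {"p2p", "im", "video", "game"}},
    {"name": "off_hours_db_access", "proto": {"db"}, "outside_hours": True},
    {"name": "bulk_transfer", "proto": {"db", "smtp", "ftp"}, "min_bytes": 50000},
]


def parse_log(text):
    """Turn the pipe-separated lines into event dicts with a numeric id each."""
    events = []
    for n, line in enumerate(text.splitlines()):
        ts, src, user, proto, detail, size = line.split("|")
        events.append({"id": n, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "user": user, "proto": proto,
                       "detail": detail, "bytes": int(size)})
    return events


def content_audit(events, keywords=KEYWORD_LIBRARY):
    """Content auditing: (event id, keyword) for every keyword seen in the restored content."""
    return [(ev["id"], kw) for ev in events for kw in keywords
            if kw.lower() in ev["detail"].lower()]


def behavior_audit(events, policy=BEHAVIOR_POLICY):
    """Behaviour auditing: (event id, rule name, user) for every event matching a rule."""
    alarms = []
    for ev in events:
        for rule in policy:
            if ev["proto"] not in rule["proto"]:
                continue
            if rule.get("outside_hours") and ev["time"].hour in ALLOWED_HOURS:
                continue
            if ev["bytes"] < rule.get("min_bytes", 0):
                continue
            alarms.append((ev["id"], rule["name"], ev["user"]))
    return alarms


def traffic_stats(events):
    """Network auditing: (protocol, flow count, total bytes), largest protocol first."""
    flows, total = defaultdict(int), defaultdict(int)
    for ev in events:
        flows[ev["proto"]] += 1
        total[ev["proto"]] += ev["bytes"]
    return sorted(((p, flows[p], total[p]) for p in flows), key=lambda t: -t[2])


def correlate_by_user(events, hits, alarms):
    """Correlation: which event ids implicate each user across both audit types."""
    by_id = {ev["id"]: ev["user"] for ev in events}
    involved = defaultdict(set)
    for ev_id, _ in hits:
        involved[by_id[ev_id]].add(ev_id)
    for ev_id, _, user in alarms:
        involved[user].add(ev_id)
    return {user: sorted(ids) for user, ids in involved.items()}
```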
The secure channel layer, the secure access platform layer and the mobile application development platform form the mobile operation platform, whose construction and deployment mainly comprises the following:
Information security and protection of the platform, including the State Grid Corporation of China secure access platform, message encryption for application service communication, and database security encryption on the mobile terminal.
Cross-platform business support, supporting multiple mobile terminal operating systems such as iOS, Windows Mobile, Windows CE, Android and Windows XP: by supporting several operating systems while establishing a set of unified standard APIs adapted to each operating system, cross-platform support is achieved; various terminal hardware is supported, such as iPhone, iPad, Android phones of various models, Android tablets of various models, and Windows Mobile/WinCE pads of various models.
Application support function, including hardware bottom-layer support: printing, location-based services, barcode scanning, RFID card read/write, user electronic signature authentication, mobile terminal network state notification, the encapsulation of other hardware features and so on; audit of equipment logins and user logins together with the audit login authentication service component; a file service function that integrates video files, image files and the graphic management system; issuing, downloading and importing of task data with review; and user authentication and security policy management.
Mobile GIS support function, which, based on the State Grid Corporation of China GIS service platform, supports geographic graphic display, power grid resource display, GIS spatial analysis, path navigation, position reporting and similar functions.
Mobile workflow support function, including management of the server side and client side of the electric power mobile application distribution platform.
Platform management functions, including equipment management, rights management, service menu management, mobile terminal condition monitoring, service monitoring and standardised field operation analysis.
Efficient, stable and reliable application performance is ensured by nine technical means: independently designed business tables store user and permission information; asynchronous task scheduling enables real-time, efficient download of work order information; work order process information is pushed in real time by SMS, reducing the load that manual refreshing places on the system; independently designed business tables store the work order information of the mobile operation terminal; mobile cargo handling operations are parameter-configurable, controlling the business coverage; work order business data can be downloaded asynchronously, minimising the impact on the BOSS professional system; work data can be uploaded asynchronously, improving the data transmission success rate; batch work orders can be split for upload, reducing the data volume of a single upload; and structured data is handled separately from unstructured data, improving data transfer efficiency.
Data is persisted and exchanged with the real-time data of the electric power host computer's professional BOSS system through a two-way data channel; data transfer uses the JSON format, and multimedia files are transferred by way of an FTP service.
Information security is ensured by the secure access platform certified by the State Grid company. Deployment of the secure access system is mainly divided into: secure gateway equipment deployed at the enterprise end; a built-in customised encryption chip in the security terminal; an enterprise-owned two-level CA system; data encryption using the SM2 algorithm, with the cryptographic protocol of the data channel using IPSEC/SSL VPN technology with the SM1 algorithm; and digital certificates.
The power marketing mobile application security protection system shown in Figures 1 and 2 above is a specific embodiment of the present invention and embodies its substantive features and progress; under the inspiration of the present invention, equivalent modifications of shape, structure and the like may be made to it according to actual use needs, and these all fall within the protection scope of this scheme.