CN105577632B - Secure networking method and terminal based on network isolation - Google Patents

Secure networking method and terminal based on network isolation

Publication number: CN105577632B (granted patent); application publication CN105577632A
Application number: CN201510367443.9A
Authority: CN (China)
Prior art keywords: data, network, namespace, virtual network card
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 胡军杰, 申泽奇
Current assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Priority: CN201510367443.9A; international application PCT/CN2015/085873, published as WO2016206171A1
Application filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd; application granted

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

The invention discloses a secure networking method and terminal based on network isolation. The method comprises: isolating, according to network resources, at least a first namespace and a second namespace; receiving a request to create a process corresponding to an application, the process requesting data from an external network or sending data to the external network; determining, from the set to which the application's package name belongs or from the domain that initiated the creation request, that the process belongs to the second namespace; and connecting to the external network through the mobile data network to request or send the data. A corresponding terminal is also disclosed. By using the namespace mechanism provided by the kernel, the invention isolates two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.

Description

Secure networking method and terminal based on network isolation
Technical field
The present invention relates to the field of communication technology, and in particular to a secure networking method and terminal based on network isolation.
Background technology
The network connection policy of existing smart terminals such as mobile phones is to prefer Wi-Fi whenever a usable Wi-Fi connection is available and to fall back to the carrier network (2G/3G/4G) only when no Wi-Fi network is available. With the growth of the mobile Internet, e-commerce applications such as mobile payment, mobile shopping and mobile online banking are spreading rapidly on mobile terminals, and the payment security problems these applications bring are increasingly prominent. If the user is connected to Wi-Fi, this can introduce security risks: for example, an attacker can use the Wi-Fi network to obtain private information on the user's phone, such as photos and personal documents, and even sensitive information such as bank card passwords. Simply forbidding Wi-Fi connections, on the other hand, would inconvenience users, since carrier data traffic is expensive and slower than Wi-Fi.
How to select a network connection mode while guaranteeing secure networking is therefore a technical problem that currently needs to be solved.
Summary of the invention
The present invention provides a secure networking method and terminal based on network isolation, so as to select a suitable network connection mode, guarantee secure networking, and protect the information on the terminal.
In one aspect, a secure networking method based on network isolation is provided, comprising:
isolating, according to network resources, at least a first namespace and a second namespace, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network;
receiving a request to create a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
determining, from the set to which the application's package name belongs or from the domain that initiated the creation request, that the process belongs to the second namespace;
connecting to the external network through the mobile data network to request or send the data.
In another aspect, a terminal is provided, the terminal comprising a kernel, at least a first namespace and a second namespace;
the kernel comprising:
an isolation unit, for isolating, according to network resources, at least a first namespace and a second namespace, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network;
a first receiving unit, for receiving a request to create a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
a determination unit, for determining, from the set to which the application's package name belongs or from the domain that initiated the creation request, that the process belongs to the second namespace;
a connection unit, for connecting to the external network through the mobile data network to request or send the data.
It can be seen that, in the secure networking method and terminal based on network isolation provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a secure networking method based on network isolation provided by an embodiment of the present invention;
Fig. 2 is an exemplary system architecture diagram for secure networking based on network isolation according to an embodiment of the present invention;
Fig. 3 is a flow diagram further detailing the secure networking method based on network isolation provided by the embodiment shown in Fig. 1;
Fig. 4 is a structural diagram of a terminal provided by an embodiment of the present invention;
Fig. 5 is a structural diagram further detailing the terminal provided by the embodiment shown in Fig. 4.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, which is a flow diagram of a secure networking method based on network isolation provided by an embodiment of the present invention, the method comprises the following steps:
Step S101: according to network resources, at least a first namespace and a second namespace are isolated, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network.
Namespace is a resource isolation mechanism provided by the Linux kernel. Once namespaces are used, system resources such as PIDs (process IDs), IPC (inter-process communication) and the network are no longer global but belong to a specific namespace, and the resources inside one namespace are not visible to other namespaces. This embodiment mainly uses the network namespace to isolate the network. A network namespace gives its processes the view of a completely independent network protocol stack, including network device interfaces, the IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, sockets and so on. A network namespace therefore provides an independent network environment, as if it were a separate system. A physical device can exist in only one network namespace at a time, but it can be moved from one namespace into another. Fig. 2 is an exemplary system architecture diagram for secure networking based on network isolation according to an embodiment of the present invention: the operating system or kernel has isolated two network namespaces according to the required network resources, Network Namespace A and Network Namespace B. Here wlan0 is the physical network card used by the WLAN and rmnet0 is the physical network card used by the mobile data network; processes receive and send packets through these two network cards. In the figure, APP1, APP2 and APP3 represent applications with relatively high network security requirements; once such an APP is placed in Namespace B, it can reach the Internet only through mobile data traffic.
Step S102: a request to create a process corresponding to an application is received, the process requesting data from the external network or sending data to the external network.
When the user taps an APP that reaches the network to obtain data, or sends data to the external network, the operating system or kernel creates a new process; this process is the one that requests data from or sends data to the external network.
Step S103: from the set to which the application's package name belongs, or from the domain that initiated the creation request, it is determined that the process belongs to the second namespace.
Each APP, i.e. each application, has one package name. Several sets are predefined, each set being the package names of a group of applications: applications whose package names are in set A belong to Namespace A, and applications whose package names are in set B belong to Namespace B. Therefore, knowing which application's process is being created and that application's package name, if the package name belongs to set B it can be determined that the process belongs to Namespace B.
A terminal has several domains, and it is stipulated that processes created by a certain domain must reach the network through the mobile network; therefore it can also be determined from the domain that initiated the creation request that the process belongs to Namespace B.
Step S104: the external network is connected through the mobile data network to request or send the data.
Once the process that requests data from or sends data to the external network has been determined to belong to Namespace B, it can reach the network through the mobile data network via rmnet0 to request or send the data.
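The decision in steps S103 and S104 (package-name set or originating domain, then the process is started in Namespace B) can be scripted as follows. This is an added example for illustration, not code from the patent or from the assignee: the namespace names ns_a and ns_b, the package names in set B, the domain names, and the use of `ip netns exec` to start the process are all assumptions. One point the description leaves implicit is that a Linux process inherits its parent's network namespace, so the namespace must be chosen before the process exists; the launch wrapper below does exactly that.

```shell
#!/bin/sh
# Added example (not from the patent): choose the network namespace for a
# process from the package-name set or the originating domain, and start the
# process inside it. Namespace names, set contents and domain names are
# assumptions; /proc is used only to inspect which namespace a PID is in.
set -eu

NS_A="ns_a"   # first namespace: can use wlan0 or rmnet0
NS_B="ns_b"   # second namespace: mobile data (rmnet0) only

# Set B: package names whose processes must only use mobile data
# (constructed sample list; a real terminal would load it from policy storage).
SET_B="com.example.bank com.example.pay com.example.shop"

# Domains whose processes are required to go through mobile data (assumed names).
SECURE_DOMAINS="payment banking"

# in_list NEEDLE "LIST": succeed if NEEDLE is one of the words in LIST.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# ns_for_process PACKAGE DOMAIN: either criterion alone is enough to put the
# process into the second namespace, as in steps S103 and S104.
ns_for_process() {
    if in_list "$1" "$SET_B" || in_list "$2" "$SECURE_DOMAINS"; then
        echo "$NS_B"
    else
        echo "$NS_A"
    fi
}

# launch_cmd PACKAGE DOMAIN CMD...: the command that starts CMD in the right
# namespace. A child inherits its parent's network namespace, so the choice
# has to be made before the process exists; moving it afterwards would leave
# any sockets it had already opened in the old namespace.
launch_cmd() {
    pkg="$1"; domain="$2"; shift 2
    echo "ip netns exec $(ns_for_process "$pkg" "$domain") $*"
}

# launch PACKAGE DOMAIN CMD...: run it (needs root), or print it if DRY_RUN=1.
launch() {
    cmd=$(launch_cmd "$@")
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
}

# netns_id PID: identity of the network namespace PID lives in, for example
# "net:[4026531840]"; two PIDs with the same value share one network stack.
netns_id() {
    readlink "/proc/$1/ns/net"
}
```

`DRY_RUN=1 launch com.example.bank app /system/bin/app_process` prints `ip netns exec ns_b /system/bin/app_process`; without DRY_RUN the process is started inside ns_b. After a real launch the check a practitioner wants is that `netns_id <child pid>` differs from `netns_id $$` and that `ip netns identify <child pid>` reports ns_b.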
In the secure networking method based on network isolation provided by the invention, the namespace mechanism provided by the kernel is thus used to isolate two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.
Referring to Fig. 3, which is a flow diagram further detailing the secure networking method based on network isolation provided by the embodiment shown in Fig. 1, the method comprises the following steps:
Step S201: according to network resources, at least a first namespace and a second namespace are isolated, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network.
Step S202: a request to create a process corresponding to an application is received, the process requesting data from the external network or sending data to the external network.
Step S203: from the set to which the application's package name belongs, or from the domain that initiated the creation request, it is determined that the process belongs to the second namespace.
Steps S201 to S203 are identical to steps S101 to S103 of the embodiment shown in Fig. 1 and are not described again here.
How the external network is connected through the mobile data network in order to request or send the data is described in detail below:
Step S204: the data request corresponding to the process is sent to the second virtual network card connected to the second namespace.
Step S205: the second virtual network card sends the data request to the first virtual network card connected to the first namespace.
Step S206: the first virtual network card, having determined from the data request that it originated from the second virtual network card, sends the data request to the external network through the mobile data network, receives the data returned by the external network through the mobile data network, and sends the data to the second virtual network card.
Step S207: the second virtual network card feeds the data back to the process.
Step S208: the data fed back by the second virtual network card is received.
Step S209: the data sending request corresponding to the process is sent to the second virtual network card connected to the second namespace, the data sending request carrying the data to be sent.
Step S210: the second virtual network card sends the data sending request to the first virtual network card connected to the first namespace.
Step S211: the first virtual network card, having determined from the data sending request that it originated from the second virtual network card, sends the data to be sent to the external network through the mobile data network.
VETH-A (the first virtual network card) and VETH-B (the second virtual network card) shown in Fig. 2 are virtual network devices of type veth. Such devices normally come in pairs: a packet sent out of one veth arrives directly at its peer veth. Veth thus provides a pipe-like abstraction that can set up a tunnel between different namespaces. Using virtual network devices, a bridge to the physical devices in another namespace can also be established. If there is no need to connect to an external network and the two namespaces only need to communicate with each other, veth alone is sufficient.
To connect to the external physical network, a Linux bridge also has to be introduced. By assigning IP addresses to the Linux bridge and to VETH-B, adding the corresponding routing rules and routing table, and combining this with network address translation (NAT), processes in both namespaces can access the external network through the same physical network card rmnet0. Note that the routing rules in the first namespace must steer traffic arriving from the bridge to rmnet0 regardless of the first namespace's own default route, which under the usual connection policy points at wlan0.
As for the physical network card wlan0, since no veth virtual network card or bridge is set up for it and no corresponding routing rules or NAT address translation are configured, processes in Namespace B are unaware that wlan0 exists and therefore cannot access the external network through wlan0; in other words, they cannot reach the Internet through the Wi-Fi network.
Steps S204 to S208 are the procedure for requesting data from the external network, and steps S209 to S211 are the procedure for sending data to the external network.
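The veth, bridge, routing and NAT configuration described above, written out as a shell script for a Linux host. This is an added example and not the patent's own code: the root network namespace stands in for Namespace A (it keeps wlan0 and rmnet0), ns_b stands for Namespace B, and the interface names br_secure, veth_a and veth_b, the link subnet 10.200.0.0/24 and routing table 100 are assumptions. With DRY_RUN=1 the script only prints the commands it would run, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the patent): build the Fig. 2 topology on Linux.
# Namespace A = the root network namespace, which keeps wlan0 and rmnet0.
# Namespace B = "ns_b", which only ever sees its end of the veth pair.
# Interface names, the 10.200.0.0/24 link subnet and table 100 are assumptions.
set -eu

NS_B="ns_b"
MOBILE_IF="rmnet0"      # physical NIC of the mobile data network (stays in A)
BRIDGE="br_secure"      # Linux bridge in Namespace A
VETH_A="veth_a"         # VETH-A: attached to the bridge in Namespace A
VETH_B="veth_b"         # VETH-B: moved into Namespace B
BR_ADDR="10.200.0.1/24" # address of the bridge, default gateway for B
NSB_ADDR="10.200.0.2/24"
NSB_NET="10.200.0.0/24"
TABLE=100               # routing table whose only exit is rmnet0

# Execute a command, or only print it when DRY_RUN=1 so the sequence can be
# checked without root and without touching real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# $1 (optional): next hop on the rmnet0 link; omit it on a point-to-point link.
setup_secure_namespace() {
    MOBILE_GW="${1:-}"

    # 1. Second namespace and the veth tunnel into it.
    run ip netns add "$NS_B"
    run ip link add "$VETH_A" type veth peer name "$VETH_B"
    run ip link set "$VETH_B" netns "$NS_B"

    # 2. Bridge in Namespace A with VETH-A attached; the bridge carries the IP.
    run ip link add "$BRIDGE" type bridge
    run ip link set "$VETH_A" master "$BRIDGE"
    run ip addr add "$BR_ADDR" dev "$BRIDGE"
    run ip link set "$VETH_A" up
    run ip link set "$BRIDGE" up

    # 3. Inside Namespace B only lo and VETH-B exist; everything is routed
    #    to the bridge because B has no other device to route through.
    run ip netns exec "$NS_B" ip addr add "$NSB_ADDR" dev "$VETH_B"
    run ip netns exec "$NS_B" ip link set "$VETH_B" up
    run ip netns exec "$NS_B" ip link set lo up
    run ip netns exec "$NS_B" ip route add default via "${BR_ADDR%/*}"

    # 4. Policy routing in Namespace A: packets from B's subnet are looked up
    #    in a table that only knows rmnet0. Without this rule, forwarded
    #    traffic would follow A's own default route, which usually is wlan0.
    if [ -n "$MOBILE_GW" ]; then
        run ip route add default via "$MOBILE_GW" dev "$MOBILE_IF" table "$TABLE"
    else
        run ip route add default dev "$MOBILE_IF" table "$TABLE"
    fi
    run ip rule add from "$NSB_NET" lookup "$TABLE"

    # 5. Forwarding and NAT out of rmnet0 only; anything else arriving from
    #    the bridge (in particular anything towards wlan0) is dropped.
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NSB_NET" -o "$MOBILE_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$BRIDGE" -o "$MOBILE_IF" -j ACCEPT
    run iptables -A FORWARD -i "$MOBILE_IF" -o "$BRIDGE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -j DROP
}

# Check that the Wi-Fi NIC is invisible from Namespace B (the namespace must
# already exist); returns 0 when wlan0 is absent there.
wifi_invisible_in_b() {
    ! ip netns exec "$NS_B" ip link show wlan0 >/dev/null 2>&1
}
```

Run `setup_secure_namespace <gateway>` as root with the next hop of the rmnet0 link as the argument, or with no argument on a point-to-point rmnet link. Afterwards `ip netns exec ns_b ip link` lists only lo and veth_b, and `wifi_invisible_in_b` succeeds; the policy-routing rule in step 4 is what keeps Namespace B on rmnet0 even while Namespace A's own default route points at wlan0.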
In the secure networking method based on network isolation provided by the invention, the namespace mechanism provided by the kernel is thus used to isolate two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.
Referring to Fig. 4, which is a structural diagram of a terminal provided by an embodiment of the present invention, the terminal comprises a kernel 100, a first namespace 101 and a second namespace 102, and the kernel 100 comprises:
an isolation unit 11, for isolating, according to network resources, at least a first namespace and a second namespace, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network.
Namespace is a resource isolation mechanism provided by the Linux kernel. Once namespaces are used, system resources such as PIDs (process IDs), IPC (inter-process communication) and the network are no longer global but belong to a specific namespace, and the resources inside one namespace are not visible to other namespaces. This embodiment mainly uses the network namespace to isolate the network. A network namespace gives its processes the view of a completely independent network protocol stack, including network device interfaces, the IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, sockets and so on. A network namespace therefore provides an independent network environment, as if it were a separate system. A physical device can exist in only one network namespace at a time, but it can be moved from one namespace into another. Fig. 2 is an exemplary system architecture diagram for secure networking based on network isolation according to an embodiment of the present invention: the isolation unit 11 has isolated two network namespaces according to the required network resources, Network Namespace A and Network Namespace B. Here wlan0 is the physical network card used by Wi-Fi and rmnet0 is the physical network card used by the mobile data network; processes receive and send packets through these two network cards. In the figure, APP1, APP2 and APP3 represent applications with relatively high network security requirements; once such an APP is placed in Namespace B, it can reach the Internet only through mobile data traffic.
a first receiving unit 12, for receiving a request to create a process corresponding to an application, the process requesting data from the external network or sending data to the external network.
When the user taps an APP that reaches the network to obtain data, or sends data to the external network, the operating system or kernel creates a new process; this process is the one that requests data from or sends data to the external network. The first receiving unit 12 receives the request to create the process corresponding to the application.
a determination unit 13, for determining, from the set to which the application's package name belongs or from the domain that initiated the creation request, that the process belongs to the second namespace.
Each APP, i.e. each application, has one package name. Several sets are predefined, each set being the package names of a group of applications: applications whose package names are in set A belong to Namespace A, and applications whose package names are in set B belong to Namespace B. Therefore, the determination unit 13 uses which application's process is being created and that application's package name: if the package name belongs to set B, it can determine that the process belongs to Namespace B.
A terminal has several domains, and it is stipulated that processes created by a certain domain must reach the network through the mobile network; therefore it can also be determined from the domain that initiated the creation request that the process belongs to Namespace B.
a connection unit 14, for connecting to the external network through the mobile data network to request or send the data.
Once the process that requests data from or sends data to the external network has been determined to belong to Namespace B, the connection unit 14 reaches the network through the mobile data network via rmnet0 to request or send the data.
In the terminal provided by the invention, the namespace mechanism provided by the kernel is thus used to isolate two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.
Referring to Fig. 5, which is a structural diagram further detailing the terminal provided by the embodiment shown in Fig. 4, the terminal 2000 comprises: a kernel 200, a first virtual network card 102 and a first namespace 103 connected to the first virtual network card 102, and a second virtual network card 104 and a second namespace 105 connected to the second virtual network card 104. The kernel 200 comprises:
an isolation unit 21, for isolating, according to network resources, at least a first namespace and a second namespace, wherein processes in the first namespace connect to the external network through a WLAN or the mobile data network, and processes in the second namespace connect to the external network through the mobile data network.
a first receiving unit 22, for receiving a request to create a process corresponding to an application, the process requesting data from the external network or sending data to the external network.
a determination unit 23, for determining, from the set to which the application's package name belongs or from the domain that initiated the creation request, that the process belongs to the second namespace.
The functions of the isolation unit 21, the first receiving unit 22 and the determination unit 23 are identical to those of the isolation unit 11, the first receiving unit 12 and the determination unit 13 of the embodiment shown in Fig. 4 and are not described again here.
a connection unit 24, for connecting to the external network through the mobile data network to request or send the data.
In this embodiment, the connection unit 24 comprises a transmission unit 241 and a second receiving unit 242.
The transmission unit 241 is for sending the data request corresponding to the process to the second virtual network card connected to the second namespace.
The second virtual network card 104 is for sending the data request to the first virtual network card connected to the first namespace.
The first virtual network card 102 is for, having determined from the data request that it originated from the second virtual network card, sending the data request to the external network through the mobile data network, receiving the data returned by the external network through the mobile data network, and sending the data to the second virtual network card.
The second virtual network card 104 is further for feeding the data back to the process.
The second receiving unit 242 is for receiving the data fed back by the second virtual network card.
The transmission unit 241 is further for sending the data sending request corresponding to the process to the second virtual network card connected to the second namespace, the data sending request carrying the data to be sent.
The second virtual network card 104 is further for sending the data sending request to the first virtual network card connected to the first namespace.
The first virtual network card 102 is further for, having determined from the data sending request that it originated from the second virtual network card, sending the data to be sent to the external network through the mobile data network.
VETH-A (the first virtual network card) and VETH-B (the second virtual network card) shown in Fig. 2 are virtual network devices of type veth. Such devices normally come in pairs: a packet sent out of one veth arrives directly at its peer veth. Veth thus provides a pipe-like abstraction that can set up a tunnel between different namespaces. Using virtual network devices, a bridge to the physical devices in another namespace can also be established. If there is no need to connect to an external network and the two namespaces only need to communicate with each other, veth alone is sufficient.
To connect to the external physical network, a Linux bridge also has to be introduced. By assigning IP addresses to the Linux bridge and to VETH-B, adding the corresponding routing rules and routing table, and combining this with network address translation (NAT), processes in both namespaces can access the external network through the same physical network card rmnet0.
As for the physical network card wlan0, since no veth virtual network card or bridge is set up for it and no corresponding routing rules or NAT address translation are configured, processes in Namespace B are unaware that wlan0 exists and therefore cannot access the external network through wlan0; in other words, they cannot reach the Internet through the Wi-Fi network.
In the terminal provided by the invention, the namespace mechanism provided by the kernel is thus used to isolate two or more mutually independent network environments, of which the secure network environment can reach the network only through the mobile data network. The terminal can thereby select a suitable network connection mode while guaranteeing secure networking, which protects the information on the terminal.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should understand, however, that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
From the description of the above embodiments, it will be clear to those skilled in the art that the present invention can be implemented in hardware, in firmware, or in a combination of them. When implemented in software, the above functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may comprise random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer. In addition, any suitable connection may be a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of the medium. As used herein, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically and discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
In summary, the above are merely preferred embodiments of the technical solution of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (6)

1. A secure networking method based on network isolation, characterized in that it comprises:
isolating, according to network resources, at least one first namespace and a second namespace, wherein processes in the first namespace connect to an external network through a wireless local area network (Wi-Fi) or a mobile data network, and processes in the second namespace connect to the external network through the mobile data network;
receiving a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
determining, according to the set to which the package name of the application belongs or the domain in which the creation request was initiated, that the process belongs to the second namespace;
connecting to the external network through the mobile data network to request or send the data;
wherein connecting to the external network through the mobile data network to request the data comprises:
sending the data request corresponding to the process to a second virtual network card connected to the second namespace;
the second virtual network card sending the data request to a first virtual network card connected to the first namespace;
the first virtual network card determining, according to the data request, that the request originates from the second virtual network card, sending the data request to the external network through the mobile data network, receiving the data returned by the external network through the mobile data network, and sending the data to the second virtual network card;
the second virtual network card feeding the data back to the process;
receiving the data fed back by the second virtual network card;
and wherein connecting to the external network through the mobile data network to send the data comprises:
sending the data sending request corresponding to the process to the second virtual network card connected to the second namespace, the data sending request carrying the data to be sent;
the second virtual network card sending the data sending request to the first virtual network card connected to the first namespace;
the first virtual network card determining, according to the data sending request, that the request originates from the second virtual network card, and sending the data to be sent to the external network through the mobile data network.
2. The method according to claim 1, characterized in that the set comprises the package names of a group of applications, and a process of an application whose package name is in the set belongs to the second namespace; or
the second namespace corresponds to a domain, and a process initiated in that domain belongs to the second namespace.
3. The method according to claim 1, characterized in that it further comprises:
if the first virtual network card receives data returned by the external network through the Wi-Fi, discarding the data.
4. A terminal, characterized in that the terminal comprises: a kernel, at least one first namespace, a second namespace, a first virtual network card and a second virtual network card;
the kernel comprises:
an isolation unit, configured to isolate, according to network resources, at least one first namespace and a second namespace, wherein processes in the first namespace connect to an external network through a wireless local area network (Wi-Fi) or a mobile data network, and processes in the second namespace connect to the external network through the mobile data network;
a first receiving unit, configured to receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
a determination unit, configured to determine, according to the set to which the package name of the application belongs or the domain in which the creation request was initiated, that the process belongs to the second namespace;
a connection unit, configured to connect to the external network through the mobile data network to request or send the data;
the connection unit comprises:
a transmission unit, configured to send the data request corresponding to the process to the second virtual network card connected to the second namespace;
the second virtual network card, configured to send the data request to the first virtual network card connected to the first namespace;
the first virtual network card, configured to determine, according to the data request, that the request originates from the second virtual network card, send the data request to the external network through the mobile data network, receive the data returned by the external network through the mobile data network, and send the data to the second virtual network card;
the second virtual network card being further configured to feed the data back to the process;
the connection unit further comprises:
a second receiving unit, configured to receive the data fed back by the second virtual network card;
the transmission unit being further configured to send the data sending request corresponding to the process to the second virtual network card connected to the second namespace, the data sending request carrying the data to be sent;
the second virtual network card being further configured to send the data sending request to the first virtual network card connected to the first namespace;
the first virtual network card being further configured to determine, according to the data sending request, that the request originates from the second virtual network card, and send the data to be sent to the external network through the mobile data network.
5. The terminal according to claim 4, characterized in that the set comprises the package names of a group of applications, and a process of an application whose package name is in the set belongs to the second namespace; or
the second namespace corresponds to a domain, and a process initiated in that domain belongs to the second namespace.
6. The terminal according to claim 4, characterized in that:
the first virtual network card is further configured to discard the data if it receives data returned by the external network through the Wi-Fi.
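The classification rule of claims 1 and 2 and the vnic2 to vnic1 data path of claims 1 and 3, modelled as an added Python example that is not the patent's own implementation. The package names, domain name and packets are constructed, and the refusal to fall back to Wi-Fi when mobile data is unavailable is an assumed consequence of the claims rather than text from the patent.

```python
"""Model of the claimed isolation scheme (added example, not the patent's code).
Namespace 1 may use Wi-Fi or mobile data; namespace 2 reaches the outside only
through the pair of virtual NICs vnic2 -> vnic1, and vnic1 forwards that
traffic over mobile data alone. Package names, domain and packets are constructed."""
from dataclasses import dataclass, field

SECURE_PACKAGES = {"com.example.bank", "com.example.mail"}  # constructed set
SECURE_DOMAIN = "work"                                      # constructed domain


def assign_namespace(package: str, domain: str) -> int:
    """Claims 1-2: a process joins namespace 2 when its application's package
    name is in the configured set or its creation request came from the domain
    bound to namespace 2; otherwise it stays in namespace 1."""
    if package in SECURE_PACKAGES or domain == SECURE_DOMAIN:
        return 2
    return 1


@dataclass
class Terminal:
    mobile_up: bool = True
    egress_log: list = field(default_factory=list)  # (interface, packet)

    def vnic1_forward(self, pkt: dict, from_nic: str) -> str:
        """First virtual NIC: a request it recognises as coming from vnic2 is
        sent over mobile data only. Assumed: no Wi-Fi fallback when mobile
        data is down, since the claims name no other path for namespace 2."""
        if from_nic != "vnic2":
            raise ValueError("vnic1 forwards only traffic sourced from vnic2")
        if not self.mobile_up:
            raise ConnectionError("mobile data down; namespace 2 has no egress")
        self.egress_log.append(("mobile", pkt))
        return "mobile"

    def send(self, package: str, domain: str, pkt: dict,
             preferred: str = "wifi") -> str:
        """Route a process's request by its namespace; returns the interface used."""
        if assign_namespace(package, domain) == 1:
            self.egress_log.append((preferred, pkt))  # Wi-Fi or mobile, as preferred
            return preferred
        # Namespace 2: process -> vnic2 -> vnic1 -> mobile data network.
        return self.vnic1_forward(pkt, from_nic="vnic2")

    def vnic1_receive(self, reply: dict, via: str):
        """Claim 3: a reply for namespace 2 that arrives over Wi-Fi is
        discarded; one received over mobile data is passed to vnic2, which
        feeds it back to the process."""
        if via != "mobile":
            return None
        return reply
```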
CN201510367443.9A 2015-06-26 2015-06-26 A kind of safe networking methods and terminal based on Network Isolation Active CN105577632B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510367443.9A CN105577632B (en) 2015-06-26 2015-06-26 A kind of safe networking methods and terminal based on Network Isolation
PCT/CN2015/085873 WO2016206171A1 (en) 2015-06-26 2015-07-31 Secure networking method based on network isolation, and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510367443.9A CN105577632B (en) 2015-06-26 2015-06-26 A kind of safe networking methods and terminal based on Network Isolation

Publications (2)

Publication Number Publication Date
CN105577632A CN105577632A (en) 2016-05-11
CN105577632B true CN105577632B (en) 2018-08-24

Family

ID=55887294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510367443.9A Active CN105577632B (en) 2015-06-26 2015-06-26 A kind of safe networking methods and terminal based on Network Isolation

Country Status (2)

Country Link
CN (1) CN105577632B (en)
WO (1) WO2016206171A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10176005B2 (en) * 2014-03-31 2019-01-08 Cypherpath, Inc. Environment virtualization
CN106779648B (en) * 2016-12-16 2020-10-16 Oppo广东移动通信有限公司 Network data sending method and mobile terminal
CN111294220B (en) * 2018-12-07 2022-06-21 网宿科技股份有限公司 Nginx-based network isolation configuration method and device
CN111294316B (en) * 2018-12-07 2022-07-01 网宿科技股份有限公司 Network isolation method and device based on user mode protocol stack virtual router
CN111294221B (en) * 2018-12-07 2023-03-03 网宿科技股份有限公司 Network isolation configuration method and device based on haproxy
CN111294827A (en) * 2019-02-28 2020-06-16 展讯通信(上海)有限公司 Adaptive network communication method and device of application program
CN111669355B (en) * 2019-03-08 2023-04-18 厦门网宿有限公司 Method for batch processing of nginx network isolation space and nginx server
CN111835685B (en) * 2019-04-19 2022-10-28 厦门网宿有限公司 Method and server for monitoring running state of Nginx network isolation space
CN111835684B (en) * 2019-04-19 2023-01-20 厦门网宿有限公司 Network isolation monitoring method and system for haproxy equipment
CN111949471A (en) * 2019-05-16 2020-11-17 珠海格力电器股份有限公司 Monitoring control method for terminal process
CN110336758B (en) * 2019-05-28 2022-10-28 厦门网宿有限公司 Data distribution method in virtual router and virtual router
CN111143062A (en) * 2019-12-19 2020-05-12 上海交通大学 Balanced partitioning strategy for external load process by user mode protocol stack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103796282A (en) * 2014-02-27 2014-05-14 黄晓峰 Network telephony processing method for smart mobile terminal
CN104331329A (en) * 2014-09-30 2015-02-04 上海斐讯数据通信技术有限公司 Mobile office security system and method supporting domain management
CN104394130A (en) * 2014-11-12 2015-03-04 国云科技股份有限公司 A multi-tenant virtual network isolating method
CN104579831A (en) * 2014-12-26 2015-04-29 北京网秦天下科技有限公司 Data transmission processing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090276351A1 (en) * 2008-04-30 2009-11-05 Strands, Inc. Scaleable system and method for distributed prediction markets
US9137209B1 (en) * 2008-12-10 2015-09-15 Amazon Technologies, Inc. Providing local secure network access to remote services
CN103618736A (en) * 2013-12-09 2014-03-05 成都达信通通讯设备有限公司 Safety application system for mobile terminal to automatically switch between different channel networking interfaces
CN104239764B (en) * 2014-10-15 2017-07-07 北京奇虎科技有限公司 The management-control method and device of terminal device and its systemic-function
CN104483951B (en) * 2014-12-19 2017-12-15 宇龙计算机通信科技(深圳)有限公司 A kind of method, apparatus and terminal for controlling intelligent home device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103796282A (en) * 2014-02-27 2014-05-14 黄晓峰 Network telephony processing method for smart mobile terminal
CN104331329A (en) * 2014-09-30 2015-02-04 上海斐讯数据通信技术有限公司 Mobile office security system and method supporting domain management
CN104394130A (en) * 2014-11-12 2015-03-04 国云科技股份有限公司 A multi-tenant virtual network isolating method
CN104579831A (en) * 2014-12-26 2015-04-29 北京网秦天下科技有限公司 Data transmission processing method and device

Also Published As

Publication number Publication date
CN105577632A (en) 2016-05-11
WO2016206171A1 (en) 2016-12-29


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant