CN106790028A - A kind of prison and the data transmission method and system of bank's intranet and extranet security isolation - Google Patents


Info

Publication number
CN106790028A
Authority
CN (China)
Prior art keywords
network, initial data, bank, network packet, prison
Legal status
Pending
Application number
CN201611157905.5A
Other languages
Chinese (zh)
Inventors
罗永进, 杨挺, 田承
Current assignee
Guizhou Jianxin Data Development Co Ltd
Original assignee
Guizhou Jianxin Data Development Co Ltd
Priority date
2016-12-15
Filing date
2016-12-15
Publication date
2017-05-31


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/12 Applying verification of the received information
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The present invention relates to the field of network security and discloses a data transmission method and system for the secure isolation of prison and bank internal and external networks. A first network packet is obtained and authenticated; the first network packet is decapsulated to recover the original data; verification processing is performed on the original data; the original data is encrypted; according to the type of the second network, protocol encapsulation is performed on the original data to generate a second network packet; and the second network packet is sent to the second network. The invention avoids the security problems that arise from the inherent fragility of the TCP/IP protocols and from latent weaknesses in some operating systems. A data ferrying approach ensures secure isolation between the prison and bank networks at both the hardware and software level.

Description

A data transmission method and system for the secure isolation of prison and bank internal and external networks
Technical field
The present invention relates to the field of network security, and in particular to a data transmission method and system for the secure isolation of prison and bank internal and external networks.
Background technology
Bank-based management of inmates' personal funds has become a trend in today's prisons. Because financial transactions are involved, the network security requirements for the connection between the prison and the bank are high. Security measures such as firewalls, proxy servers and intrusion detection can be used, but these technologies are all software-based logical isolation products that may be manipulated by hackers or by internal users, and they cannot meet the financial sector's requirements for data security. In addition, the core computer software and hardware currently used in China depend on imports, and nobody can guarantee that this software and hardware contains no back doors or vulnerabilities. The best approach is therefore to physically isolate the user's important data from the external Internet, so that there is no physical connection for a hacker to exploit; but then interworking with the external bank network cannot be achieved. What is needed is a technology that lets users isolate the internal and external networks effectively while still using the resources of both conveniently; this is the task that physical isolation technology is meant to accomplish.
Summary of the invention
The present invention provides a data transmission method and system for the secure isolation of prison and bank internal and external networks, solving the technical problem of the prior art that interworking between the prison network and the external bank network is limited and network security protection is insufficient.
The object of the invention is achieved through the following technical solution:
A data transmission method for the secure isolation of prison and bank internal and external networks, comprising:
obtaining a first network packet and performing authentication;
decapsulating the first network packet to recover the original data;
performing verification processing on the original data;
encrypting the original data;
performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
sending the second network packet to the second network.
A data transmission system for the secure isolation of prison and bank internal and external networks, comprising:
an acquisition module for obtaining a first network packet and performing authentication;
a decapsulation module for decapsulating the first network packet to recover the original data;
a verification module for performing verification processing on the original data;
an encryption module for encrypting the original data;
an encapsulation module for performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
a sending module for sending the second network packet to the second network.
The present invention provides a data transmission method and system for the secure isolation of prison and bank internal and external networks. A first network packet is obtained and authenticated; the first network packet is decapsulated to recover the original data; verification processing is performed on the original data; the original data is encrypted; according to the type of the second network, protocol encapsulation is performed on the original data to generate a second network packet; and the second network packet is sent to the second network. The invention avoids the security problems that arise from the inherent fragility of the TCP/IP protocols and from latent weaknesses in some operating systems. The data ferrying approach ensures secure isolation between the prison and bank networks at both the hardware and software level.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the data transmission method for the secure isolation of prison and bank internal and external networks according to an embodiment of the present invention;
Fig. 2 is a structural diagram of the data transmission system for the secure isolation of prison and bank internal and external networks according to an embodiment of the present invention.
Specific embodiments
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 1, a data transmission method for the secure isolation of prison and bank internal and external networks comprises:
Step 101: obtaining a first network packet and performing authentication;
Step 102: decapsulating the first network packet to recover the original data;
Step 103: performing verification processing on the original data;
Step 104: encrypting the original data;
Step 105: performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
Step 106: sending the second network packet to the second network.
Step 101 may specifically include:
Step 101-1: obtaining the first network packet through a first network interface;
Step 101-2: performing IP authentication and port authentication according to the IP address and port of the first network packet.
When the first network is the bank network, the second network is the prison network; when the first network is the prison network, the second network is the bank network.
Step 105 may specifically include performing TCP encapsulation on the original data according to the type of the second network, to generate the second network packet.
After step 102 and before step 103, the method may further include:
performing a virus scan on the original data, so that security threats hidden in the data portion can be identified.
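The ferry pipeline of steps 101 to 106, written out as an added example that is not part of the patent or of the applicant's product. The frame layouts, the per-side allowlists, the TCP-style framing, the HMAC-keyed stream cipher standing in for the unspecified encryption and the signature scanner are all assumptions; the direction (bank to prison or prison to bank) is selected by the `first_network` argument as in the embodiment, and `ferry` returns either the second-network frame or the reason a stage rejected the packet, which is what an operator would log at the gap.

```python
import hashlib
import hmac
import struct
import zlib
# Constructed first-network frame (assumption; the patent fixes no format):
#   src_ip(4) | src_port(2) | length(2) | payload | crc32(4)
FIRST_HDR = struct.Struct("!4sHH")
# Constructed second-network frame: tag(8) | dst_port(2) | length(2) | ciphertext
SECOND_HDR = struct.Struct("!8sHH")
# Constructed per-side allowlists of (IP, port) sources admitted into the gap.
ALLOWLIST = {"bank": {("10.1.1.5", 8443)}, "prison": {("192.168.50.10", 7000)}}
PEER = {"bank": "prison", "prison": "bank"}  # the second network is the other side
DST_PORT = {"bank": 9000, "prison": 9001}    # constructed service ports
KEY = b"constructed-demo-key"                # constructed hop-to-hop key
VIRUS_SIGNATURES = (b"MALWARE-MARKER",)      # constructed scanner signature

class FerryError(Exception):
    """Any stage raising this stops the packet; nothing crosses the gap."""

def build_first_packet(src_ip, src_port, payload):
    """Builds a first-network packet in the assumed layout (used for testing)."""
    ip_raw = bytes(int(o) for o in src_ip.split("."))
    return (FIRST_HDR.pack(ip_raw, src_port, len(payload)) + payload
            + struct.pack("!I", zlib.crc32(payload)))

def authenticate(packet, first_network):
    """Step 101-2: IP and port authentication against the side's allowlist."""
    ip_raw, port, _ = FIRST_HDR.unpack_from(packet)
    src = (".".join(str(b) for b in ip_raw), port)
    if src not in ALLOWLIST[first_network]:
        raise FerryError(f"unauthorised source {src[0]}:{src[1]}")

def decapsulate(packet):
    """Step 102: strip the first-network framing; returns payload and checksum."""
    _, _, length = FIRST_HDR.unpack_from(packet)
    body = packet[FIRST_HDR.size:]
    if len(body) != length + 4:
        raise FerryError("length field does not match packet size")
    return body[:length], struct.unpack("!I", body[length:])[0]

def virus_scan(payload):
    """Optional step between 102 and 103: drop payloads carrying a known marker."""
    if any(sig in payload for sig in VIRUS_SIGNATURES):
        raise FerryError("payload matched a malware signature")

def verify(payload, crc):
    """Step 103: verification treatment, here an integrity checksum."""
    if zlib.crc32(payload) != crc:
        raise FerryError("checksum mismatch")

def encrypt(payload):
    """Step 104: demo XOR stream cipher keyed by HMAC-SHA256, a stand-in for the
    patent's unspecified cipher (a real one needs a fresh nonce per packet)."""
    out = bytearray()
    for off in range(0, len(payload), 32):
        ks = hmac.new(KEY, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(payload[off:off + 32], ks))
    return bytes(out)

def encapsulate(ciphertext, second_network):
    """Step 105: TCP-style framing for the second network (claim 4)."""
    tag = second_network.encode().ljust(8, b"\x00")
    return SECOND_HDR.pack(tag, DST_PORT[second_network], len(ciphertext)) + ciphertext

def ferry(packet, first_network):
    """Runs steps 101-105 (step 106, the send, is the caller's socket write).
    Returns ("ok", second-network frame) or ("rejected", reason)."""
    try:
        authenticate(packet, first_network)
        payload, crc = decapsulate(packet)
        virus_scan(payload)
        verify(payload, crc)
        return "ok", encapsulate(encrypt(payload), PEER[first_network])
    except FerryError as err:
        return "rejected", str(err)
```

Because the demo keystream is a plain XOR, applying `encrypt` to the ferried ciphertext recovers the original data, which is how the receiving side of the gap would decrypt in this toy.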
The present invention provides a data transmission method for the secure isolation of prison and bank internal and external networks. A first network packet is obtained and authenticated; the first network packet is decapsulated to recover the original data; verification processing is performed on the original data; the original data is encrypted; according to the type of the second network, protocol encapsulation is performed on the original data to generate a second network packet; and the second network packet is sent to the second network. The invention avoids the security problems that arise from the inherent fragility of the TCP/IP protocols and from latent weaknesses in some operating systems. The data ferrying approach ensures secure isolation between the prison and bank networks at both the hardware and software level.
An embodiment of the present invention further provides a data transmission system for the secure isolation of prison and bank internal and external networks which, as shown in Fig. 2, comprises:
an acquisition module 210 for obtaining a first network packet and performing authentication;
a decapsulation module 220 for decapsulating the first network packet to recover the original data;
a verification module 230 for performing verification processing on the original data;
an encryption module 240 for encrypting the original data;
an encapsulation module 250 for performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
a sending module 260 for sending the second network packet to the second network.
The acquisition module 210 includes:
a receiving unit 211 for obtaining the first network packet through a first network interface;
an authentication unit 212 for performing IP authentication and port authentication according to the IP address and port of the first network packet.
The encapsulation module 250 is specifically configured to perform TCP encapsulation on the original data according to the type of the second network, to generate the second network packet.
The system may further include a virus scanning module 270 for performing a virus scan on the original data after the first network packet has been decapsulated and before verification processing is performed on the original data.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary hardware platform, or of course entirely by hardware, but in many cases the former is the better implementation. On this basis, the technical solution of the invention, or the part of it that contributes over the background technology, can be embodied in the form of a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the invention or in some parts of them.
The invention has been described in detail above; specific examples have been used herein to explain its principle and embodiments, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. Meanwhile, for those of ordinary skill in the art, changes may be made to the specific embodiments and the scope of application in accordance with the idea of the invention. In summary, the contents of this specification should not be construed as limiting the invention.

Claims (9)

1. A data transmission method for the secure isolation of prison and bank internal and external networks, characterised in that it comprises:
obtaining a first network packet and performing authentication;
decapsulating the first network packet to recover the original data;
performing verification processing on the original data;
encrypting the original data;
performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
sending the second network packet to the second network.
2. The data transmission method for the secure isolation of prison and bank internal and external networks according to claim 1, characterised in that obtaining the first network packet and performing authentication comprises:
obtaining the first network packet through a first network interface;
performing IP authentication and port authentication according to the IP address and port of the first network packet.
3. The data transmission method for the secure isolation of prison and bank internal and external networks according to claim 1, characterised in that when the first network is the bank network, the second network is the prison network; and when the first network is the prison network, the second network is the bank network.
4. The data transmission method for the secure isolation of prison and bank internal and external networks according to claim 1, characterised in that, according to the type of the second network, TCP encapsulation is performed on the original data to generate the second network packet.
5. The data transmission method for the secure isolation of prison and bank internal and external networks according to claim 1, characterised in that, after decapsulating the first network packet and before performing verification processing on the original data, the method further comprises: performing a virus scan on the original data.
6. A data transmission system for the secure isolation of prison and bank internal and external networks, characterised in that it comprises:
an acquisition module for obtaining a first network packet and performing authentication;
a decapsulation module for decapsulating the first network packet to recover the original data;
a verification module for performing verification processing on the original data;
an encryption module for encrypting the original data;
an encapsulation module for performing protocol encapsulation on the original data according to the type of the second network, to generate a second network packet;
a sending module for sending the second network packet to the second network.
7. The data transmission system for the secure isolation of prison and bank internal and external networks according to claim 6, characterised in that the acquisition module comprises:
a receiving unit for obtaining the first network packet through a first network interface;
an authentication unit for performing IP authentication and port authentication according to the IP address and port of the first network packet.
8. The data transmission system for the secure isolation of prison and bank internal and external networks according to claim 6, characterised in that the encapsulation module is specifically configured to perform TCP encapsulation on the original data according to the type of the second network, to generate the second network packet.
9. The data transmission system for the secure isolation of prison and bank internal and external networks according to claim 6, characterised in that it further comprises a virus scanning module for performing a virus scan on the original data after the first network packet has been decapsulated and before verification processing is performed on the original data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611157905.5A CN106790028A (en) 2016-12-15 2016-12-15 A kind of prison and the data transmission method and system of bank's intranet and extranet security isolation

Publications (1)

Publication Number Publication Date
CN106790028A true CN106790028A (en) 2017-05-31

Family

ID=58889084

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855634A (en) * 2019-10-24 2020-02-28 北京电信易通信息技术股份有限公司 Cross-network switching service system and method based on secure network
CN114389866A (en) * 2021-12-29 2022-04-22 北京连山科技股份有限公司 System and method for realizing high-speed isolation network gate data ferrying

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1953395A (en) * 2006-09-18 2007-04-25 北京明朝万达科技有限公司 A method to control network separation based on mode switch
CN103812861A (en) * 2014-01-20 2014-05-21 广东电网公司电力科学研究院 IPSEC (internet protocol security) VPN (virtual private network) device, isolation method thereof and isolation system thereof
CN104683352A (en) * 2015-03-18 2015-06-03 宁波科安网信通讯科技有限公司 Industrial communication isolation gap with double-channel ferrying function
US20160087933A1 (en) * 2006-09-25 2016-03-24 Weaved, Inc. Techniques for the deployment and management of network connected devices
CN105656883A (en) * 2015-12-25 2016-06-08 冶金自动化研究设计院 Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network



Legal Events

Code Title Description
PB01 Publication Application publication date: 20170531
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication