CN106888189A - Secure border management system and its management method - Google Patents
Secure border management system and its management method Download PDFInfo
- Publication number
- CN106888189A CN106888189A CN201510942581.5A CN201510942581A CN106888189A CN 106888189 A CN106888189 A CN 106888189A CN 201510942581 A CN201510942581 A CN 201510942581A CN 106888189 A CN106888189 A CN 106888189A
- Authority
- CN
- China
- Prior art keywords
- submodule
- information
- audit
- cross
- access control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a kind of secure border management system and its management method, the system includes application proxy submodule, information landing submodule, Information encapsulation submodule, cross-domain access control submodule, audit submodule, information filtering submodule, internal agreement transmission submodule, and application proxy submodule and information landing submodule are unidirectionally connected;Information lands submodule and cross-domain access control submodule, audit submodule, information filtering submodule are unidirectionally connected;Cross-domain access control submodule, audit submodule, information filtering submodule and Information encapsulation submodule are unidirectionally connected;Information encapsulation submodule and application proxy submodule are unidirectionally connected.According to the given access configuration strategy of safety management platform, the information to all cross-border access carries out effective safe access control to the present invention.Ensure that internet information is exchanged is carried out under safely controllable environment, authentication is carried out to visitor, and retain the audit information that can investigate person directly responsible.
Description
Technical field
The present invention relates to a kind of management system and its management method, more particularly to a kind of secure border management system and its management method.
Background technology
At present, Mobile Market has sharp changed the general layout of IT industries, the mobile devices such as smart mobile phone, panel computer and lightweight notebook computer more and more important role of performer in our live and work, they have become the important tool that data sharing is carried out in live and work.For example, people carry out sharing for business meetings data by with mobile phone, and business meetings often relate to some trade secrets, trade secret is happened occasionally by the thing that participant's malice is divulged a secret, at present, the approach one for tracing blabber is that blabber oneself recognizes, another is exactly that other people expose, typically less when voluntarily recognizing for blabber, the in the case of of exposing for other people, easily occur slandering, and easily allow thing to disclose and cause party ugly.
The content of the invention
The technical problems to be solved by the invention are to provide a kind of secure border management system and its management method, it is according to the given access configuration strategy of safety management platform, information to all cross-border access carries out effective safe access control, ensure that internet information is exchanged is carried out under safely controllable environment, authentication is carried out to visitor, and retains the audit information that can investigate person directly responsible.The security domain that guarantee information is protected in exchanging, not by the interference and destruction of other unauthorized access.
The present invention is to solve above-mentioned technical problem by following technical proposals:
A kind of secure border management system, it includes application proxy submodule, information landing submodule, Information encapsulation submodule, cross-domain access control submodule, audit submodule, information filtering submodule, internal agreement transmission submodule;Application proxy submodule and information landing submodule are unidirectionally connected;Information lands submodule and cross-domain access control submodule, audit submodule, information filtering submodule are unidirectionally connected;Cross-domain access control submodule, audit submodule, information filtering submodule and Information encapsulation submodule are unidirectionally connected;Information encapsulation submodule and application proxy submodule are unidirectionally connected.
Preferably, described information landing submodule is used to reduce the cross-domain network information to application layer, obtains subject and object information;The data come from application proxy submodule are received, and according to data category different disposal, if authentication information, obtains subject and object information;If the cross-domain network information, then be reduced into application layer data.
Preferably, described information encapsulation submodule is used for the application layer data that would allow through, and being configured by the inside for setting carries out protocol encapsulation.
Preferably, the cross-domain access control submodule is used to, according to Mandatory Access Control and Subjective and Objective label information, realize the forced symmetric centralization to information in protected security domain, it is ensured that the confidentiality and integrity of information system is not damaged;Secure identity authentication scheme based on Security Strategies, can be bound identity and authorization privilege by authentication mechanism.
Preferably, the Mandatory Access Control mainly completes following functions:The access of cross-border main object file is controlled, the confidentiality and integrality of information system are not damaged in protected field, the access operation of wherein main object file includes:The download of file, the upload of file, the establishment of file, the deletion of file, the renaming of file.
Preferably, the audit submodule is used for the audit carried out to all operations by border, and submits audit information to audit server;According to audit strategy, the dependent event to occurring in system carries out a series of audit action, for auditor provides information specific enough, to the problem of the generation of discrimination system;The audit-trail record of cross-border access is created and safeguarded, and unauthorized user can be prevented to access or destroy it;The all dependent events for occurring are recorded, is examined for auditor.
Preferably, described information filter submodule is used to carry out a series of safety filtering to information according to Security Strategies;According to the strategy of configured in advance, a series of filtering is carried out to stripped data message.
Preferably, the data transfer that the internal agreement transmission submodule is used between three machine inside;Internal agreement transmission submodule is transmitted using special non-network card chip, and the intercommunication inside three machines is realized to other modules, and simple read-write interface is provided to top;Reading and writing, three kinds of interfaces of control that it provides internal transmission agreement.
The present invention also provides a kind of management method of secure border management system, and the data flow when information request of the secure border management system and its management method goes out border is comprised the following steps that:
Step one:Application proxy submodule receive information is connected, and is given information to land submodule information data and is processed;
Step 2:Information landing submodule analyzes the relevant informations such as corresponding identity, main body, object, sends internal agreement transmission submodule to;
Step 3:The internal agreement transmission submodule application data of home agent carries out a series for the treatment of, ferry-boat to arbitration machine;
Step 4:Identity identification function in cross-domain access control submodule discriminates one's identification the legitimacy of information, judges the legitimacy of connection, and this judged result information is used to control the break-make of application proxy submodule;After identity differentiates, forced symmetric centralization function in cross-domain access control submodule conducts interviews effect to corresponding request body and object information, if operation is legal, allows operation, otherwise interrupt operation;
Step 5:The result of cross-domain access control passes home agent control back, takes corresponding operational control application proxy submodule;
Step 6:Application data information after securing permission is transferred to information filtering submodule, and information filtering submodule carries out safety filtering according to filtering policy, application data;
Step 7:Ferried to external agent by arbitration machine internal agreement transmission submodule again by the application data for filtering;
Step 8:Application data is strategically configured and carries out data encapsulation by external agent;
Step 9:Packaged information is sent by application proxy submodule;
Step 10:Audit submodule needs to record a series of relevant informations that all submodules occur;
Step 11:All audit informations are transmitted to arbitration machine by internal agreement transmission submodule, and arbitration machine is processed and deposited according to corresponding strategy;
Step 12:Safety management acquisition of information:After access that security management center is credible, related strategy is sent to internal agreement transmission submodule, is respectively sent to need each submodule of this type of information by the submodule;
Step 13:Audit information sends:By special transmission channel, log information is sent to auditing system.
The beneficial effects of the present invention are:, according to the given access configuration strategy of safety management platform, the information to all cross-border access carries out effective safe access control for secure border management system of the present invention and its management method.Ensure that internet information is exchanged is carried out under safely controllable environment, authentication is carried out to visitor, and retain the audit information that can investigate person directly responsible.The security domain that guarantee information is protected in exchanging, not by the interference and destruction of other unauthorized access.
Brief description of the drawings
Fig. 1 is the subsystem module composition figure of secure border management system of the present invention.
Fig. 2 is the subsystem schematic flow sheet of secure border management system of the present invention.
Fig. 3 is the programmed logic figure of cross-domain access control submodule in the present invention.
Fig. 4 is the logic chart of application proxy submodule in the present invention.
Fig. 5 is the logic chart of audit submodule in the present invention.
Fig. 6 is the logic chart of information landing submodule in the present invention.
Fig. 7 is the logic chart of Information encapsulation submodule in the present invention.
Fig. 8 is the logic chart of information filtering submodule in the present invention.
Fig. 9 is the programmed logic figure of internal agreement transmission submodule in the present invention.
Specific embodiment
Present pre-ferred embodiments are given below in conjunction with the accompanying drawings, to describe technical scheme in detail.
As shown in Figures 1 to 9, secure border management system of the present invention includes application proxy submodule, information landing submodule, Information encapsulation submodule, cross-domain access control submodule, audit submodule, information filtering submodule, internal agreement transmission submodule.Application proxy submodule and information landing submodule are unidirectionally connected;Information lands submodule and cross-domain access control submodule, audit submodule, information filtering submodule are unidirectionally connected;Cross-domain access control submodule, audit submodule, information filtering submodule and Information encapsulation submodule are unidirectionally connected;Information encapsulation submodule and application proxy submodule are unidirectionally connected.Application proxy submodule opens the service of monitoring according to the configuration of security management center, receive or send the cross-domain network information, and need according to identity identification module and the control information of forced symmetric centralization module, to judge the legitimacy of connection user, the access of validated user is received, refuses the connection of disabled user.Information landing submodule is used to reduce the cross-domain network information to application layer, obtains subject and object information;It receives the data come from application proxy module, and according to data category different disposal, if authentication information, subject and object information is obtained, if the cross-domain network information, is reduced into application layer data.Information encapsulation submodule is used for the application layer data that would allow through, and being configured by the inside for setting carries out protocol encapsulation.Cross-domain access control submodule is used for(Forced symmetric centralization function)According to Mandatory Access Control and Subjective and Objective label information, the forced symmetric centralization to information in protected security domain is realized, it is ensured that the confidentiality and integrity of information system is not damaged.(Identity identification function)Secure identity authentication scheme based on Security Strategies, can be bound identity and authorization privilege by authentication mechanism;Forced symmetric centralization module mainly completes following functions:The access of cross-border main object file is controlled, the confidentiality and integrality of information system are not damaged in protected field.Access operation of the theme to object file includes:The download of file, the upload of file, the establishment of file, the deletion of file, the renaming of file.Audit submodule is used for the audit carried out to all operations by border, and submits audit information to audit server;According to audit strategy, the dependent event to occurring in system carries out a series of audit action.Its information specific enough for auditor provides, to the problem of the generation of discrimination system;The audit-trail record that it can create and safeguard cross-border access, and unauthorized user can be prevented to access it or destroy, it is necessary to record all dependent events of generation, examined for auditor.Information filtering submodule is used to carry out a series of safety filtering to information according to Security Strategies;According to the strategy of configured in advance, a series of filtering is carried out to stripped data message.The data transfer that internal agreement transmission submodule is used between three machine inside;It uses special non-network card chip to be transmitted, and the intercommunication inside three machines is realized to other modules, and simple read-write interface is provided to top.
Further embodiment of this invention comprises the following steps there is provided a kind of management method of secure border management system:
Step one:Application proxy submodule receive information connection first, then gives information to land submodule information data and processes.
Step 2:Information landing submodule analyzes the relevant informations such as corresponding identity, main body, object, sends internal agreement transmission submodule to.
Step 3:The internal agreement transmission submodule application data of home agent carries out a series for the treatment of, ferry-boat to arbitration machine.
Step 4:Identity identification function in cross-domain access control submodule discriminates one's identification the legitimacy of information, judges the legitimacy of connection, and this judged result information is used to control the break-make of application proxy submodule;After identity differentiates, forced symmetric centralization function in cross-domain access control submodule conducts interviews effect to corresponding request body and object information, if operation is legal, allows operation, otherwise interrupt operation.
Step 5:The result of cross-domain access control passes home agent control back, takes corresponding operational control application proxy submodule.
Step 6:Application data information after securing permission is transferred to information filtering submodule, and information filtering submodule carries out safety filtering according to filtering policy, application data.
Step 7:Ferried to external agent by arbitration machine internal agreement transmission submodule again by the application data for filtering.
Step 8:Application data is strategically configured and carries out data encapsulation by external agent.
Step 9:Packaged information is sent by application proxy submodule again.
Step 10:Audit submodule needs to record a series of relevant informations that all submodules occur.
Step 11:All audit informations are transmitted to arbitration machine by internal agreement transmission submodule.Arbitration machine is processed and deposited according to corresponding strategy.
Step 12:Safety management acquisition of information:After access that security management center is credible, related strategy is sent to internal agreement transmission submodule, is respectively sent to need each submodule of this type of information by the submodule.
Step 13:Audit information sends:By special transmission channel, log information is sent to auditing system.
, according to the given access configuration strategy of safety management platform, the information to all cross-border access carries out effective safe access control for secure border management system of the present invention and its management method.Ensure that internet information is exchanged is carried out under safely controllable environment, authentication is carried out to visitor, and retain the audit information that can investigate person directly responsible.The security domain that guarantee information is protected in exchanging, not by the interference and destruction of other unauthorized access.
Particular embodiments described above; technical problem, technical scheme and beneficial effect to solution of the invention are further described; should be understood that; the foregoing is only specific embodiment of the invention; it is not intended to limit the invention; all any modification, equivalent substitution and improvements within the spirit and principles in the present invention, done etc., should be included within the scope of the present invention.
Claims (9)
1. a kind of secure border management system, it is characterised in that it includes application proxy submodule, information landing submodule, Information encapsulation submodule, cross-domain access control submodule, audit submodule, information filtering submodule, internal agreement transmission submodule;Application proxy submodule and information landing submodule are unidirectionally connected;Information lands submodule and cross-domain access control submodule, audit submodule, information filtering submodule are unidirectionally connected;Cross-domain access control submodule, audit submodule, information filtering submodule and Information encapsulation submodule are unidirectionally connected;Information encapsulation submodule and application proxy submodule are unidirectionally connected.
2. secure border management system as claimed in claim 1, it is characterised in that described information landing submodule is used to reduce the cross-domain network information to application layer, obtains subject and object information;The data come from application proxy submodule are received, and according to data category different disposal, if authentication information, obtains subject and object information;If the cross-domain network information, then be reduced into application layer data.
3. secure border management system as claimed in claim 1, it is characterised in that described information encapsulation submodule is used for the application layer data that would allow through, and being configured by the inside for setting carries out protocol encapsulation.
4. secure border management system as claimed in claim 1; it is characterized in that; the cross-domain access control submodule is used for according to Mandatory Access Control and Subjective and Objective label information; realize the forced symmetric centralization to information in protected security domain, it is ensured that the confidentiality and integrity of information system is not damaged;Secure identity authentication scheme based on Security Strategies, can be bound identity and authorization privilege by authentication mechanism.
5. secure border management system according to claim 4, it is characterised in that the Mandatory Access Control mainly completes following functions:The access of cross-border main object file is controlled, the confidentiality and integrality of information system are not damaged in protected field, the access operation of wherein main object file includes:The download of file, the upload of file, the establishment of file, the deletion of file, the renaming of file.
6. secure border management system as claimed in claim 1, it is characterised in that the audit submodule is used for the audit carried out to all operations by border, and submits audit information to audit server;According to audit strategy, the dependent event to occurring in system carries out a series of audit action, for auditor provides information specific enough, to the problem of the generation of discrimination system;The audit-trail record of cross-border access is created and safeguarded, and unauthorized user can be prevented to access or destroy it;The all dependent events for occurring are recorded, is examined for auditor.
7. secure border management system as claimed in claim 1, it is characterised in that described information filter submodule is used to carry out a series of safety filtering to information according to Security Strategies;According to the strategy of configured in advance, a series of filtering is carried out to stripped data message.
8. secure border management system as claimed in claim 1, it is characterised in that the data transfer that the internal agreement transmission submodule is used between three machine inside;Internal agreement transmission submodule is transmitted using special non-network card chip, and the intercommunication inside three machines is realized to other modules, and simple read-write interface is provided to top;Reading and writing, three kinds of interfaces of control that it provides internal transmission agreement.
9. a kind of management method of secure border management system, it is characterised in that the data flow when information request of the secure border management system and its management method goes out border is comprised the following steps that:
Step one:Application proxy submodule receive information is connected, and is given information to land submodule information data and is processed;
Step 2:Information landing submodule analyzes the relevant informations such as corresponding identity, main body, object, sends internal agreement transmission submodule to;
Step 3:The internal agreement transmission submodule application data of home agent carries out a series for the treatment of, ferry-boat to arbitration machine;
Step 4:Identity identification function in cross-domain access control submodule discriminates one's identification the legitimacy of information, judges the legitimacy of connection, and this judged result information is used to control the break-make of application proxy submodule;After identity differentiates, forced symmetric centralization function in cross-domain access control submodule conducts interviews effect to corresponding request body and object information, if operation is legal, allows operation, otherwise interrupt operation;
Step 5:The result of cross-domain access control passes home agent control back, takes corresponding operational control application proxy submodule;
Step 6:Application data information after securing permission is transferred to information filtering submodule, and information filtering submodule carries out safety filtering according to filtering policy, application data;
Step 7:Ferried to external agent by arbitration machine internal agreement transmission submodule again by the application data for filtering;
Step 8:Application data is strategically configured and carries out data encapsulation by external agent;
Step 9:Packaged information is sent by application proxy submodule;
Step 10:Audit submodule needs to record a series of relevant informations that all submodules occur;
Step 11:All audit informations are transmitted to arbitration machine by internal agreement transmission submodule, and arbitration machine is processed and deposited according to corresponding strategy;
Step 12:Safety management acquisition of information:After access that security management center is credible, related strategy is sent to internal agreement transmission submodule, is respectively sent to need each submodule of this type of information by the submodule;
Step 13:Audit information sends:By special transmission channel, log information is sent to auditing system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510942581.5A CN106888189A (en) | 2015-12-16 | 2015-12-16 | Secure border management system and its management method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510942581.5A CN106888189A (en) | 2015-12-16 | 2015-12-16 | Secure border management system and its management method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106888189A true CN106888189A (en) | 2017-06-23 |
Family
ID=59174089
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510942581.5A Pending CN106888189A (en) | 2015-12-16 | 2015-12-16 | Secure border management system and its management method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106888189A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108173830A (en) * | 2017-12-22 | 2018-06-15 | 北京明朝万达科技股份有限公司 | A kind of data safety between net is shared and management method and system |
| CN108600178A (en) * | 2018-03-28 | 2018-09-28 | 深圳市银之杰科技股份有限公司 | A kind of method for protecting and system, reference platform of collage-credit data |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101272281A (en) * | 2008-04-22 | 2008-09-24 | 北京邮电大学 | System and method for providing network service relating to four parties |
| CN102299926A (en) * | 2011-08-29 | 2011-12-28 | 浙江中烟工业有限责任公司 | Data exchange prepositioning subsystem of multistage safe interconnection platform |
-
2015
- 2015-12-16 CN CN201510942581.5A patent/CN106888189A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101272281A (en) * | 2008-04-22 | 2008-09-24 | 北京邮电大学 | System and method for providing network service relating to four parties |
| CN102299926A (en) * | 2011-08-29 | 2011-12-28 | 浙江中烟工业有限责任公司 | Data exchange prepositioning subsystem of multistage safe interconnection platform |
Non-Patent Citations (2)
| Title |
|---|
| 范红: "信息系统整体保护安全设计技术实现", 《警察技术》 * |
| 蔡智勇: "高安全等级网络中信息隐蔽分析和实用抵抗模型", 《中国博士学位论文全文数据库》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108173830A (en) * | 2017-12-22 | 2018-06-15 | 北京明朝万达科技股份有限公司 | A kind of data safety between net is shared and management method and system |
| CN108600178A (en) * | 2018-03-28 | 2018-09-28 | 深圳市银之杰科技股份有限公司 | A kind of method for protecting and system, reference platform of collage-credit data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Nieto et al. | Digital witness: Safeguarding digital evidence by using secure architectures in personal devices | |
| CN104113595B (en) | A kind of mixing cloud storage system and method based on safety status classification | |
| King et al. | What do They Really Know about Me in the Cloud: A Comparative Law Perspective on Protecting Privacy and Security of Sensitive Consumer Data | |
| CN101488952A (en) | Mobile storage apparatus, data secured transmission method and system | |
| CN101986599B (en) | Network security control method based on cloud service and cloud security gateway | |
| CN100399739C (en) | Method and system for realizing trust identification based on negotiation communication | |
| CN103618693B (en) | A cloud manufacturing user data management and control method based on labels | |
| RU2573211C2 (en) | Execution method and universal electronic card and smart card system | |
| CN103942478A (en) | Method and device for identity verification and authority management | |
| CN109741800A (en) | The method for security protection of medical data intranet and extranet interaction based on block chain technology | |
| CN103812649A (en) | Method and system for safety access control of machine-card interface, and handset terminal | |
| CN103905402B (en) | A kind of secret and safe management method based on safety label | |
| KR101318170B1 (en) | data sharing system using a tablets apparatus and controlling method therefor | |
| CN104219077A (en) | Information management system for middle and small-sized enterprises | |
| CN104239812A (en) | Local area network data safety protection method and system | |
| CA2702220C (en) | Method of establishing protected electronic communication between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service | |
| Shehu et al. | On the interoperability of european national identity cards | |
| CN102790770A (en) | Electronic document concentrated preservation and takeout safety management system and method | |
| CN104506480A (en) | Cross-domain access control method and system based on marking and auditing combination | |
| KR20110126953A (en) | Apparatus for safely distributing an internal document and methods thereof | |
| CN106888189A (en) | Secure border management system and its management method | |
| Otterbein et al. | The German eID as an authentication token on android devices | |
| CN203164961U (en) | Safe portable storage device | |
| KR101349762B1 (en) | Method for protecting and menaging a personal information | |
| DE102009027268B3 (en) | Method for generating an identifier |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170623 |