CN107046495B - Method, device and system for constructing virtual private network - Google Patents

Info

Publication number
CN107046495B
Authority
CN
China
Prior art keywords
type
message
protocol message
protocol
sending
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610084105.9A
Other languages
Chinese (zh)
Other versions
CN107046495A (en
Inventor
屠一凡
周欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201610084105.9A
Publication of CN107046495A
Application granted
Publication of CN107046495B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Abstract

The invention discloses a method, a device and a system for constructing a virtual private network. The method comprises: detecting the message type of a received protocol message; when the message type is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network; detecting message parameters in the second type protocol message and judging whether they match attack characteristics of a network attack; and sending the second type protocol message when the judgment result is negative. The invention solves the technical problem that a VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a specific communication protocol.

Description

Method, device and system for constructing virtual private network
Technical Field
The present invention relates to the field of communication technology application, and in particular, to a method, an apparatus, and a system for constructing a virtual private network.
Background
With the wide use of internet technology, besides making it convenient for people to obtain information on the internet, how to ensure security while using the internet has always been a concern of internet security.
To secure internet communication at the enterprise level, between enterprises, between groups, or between individuals and enterprises, a Virtual Private Network (VPN) is a commonly used way of connecting private networks. A VPN carries the traffic of an intranet over a public network architecture such as the internet, and uses a tunneling protocol over an encrypted channel to achieve private-message security properties such as confidentiality, sender authentication and message integrity. VPN technology therefore enables reliable, secure messaging over untrusted networks such as the internet. VPNs are classified in several ways, chiefly by protocol, and can be implemented as a server, in hardware or in software. Software VPNs are currently the most common, and common software protocols include the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPsec), Generic Routing Encapsulation (GRE) and others.
However, in the related art the implementation of a VPN is complex: devices such as a virtual network card need to be added on both the client side and the server side, which cannot meet the requirements of certain application scenarios. For example, on a diskless workstation, adding a hardware device such as a network card requires a restart, but on a diskless workstation all changes are lost at restart, so plug-and-play cannot be achieved there. Most importantly, when establishing a VPN tunnel, if a network device does not support the specific tunneling protocol, the tunnel cannot be established. The most typical case is that most home routers cannot support Generic Routing Encapsulation (GRE) tunnels. Thus, when the devices on the two sides of the VPN network are incompatible with a particular communication protocol, the VPN tunnel cannot be established.
For the above problem in the related art, that a VPN tunnel cannot be established because the devices on both sides of the VPN network are incompatible with a specific communication protocol, no effective solution has been proposed so far.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for constructing a virtual private network, which at least solve the technical problem that a VPN tunnel cannot be established due to the incompatibility of equipment on two sides of a VPN network to a specific communication protocol.
According to an aspect of an embodiment of the present invention, there is provided a method for constructing a virtual private network, including: detecting the message type of a protocol message received in advance; when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network; detecting message parameters in the second type protocol messages, and judging whether the message parameters have attack characteristics of network attack or not; and sending the second type protocol message under the condition that the judgment result is negative.
According to an aspect of an embodiment of the present invention, there is provided another method for constructing a virtual private network, including: receiving a second type protocol message sent by a client; judging whether the message parameters in the second type protocol message have the attack characteristics of the network attack; and under the condition that the judgment result is negative, sending the second type protocol message to the corresponding sending port according to the type of the server.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for constructing a virtual private network, including: a detection module, configured to detect the message type of a received protocol message; a conversion module, configured to convert the protocol message into a second type protocol message used for communication in the virtual private network when the message type of the protocol message is a first type protocol message; a judging module, configured to detect message parameters in the second type protocol message and judge whether the message parameters match attack characteristics of a network attack; and a sending module, configured to send the second type protocol message when the judgment result is negative.
Optionally, the conversion module comprises: an obtaining unit, configured to obtain data in the protocol message; and the packaging unit is used for packaging the data according to the format of the second type protocol message to obtain the protocol message with the message type of the second type protocol message.
Optionally, the apparatus further comprises: and the encryption module is used for obtaining a corresponding encryption rule according to the service type matching of the protocol message before detecting the message parameter in the second type of protocol message, and encrypting the second type of protocol message according to the encryption rule, wherein the encryption rule is used for indicating that the encryption security level is changed according to the service type in the encryption process.
Optionally, the encryption module includes: and the encryption unit is used for executing characteristic encryption on the second type protocol message according to the encryption rule, wherein the characteristic encryption is carried out according to message parameters in the second type protocol message.
Optionally, the determining module includes: a detection unit, configured to detect a message length, a feature value, a sending rate, and a data size in the message parameter in the second type protocol message; a first judging unit, configured to judge whether at least one of a message length, a feature value, a sending rate, and a data size in the message parameter matches a preset attack feature; and the second judging unit is used for judging whether the protocol message has the network attack according to the matching result of the message parameters and the attack characteristics.
Optionally, the apparatus further comprises: and the execution module is used for discarding the protocol message under the condition that the judgment result is yes.
Optionally, the apparatus further comprises: the receiving module is used for receiving the second type protocol message returned by the server; the matching module is used for matching the corresponding forwarding port according to the destination address of the second type protocol message; and the feedback module is used for returning the second type protocol message through the forwarding port.
Optionally, the feedback module comprises: a type detection unit, configured to detect a type of a protocol packet supported by a forwarding port corresponding to the destination address; and the sending unit is used for sending the second type of protocol message according to the type of the protocol message supported by the forwarding port.
Optionally, the sending unit includes: an obtaining subunit, configured to obtain data in the second type of protocol packet when it is detected that the type of the protocol packet supported by the forwarding port is a first type of protocol packet; and the first sending subunit is configured to return the data through the corresponding forwarding port.
Optionally, the sending unit includes: and the second sending subunit is configured to, when it is detected that the type of the protocol packet supported by the forwarding port is a second type protocol packet, return the second type protocol packet through the corresponding forwarding port.
According to another aspect of the embodiments of the present invention, there is provided another apparatus for constructing a virtual private network, including: the receiving module is used for receiving a second type protocol message sent by the client; the judging module is used for judging whether the message parameters in the second type protocol message have the attack characteristics of the network attack; and the sending module is used for sending the second type of protocol message to the corresponding sending port according to the type of the server under the condition that the judgment result is negative.
Optionally, the apparatus further comprises: and the decryption module is used for decrypting the second type of protocol message according to a preset decryption rule before sending the second type of protocol message to a corresponding sending port according to the type of the server.
Optionally, the decryption module includes: a matching unit, configured to match the corresponding decryption rule according to the service type of the second type protocol message; and a decryption unit, configured to perform feature decryption on the second type protocol message according to the decryption rule, where feature decryption means decrypting according to message parameters of the second type protocol message, the message parameters including at least one of message length, feature value, sending rate and data size.
Optionally, the sending module includes: the first sending unit is used for sending the second type of protocol message to the server through a first type of sending port when the type of the server supports the second type of protocol message, wherein the first type of sending port is a port corresponding to the server supporting the second type of protocol message; and the second sending unit is used for acquiring data in the second type of protocol message and sending the data to the server through a second type of sending port when the type of the server supports the first type of protocol message, wherein the second type of sending port is a port corresponding to the server supporting the first type of protocol message.
According to still another aspect of the embodiments of the present invention, there is also provided a system for constructing a virtual private network, including: a client tunnel device, configured to detect the message type of a received protocol message, convert a protocol message whose message type is a first type protocol message into a second type protocol message used for communication in the virtual private network, detect the message parameters of the second type protocol message to judge whether it has attack characteristics of a network attack, and send the message when the judgment result is negative; and a tunnel network device in communication with the client tunnel device, configured to receive the second type protocol message sent by the client tunnel device, detect whether it carries a network attack, and, when the judgment result is negative, send the decrypted second type protocol message to the corresponding sending port according to the type of the server. The client tunnel device is the apparatus for constructing a virtual private network described above; the tunnel network device is the other apparatus for constructing a virtual private network described above.
In the embodiment of the invention, the message type of the protocol message received in advance is detected; when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network; detecting message parameters in the second type protocol messages, and judging whether the message parameters have attack characteristics of network attack or not; and under the condition that the judgment result is negative, sending the second type of protocol message to achieve the aim that the two sides in the VPN network support the compatibility of the devices with different communication protocols, thereby realizing the technical effect of establishing the VPN tunnel and further solving the technical problem that the VPN tunnel cannot be established due to the incompatibility of the devices at the two sides of the VPN network to the specific communication protocol.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a computer terminal of a method for constructing a virtual private network according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for constructing a virtual private network according to a first embodiment of the present invention;
fig. 3 is a schematic structural diagram of a client tunneling apparatus in a method for constructing a virtual private network according to a first embodiment of the present invention;
fig. 4 is a schematic structural diagram of a tunneling service device in a client tunneling device in a method for constructing a virtual private network according to a first embodiment of the present invention;
fig. 5 is a flowchart of a method for constructing a virtual private network according to a second embodiment of the present invention;
fig. 6(a) is a schematic structural diagram of a tunnel terminating device in the method for constructing a virtual private network according to the second embodiment of the present invention;
FIG. 6(b) is a flow diagram of a method for constructing a virtual private network according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a third embodiment of the present invention;
fig. 8 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a third embodiment of the present invention;
fig. 9 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a third embodiment of the present invention;
fig. 10 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a third embodiment of the present invention;
fig. 11 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a third embodiment of the present invention;
fig. 12 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a fourth embodiment of the present invention;
fig. 13 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a fourth embodiment of the present invention;
fig. 14 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a fourth embodiment of the present invention;
fig. 15 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a fourth embodiment of the present invention;
fig. 16 is a schematic structural diagram of a system for constructing a virtual private network according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For the purpose of facilitating understanding of the embodiments of the present application, the technical terms referred to in the embodiments of the present application are explained below:
A Virtual Private Network (VPN) is a secure and stable tunnel through the public network, established by setting up a temporary secure connection across it; it can be understood as a virtual enterprise leased line. It establishes a dedicated communication line, using a special encrypted communication protocol, between two or more enterprise intranets in different places that are connected to the Internet;
The User Datagram Protocol (UDP) is a connectionless transport-layer protocol in the Open Systems Interconnection (OSI) reference model that provides a simple, unreliable, transaction-oriented message delivery service;
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream transport-layer protocol;
A Cyclic Redundancy Check (CRC) is an error-detecting code computed as the remainder of a polynomial division of the data;
Network attack: an attack on the hardware, software and data of a network system that exploits vulnerabilities and security defects present in the network;
Attack characteristics of network attacks: these include network packet sniffing, address spoofing, cryptographic attacks, denial-of-service attacks, and the like.
Example 1
There is also provided, in accordance with an embodiment of the present invention, a method embodiment of a method for constructing a virtual private network, it being noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of running on a computer terminal, fig. 1 is a hardware structure block diagram of a computer terminal of a method for constructing a virtual private network according to an embodiment of the present invention. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as the program instructions/modules corresponding to the method for constructing a virtual private network in the embodiment of the present invention, and the processor 102 performs the various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, it implements the method for constructing a virtual private network. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In the above operating environment, the present application provides a method for constructing a virtual private network as shown in fig. 2. Fig. 2 is a flowchart of a method for constructing a virtual private network according to a first embodiment of the present invention.
Step S202, detecting the message type of the protocol message received in advance;
the method for constructing the Virtual Private Network provided by the embodiment of the application can be suitable for establishing a Virtual Private Network (VPN), wherein a User Datagram Protocol (UDP) is used as a VPN tunnel communication protocol, and the problem that devices on two sides of a VPN tunnel are incompatible with a specific communication protocol is solved.
In step S202, on the client side a client tunnel device is configured in the application layer of the client, and its application-layer protocol docking device detects the message type of each received protocol message. In this embodiment the client may be any device that supports UDP, such as a notebook computer, a desktop computer, a tablet computer or a personal computer (PC). Taking a PC as the terminal: the application-layer protocol docking device of the PC examines the protocol message sent by an application on the PC and detects whether its message type is UDP or TCP.
The method for constructing a virtual private network provided in this embodiment takes as its example how the docking device joins the tunnel to the transport protocols in use (TCP and UDP, which sit at the transport layer of the OSI seven-layer model), and so resolves the incompatibility of the devices on the two sides of the VPN tunnel with a specific communication protocol.
The message types of protocol messages in this embodiment are as follows: a message encapsulated with a TCP protocol structure is the first type protocol message, and a message encapsulated with a UDP protocol structure is the second type protocol message.
In this embodiment the communication protocol of the VPN tunnel is UDP. Because UDP is a ubiquitous transport protocol that ordinary port-based NAT can translate (unlike GRE, which is IP protocol 47 and carries no port numbers, which is why many home routers cannot forward it), practically every network device will forward it, which removes the compatibility risk.
Step S204, when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network;
Building on step S202, and still using UDP and TCP as the example message types: in step S204, when the application-layer protocol docking device detects that the received protocol message is a TCP protocol message, it converts the TCP message into a message encapsulated in a UDP protocol structure, so that the message can still be carried even when the server on the other side of the VPN tunnel only supports UDP. The second type protocol message is therefore the UDP protocol message. As defined above, UDP itself provides neither ordering nor retransmission, so a tunnel that strips TCP messages down to their data and carries them over UDP must supply those guarantees itself, otherwise loss on the public network becomes visible to the application.
Step S206, detecting message parameters in the second type protocol message, and judging whether the message parameters have attack characteristics of network attack;
the method for constructing the virtual private network provided by the embodiment of the application solves the compatibility problem when the VPN network is established, and also solves the problem whether the UDP protocol message sent by the PC has network attack on the server at the other end of the VPN tunnel when the VPN network is established.
Based on step S204, after obtaining the UDP protocol packet suitable for the VPN tunnel to perform communication, in step S206 of the present application, before the PC sends the UDP protocol packet, data detection needs to be performed on the UDP protocol packet through the tunnel service device in the PC, and by detecting a packet parameter in the UDP protocol packet, it is determined whether the packet parameter has a feature matching an attack feature of a network attack.
Here, the message parameters in the UDP protocol message may include: data information such as a parity Check value of data, a Cyclic Redundancy Check (CRC) value of data, a message length, a destination IP used for communication, a destination port, and the like in the UDP protocol message.
If at least one of the message parameters matches an attack characteristic of a network attack, the UDP protocol message is taken to be a message that carries out a network attack. When the judgment result is yes, the UDP protocol message is discarded: that is, when at least one message parameter of the UDP protocol message matches an attack characteristic, the message is judged to pose a network-attack threat and is dropped, which protects the VPN network and in particular ensures that the server side is not attacked from the client side.
Here, if the tunnel service device determines that the message parameters in the UDP protocol message do not match the attack features of the network attack, step S208 is executed.
Step S208, sending the second type protocol message under the condition that the judgment result is negative.
Based on the determination in step S206 of whether the message parameters have the attack features of a network attack, in step S208, when the tunnel service device determines that the message parameters in the UDP protocol message do not match any attack feature of a network attack, the UDP message is sent.
With reference to steps S202 to S208, in the method for constructing a virtual private network provided in this embodiment of the present application, a tunnel device, namely the above-mentioned client tunnel device, is provided at the client. Fig. 3 is a schematic structural diagram of the client tunnel device in the method for constructing a virtual private network according to the first embodiment of the present invention. As shown in fig. 3, the client tunnel device includes an application layer protocol docking device and a tunnel service device. The application layer protocol docking device checks the received protocol message, judges the message type of the protocol message, and converts the protocol message into a UDP protocol message when the message type is a TCP protocol message, that is, it executes steps S202 and S204. The tunnel service device detects whether a network attack threat exists in the packet that has been converted into a UDP protocol packet, and sends the UDP protocol packet if no network attack threat exists in it, that is, it executes steps S206 and S208.
As can be seen from the above, in the solution provided in the first embodiment of the present application, the message type of a protocol message received in advance is detected; when the message type is the first type of protocol message, the protocol message is converted into the second type of protocol message used for communication in the virtual private network; the message parameters in the second type protocol message are detected and it is judged whether they have the attack characteristics of a network attack; and when the judgment result is negative, the second type protocol message is sent. This achieves compatibility between devices on the two sides of the VPN network that support different communication protocols, thereby realizing the technical effect of establishing the VPN tunnel and solving the technical problem that the VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a specific communication protocol. The network attack addressed by the embodiment of the present application at least includes a secret-level data transmission attack or a specific application layer data protocol attack, and is not particularly limited provided that the method for constructing the virtual private network of the embodiment is implemented.
Optionally, the step S204 of converting the protocol packet into a second type of protocol packet for communication in the virtual private network includes:
Step1, acquiring the data in the protocol message;
In Step1 of the above step S204, as shown in fig. 3, when the message type of the protocol message is a TCP protocol message, the TCP tunnel conversion device in the application layer protocol docking device acquires the data in the protocol message. The TCP tunnel conversion device acquires the data in the protocol message as follows:
firstly, a TCP server is established locally;
and secondly, obtaining data required to be transmitted by the TCP protocol through the TCP server.
Step2, encapsulating the data according to the format of the second type protocol message, to obtain a protocol message whose message type is the second type protocol message.
After the data in the protocol message has been acquired in Step1, in Step2 of the present application, if the data is to be sent to the server through the VPN tunnel, it must be encapsulated into a protocol message in the same protocol format as the communication protocol used by the VPN tunnel; the data is therefore encapsulated in a UDP protocol structure, and a UDP protocol message that can be transmitted through the VPN tunnel is obtained.
Optionally, before detecting the message parameter in the second-type protocol message in step S206, the method for constructing a virtual private network provided in the embodiment of the present application further includes:
Step S205, matching a corresponding encryption rule according to the service type of the protocol message, and encrypting the second type protocol message according to the encryption rule, wherein the encryption rule indicates that the encryption security level varies with the service type during encryption.
In the above step S205 of the present application, before the message parameters in the UDP protocol message are detected, the UDP protocol message needs to be encrypted so that it cannot easily be intercepted and decrypted in transit, which ensures information security. Fig. 4 is a schematic structural diagram of the tunnel service device in the client tunnel device in the method for constructing a virtual private network according to the embodiment of the present invention. As shown in fig. 4, the tunnel service device acquires the UDP protocol message through the tunnel pipe device in the application layer protocol docking device, dynamically matches a corresponding encryption rule according to the service type of the UDP protocol message through the tunnel core configuration module in the tunnel service device, and encrypts the UDP protocol message through the data encryption module according to that encryption rule.
Specifically, the tunnel core configuration module obtains the working state of the data encryption module from the data encryption module, notifies the data encryption module of the required working state according to the security level and delay-sensitivity information, and the data encryption module then flexibly generates an encryption rule according to those requirements and encrypts the UDP protocol message.
Further, optionally, the encrypting the second type protocol packet according to the encryption rule in step S205 includes:
Step1, performing feature encryption on the second type protocol message according to the encryption rule, wherein the feature encryption is performed according to the message parameters in the second type protocol message.
In Step1 of step S205 of the present application, the encryption rule defines the encryption manner and the encryption security level of the UDP protocol packet. It should be noted that feature encryption means encrypting dynamically according to the features of each part of the UDP protocol structure, that is, adjusting the complexity of the encryption process according to the service type of the UDP protocol packet. For example, a request packet sent only to establish a communication process may be given a low security level, so that the server can quickly detect and decrypt it and feed back a response packet, which improves the data transmission efficiency of the entire VPN network; conversely, when a service packet of the client is transmitted, the encryption level may be raised by the encryption rule so that the content of the UDP protocol packet is not leaked, and the encryption is performed over a plurality of features (packet parameters) of the UDP protocol structure.
Specifically, in the method for constructing a virtual private network provided in the embodiment of the present application, the data encryption module performs a digest calculation over characteristics of the data (for example, data information such as the parity check value of the data, the Cyclic Redundancy Check (CRC) value of the data, the message length, the destination IP used for communication, and the destination port), and the calculated value is carried, as an encryption result and a characteristic value, inside the encrypted data; it is mainly provided to the data detection module on the server side for rapid screening of the data. In addition, according to the configuration of the encryption rule, a plurality of such detection points are embedded in the UDP protocol message. The advantage is that the processing pressure on the server side is reduced and processing performance is improved compared with traditional whole-message encryption. Therefore, when a large-scale CC attack occurs, data detection based on this mechanism relieves the pressure on the server to the greatest extent and improves its anti-attack performance.
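As an added illustration rather than the patent's own method, the following Python models step S205 and the server-side fast screening it is meant to enable: an encryption rule is matched by service type, the message is split into the rule's number of detection points, and a keyed feature value over the clear-header message parameters and each point's ciphertext is embedded so the receiver verifies the points in order and discards a bad message before decrypting anything. The rule table, the use of HMAC-SHA256 as the feature value, the shared tunnel key and the SHA-256 counter keystream (a stand-in for a real cipher, not a secure one) are all assumptions made here.

```python
import hashlib
import hmac
import os
import struct

# Constructed encryption rules keyed by service type (1 = connection request,
# 2 = service data): which clear-header parameters enter the feature value and
# how many detection points the message is split into.  Not the patent's table.
RULES = {
    1: {"level": "low",  "features": ("length",),                      "points": 1},
    2: {"level": "high", "features": ("length", "dst_ip", "dst_port"), "points": 3},
}


def match_rule(service_type: int) -> dict:
    """Tunnel core configuration module: dynamically match the rule to the service type."""
    return RULES[service_type]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: a stand-in for a real cipher, not a secure design."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feature_tag(key: bytes, params: dict, features: tuple, index: int, chunk: bytes) -> bytes:
    """Feature value: keyed digest over the selected message parameters and one
    ciphertext detection point, so the receiver can check it before decrypting."""
    material = b"|".join(str(params[f]).encode() for f in features)
    material += b"|" + index.to_bytes(1, "big") + b"|" + chunk
    return hmac.new(key, material, hashlib.sha256).digest()[:8]


def feature_encrypt(payload: bytes, params: dict, key: bytes) -> bytes:
    """Step S205: encrypt per the matched rule and embed one tag per detection point.
    Constructed layout: service_type(1) | nonce(8) | points(1) |
    repeated per point: chunk_len(2) | tag(8) | ciphertext."""
    rule = match_rule(params["service_type"])
    nonce = os.urandom(8)
    n = rule["points"]
    size = max(1, -(-len(payload) // n))            # ceil division, at least 1 byte
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    chunks += [b""] * (n - len(chunks))              # pad the chunk list to n points
    blob = struct.pack("!B8sB", params["service_type"], nonce, n)
    for j, chunk in enumerate(chunks):
        ct = xor(chunk, keystream(key, nonce + bytes([j]), len(chunk)))
        tag = feature_tag(key, params, rule["features"], j, ct)
        blob += struct.pack("!H8s", len(ct), tag) + ct
    return blob


def screen_and_decrypt(blob: bytes, params: dict, key: bytes, stats: dict):
    """Server-side data detection followed by data decryption: verify each
    detection point first and stop at the first mismatch, so a forged or
    tampered message costs no decryption work.  Returns plaintext or None."""
    try:
        service_type, nonce, n = struct.unpack_from("!B8sB", blob, 0)
        rule = RULES.get(service_type)
        if rule is None:
            stats["screened_out"] += 1
            return None
        pos, out = struct.calcsize("!B8sB"), b""
        for j in range(n):
            length, tag = struct.unpack_from("!H8s", blob, pos)
            pos += 10
            ct = blob[pos:pos + length]
            pos += length
            if not hmac.compare_digest(tag, feature_tag(key, params, rule["features"], j, ct)):
                stats["screened_out"] += 1
                return None
            out += xor(ct, keystream(key, nonce + bytes([j]), length))
            stats["decrypted_chunks"] += 1
        return out
    except struct.error:                             # truncated or malformed message
        stats["screened_out"] += 1
        return None
```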
Optionally, the step S206 of detecting the message parameter in the second type protocol message and determining whether the message parameter has the attack feature of the network attack includes:
Step1, detecting the message length, the characteristic value, the sending rate and the data size among the message parameters in the second type protocol message;
In Step1 of the above step S206 of the present application, as shown in fig. 3, the data detection module detects the message parameters in the UDP protocol message, for example the message length, the characteristic value, the sending rate, and the data size.
In addition, the data detection module can also detect the message content in the UDP protocol message, so that before the UDP protocol message is sent to the server, if the network attack threat exists, the occurrence of the network attack threat can be prevented in time, and the security of the server side can be ensured.
Step2, judging whether at least one of the message length, the characteristic value, the sending rate and the data size in the message parameters is matched with the preset attack characteristics;
In Step2, whether the UDP protocol packet carries a network attack is determined from the result of matching the packet parameters in the UDP protocol packet against the preset attack features; see Step3.
Step3, judging whether the protocol message carries a network attack according to the matching result of the message parameters and the attack characteristics.
Based on the matching result of Step2, in Step3, when at least one of the message length, the characteristic value, the sending rate, and the data size in the message parameters judged in Step2 matches the preset attack characteristics, the protocol message is determined to carry a network attack.
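As an added illustration, not code from the patent, the following Python sketches Step1 and Step2 of step S204 together with Steps 1 to 3 of step S206: data read from the local TCP server is encapsulated in a UDP tunnel frame, and the frame's message parameters (length, the parity and CRC characteristic values, destination, sending rate and data size) are checked against a table of attack features before the send (S208) or discard (S209) decision. The frame layout, the thresholds and the sample traffic are assumptions constructed here; the same detection applies on the server side of Example 2, where the page states it cannot be skipped.

```python
import struct
import zlib
from collections import deque

# Constructed tunnel frame (not the patent's format):
# magic(2) | service_type(1) | parity(1) | length(2) | crc32(4) | dst_ip(4) | dst_port(2) | payload
HEADER = struct.Struct("!2sBBHI4sH")
MAGIC = b"VT"
SVC_HANDSHAKE, SVC_DATA = 1, 2


def parity(data: bytes) -> int:
    """Single-bit parity over the payload (the page's 'parity check value')."""
    return bin(int.from_bytes(data, "big")).count("1") & 1 if data else 0


def encapsulate(payload: bytes, service_type: int, dst_ip: str, dst_port: int) -> bytes:
    """Step S204: wrap data read from the local TCP server in the UDP tunnel structure."""
    ip = bytes(int(o) for o in dst_ip.split("."))
    header = HEADER.pack(MAGIC, service_type, parity(payload), len(payload),
                         zlib.crc32(payload), ip, dst_port)
    return header + payload


def parse(frame: bytes) -> dict:
    """Extract the message parameters step S206 inspects; raise on a malformed frame."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    magic, svc, par, length, crc, ip, port = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return {"service_type": svc, "parity": par, "length": length, "crc": crc,
            "dst_ip": ".".join(str(b) for b in ip), "dst_port": port,
            "payload": frame[HEADER.size:]}


# Preset attack features: constructed thresholds, tuned per deployment in practice.
ATTACK_FEATURES = {
    "max_length": 1400,          # message length above what the tunnel carries
    "max_rate_per_sec": 50,      # sending rate: frames per second per destination
    "max_data_per_sec": 64_000,  # data size: payload bytes per second per destination
    "blocked_ports": {23, 445},  # destinations the tunnel never forwards
}


class RateTracker:
    """Sliding one-second window of (timestamp, payload size) per destination."""
    def __init__(self):
        self.windows = {}

    def record(self, key, now: float, size: int):
        win = self.windows.setdefault(key, deque())
        win.append((now, size))
        while win and now - win[0][0] >= 1.0:
            win.popleft()
        return len(win), sum(s for _, s in win)


def detect(frame: bytes, tracker: RateTracker, now: float) -> list:
    """Step S206, Steps 1-3: return the attack features the frame matches (empty = clean)."""
    try:
        p = parse(frame)
    except ValueError as exc:
        return [f"malformed:{exc}"]
    hits, payload = [], p["payload"]
    if p["length"] != len(payload):
        hits.append("length_mismatch")
    if p["length"] > ATTACK_FEATURES["max_length"]:
        hits.append("oversize")
    # characteristic values: parity and CRC must agree with the carried payload
    if p["parity"] != parity(payload) or p["crc"] != zlib.crc32(payload):
        hits.append("bad_characteristic_value")
    if p["dst_port"] in ATTACK_FEATURES["blocked_ports"]:
        hits.append("blocked_port")
    count, size = tracker.record((p["dst_ip"], p["dst_port"]), now, len(payload))
    if count > ATTACK_FEATURES["max_rate_per_sec"]:
        hits.append("rate")
    if size > ATTACK_FEATURES["max_data_per_sec"]:
        hits.append("data_size")
    return hits


def dispose(frame: bytes, tracker: RateTracker, now: float) -> str:
    """Step S208 versus S209: 'send' when no feature matches, otherwise 'discard'."""
    return "discard" if detect(frame, tracker, now) else "send"
```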
As shown in fig. 4, in the method for constructing a virtual private network provided in the embodiment of the present application, a data detection module of a client tunnel device itself can prevent a malicious client tunnel device from initiating an attack.
Optionally, the method for constructing a virtual private network provided in the embodiment of the present application further includes:
Step S209, discarding the second type protocol message under the condition that the judgment result is yes.
Based on step S206, on the basis of determining whether the message parameter has the attack feature of the network attack, in step S209 of the present application, when the tunnel service device determines that the message parameter in the UDP protocol message has the attack feature matching the network attack, the UDP message is discarded.
Optionally, the method for constructing a virtual private network provided in the embodiment of the present application further includes:
Step S301, receiving a second type protocol message returned by the server;
The above step S301 of the present application differs from step S208, as shown in fig. 4: in step S208, when it is detected that no packet parameter in the UDP protocol packet matches an attack characteristic of a network attack, the UDP protocol packet is sent by the sending module; in step S301, the UDP protocol packet returned by the server is received by the receiving module, processing is accelerated by treating data from the server as secure data, and after feature decryption the decrypted UDP protocol packet is passed to the application layer protocol docking device.
Specifically, in the method for constructing a virtual private network provided in the embodiment of the present application, when a UDP protocol packet reaches the receiving module in the tunnel service device, it is passed directly to the data detection module for validity detection. Alternatively, this module may be skipped on the client to speed up processing, in which case the data sent by the server is trusted unconditionally.
Step S302, matching a corresponding forwarding port according to the destination address of the second type protocol message;
Differing from step S206, as shown in fig. 4, when the UDP protocol packet is received, the tunnel core configuration module may configure the data detection module to be skipped so as to accelerate processing, trusting the data sent by the server unconditionally; the received UDP protocol packet is decrypted by the data decryption module, and the decrypted UDP protocol packet is then received by the tunnel pipe device in the application layer protocol docking device.
In the above step S302, after receiving the decrypted UDP protocol packet, the tunnel pipe device matches the forwarding port according to the destination address in the protocol packet. If the UDP protocol packet returned by the server corresponds to a UDP protocol packet sent by the TCP tunnel conversion device of the client, the tunnel pipe device returns the decrypted UDP protocol packet to the TCP tunnel conversion device, which sends it to the client application program through the local TCP server created in the TCP tunnel conversion device; similarly, if the UDP protocol packet returned by the server corresponds to a UDP protocol packet sent by the UDP takeover device of the client, the tunnel pipe device returns the decrypted UDP protocol packet to the UDP takeover device, which sends it to the client application program.
Step S303, returning the second type protocol message through the forwarding port.
Based on step S302, in which the tunnel pipe device matches the destination address of the UDP protocol packet to obtain a forwarding port, in step S303 the UDP protocol packet is returned to the client application program through the forwarding port obtained.
Further, optionally, the returning the second type protocol packet through the forwarding port in step S303 includes:
Step1, detecting the type of protocol message supported by the forwarding port corresponding to the destination address;
In Step1 of step S303 of the present application, to return the second type of protocol packet through the forwarding port, the type of protocol packet supported by the forwarding port corresponding to the destination address in the UDP protocol packet is detected, which determines whether that forwarding port supports TCP protocol packets or UDP protocol packets.
Step2, sending the second type protocol message according to the type of protocol message supported by the forwarding port.
Based on the detection in Step1 of the type of protocol packet supported by the forwarding port, in Step2 the UDP protocol packet is sent through the corresponding forwarding port according to the type detected; how the second type of protocol packet is sent according to the type of protocol packet supported by the forwarding port is shown in Step A and Step B, or in Step A'.
Optionally, sending the second type of protocol packet according to the type of the protocol packet supported by the forwarding port in Step2 includes:
Step A, when detecting that the type of protocol message supported by the forwarding port is the first type of protocol message, acquiring the data in the second type of protocol message;
Step B, returning the data through the corresponding forwarding port.
Combining Step A and Step B: when the tunnel pipe device detects that the protocol message type supported by the forwarding port is a TCP protocol message, the TCP tunnel conversion device acquires the data in the UDP protocol message via the local TCP server, and then returns the acquired data through the forwarding port corresponding to the TCP tunnel conversion device.
Optionally, sending the second type of protocol packet according to the type of the protocol packet supported by the forwarding port in Step2 includes:
Step A', when the type of protocol message supported by the forwarding port is detected to be the second type of protocol message, returning the second type of protocol message through the corresponding forwarding port.
In Step A', when the tunnel pipe device detects that the type of protocol packet supported by the forwarding port is a UDP protocol packet, the UDP takeover device returns the received UDP protocol packet through the corresponding port.
In the method for constructing a virtual private network provided in this embodiment of the present application, the client tunnel device shown in fig. 2 is configured on the client side. By detecting the packet type of the received protocol packet, it is determined whether that packet type is the one used for communication in the VPN tunnel, and if not, the protocol packet is converted into the packet type used for communication in the VPN tunnel; a corresponding encryption rule is matched according to the service type of the protocol packet and the protocol packet is encrypted according to that rule, and whether the protocol packet is sent to the server is determined by further checking whether an attack characteristic of a network attack exists in the protocol packet. CC for short) environment, attacks by malicious tunnel devices are prevented by deploying a data detection module at the client. In the embodiment of the application, the compatibility problem of the VPN network is solved by using a communication protocol supported by all network devices, namely UDP protocol messages, and the encryption range and degree can be flexibly adjusted by matching the service type of the protocol messages with the corresponding encryption rules, so that the data processing time of the detection and decryption processes at the server side is shortened and data processing efficiency is improved.
In addition, the method for constructing the virtual private network provided by the embodiment of the present application is based on the UDP protocol and is equivalent to an application layer program, which distinguishes it from the related art in a diskless workstation environment: there, adding hardware devices such as a network card requires a restart, and under diskless workstation conditions all changes are restored once the hardware devices are restarted, whereas the method for constructing the virtual private network provided by the embodiment of the present application does not need to add hardware devices such as a network card.
Example 2
The present application provides a method for constructing a virtual private network as shown in fig. 5. Fig. 5 is a flowchart of a method for constructing a virtual private network according to a second embodiment of the present invention.
Step S502, receiving a second type protocol message sent by a client;
the method for constructing the Virtual Private Network provided by the embodiment of the application can be suitable for establishing a Virtual Private Network (VPN), wherein a User Datagram Protocol (UDP) is used as a VPN tunnel communication protocol, and the problem that devices on two sides of a VPN tunnel are incompatible with a specific communication protocol is solved.
In the above step S502 of the present application, corresponding to the client tunnel device configured on the client side in the first embodiment, a tunnel terminating device is configured on the network device side. Fig. 6(a) is a schematic structural diagram of the tunnel terminating device in the method for constructing a virtual private network according to the second embodiment of the present invention. As shown in fig. 6(a), in the second embodiment of the present application the tunnel terminating device receives the second type of protocol packet sent by the client tunnel device and analyzes and processes it, where the second type of protocol packet is a User Datagram Protocol (UDP) packet. When the tunnel terminating device is configured on the network device side, the UDP packet is used as the general communication protocol, as on the client, so that the client is compatible with the network device side; this avoids the incompatibility problem of the related art, where the devices on both sides of a VPN tunnel do not support a specific communication protocol, and thus avoids failure to establish the VPN tunnel.
The message types of the protocol message in the embodiment of the present application are as follows: a packet encapsulated in a TCP protocol structure is the first type of protocol packet, and a packet encapsulated in a UDP protocol structure is the second type of protocol packet.
Step S504, judge whether the message parameter in the second type protocol message has the attack characteristic of the network attack;
Based on step S502, the UDP protocol packet sent by the client is received through the packet transceiving module in the tunnel terminating device, and in step S504 the data detection module in the tunnel terminating device determines whether a message parameter in the UDP protocol packet has an attack feature of a network attack.
Unlike on the client side, on the network device side the data detection module cannot be skipped: it must check the validity of every UDP protocol packet received by the packet transceiving module in step S502, so that invalid packets are detected as early as possible and illegal data is discarded, which reduces the load on the data decryption module and the overall system.
Step S506, if the determination result is negative, the second type protocol packet is sent to the corresponding sending port according to the type of the server.
Based on the security determination and check of the UDP protocol packet in step S504, when it is determined that the packet parameters in the UDP protocol packet do not have the attack characteristics of a network attack, the member device in the tunnel terminating device allocates a corresponding sending port to the UDP protocol packet according to the type of the server.
When the judgment result is yes, the network equipment side discards illegal UDP protocol messages through the data detection module, and the safety of the server side is guaranteed on the basis of reducing the pressure of the data decryption module.
As can be seen from the above, in the solution provided by the second embodiment of the present application, the second type protocol packet sent by the client is received; judging whether the message parameters in the second type protocol message have the attack characteristics of the network attack; and under the condition that the judgment result is negative, sending the second type protocol message to the corresponding sending port according to the type of the server. The purpose that the devices supporting different communication protocols on two sides in the VPN network are compatible is achieved, the technical effect of establishing the VPN tunnel is achieved, and the technical problem that the VPN tunnel cannot be established due to the fact that the devices on the two sides of the VPN network are incompatible with the specific communication protocols is solved.
Optionally, before sending the second type of protocol packet to the corresponding sending port according to the type of the server in step S506, the method for constructing the virtual private network provided in the embodiment of the present application includes:
Step S505, decrypting the second type protocol message according to a preset decryption rule.
In step S505 of the present application, before the second type of protocol packet is sent to the corresponding sending port according to the type of the server in step S506, the tunnel terminating device, as shown in fig. 6(a), further decrypts, using the data decryption module, the UDP protocol packet that the data detection module has found to be qualified.
The decryption rule matches the UDP protocol message with a corresponding decryption rule according to the service type of the UDP protocol message, and instructs the data decryption module to perform feature decryption according to that rule. See Step1 and Step2 in step S505.
Further, optionally, in step S505, decrypting the second type protocol packet according to the preset decryption rule includes:
Step1, matching the corresponding decryption rule according to the service type of the second type protocol message;
In Step1 of step S505, because the service types of UDP protocol packets differ, the encryption manner of the UDP protocol packets may also change with the service type. That is, the protocol packets used by the client and the network device side to establish the communication link may be treated as using a simple encryption rule, so that the network device side performs a simple decryption according to the service type, saving data processing time and reducing the data processing burden of the system; when actual service data is transmitted, multi-bit encryption is applied to the service data in the UDP protocol message and the corresponding multi-bit decryption is performed on the network device side to ensure the security of the data. The multi-bit encryption can be performed according to the characteristics of each message parameter in the UDP protocol message, and the multi-bit decryption performs the corresponding decryption for that multi-bit encryption.
In summary, the decryption rule corresponding to the UDP protocol packet is obtained by obtaining the service type of the UDP protocol packet and matching against it.
Step2, performing feature decryption on the second type protocol message according to the decryption rule, where the feature decryption is used to instruct to perform decryption according to the message parameters in the second type protocol message, and the message parameters include: at least one of message length, eigenvalue, sending rate and data size.
Based on the decryption rule obtained in Step1, in Step2 of the present application feature decryption is performed on the UDP protocol packet according to that rule: as the decryption rule directs, the corresponding encrypted region in the UDP protocol packet is extracted, where the encrypted region corresponds to a message parameter in the UDP protocol packet structure (for example, at least one of the packet length, the characteristic value, the sending rate, and the data size), and the corresponding feature in the UDP protocol packet is decrypted as the decryption rule instructs.
Here, the characteristic value in the message parameter may be a parity check value in the UDP protocol message.
In addition, as shown in fig. 6(a), after the UDP protocol packet is decrypted, the data reduction module performs data reduction on the decrypted UDP protocol packet to obtain a complete decrypted UDP protocol packet, so that the UDP protocol packet is not damaged by the decryption process and the packet received by the server is accurate and complete.
Optionally, the step S506 of sending the decrypted second-type protocol packet to the corresponding sending port according to the type of the server includes:
Step1, when the type of the server is the type supporting the second type of protocol message, sending the second type of protocol message to the server through the first type of sending port, wherein the first type of sending port is a port corresponding to a server supporting the second type of protocol message;
In Step1, to send the decrypted second type protocol packet to the corresponding sending port according to the type of the server, the type of the server must first be determined, so that a corresponding sending port is allocated to the UDP protocol packet according to the server type.
When the server type supports UDP protocol messages, the UDP protocol message is sent to the server through the first type of sending port, which may be the sending port of the data forwarding module shown in fig. 6(a).
Step2, when the type of the server is the type supporting the first type of protocol message, acquiring data in the second type of protocol message, and sending the data to the server through a second type of sending port, wherein the second type of sending port is a port corresponding to the server supporting the first type of protocol message.
In Step2, when the server type supports the TCP protocol, the data acquired from the UDP protocol message is sent to the server through the second type of sending port, which may be the sending port of the data proxy module shown in fig. 6(a).
Combining Step1 and Step2, as shown in fig. 6(a), the source returning device includes two selectable modes: the data proxy module and the data forwarding module. They differ in whether they can resolve the heterogeneity between the tunnel protocol and the server protocol: when the server side provides services using the TCP protocol, the proxy module must perform the conversion; when the server side provides services using the UDP protocol, the data can be transmitted by the forwarding module. The source returning device thus ensures compatibility between the server and the client, avoids the incompatibility problem of the related art, where devices on the two sides of the VPN tunnel do not support a specific communication protocol, and avoids failure to establish the VPN tunnel.
The method for constructing the virtual private network provided in the embodiment of the present application may also be merged and deployed with the server side, so that the method for constructing the virtual private network in the embodiment of the present application is only described by taking the method applicable to the network device side as an example, so as to implement the method for constructing the virtual private network in the embodiment of the present application, and is not particularly limited.
In an alternative solution provided by the foregoing embodiment of the present application, as shown in fig. 6(b), the method for constructing a virtual private network according to the embodiment of the present application may include the following steps:
Step a: the client detects the message type of a protocol message it has received.
The client tunnel device is configured in the application layer of the client, and the message type of the received protocol message is detected by an application-layer protocol docking device. In the embodiments of the present application the client may be a notebook computer, desktop computer, tablet computer, personal computer (PC) or any other device able to send UDP traffic.
Step b: when the message type of the protocol message is the first type, convert the protocol message into a second type protocol message used for communication in the virtual private network.
Step c: detect the message parameters in the second type protocol message and judge whether they carry attack features of a network attack.
Step d: when the judgment result is negative, send the second type protocol message to the server.
When the judgment result is positive, discard the second type protocol message.
Step e: the server side (the tunnel network device) judges whether the message parameters in the received second type protocol message carry attack features of a network attack.
Step f: when the judgment result is negative, send the second type protocol message to the sending port that corresponds to the server's type.
When the judgment result is positive, the tunnel network device discards the illegal UDP message in its data detection module. Because detection runs before decryption, attack traffic is dropped without consuming decryption resources, which protects the server while reducing the load on the data decryption module. The corollary is that the parameters inspected at this stage (length, checksum, sending rate, data size) are not yet authenticated, so this check is a resource-exhaustion and malformed-input filter rather than an integrity check.
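As an added example (not code from the patent or from its assignee), the following Go program carries out the client-side encapsulation of step b and the server-side choice of sending port in step f, i.e. the data forwarding module versus the data proxy module described above for fig. 6(a). The 12-byte frame layout, the constants and every function name are my assumptions; the patent does not specify a wire format. Decapsulate checks the declared length against the bytes actually present and the CRC-32 carried as the feature value before anything is routed, which is the check a tunnel terminator must do before trusting a length field from the wire.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// IANA protocol numbers: TCP is the patent's "first type", UDP (the tunnel's
// own transport) its "second type".
const ProtoTCP, ProtoUDP byte = 6, 17

// Assumed tunnel frame layout (not specified by the patent):
//   byte 0     version (always 1 here)      byte 1     inner protocol
//   byte 2     service type                 byte 3     reserved
//   bytes 4-7  inner data length (BE)       bytes 8-11 CRC-32 of the data ("feature value")
const headerLen = 12
const maxInner = 1400 // keep every datagram under a typical path MTU

// Encapsulate is step b on the client: data taken from a TCP (first type)
// message is wrapped into one UDP (second type) tunnel datagram.
func Encapsulate(innerProto, serviceType byte, data []byte) ([]byte, error) {
	if len(data) > maxInner {
		return nil, fmt.Errorf("inner data is %d bytes, limit is %d", len(data), maxInner)
	}
	frame := make([]byte, headerLen+len(data))
	frame[0], frame[1], frame[2] = 1, innerProto, serviceType
	binary.BigEndian.PutUint32(frame[4:8], uint32(len(data)))
	binary.BigEndian.PutUint32(frame[8:12], crc32.ChecksumIEEE(data))
	copy(frame[headerLen:], data)
	return frame, nil
}

// Frame is a validated, parsed tunnel datagram.
type Frame struct {
	InnerProto, ServiceType byte
	Data                    []byte
}

// Decapsulate rejects truncated, oversized or corrupted frames before anything
// reaches the server. The declared length is compared with the bytes actually
// present, so a forged length field can neither over-read nor smuggle a tail.
func Decapsulate(frame []byte) (Frame, error) {
	if len(frame) < headerLen {
		return Frame{}, errors.New("frame shorter than the header")
	}
	if frame[0] != 1 {
		return Frame{}, fmt.Errorf("unsupported version %d", frame[0])
	}
	n := binary.BigEndian.Uint32(frame[4:8])
	if n > maxInner || int(n) != len(frame)-headerLen {
		return Frame{}, fmt.Errorf("declared length %d, got %d data bytes", n, len(frame)-headerLen)
	}
	data := frame[headerLen:]
	if crc32.ChecksumIEEE(data) != binary.BigEndian.Uint32(frame[8:12]) {
		return Frame{}, errors.New("feature value (CRC-32) mismatch")
	}
	return Frame{InnerProto: frame[1], ServiceType: frame[2], Data: data}, nil
}

// Dispatch records which sending port the source-returning device uses and the
// exact bytes it hands to the server on that port.
type Dispatch struct {
	Port  string // "forwarding" (UDP server) or "proxy" (TCP server)
	Bytes []byte
}

// Route is step f: the data forwarding module or the data proxy module is chosen
// from the server's protocol. A UDP server receives the second type message
// itself through the forwarding port; a TCP server receives only the inner data,
// which the proxy port writes on the TCP connection it owns.
func Route(frame []byte, serverProto byte) (Dispatch, error) {
	f, err := Decapsulate(frame)
	if err != nil {
		return Dispatch{}, err // discard: an invalid frame is never forwarded
	}
	switch serverProto {
	case ProtoUDP:
		return Dispatch{Port: "forwarding", Bytes: frame}, nil
	case ProtoTCP:
		return Dispatch{Port: "proxy", Bytes: f.Data}, nil
	}
	return Dispatch{}, fmt.Errorf("no sending port for server protocol %d", serverProto)
}

func main() {
	frame, _ := Encapsulate(ProtoTCP, 2, []byte("GET / HTTP/1.0\r\n\r\n")) // constructed sample
	for _, serverProto := range []byte{ProtoTCP, ProtoUDP} {
		d, err := Route(frame, serverProto)
		fmt.Printf("server proto %d -> %s port, %d bytes, err=%v\n", serverProto, d.Port, len(d.Bytes), err)
	}
}
```

Routing by the server's protocol rather than by the inner protocol byte is deliberate: the inner byte is attacker-controlled input, whereas the server type is configuration held by the terminator.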
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method for constructing a virtual private network according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 3
According to an embodiment of the present invention, an embodiment of an apparatus for implementing the foregoing method is further provided, and the apparatus provided by the foregoing embodiment of the present application may be run on a client.
Fig. 7 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a third embodiment of the present invention.
As shown in fig. 7, the apparatus includes: a detection module 72, a conversion module 74, a determination module 76, and a transmission module 78.
The detection module 72 is configured to detect a message type of a protocol message received in advance; a conversion module 74, configured to, when the packet type of the protocol packet is a first type of protocol packet, convert the protocol packet into a second type of protocol packet used for communication in the virtual private network; a judging module 76, configured to detect a message parameter in the second-type protocol message, and judge whether the message parameter has an attack feature of a network attack; and a sending module 78, configured to send the second type protocol packet if the determination result is negative.
As can be seen from the above, in the scheme provided in the third embodiment of the present application, the message type of the protocol message received in advance is detected; when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network; detecting message parameters in the second type protocol messages, and judging whether the message parameters have attack characteristics of network attack or not; and under the condition that the judgment result is negative, sending the second type of protocol message to achieve the aim that the two sides in the VPN network support the compatibility of the devices with different communication protocols, thereby realizing the technical effect of establishing the VPN tunnel and further solving the technical problem that the VPN tunnel cannot be established due to the incompatibility of the devices at the two sides of the VPN network to the specific communication protocol.
It should be noted here that the detecting module 72, the converting module 74, the determining module 76, and the sending module 78 correspond to steps S202 to S208 in the first embodiment, and the four modules are the same as the corresponding steps in the implementation example and the application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, fig. 8 is a schematic structural diagram of an apparatus for constructing a virtual private network according to the third embodiment of the present invention. As shown in fig. 8, the conversion module 74 includes an acquiring unit 741 and an encapsulating unit 742:
the acquiring unit 741 is configured to acquire the data in the protocol message; the encapsulating unit 742 is configured to encapsulate that data in the format of the second type protocol message, yielding a protocol message whose message type is the second type.
It should be noted here that the obtaining unit 741 and the encapsulating unit 742 correspond to Step1 and Step2 in Step S204 in the first embodiment, and the two modules are the same as the corresponding steps in the example and application scenarios, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, fig. 9 is a schematic structural diagram of another apparatus for constructing a virtual private network according to the third embodiment of the present invention. As shown in fig. 9, the apparatus for constructing a virtual private network according to an embodiment of the present application further includes an encryption module 95:
the encryption module 95 is configured to, before detecting a message parameter in the second type of protocol message, obtain a corresponding encryption rule according to service type matching of the protocol message, and encrypt the second type of protocol message according to the encryption rule, where the encryption rule is used to instruct to change an encryption security level according to the service type in an encryption process.
It should be noted that the encryption module 95 corresponds to the step S205 in the first embodiment, and the module is the same as the example and the application scenario realized by the corresponding step, but is not limited to the disclosure of the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Further, optionally, fig. 10 is a schematic structural diagram of another apparatus for constructing a virtual private network according to the third embodiment of the present invention. As shown in fig. 10, the encryption module 95 includes an encryption unit 951:
the encryption unit 951 is configured to perform feature encryption on the second type of protocol packet according to an encryption rule, where the feature encryption is performed according to packet parameters in the second type of protocol packet.
It should be noted that the encryption unit 951 corresponds to Step1 in Step S205 in the first embodiment, and the module is the same as the example and application scenario realized by the corresponding Step, but is not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, fig. 11 is a schematic structural diagram of another apparatus for constructing a virtual private network according to the third embodiment of the present invention. As shown in fig. 11, the judging module 76 includes a detection unit 761, a first judging unit 762 and a second judging unit 763:
the detecting unit 761 is configured to detect a message length, a feature value, a sending rate, and a data size in a message parameter in a second type protocol message; a first determining unit 762, configured to determine whether at least one of a message length, a feature value, a sending rate, and a data size in a message parameter matches a preset attack feature; a second determining unit 763, configured to determine whether a network attack exists in the protocol packet according to a matching result between the packet parameter and the attack feature.
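An added example, not part of the patent: a Go version of the judging module's three steps, matching the parameters that claim 1 enumerates (message length, feature value as a CRC-32, destination IP and port, sending rate, data size) against preset attack features. Type and field names are mine. The sending-rate check is a per-source sliding window; since detection runs before decryption, the source key is the unauthenticated tunnel peer address, so this stage filters floods and malformed input rather than proving who sent the message.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"time"
)

// MsgParams are the message parameters the detection unit extracts from one
// second type protocol message (the set named in claim 1; field names mine).
type MsgParams struct {
	Src     string    // tunnel peer that sent it, used to key the rate check
	DstIP   string    // destination IP used for communication
	DstPort uint16    // destination port
	Length  int       // message length on the wire, header included
	Data    []byte    // inner data as carried; the data size is len(Data)
	CRC     uint32    // feature value (CRC-32) carried in the message
	At      time.Time // arrival time, feeds the sending-rate check
}

// AttackFeatures are the preset features each parameter is matched against.
type AttackFeatures struct {
	MaxLength    int
	MaxDataSize  int
	MaxPerWindow int           // messages per source allowed inside Window
	Window       time.Duration // sliding window for the sending rate
	BlockedPorts map[uint16]bool
	BlockedIPs   map[string]bool
}

// Detector is the judging module: the features plus per-source arrival history.
type Detector struct {
	features AttackFeatures
	arrivals map[string][]time.Time
}

func NewDetector(f AttackFeatures) *Detector {
	return &Detector{features: f, arrivals: map[string][]time.Time{}}
}

// FeatureValue is the checksum a sender places in the message for its data.
func FeatureValue(data []byte) uint32 { return crc32.ChecksumIEEE(data) }

// Judge is Step1 to Step3 of S206: detect each parameter, match it against the
// preset attack features and return the name of every feature matched. An empty
// result means "no attack" and the message may be sent on; any match at all is
// enough to discard it (claim 1: "at least one item").
func (d *Detector) Judge(p MsgParams) []string {
	var hits []string
	f := d.features
	if p.Length > f.MaxLength {
		hits = append(hits, "message length")
	}
	if len(p.Data) > f.MaxDataSize || len(p.Data) > p.Length {
		hits = append(hits, "data size")
	}
	if FeatureValue(p.Data) != p.CRC {
		hits = append(hits, "feature value")
	}
	if f.BlockedIPs[p.DstIP] {
		hits = append(hits, "destination IP")
	}
	if f.BlockedPorts[p.DstPort] {
		hits = append(hits, "destination port")
	}
	// Sending rate: keep only arrivals inside the sliding window, add this one
	// and compare the count with the limit. The offending message is recorded
	// too, so a flood stays blocked until it actually subsides.
	cutoff := p.At.Add(-f.Window)
	var recent []time.Time
	for _, at := range d.arrivals[p.Src] {
		if at.After(cutoff) {
			recent = append(recent, at)
		}
	}
	recent = append(recent, p.At)
	d.arrivals[p.Src] = recent
	if len(recent) > f.MaxPerWindow {
		hits = append(hits, "sending rate")
	}
	return hits
}

func main() {
	det := NewDetector(AttackFeatures{MaxLength: 1500, MaxDataSize: 1400, MaxPerWindow: 3,
		Window: time.Second, BlockedPorts: map[uint16]bool{23: true}})
	data := []byte("constructed inner data") // constructed sample payload
	msg := MsgParams{Src: "198.51.100.7", DstIP: "10.0.0.5", DstPort: 443, Length: 12 + len(data),
		Data: data, CRC: FeatureValue(data), At: time.Date(2016, 2, 12, 0, 0, 0, 0, time.UTC)}
	fmt.Println("clean message:", det.Judge(msg))
	msg.CRC ^= 1 // corrupt the feature value
	msg.DstPort = 23
	fmt.Println("tampered message:", det.Judge(msg))
}
```

The per-source map grows with the number of distinct peers; a production filter would bound it (for example with an LRU) because a UDP sender can spoof as many sources as it likes before the tunnel is authenticated.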
It should be noted here that the detection unit 761, the first determination unit 762, and the second determination unit 763 correspond to steps 1 to Step3 in Step S206 in the first embodiment, and the three modules are the same as the corresponding steps in the implementation example and the application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, the apparatus for constructing a virtual private network provided in this embodiment of the present application further includes an execution module:
the execution module is configured to discard the protocol message when the judgment result is positive.
It should be noted here that the above-mentioned execution module corresponds to step S209 in the first embodiment, and the module is the same as the example and application scenario realized by the corresponding step, but is not limited to the disclosure of the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, the apparatus for constructing a virtual private network provided in this embodiment of the present application further includes a receiving module, a matching module and a feedback module:
the receiving module is used for receiving a second type protocol message returned by the server; the matching module is used for matching the corresponding forwarding port according to the destination address of the second type protocol message; and the feedback module is used for returning the second type protocol message through the forwarding port.
It should be noted here that the receiving module, the matching module and the feedback module correspond to steps S301 to S303 in the first embodiment, and the three modules are the same as the corresponding steps in the example and application scenarios, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Further, optionally, the feedback module includes a type detection unit and a sending unit:
the type detection unit is used for detecting the type of the protocol message supported by the forwarding port corresponding to the destination address; and the sending unit is used for sending the second type of protocol message according to the type of the protocol message supported by the forwarding port.
It should be noted here that the type detecting unit and the sending unit correspond to Step1 and Step2 in Step S303 in the first embodiment, and the two modules are the same as the corresponding steps in the implementation example and application scenarios, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, the sending unit includes an acquiring subunit and a first sending subunit:
the obtaining subunit is configured to obtain data in a second protocol packet when it is detected that the type of the protocol packet supported by the forwarding port is the first protocol packet; and the first sending subunit is used for returning the data through the corresponding forwarding port.
It should be noted here that the acquiring subunit and the first sending subunit correspond to Step a and Step b in Step2 in the first embodiment, and the two subunits are the same as the corresponding steps in the implementation example and application scenarios, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Optionally, the sending unit includes a second sending subunit:
and the second sending subunit is configured to, when it is detected that the type of the protocol packet supported by the forwarding port is a second type protocol packet, return the second type protocol packet through the corresponding forwarding port.
It should be noted here that the second sending subunit corresponds to Step a' in Step2 in the first embodiment, and the subunit is the same as the example and application scenario realized by the corresponding step, but is not limited to the disclosure in the first embodiment. It should be noted that the modules described above as a part of the apparatus may operate in the client tunneling apparatus provided in the first embodiment, and may be implemented by software or hardware.
Example 4
According to an embodiment of the present invention, an embodiment of an apparatus for implementing the method in fig. 2 is further provided; the apparatus provided in this embodiment of the present application runs on the tunnel network device at the server side (the tunnel terminating apparatus of the second embodiment).
Fig. 12 is a schematic structural diagram of an apparatus for constructing a virtual private network according to a fourth embodiment of the present invention.
As shown in fig. 12, the apparatus includes: a receiving module 1202, a determining module 1204, and a sending module 1206,
the receiving module 1202 is configured to receive a second type protocol packet sent by a client; a judging module 1204, configured to judge whether a message parameter in the second type protocol message has an attack feature of a network attack; the sending module 1206 is configured to send the second type protocol packet to the corresponding sending port according to the type of the server if the determination result is negative.
As can be seen from the above, in the scheme provided in the fourth embodiment of the present application, the second-type protocol packet sent by the client is received; judging whether the message parameters in the second type protocol message have the attack characteristics of the network attack; and under the condition that the judgment result is negative, sending the second type protocol message to the corresponding sending port according to the type of the server. The purpose that the devices supporting different communication protocols on two sides in the VPN network are compatible is achieved, the technical effect of establishing the VPN tunnel is achieved, and the technical problem that the VPN tunnel cannot be established due to the fact that the devices on the two sides of the VPN network are incompatible with the specific communication protocols is solved.
It should be noted here that the receiving module 1202, the determining module 1204 and the sending module 1206 correspond to steps S502 to S506 in the second embodiment, and the three modules are the same as the corresponding steps in the implementation example and the application scenario, but are not limited to the disclosure in the second embodiment. It should be noted that the above modules as a part of the apparatus may operate in the tunnel terminating apparatus provided in the second embodiment, and may be implemented by software or hardware.
Optionally, fig. 13 is a schematic structural diagram of an apparatus for constructing a virtual private network according to the fourth embodiment of the present invention. As shown in fig. 13, the apparatus for constructing a virtual private network according to the embodiment of the present application further includes a decryption module 1205:
the decryption module 1205 is configured to decrypt the second type protocol packet according to a preset decryption rule before sending the second type protocol packet to the corresponding sending port according to the type of the server.
It should be noted here that the decryption module 1205 corresponds to the step S505 in the second embodiment, and the module is the same as the example and the application scenario realized by the corresponding step, but is not limited to the disclosure in the second embodiment. It should be noted that the above modules as a part of the apparatus may operate in the tunnel terminating apparatus provided in the second embodiment, and may be implemented by software or hardware.
Further, optionally, fig. 14 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a fourth embodiment of the present invention. As shown in fig. 14, the decryption module 1205 includes: a matching unit 12051 and a decryption unit 12052,
the matching unit 12051 is configured to match a corresponding decryption rule according to the service type of the second type protocol packet; a decryption unit 12052, configured to perform feature decryption on the second type protocol packet according to the decryption rule, where the feature decryption is configured to instruct to perform decryption according to the packet parameters in the second type protocol packet, where the packet parameters include: at least one of message length, eigenvalue, sending rate and data size.
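An added example, not the patent's code: one concrete reading of the service-type encryption rule (encryption module 95 and encryption unit 951 above, and the matching and decryption units here) using only Go's standard library. The service type selects the security level, AES-128-GCM or AES-256-GCM with a separate derived key for each, and the "feature encryption according to message parameters" is realised by binding the service type and the inner data length into the additional authenticated data. The tunnel network device matches the decryption rule from the service type carried in the message, as matching unit 12051 does, and verifies the tag before releasing any plaintext. The names, the one-step key derivation and the message layout are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ServiceType of the inner traffic; the encryption rule is matched from it.
type ServiceType byte

const SvcBulk, SvcControl ServiceType = 1, 2 // e.g. file sync vs management traffic

// MatchRule derives the per-service key from a shared master secret: a 16-byte
// key (AES-128-GCM) for bulk traffic and a 32-byte key (AES-256-GCM) for control
// traffic, so the key length is the "encryption security level".
// Assumption: a one-step SHA-256 derivation stands in for a real KDF.
func MatchRule(master []byte, svc ServiceType) ([]byte, error) {
	h := sha256.Sum256(append(append([]byte("vpn-rule:"), master...), byte(svc)))
	switch svc {
	case SvcBulk:
		return h[:16], nil
	case SvcControl:
		return h[:], nil
	}
	return nil, fmt.Errorf("no encryption rule for service type %d", svc)
}

// boundParams encodes the message parameters the "feature encryption" ties to
// the ciphertext: service type and inner data length become additional
// authenticated data, so altering either in flight breaks the GCM tag.
func boundParams(svc ServiceType, dataLen int) []byte {
	aad := make([]byte, 5)
	aad[0] = byte(svc)
	binary.BigEndian.PutUint32(aad[1:], uint32(dataLen))
	return aad
}

// aeadFor matches the rule for a service type and builds its AEAD.
func aeadFor(master []byte, svc ServiceType) (cipher.AEAD, error) {
	key, err := MatchRule(master, svc)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side (S205): emit svc || nonce || ciphertext || tag.
// The 96-bit nonce must be fresh per message; reuse under one key breaks GCM.
func Seal(master []byte, svc ServiceType, data []byte) ([]byte, error) {
	aead, err := aeadFor(master, svc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{byte(svc)}, nonce...)
	return aead.Seal(out, nonce, data, boundParams(svc, len(data))), nil
}

// Open is the server side (S505): the decryption rule is matched from the
// service type carried in the message and the tag is verified before any
// plaintext is released. Rewriting the type to a weaker level selects a
// different key and different AAD, so it fails authentication.
func Open(master []byte, msg []byte) (ServiceType, []byte, error) {
	if len(msg) < 1 {
		return 0, nil, fmt.Errorf("empty message")
	}
	svc := ServiceType(msg[0])
	aead, err := aeadFor(master, svc)
	if err != nil {
		return svc, nil, err
	}
	ns, tag := aead.NonceSize(), aead.Overhead()
	if len(msg) < 1+ns+tag {
		return svc, nil, fmt.Errorf("message too short for nonce and tag")
	}
	nonce, ct := msg[1:1+ns], msg[1+ns:]
	pt, err := aead.Open(nil, nonce, ct, boundParams(svc, len(ct)-tag))
	if err != nil {
		return svc, nil, fmt.Errorf("authentication failed: parameters or data altered")
	}
	return svc, pt, nil
}

func main() {
	master := []byte("constructed master secret, not a real key")
	msg, _ := Seal(master, SvcControl, []byte("set route 10.0.0.0/8 via tunnel"))
	_, pt, err := Open(master, msg)
	fmt.Printf("decrypted %q err=%v\n", pt, err)
}
```

Because the service type is sent in the clear, the receiver must treat it as untrusted input that merely selects which key to try; binding it into the AAD is what makes a downgrade detectable.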
It should be noted here that the matching unit 12051 and the decryption unit 12052 correspond to Step1 and Step2 in Step S505 in the second embodiment, and the two modules are the same as the corresponding steps in the implementation example and application scenarios, but are not limited to the disclosure in the second embodiment. It should be noted that the above modules as a part of the apparatus may operate in the tunnel terminating apparatus provided in the second embodiment, and may be implemented by software or hardware.
Optionally, fig. 15 is a schematic structural diagram of another apparatus for constructing a virtual private network according to a fourth embodiment of the present invention. As shown in fig. 15, the sending module 1206 includes: a first transmission unit 12061 and a second transmission unit 12062,
the first sending unit 12061 is configured to send, when the type of the server is a type supporting a second type of protocol packet, the second type of protocol packet to the server through a first type of sending port, where the first type of sending port is a port corresponding to the server supporting the second type of protocol packet; a second sending unit 12062, configured to, when the type of the server is the type supporting the first type of protocol packet, obtain data in the second type of protocol packet, and send the data to the server through a second type of sending port, where the second type of sending port is a port corresponding to the server supporting the first type of protocol packet.
It should be noted that the first sending unit 12061 and the second sending unit 12062 correspond to Step1 and Step2 in Step S506 in the second embodiment, and the two modules are the same as the corresponding steps in the example and application scenarios, but are not limited to the disclosure in the second embodiment. It should be noted that the above modules as a part of the apparatus may operate in the tunnel terminating apparatus provided in the second embodiment, and may be implemented by software or hardware.
Example 5
According to an embodiment of the present invention, there is further provided a system embodiment for implementing the method embodiment for constructing a virtual private network, and the client tunneling apparatus in the system for constructing a virtual private network provided in the embodiment of the present application may be software of a client application layer.
Fig. 16 is a schematic structural diagram of a system for constructing a virtual private network according to an embodiment of the present application.
As shown in fig. 16, the system includes: the client tunnel device 1601 is used for detecting a message type of a received protocol message, converting the protocol message of which the message type is a first type protocol message into a second type protocol message used for communication in a virtual private network, judging whether the protocol message has attack characteristics of network attack or not by detecting message parameters in the second type protocol message, and sending the protocol message if the judgment result is negative; the tunnel network equipment is in communication connection with the client tunnel device and is used for receiving the second type of protocol message sent by the client tunnel device, detecting whether the second type of protocol message has network attack or not, and sending the decrypted second type of protocol message to a corresponding sending port according to the type of the server under the condition that the judgment result is negative; wherein, the client tunnel device is a device for constructing a virtual private network shown in any one of fig. 9 to 11; the tunnel network device is the apparatus for constructing a virtual private network shown in any one of fig. 12 to 15.
Optionally, the tunnel network device is embedded in the server.
Example 6
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the method for constructing a virtual private network provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: detecting the message type of a protocol message received in advance; when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in the virtual private network; detecting message parameters in the second type protocol messages, and judging whether the message parameters have attack characteristics of network attack or not; and sending the second type protocol message under the condition that the judgment result is negative.
Optionally, the storage medium is further arranged to store program code for performing the steps of: acquiring data in a protocol message; and packaging the data according to the format of the second type protocol message to obtain the protocol message with the message type of the second type protocol message.
Optionally, the storage medium is further arranged to store program code for performing the steps of: before detecting the message parameters in the second type of protocol message, obtaining a corresponding encryption rule according to the service type matching of the protocol message, and encrypting the second type of protocol message according to the encryption rule, wherein the encryption rule is used for indicating that the encryption security level is changed according to the service type in the encryption process.
Optionally, the storage medium is further arranged to store program code for performing the steps of: and performing characteristic encryption on the second type protocol message according to the encryption rule, wherein the characteristic encryption is performed according to message parameters in the second type protocol message.
Optionally, the storage medium is further arranged to store program code for performing the steps of: detecting the message length, the characteristic value, the sending rate and the data size in the message parameters in the second type of protocol messages; judging whether at least one of the message length, the characteristic value, the sending rate and the data size in the message parameters is matched with a preset attack characteristic or not; and judging whether the protocol message has network attack according to the matching result of the message parameters and the attack characteristics.
Optionally, the storage medium is further arranged to store program code for performing the steps of: and if so, discarding the second type of protocol message.
Optionally, the storage medium is further arranged to store program code for performing the steps of: receiving a second type protocol message returned by the server; matching the corresponding forwarding port according to the destination address of the second type protocol message; and returning the second type protocol message through the forwarding port.
Optionally, the storage medium is further arranged to store program code for performing the steps of: detecting the type of a protocol message supported by a forwarding port corresponding to a destination address; and sending the second type of protocol message according to the type of the protocol message supported by the forwarding port.
Optionally, the storage medium is further arranged to store program code for performing the steps of: when the type of the protocol message supported by the forwarding port is detected to be the first type, acquiring the data in the second type protocol message; and returning the data through the corresponding forwarding port.
Optionally, the storage medium is further arranged to store program code for performing the steps of: and when the type of the protocol message supported by the forwarding port is detected to be the second type of protocol message, returning the second type of protocol message through the corresponding forwarding port.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
Optionally, the specific example in this embodiment may refer to the example described in embodiment 1 above, and this embodiment is not described again here.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (24)

1. A method for constructing a virtual private network, comprising:
detecting the message type of a previously received protocol message;
when the message type of the protocol message is a first type protocol message, converting the protocol message into a second type protocol message used for communication in a virtual private network;
detecting message parameters in the second type protocol message, and judging whether the message parameters carry an attack characteristic of a network attack;
when the judgment result is negative, sending the second type protocol message;
wherein the message parameters include at least one of: a parity check value of the data in the second type protocol message, a cyclic redundancy check value of the data, a message length, a destination IP used for communication, a destination port, a sending rate and a data size; and judging whether the message parameters carry an attack characteristic of a network attack comprises: judging whether at least one of the message parameters is the same as an attack characteristic of the network attack;
and before detecting the message parameters in the second type protocol message, the method further includes: obtaining a corresponding encryption rule by matching the service type of the protocol message, and encrypting the second type protocol message according to the encryption rule, wherein the encryption rule indicates that the encryption security level is changed according to the service type during encryption.
2. The method of claim 1, wherein converting the protocol message into a second type protocol message used for communication in a virtual private network comprises:
acquiring data in the protocol message;
and encapsulating the data according to the format of the second type protocol message to obtain a protocol message whose message type is the second type protocol message.
3. The method according to claim 1, wherein said encrypting the second type protocol message according to the encryption rule comprises:
performing characteristic encryption on the second type protocol message according to the encryption rule, wherein the characteristic encryption is performed according to the message parameters in the second type protocol message.
4. The method according to claim 3, wherein detecting the message parameters in the second type protocol message and judging whether the message parameters carry an attack characteristic of a network attack comprises:
judging whether the protocol message carries a network attack according to the result of matching the message parameters against the attack characteristics.
5. The method of claim 1, further comprising:
when the judgment result is positive, discarding the second type protocol message.
6. The method of claim 1, further comprising:
receiving a second type protocol message returned by the server;
matching a corresponding forwarding port according to the destination address of the second type protocol message;
and returning the second type protocol message through the forwarding port.
7. The method according to claim 6, wherein said returning the second type protocol message through the forwarding port comprises:
detecting the type of protocol message supported by the forwarding port corresponding to the destination address;
and sending the second type protocol message according to the type of protocol message supported by the forwarding port.
8. The method according to claim 7, wherein said sending the second type protocol message according to the type of protocol message supported by the forwarding port comprises:
when detecting that the type of protocol message supported by the forwarding port is a first type protocol message, acquiring the data in the second type protocol message;
and returning the data through the corresponding forwarding port.
9. The method according to claim 7, wherein said sending the second type protocol message according to the type of protocol message supported by the forwarding port comprises:
when detecting that the type of protocol message supported by the forwarding port is a second type protocol message, returning the second type protocol message through the corresponding forwarding port.
10. A method for constructing a virtual private network, comprising:
receiving a second type protocol message sent by a client, wherein the client detects the message type of a previously received protocol message and, when the message type of the protocol message is a first type protocol message, converts the protocol message into a second type protocol message used for communication in a virtual private network;
judging whether the message parameters in the second type protocol message carry an attack characteristic of a network attack;
when the judgment result is negative, sending the second type protocol message to a corresponding sending port according to the type of the server;
wherein the message parameters include at least one of: a parity check value of the data in the second type protocol message, a cyclic redundancy check value of the data, a message length, a destination IP used for communication, a destination port, a sending rate and a data size; and judging whether the message parameters in the second type protocol message carry an attack characteristic of a network attack comprises: judging whether at least one of the message parameters is the same as an attack characteristic of the network attack;
and before sending the second type protocol message to the corresponding sending port according to the type of the server, the method further includes:
decrypting the second type protocol message according to a preset decryption rule;
wherein decrypting the second type protocol message according to the preset decryption rule comprises:
matching a corresponding decryption rule according to the service type of the second type protocol message;
and executing feature decryption on the second type protocol message according to the decryption rule, wherein the feature decryption indicates that decryption is executed according to the message parameters in the second type protocol message.
11. The method according to claim 10, wherein sending the decrypted second type protocol message to a corresponding sending port according to the type of the server comprises:
when the type of the server supports a second type protocol message, sending the second type protocol message to the server through a first type sending port, wherein the first type sending port is a port corresponding to a server supporting the second type protocol message;
and when the type of the server supports a first type protocol message, acquiring the data in the second type protocol message and sending the data to the server through a second type sending port, wherein the second type sending port is a port corresponding to a server supporting the first type protocol message.
12. An apparatus for constructing a virtual private network, comprising:
a detection module, used for detecting the message type of a previously received protocol message;
a conversion module, used for converting the protocol message into a second type protocol message used for communication in a virtual private network when the message type of the protocol message is a first type protocol message;
a judging module, used for detecting the message parameters in the second type protocol message and judging whether the message parameters carry an attack characteristic of a network attack;
a sending module, used for sending the second type protocol message when the judgment result is negative;
wherein the message parameters include at least one of: a parity check value of the data in the second type protocol message, a cyclic redundancy check value of the data, a message length, a destination IP used for communication, a destination port, a sending rate and a data size; and judging whether the message parameters carry an attack characteristic of a network attack comprises: judging whether at least one of the message parameters is the same as an attack characteristic of the network attack;
and an encryption module, used for obtaining a corresponding encryption rule by matching the service type of the protocol message before the message parameters in the second type protocol message are detected, and encrypting the second type protocol message according to the encryption rule, wherein the encryption rule indicates that the encryption security level is changed according to the service type during encryption.
13. The apparatus of claim 12, wherein the conversion module comprises:
an obtaining unit, configured to obtain the data in the protocol message;
and an encapsulating unit, used for encapsulating the data according to the format of the second type protocol message to obtain a protocol message whose message type is the second type protocol message.
14. The apparatus of claim 12, wherein the encryption module comprises:
an encryption unit, used for performing characteristic encryption on the second type protocol message according to the encryption rule, wherein the characteristic encryption is performed according to the message parameters in the second type protocol message.
15. The apparatus of claim 14, wherein the judging module comprises:
a judging unit, used for judging whether the protocol message carries a network attack according to the result of matching the message parameters against the attack characteristics.
16. The apparatus of claim 12, further comprising:
an execution module, used for discarding the second type protocol message when the judgment result is positive.
17. The apparatus of claim 12, further comprising:
a receiving module, used for receiving the second type protocol message returned by the server;
a matching module, used for matching a corresponding forwarding port according to the destination address of the second type protocol message;
and a feedback module, used for returning the second type protocol message through the forwarding port.
18. The apparatus of claim 17, wherein the feedback module comprises:
a type detection unit, configured to detect the type of protocol message supported by the forwarding port corresponding to the destination address;
and a sending unit, configured to send the second type protocol message according to the type of protocol message supported by the forwarding port.
19. The apparatus of claim 18, wherein the sending unit comprises:
an obtaining subunit, configured to obtain the data in the second type protocol message when it is detected that the type of protocol message supported by the forwarding port is a first type protocol message;
and a first sending subunit, configured to return the data through the corresponding forwarding port.
20. The apparatus of claim 18, wherein the sending unit comprises:
a second sending subunit, configured to return the second type protocol message through the corresponding forwarding port when it is detected that the type of protocol message supported by the forwarding port is a second type protocol message.
21. An apparatus for constructing a virtual private network, comprising:
a receiving module, used for receiving a second type protocol message sent by a client, wherein the client detects the message type of a previously received protocol message and, when the message type of the protocol message is a first type protocol message, converts the protocol message into a second type protocol message used for communication in a virtual private network;
a judging module, used for judging whether the message parameters in the second type protocol message carry an attack characteristic of a network attack;
a sending module, used for sending the second type protocol message to a corresponding sending port according to the type of the server when the judgment result is negative;
wherein the message parameters include at least one of: a parity check value of the data in the second type protocol message, a cyclic redundancy check value of the data, a message length, a destination IP used for communication, a destination port, a sending rate and a data size; and judging whether the message parameters in the second type protocol message carry an attack characteristic of a network attack comprises: judging whether at least one of the message parameters is the same as an attack characteristic of the network attack;
the apparatus further comprises:
a decryption module, used for decrypting the second type protocol message according to a preset decryption rule before the second type protocol message is sent to the corresponding sending port according to the type of the server;
wherein the decryption module comprises:
a matching unit, used for matching a corresponding decryption rule according to the service type of the second type protocol message;
and a decryption unit, used for executing feature decryption on the second type protocol message according to the decryption rule, wherein the feature decryption indicates that decryption is executed according to the message parameters in the second type protocol message.
22. The apparatus of claim 21, wherein the sending module comprises:
a first sending unit, used for sending the second type protocol message to the server through a first type sending port when the type of the server supports a second type protocol message, wherein the first type sending port is a port corresponding to a server supporting the second type protocol message;
and a second sending unit, used for acquiring the data in the second type protocol message and sending the data to the server through a second type sending port when the type of the server supports a first type protocol message, wherein the second type sending port is a port corresponding to a server supporting the first type protocol message.
23. A system for constructing a virtual private network, comprising: a client tunnel device and a tunnel network device, the client tunnel device and the tunnel network device being communicatively connected, wherein:
the client tunnel device is used for detecting the message type of a received protocol message and converting a protocol message whose message type is a first type protocol message into a second type protocol message used for communication in a virtual private network; judging, by detecting the message parameters in the second type protocol message, whether the protocol message carries an attack characteristic of a network attack; and sending the protocol message when the judgment result is negative;
the tunnel network device is communicatively connected with the client tunnel device and is used for receiving the second type protocol message sent by the client tunnel device, detecting whether the second type protocol message carries a network attack, and, when the judgment result is negative, sending the decrypted second type protocol message to a corresponding sending port according to the type of the server;
wherein the client tunnel device is the apparatus for constructing a virtual private network according to any one of claims 12 to 20, and the tunnel network device is the apparatus for constructing a virtual private network according to any one of claims 21 to 22.
24. The system of claim 23, further comprising a server, the tunnel network device being embedded in the server.
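The method of claims 1 to 11 modelled end to end in Python, as an added example that is not code from the patent or from its applicant (the apparatus claims 12 to 22 map one module per step onto the same functions). Everything the claims do not name is an assumption: the frame marker and header layout, the service-type and security-level tables, the attack-characteristic lists and the one-second rate window, and the hash-derived keystream plus HMAC tag that stands in for the claimed "feature encryption" (a production tunnel would use an AEAD such as AES-GCM, not this construction):

```python
"""Toy model of the claimed tunnel pipeline (added illustration, not the patent's code).
Assumed: frame layout, service-type tables, attack-feature lists and the hash-based
'feature encryption' stand-in; a real tunnel would use an AEAD such as AES-GCM instead."""
import hashlib, hmac, ipaddress, struct, zlib
from collections import deque

MAGIC = b"VP2"                               # assumed marker of a second-type (tunnel) frame
SERVICE = {"web": 1, "db": 2, "admin": 3}    # assumed service-type codes carried in the header
CODE_TO_SERVICE = {v: k for k, v in SERVICE.items()}
ENC_LEVEL = {"web": 1, "db": 2, "admin": 3}  # claim 1: security level follows the service type
HDR = struct.Struct("!3sB4sHHI")             # magic, service, dst_ip, dst_port, body length, crc32
TAG = 16                                     # integrity tag appended at level >= 2 (assumed)

def is_second_type(msg):
    """Claim 1, 'detect the message type': second type iff the frame carries the marker."""
    return len(msg) >= HDR.size and msg[:3] == MAGIC

def _keys(key, level, code, ip, port, n):
    """Assumed 'feature encryption' (claim 3): keystream and MAC key bound to the message
    parameters (service, destination IP/port, length); the level sets the KDF rounds."""
    seed = key + bytes([code]) + ip + port.to_bytes(2, "big") + n.to_bytes(2, "big")
    for _ in range(level * 500):
        seed = hashlib.sha256(seed).digest()
    ks = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return ks[:n], hashlib.sha256(b"mac" + seed).digest()

def encapsulate(data, service, dst_ip, dst_port, key):
    """Claim 2 plus the encryption step of claim 1: wrap first-type data in a second-type frame."""
    code, level, ip = SERVICE[service], ENC_LEVEL[service], ipaddress.ip_address(dst_ip).packed
    ks, mk = _keys(key, level, code, ip, dst_port, len(data))
    body = bytes(a ^ b for a, b in zip(data, ks))
    if level >= 2:                           # higher security level: add an integrity tag
        body += hmac.new(mk, body, "sha256").digest()[:TAG]
    return HDR.pack(MAGIC, code, ip, dst_port, len(body), zlib.crc32(body)) + body

def with_body(frame, body):
    """Rebuild the header CRC for a replaced body. A forger does exactly this, which is why the
    CRC parameter of claim 1 catches accidental corruption only; the tag is what catches forgery."""
    _, code, ip, port, _, _ = HDR.unpack_from(frame)
    return HDR.pack(MAGIC, code, ip, port, len(body), zlib.crc32(body)) + body

def decapsulate(frame, key):
    """Claim 10: match the decryption rule by service type, then undo the feature encryption.
    Returns (data, service); data is None if the service code is unknown or the tag fails."""
    _, code, ip, port, length, _ = HDR.unpack_from(frame)
    service = CODE_TO_SERVICE.get(code)
    if service is None:
        return None, None
    level, body = ENC_LEVEL[service], frame[HDR.size:HDR.size + length]
    ct, tag = (body[:-TAG], body[-TAG:]) if level >= 2 else (body, b"")
    ks, mk = _keys(key, level, code, ip, port, len(ct))
    if level >= 2 and not hmac.compare_digest(tag, hmac.new(mk, ct, "sha256").digest()[:TAG]):
        return None, service
    return bytes(a ^ b for a, b in zip(ct, ks)), service

class AttackFilter:
    """Claims 1 and 10: drop a frame when at least one message parameter (length, CRC,
    destination IP/port, frame size, send rate) equals a configured attack characteristic."""
    def __init__(self, bad_ips=(), bad_ports=(), max_len=1400, max_pps=100):
        self.bad_ips = {ipaddress.ip_address(i).packed for i in bad_ips}
        self.bad_ports, self.max_len, self.max_pps = set(bad_ports), max_len, max_pps
        self.window = deque()                # send times within the last second (assumed window)

    def verdict(self, frame, now):
        """Return None when the frame may be sent, else the matched attack characteristic."""
        if not is_second_type(frame):
            return "not a second-type frame"
        _, _, ip, port, length, crc = HDR.unpack_from(frame)
        body = frame[HDR.size:]
        checks = [(len(body) != length, "length field does not match body"),
                  (zlib.crc32(body) != crc, "crc mismatch"),
                  (ip in self.bad_ips, "destination IP on attack list"),
                  (port in self.bad_ports, "destination port on attack list"),
                  (len(frame) > self.max_len, "oversized frame")]
        for hit, reason in checks:
            if hit:
                return reason
        self.window.append(now)
        while now - self.window[0] > 1.0:
            self.window.popleft()
        return "send rate exceeds limit" if len(self.window) > self.max_pps else None

def client_send(msg, service, dst_ip, dst_port, key, flt, now):
    """Claims 1-5 on the client tunnel device: convert a first-type message, filter, send or drop.
    Returns (frame, None) when the frame is sent, or (None, reason) when it is discarded."""
    frame = msg if is_second_type(msg) else encapsulate(msg, service, dst_ip, dst_port, key)
    reason = flt.verdict(frame, now)
    return (None, reason) if reason else (frame, None)

def server_receive(frame, key, flt, server_speaks_second_type, now):
    """Claims 10-11 on the tunnel network device: filter, decrypt, choose the sending port.
    Claim 11's 'first type sending port' serves servers that speak the tunnel protocol and gets
    the frame unchanged; the 'second type sending port' serves first-type-only servers and gets
    the inner data. Claims 8-9 make the same choice per forwarding port on the return path."""
    reason = flt.verdict(frame, now)
    if reason:
        return None, reason
    data, _ = decapsulate(frame, key)
    if data is None:
        return None, "integrity check failed"
    return (("first_type_port", frame) if server_speaks_second_type else ("second_type_port", data)), None
```

Two points the claims leave implicit become visible when this runs. The parameter check is a blocklist match: a frame is dropped only when a parameter equals a listed attack characteristic or exceeds the rate limit, so the lists decide what is caught. And the parity and CRC parameters detect accidental corruption only: a sender who modifies the body and recomputes the CRC passes the check, and at a security level without an integrity tag (level 1 here) the modified ciphertext decrypts to modified plaintext, so the level selected by service type must add integrity protection rather than only a stronger key.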
CN201610084105.9A 2016-02-06 2016-02-06 Method, device and system for constructing virtual private network Active CN107046495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610084105.9A CN107046495B (en) 2016-02-06 2016-02-06 Method, device and system for constructing virtual private network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610084105.9A CN107046495B (en) 2016-02-06 2016-02-06 Method, device and system for constructing virtual private network

Publications (2)

Publication Number Publication Date
CN107046495A CN107046495A (en) 2017-08-15
CN107046495B true CN107046495B (en) 2020-08-18

Family

ID=59543725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610084105.9A Active CN107046495B (en) 2016-02-06 2016-02-06 Method, device and system for constructing virtual private network

Country Status (1)

Country Link
CN (1) CN107046495B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107612907A (en) * 2017-09-15 2018-01-19 北京外通电子技术公司 VPN VPN safety protecting methods and FPGA
CN109120696A (en) * 2018-08-17 2019-01-01 百度在线网络技术(北京)有限公司 Method and apparatus for sending data
CN110933028B (en) * 2019-10-24 2022-04-15 中移(杭州)信息技术有限公司 Message transmission method, device, network equipment and storage medium
WO2021134621A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Message scheduling method and apparatus
CN112260926B (en) * 2020-10-16 2022-06-03 上海叠念信息科技有限公司 Data transmission system, method, device, equipment and storage medium of virtual private network
CN112491651B (en) * 2020-11-17 2022-07-12 北京天融信网络安全技术有限公司 Message matching method and device
CN112667359B (en) * 2020-12-30 2024-01-30 深圳市科思科技股份有限公司 Data transparent transmission method, electronic equipment and storage medium
CN115225347B (en) * 2022-06-30 2023-12-22 烽台科技(北京)有限公司 Method and device for monitoring target range resources

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878082A (en) * 2005-06-09 2006-12-13 杭州华为三康技术有限公司 Protective method for network attack
CN101753531A (en) * 2008-12-19 2010-06-23 上海安达通信息安全技术股份有限公司 Method utilizing https/http protocol to realize encapsulation of IPsec protocol
CN102104478A (en) * 2009-12-16 2011-06-22 中兴通讯股份有限公司 Method and device for improving safety of EPON system
CN103001931A (en) * 2011-09-08 2013-03-27 北京智慧风云科技有限公司 Communication system of terminals interconnected among different networks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102065125A (en) * 2010-11-18 2011-05-18 广州致远电子有限公司 Method for realizing embedded secure socket layer virtual private network (SSL VPN)
US20120167196A1 (en) * 2010-12-23 2012-06-28 International Business Machines Corporation Automatic Virtual Private Network
US9596271B2 (en) * 2012-10-10 2017-03-14 International Business Machines Corporation Dynamic virtual private network
CN104243267B (en) * 2014-09-18 2019-02-22 百度在线网络技术(北京)有限公司 Data transmission method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878082A (en) * 2005-06-09 2006-12-13 杭州华为三康技术有限公司 Protective method for network attack
CN101753531A (en) * 2008-12-19 2010-06-23 上海安达通信息安全技术股份有限公司 Method utilizing https/http protocol to realize encapsulation of IPsec protocol
CN102104478A (en) * 2009-12-16 2011-06-22 中兴通讯股份有限公司 Method and device for improving safety of EPON system
CN103001931A (en) * 2011-09-08 2013-03-27 北京智慧风云科技有限公司 Communication system of terminals interconnected among different networks

Also Published As

Publication number Publication date
CN107046495A (en) 2017-08-15

Similar Documents

Publication Publication Date Title
CN107046495B (en) Method, device and system for constructing virtual private network
EP2362586B1 (en) System and method for data communication between a user terminal and a gateway via a network node
CN107534665B (en) Scalable intermediary network device utilizing SSL session ticket extensions
US9225685B2 (en) Forcing all mobile network traffic over a secure tunnel connection
US9100370B2 (en) Strong SSL proxy authentication with forced SSL renegotiation against a target server
US11115391B2 (en) Securing end-to-end virtual machine traffic
CN108702371A (en) System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification
CN107104929B (en) Method, device and system for defending network attack
CN114503507A (en) Secure publish-subscribe communications method and apparatus
US20140095862A1 (en) Security association detection for internet protocol security
US11757840B2 (en) Configuring a protocol in a virtual private network
US20190124055A1 (en) Ethernet security system and method
US20180176230A1 (en) Data packet transmission method, apparatus, and system, and node device
KR101971995B1 (en) Method for decryping secure sockets layer for security
Migault et al. Diet-ESP: IP layer security for IoT
US11539668B2 (en) Selective transport layer security encryption
CN113950802B (en) Gateway device and method for performing site-to-site communication
US20230239279A1 (en) Method and apparatus for security communication
CN114567450A (en) Protocol message processing method and device
CN117254976B (en) National standard IPsec VPN realization method, device and system based on VPP and electronic equipment
CN113765878B (en) Selective transport layer security encryption
CN111556084B (en) Communication method, device, system, medium and electronic equipment among VPN (virtual private network) devices
CN116938441A (en) Quantum cryptography in internet key exchange process
Luniya et al. SmartX--Advanced Network Security for Windows Opearating System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1240422; Country of ref document: HK)

GR01 Patent grant