CN108040122B - File transmission method and device - Google Patents


Info

Publication number: CN108040122B
Authority: CN (China)
Prior art keywords: network, file, parent program, program, transmitted
Legal status: Active
Application number: CN201711432490.2A
Other languages: Chinese (zh)
Other versions: CN108040122A
Inventor: 章年忠
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: Maipu Communication Technology Co Ltd

Classifications

All classes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/563 Data redirection of data network streams
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a file transmission method and device, relates to the technical field of communication networks, and can improve file transfer efficiency between isolated networks. The method comprises the following steps: when a first network is isolated from a second network, a third network is added, and a shared storage space with read-only permission is set up on a network device in the third network. When a file needs to be transmitted from the first network to the second network, a user of the second network who does not have permission to transfer the file directly from the first network to the second network can call a parent program installed on a network device in the first network by entering a file transmission instruction, indirectly call a subprogram installed on the same network device through the parent program, and have the subprogram write the file to be transmitted into the shared storage space.

Description

File transmission method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a file transmission method and apparatus.
Background
Currently, to ensure file security, the entire network is usually divided into different network segments to achieve network isolation. For example, the entire network is divided into an internal network and an external network which are isolated from each other, where the internal network has the higher security level and is used for storing confidential files. When confidential documents are to be transmitted from the internal network to the external network, the external network user must submit a document transmission electronic workflow, and after the auditors complete their review and approval, an internal network administrator manually copies the confidential documents from the internal network to the external network. The file transmission process therefore requires manual review and approval, takes a long time and is prone to errors, so file transfer efficiency is low.
Disclosure of Invention
The application provides a file transmission method and device, which can improve the efficiency of transmitting files between two networks isolated from each other.
In order to achieve the purpose, the technical scheme is as follows:
In a first aspect, the present application provides a file transfer method applied to a communication network comprising a first network, a second network and a third network. The first network is isolated from the second network, and a network device of the third network comprises a shared storage space. A network device in the first network is provided with a parent program and a subprogram; the parent program has read-only permission for the shared storage space and the subprogram has write permission for it. The network device in the second network has read-only permission for the shared storage space. The method comprises the following steps: the network device in the first network receives, through the parent program, a file transmission instruction input by a user through the network device in the second network; the file transmission instruction carries an identifier of the network device in the second network, file information of a file to be transmitted that is stored in the first network, and an identifier of a target storage space; the network device in the first network then calls the subprogram through the parent program to execute the following process: determining, from the identifier of the network device in the second network and the file information, that the network device in the second network has read permission for the file to be transmitted; determining that the identifier of the target storage space corresponds to the identifier of the shared storage space; and writing the file to be transmitted into the shared storage space according to the file information.
In a second aspect, the present application provides a file transfer apparatus applied to a network device in a first network as described in the first aspect. The apparatus comprises a receiving module and a processing module. The receiving module is used for receiving, through the parent program, a file transmission instruction input by a user through the network device in the second network, where the file transmission instruction carries an identifier of the network device in the second network, file information of a file to be transmitted that is stored in the first network, and an identifier of a target storage space. The processing module is used for calling the subprogram through the parent program to execute the following process: determining, from the identifier of the network device in the second network and the file information, that the network device in the second network has read permission for the file to be transmitted; determining that the identifier of the target storage space corresponds to the identifier of the shared storage space; and writing the file to be transmitted into the shared storage space according to the file information.
In a third aspect, the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when a network device in a first network executes the instructions, the network device executes the file transmission method described in any one of the first aspect and various optional implementation manners.
According to the file transmission method and device, when the first network is isolated from the second network, a third network is added, and a shared storage space for which users of the second network have read-only permission is set up on a network device in the third network. When a file needs to be transmitted from the first network to the second network, a user of the second network, who does not have permission to transfer the file directly from the first network to the second network, can call a parent program installed on a network device in the first network by entering a file transmission instruction, and through the parent program indirectly call a subprogram also installed on that network device, which writes the file to be transmitted into the shared storage space. The file transfer permission of the second-network user is thus raised only temporarily, and the file is transmitted safely and efficiently from the first network to the isolated second network. This avoids the manual review and approval, the long delay and the error-proneness of transmitting the file through an electronic approval workflow, and improves file transfer efficiency between isolated networks.
Drawings
Fig. 1 is a schematic view of a communication network structure to which a file transmission method and apparatus according to an embodiment of the present disclosure are applied;
Fig. 2 is a first flowchart illustrating a file transmission method according to an embodiment of the present application;
Fig. 3 is a second flowchart illustrating a file transmission method according to an embodiment of the present application;
Fig. 4 is a third flowchart illustrating a file transmission method according to an embodiment of the present application;
Fig. 5 is a fourth flowchart illustrating a file transmission method according to an embodiment of the present application;
Fig. 6 is a fifth flowchart illustrating a file transmission method according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a file transfer device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a network device in a first network according to an embodiment of the present application.
Detailed Description
The following describes a file transfer method and apparatus provided in an embodiment of the present application in detail with reference to the accompanying drawings.
The term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone.
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the description of the present application, the meaning of "a plurality" means two or more unless otherwise specified.
The file transmission method provided by the embodiment of the present application can be applied to the communication network 10 shown in Fig. 1. The communication network 10 includes a first network 11, a second network 12 and a third network 13; the first network 11 is isolated from the second network 12, and the network device of the third network 13 includes a shared storage space 131; the network device 111 in the first network 11 has a parent program 1111 and a child program 1112 installed, where the parent program 1111 has read-only rights to the shared storage space 131 and the child program 1112 has write rights to the shared storage space 131; the network device 121 in the second network 12 has read-only rights to the shared storage space 131. User 14 may access network device 111 in the first network 11 through network device 121 in the second network 12. The parent program 1111 and the child program 1112 may be implemented in a scripting language or in a programming language such as C; the present application does not limit this.
Illustratively, the first network 11 may be the research and development intranet of an enterprise, and the network devices 111 in the first network 11 may include servers, workstations, high-performance computers and mass storage devices for storing files with higher security levels, such as source code and confidential documents. The second network 12 may be a network containing dedicated test equipment that has a network connection to the network device 121 in the second network 12. The network device 121 in the second network 12 may be an electronic device such as a notebook computer or a personal computer (PC) which can access the first network in a wired or wireless manner.
Of course, the rights of different users to use the first network 11, the second network 12 and the third network 13 are different. The different users may include network administrators and users in the second network 12, among others.
Illustratively, the network administrator has the authority to create and manage the first network 11 and the second network 12 isolated from each other, and the authority to add the third network 13 between the first network 11 and the second network 12. Specifically, the network administrator first creates the shared directory M3 on the network device of the third network 13. The network administrator has write rights to the shared directory M3, and users in the second network have read-only rights to it. The network administrator then maps the shared directory M3 to a mirrored directory M1 accessible by the network device 111 in the first network 11, and maps the shared directory M3 to a mirrored directory M2 accessible by the network device 121 in the second network 12.
Illustratively, the network administrator may also create program installation directories Ma and Mb on the network device 111 of the first network 11, install in Ma a subprogram Pa having write authority for the shared directory M3, and install in Mb a parent program Pb having read-only authority for the shared directory M3 and the authority to call Pa. The authority configuration information of the subprogram Pa and the parent program Pb may be stored in the designated program installation directories Ma and Mb in the form of configuration files, or may be embedded in the program code of Pa and Pb; this application does not limit it. For example, for convenience of management and modification, the configuration information of the subprogram Pa may be recorded in the configuration file pa.conf and that of the parent program Pb in the configuration file pb.conf, with pa.conf and pb.conf stored in the respective program installation directories Ma and Mb.
Illustratively, the network administrator also has the authority to create accounts for users 14 of the second network 12 and to configure their right to access the first network 11. Specifically, the network administrator may grant the users 14 of the second network 12 the following privileges: the authority to access the network device 111 of the first network 11 through the network device 121 of the second network 12, including at least one of read-only, write and execute authority for a specified directory of the network device 111; read-only rights to the shared storage space 131; and the right to call the parent program Pb by entering a file transmission instruction. For security, however, the users 14 of the second network 12 do not have the authority to export security-related files directly from the first network 11 to the second network 12.
It should be noted that fig. 1 is only an exemplary architecture diagram, and the communication network may include other functional units besides the functional units shown in fig. 1, which is not limited in this embodiment of the present application.
As shown in fig. 2, an embodiment of the present application provides a file transfer method, which is applied to a network device 111 in a first network 11 shown in fig. 1. The method may comprise S201-S203, or S201 and S203:
S201, the network device in the first network receives, through the parent program, a file transmission instruction input by a user through the network device in the second network.
The file transmission instruction carries an identifier of network equipment in the second network, file information of a file to be transmitted stored in the first network and an identifier of a target storage space.
The file information of the file to be transmitted may include, for example, a storage location of the file to be transmitted, a file name, a file size, a file format, and permissions of different users configured by a network administrator. The identification of the destination storage space may include at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, and path information of a storage device for storing the transmitted file.
Specifically, the instruction in S201 may be one that the user, after remotely logging in to the network device in the first network through the network device in the second network, enters at the human-machine interface provided by the network device in the first network in order to invoke the parent program.
S202, the network device in the first network determines, through the parent program, whether the file to be transmitted is authorized according to the file information of the file to be transmitted.
Specifically, the network device in the first network determines, through the parent program, whether file information carried in the file transmission instruction matches configuration information of the access right of the file to be transmitted, which is locally stored in the network device in the first network. And if so, confirming that the file to be transmitted is authorized to be transmitted.
Optionally, S202 may include S301-S304:
S301, the network device in the first network obtains the file to be transmitted according to the file information through the parent program.
For example, the file to be transmitted may be acquired according to the storage location and the file name of the file to be transmitted. The file to be transmitted may be stored in a storage space of any network device in the first network, and is not necessarily limited to the storage space of the network device 111 shown in fig. 1.
S302, the network device in the first network determines the file type of the file to be transmitted to be an authorized file type through the parent program.
S303, the network device in the first network determines that the file format of the file to be transmitted conforms to the standard format of the authorized file type through the parent program.
S304, the network device in the first network determines the file content of the file to be transmitted as authorized file content through the parent program.
In practical applications, the file type, the file format, and the file content of the file to be uploaded may be preset and stored in a configuration file locally stored in the network device in the first network.
For example, in the software development process, a test version file is generated according to software codes written by programming languages such as C language, and the test version file is uploaded to a specific test device located in the second network for testing, and the source code file does not need to be uploaded. Therefore, the file type of the file to be transmitted can be preset as the file type and the file format of the test version file, and the test version file can be preset to be generated according to a pre-specified source code file, that is, the file content of the file to be transmitted is preset. By checking whether the file to be transmitted is authorized, the confidential file which does not need to be transmitted can be prevented from being transmitted to the second network, and the security of the confidential file in the isolated network environment is further improved.
It should be noted that the execution sequence of S302-S304 may be arbitrary, and the embodiment of the present application does not limit this.
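The parent-program side of S201-S202, written as an added example in Python (not code from the patent or from Maipu): a parser for the file transmission instruction and the three S302-S304 checks against a local allow-list. The key=value instruction syntax, the policy dictionary layout, identifying the file type by extension, using leading magic bytes as the "standard format" check, and a manifest of SHA-256 digests of approved test builds as the "authorized content" check are all assumptions; the patent only states that type, format and content are preset in a configuration file stored on the first-network device.

```python
"""Parent-program side of S201-S202: parse a file transmission instruction and
decide whether the named file is authorized for export.  Added example, not the
patent's code; instruction syntax, policy layout and all paths are assumptions."""
import hashlib
import os
import shutil
import tempfile


def parse_instruction(text):
    """S201: parse 'device=<id> file=<path> target=<storage id>' into a dict.
    The key=value syntax is an assumption; the patent only names the three fields."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not value:
            raise ValueError("malformed token: %r" % token)
        fields[key] = value
    missing = {"device", "file", "target"} - fields.keys()
    if missing:
        raise ValueError("instruction lacks field(s): %s" % ", ".join(sorted(missing)))
    return fields


def sha256_of(path):
    """Digest of a file, read in chunks so large build artifacts are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def authorize_file(path, policy):
    """S301-S304; returns (authorized, reason).  The three checks are independent,
    matching the statement that their order is arbitrary."""
    # S301: obtain the file; a symlink is refused so the checks apply to the real object
    if os.path.islink(path) or not os.path.isfile(path):
        return False, "file not found"
    # S302: file type, keyed here by extension (assumption)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    type_rule = policy["authorized_types"].get(ext)
    if type_rule is None:
        return False, "file type %r not authorized" % ext
    # S303: file format: the content must start with the magic bytes of that type
    with open(path, "rb") as fh:
        head = fh.read(len(type_rule["magic"]))
    if head != type_rule["magic"]:
        return False, "format does not match type %r" % ext
    # S304: file content: digest must be in the manifest of approved test builds
    if sha256_of(path) not in policy["approved_sha256"]:
        return False, "content is not an approved test build"
    return True, "authorized"


def demo():
    """Constructed scenario: one approved build, one source file, one mislabelled file."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "app_test.bin": b"\x7fELF" + b"constructed test build bytes",  # approved build
            "app.c": b"int main(void) { return 0; }",                      # source: wrong type
            "notes.bin": b"plain text with the build extension",          # right type, wrong format
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        policy = {
            "authorized_types": {"bin": {"magic": b"\x7fELF"}},
            "approved_sha256": {sha256_of(os.path.join(root, "app_test.bin"))},
        }
        results = {}
        for name in files:
            instr = parse_instruction("device=dev-02 file=%s target=M1" % os.path.join(root, name))
            results[name] = authorize_file(instr["file"], policy)[0]
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Only the build named in the approved manifest passes; the source file fails the type check (S302) and the text file carrying the build extension fails the format check (S303), which is exactly the separation the patent wants between an exportable test artifact and the confidential source it was built from.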
S203, the network device in the first network calls the subprogram through the parent program to write the file to be transmitted into the shared storage space.
Optionally, in S203, "the network device in the first network calls the subprogram through the parent program" may be specifically implemented as follows: the network device in the first network sends a file transmission request to the subprogram through the parent program, where the file transmission request comprises the file transmission instruction and an identifier of the parent program.
The subprogram may be an executable script that executes a file transmission request sent by the parent program according to the transmission instruction of the file to be transmitted and transmits the file to be transmitted from the first network to the second network, or an application program or a process that can complete the same function, which is not limited in this embodiment of the present application.
Optionally, S203 may include S401-S403:
S401, according to the identifier of the network device in the second network and the file information, determining that the network device in the second network has read permission for the file to be transmitted.
S402, determining that the identification of the destination storage space corresponds to the identification of the shared storage space.
Specifically, the authority configuration file local to the network device in the first network may be queried according to the identifier of the network device in the second network, the file information, and the identifier of the destination storage space. If the authority configuration file contains the information to be inquired, the file to be transmitted is considered to be authorized.
It should be noted that the execution sequence of S401 and S402 may be arbitrary, and this is not limited in this embodiment of the application.
And S403, writing the file to be transmitted into the shared storage space according to the file information.
Specifically, the file to be transmitted may be written in the shared storage space through a network connection between the network device in the first network and the shared storage space.
Optionally, to further improve the security of file transmission in the isolated network environment, before performing S403, S203 may further include at least one of S501 and S502:
S501, determining that the user in the second network has the authority to call the parent program through the network device in the second network.
And S502, determining that the parent program has the authority of calling the subprogram.
Specifically, it may be confirmed in a manner similar to S401 and S402 whether the user and the parent program in the second network have the rights as described in S501 and S502, respectively, which is not described herein again.
It should be noted that the execution sequence of S401, S402, S501, and S502 may be arbitrary, and this is not limited in this embodiment of the application. For example, at least one of S501 and S502 may be performed first, and then S401 to S402 may be performed.
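The subprogram side of S203, as an added example in Python (not code from the patent or from Maipu): S501, S502, S401 and S402 are evaluated as lookups in a pa.conf-style allow-list, and only when every check passes does S403 copy the file into the shared directory. The INI layout of pa.conf, its section and key names, the use of the parent program's path as its identifier, the device and user identifiers, and the directory paths are all assumptions; the patent names pa.conf but does not define its format.

```python
"""Subprogram side of S203 (S501, S502, S401, S402, then S403): an added example,
not the patent's or Maipu's code.  The INI layout of pa.conf, its section and key
names, the device/user identifiers and the directory paths are all assumptions."""
import configparser
import os
import shutil
import tempfile

# Constructed pa.conf (the patent names the file but does not define its format).
PA_CONF = """
; S502: programs permitted to call the subprogram Pa (assumed install path of Pb)
[callers]
authorized_parents = /opt/Mb/pb

; S501: second-network users permitted to call the parent program, per device
[users]
dev-02 = tester1 tester2

; S402: target identifiers that resolve to the shared storage space M3
[shared_storage]
identifiers = M1 10.0.3.5:/export/M3

; S401: files each second-network device has read permission for
[read_permissions]
dev-02 = app_test.bin firmware.tgz
"""


class FileTransferRequest:
    """What the parent sends to the subprogram: the instruction fields plus its own identifier."""

    def __init__(self, parent_id, device_id, user, file_name, target_id):
        self.parent_id = parent_id
        self.device_id = device_id
        self.user = user
        self.file_name = file_name
        self.target_id = target_id


def load_policy(text):
    policy = configparser.ConfigParser()
    policy.read_string(text)
    return policy


def check_request(req, policy):
    """S501, S502, S401, S402 in one pass (the patent leaves their order free).
    Returns the list of failed checks; an empty list means the write may proceed."""
    failures = []
    allowed_users = policy["users"].get(req.device_id, "").split()
    if req.user not in allowed_users:
        failures.append("S501: user may not call the parent program from this device")
    if req.parent_id not in policy["callers"]["authorized_parents"].split():
        failures.append("S502: parent program is not authorized to call the subprogram")
    readable = policy["read_permissions"].get(req.device_id, "").split()
    if req.file_name not in readable:
        failures.append("S401: device has no read permission for this file")
    if req.target_id not in policy["shared_storage"]["identifiers"].split():
        failures.append("S402: target is not the shared storage space")
    return failures


def write_to_shared(req, source_dir, shared_dir):
    """S403: copy the file into the shared directory and leave it read-only."""
    # The instruction carries a bare file name; path components would escape source_dir.
    if os.path.basename(req.file_name) != req.file_name or req.file_name in ("", ".", ".."):
        raise ValueError("file name must be a bare name")
    src = os.path.join(source_dir, req.file_name)
    dst = os.path.join(shared_dir, req.file_name)
    shutil.copyfile(src, dst)
    os.chmod(dst, 0o444)
    return dst


def transfer(req, policy, source_dir, shared_dir):
    """Full S203 flow for the subprogram: refuse on any failed check, otherwise write."""
    failures = check_request(req, policy)
    if failures:
        return False, failures
    return True, write_to_shared(req, source_dir, shared_dir)


def demo():
    """Constructed run: an authorized request succeeds, a mis-targeted one is refused."""
    root = tempfile.mkdtemp()
    try:
        source_dir = os.path.join(root, "build")   # hypothetical first-network location
        shared_dir = os.path.join(root, "M1")      # mirrored shared directory
        os.mkdir(source_dir)
        os.mkdir(shared_dir)
        with open(os.path.join(source_dir, "app_test.bin"), "wb") as fh:
            fh.write(b"\x7fELF constructed build")
        policy = load_policy(PA_CONF)
        ok_req = FileTransferRequest("/opt/Mb/pb", "dev-02", "tester1", "app_test.bin", "M1")
        bad_req = FileTransferRequest("/opt/Mb/pb", "dev-02", "tester1", "app_test.bin", "/home/tester1")
        ok, dst = transfer(ok_req, policy, source_dir, shared_dir)
        return {"authorized": ok and os.path.isfile(dst),
                "bad_target": transfer(bad_req, policy, source_dir, shared_dir)[1]}
    finally:
        shutil.rmtree(root)
```

A request that names any destination other than the shared storage space is refused by S402 before anything is written, so even a caller that passed the other three checks cannot redirect the copy to a directory of its own choosing.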
To further improve the security of the file to be transmitted in the first network, S502 (determining that the parent program has the authority to call the subprogram) may include S601 and S602:
S601, acquiring path information of the parent program according to the identifier of the parent program.
The path information of the parent program is program path information for installing the parent program, and the path includes an executable file of the parent program. Specifically, when the parent program is executed, the network device in the first network records, in the specified file, parent-related information, such as an identifier of the parent program, path information of an executable file of the parent program, an identifier of a child program called by the parent program, path information of the executable file, and the like.
For example, on a network device of the first network running a Linux operating system, the program path information of the parent program Pb that calls the child program Pa may be read from the file /proc/<PID>/cmdline, which the operating system generates automatically for each running process once the device has started.
S602, if the path information of the parent program corresponds to the preset path information of a program authorized to call the subprogram, determining that the parent program has the authority to call the subprogram.
The path information of the parent program "corresponding" to the preset path information of a program authorized to call the subprogram means either that the parent program's path is recorded in the authority configuration file of the subprogram, or that it matches the authority configuration information embedded in the program code of the subprogram.
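S601-S602 as an added example in Python (not code from the patent or from Maipu): the subprogram reads /proc/<pid>/cmdline of the process that invoked it, derives the parent program's path, and compares it with a preset list. The install path /opt/Mb/pb, the list of interpreters, and the second comparison against /proc/<pid>/exe are assumptions. That second comparison goes beyond the page: cmdline holds the argv the invoking process supplied, whereas the exe link is maintained by the kernel, so checking both gives the subprogram stronger evidence of who called it.

```python
"""S601-S602: the subprogram checks that the process which invoked it is the
authorized parent program.  Added example, not the patent's code; the paths,
the interpreter list and the /proc/<pid>/exe comparison are assumptions."""
import os

AUTHORIZED_PARENTS = {"/opt/Mb/pb"}  # assumed install path of Pb in directory Mb
# When the parent is a script, argv[0] is the interpreter and argv[1] the script (assumed list)
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/python3"}


def read_cmdline(pid):
    """Raw NUL-separated argv of <pid> from /proc (Linux only)."""
    with open("/proc/%d/cmdline" % pid, "rb") as fh:
        return fh.read()


def parse_cmdline(raw):
    """S601: split /proc/<pid>/cmdline into argv, dropping the trailing empty field."""
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()
    return [os.fsdecode(p) for p in parts]


def program_path(argv):
    """Path of the invoking program: argv[0], or the script path when argv[0] is an interpreter.
    Relative paths are rejected, since they cannot be compared with the preset list."""
    if not argv or not os.path.isabs(argv[0]):
        return None
    exe = os.path.normpath(argv[0])
    if exe in INTERPRETERS:
        if len(argv) < 2 or not os.path.isabs(argv[1]):
            return None
        return os.path.normpath(argv[1])
    return exe


def parent_is_authorized(argv, authorized=AUTHORIZED_PARENTS):
    """S602: the normalized parent path must match a preset authorized path exactly."""
    path = program_path(argv)
    return path is not None and path in authorized


def verify_caller(pid=None, authorized=AUTHORIZED_PARENTS):
    """Live check on Linux for the calling process (default: the subprogram's parent).
    Combines the cmdline result with the kernel-maintained exe link (addition beyond the page)."""
    if pid is None:
        pid = os.getppid()
    argv = parse_cmdline(read_cmdline(pid))
    if not parent_is_authorized(argv, authorized):
        return False
    exe = os.readlink("/proc/%d/exe" % pid)
    # A native parent must be the authorized binary itself; a script must run under a listed interpreter.
    return exe in authorized or exe in INTERPRETERS


if __name__ == "__main__":
    print("caller authorized:", verify_caller())
```

Run from an ordinary shell the script prints False, because the shell is not the preset parent; only when it is executed by a process whose resolved path is /opt/Mb/pb (or a listed interpreter running that script) does the check pass.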
In the embodiment of the present application, the network device in the first network may be divided into the functional modules or the functional units according to the above method examples, for example, each functional module or functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in a form of hardware, or may be implemented in a form of a software functional module or a functional unit. The division of the modules or units in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
Fig. 7 shows a schematic diagram of a possible structure of the file transfer device according to the above embodiment. The apparatus is applied to a network device 111 of a first network as shown in fig. 1, and comprises a processing module 71, a receiving module 72 and a storage module 73.
The receiving module 72 is configured to receive, through the parent program, a file transmission instruction input by a user through a network device in the second network; the file transmission instruction carries an identifier of network equipment in the second network, file information of a file to be transmitted stored in the first network and an identifier of a target storage space.
A processing module 71, configured to call a subprogram by the parent program to perform the following processes: determining that the network equipment in the second network has the read permission of the file to be transmitted according to the identifier of the network equipment in the second network and the file information; determining that the identifier of the target storage space corresponds to the identifier of the shared storage space; and writing the file to be transmitted into the shared storage space according to the file information.
And the storage module 73 is used for storing the program codes of the parent program and the subprogram and a file transmission instruction to be transmitted.
Optionally, the processing module 71 is further configured to send a file transfer request to the sub program through the parent program; wherein the file transmission request comprises a file transmission instruction and an identifier of a parent program.
Optionally, the processing module 71 is further configured to determine that the user has the right to invoke the parent program through a network device in the second network.
The processing module 71 is further configured to determine that the parent program has the authority to call the child program.
Optionally, the processing module 71 is further configured to obtain path information of the parent program according to the identifier of the parent program;
the processing module 71 is further configured to determine that the parent program has the authority to call the child program if the path information of the parent program corresponds to the preset path information of the program authorized to call the child program.
Optionally, the processing module 71 is further configured to obtain, by the parent program, a file to be transmitted according to the file information;
the processing module 71 is further configured to determine, by the parent program, that the file type of the file to be transmitted is an authorized file type, that the file format of the file to be transmitted conforms to the standard format of the authorized file type, and that the file content of the file to be transmitted is authorized file content.
According to the file transmission device, under the condition that the first network is isolated from the second network, a third network is added, and a shared storage space on which users of the second network have read-only permission is set up on the network equipment in the third network. When a file needs to be transmitted from the first network to the second network, a user of the second network who has no permission to transmit the file to be transmitted directly from the first network to the second network can call a parent program installed on a network device in the first network by inputting a file transmission instruction, and through the parent program indirectly call a subprogram also installed on the network equipment in the first network, which writes the file to be transmitted into the shared storage space. The file is thus transmitted safely and efficiently from the first network to the second network isolated from it by temporarily elevating the file transmission authority of the user of the second network; the long processing times and proneness to error of manual examination and approval through an electronic approval flow are avoided, and file transmission efficiency between isolated networks is improved.
Fig. 8 shows a schematic diagram of a possible structure of the network device of the first network involved in the above embodiments. As shown in fig. 8, the network device 80 includes: a processing unit 81 and a communication unit 82. Processing unit 81 is used to control and manage the actions of network device 80, e.g., to perform the steps performed by storage module 73, processing module 71, and/or other processes for performing the techniques described herein. The communication unit 82 is configured to support communication between the network device 80 and other network entities, for example, to perform the steps performed by the receiving module 72. The network device 80 may further comprise a storage unit 83 and a bus 84, the storage unit 83 being used for storing program codes and data of the network device 80.
The processing unit 81 may be, for example, a processor or a controller in the network device 80, which may implement or execute the various exemplary logical blocks, modules, and circuits described in connection with the disclosure. The processor or controller may be a central processing unit, general purpose processor, digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, transistor logic device, hardware component, or any combination thereof. The processor may also be a combination of computing components, e.g., one or more microprocessors, a DSP, or a combination of a DSP and a microprocessor.
The communication unit 82 may be a transceiver, a transceiving circuit or a communication interface, etc. in the network device 80.
The storage unit 83 may be a memory or the like in the network device 80, and the memory may include a volatile memory such as a random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; the memory may also comprise a combination of memories of the kind described above.
The bus 84 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 84 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
An embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when a network device in a first network executes the instructions, the network device executes each step executed by the network device in the method flow shown in the foregoing method embodiment.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a register, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer readable storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. The file transmission method is applied to a communication network, wherein the communication network comprises a first network, a second network and a third network; the first network is isolated from the second network, and the network equipment of the third network comprises a shared storage space; network equipment in the first network is provided with a parent program and a subprogram, wherein the parent program has read-only permission of the shared storage space, and the subprogram has write permission of the shared storage space; network devices in the second network have read-only rights to the shared storage space, the method comprising:
the network device in the first network receives a file transmission instruction input by a user through the network device in the second network through the parent program; the file transmission instruction carries an identifier of network equipment in the second network, file information of a file to be transmitted stored in the first network and an identifier of a target storage space;
the network device in the first network calls the subprogram to execute the following flow through the parent program:
determining that the network equipment in the second network has the read permission of the file to be transmitted according to the identifier of the network equipment in the second network and the file information;
determining that the identifier of the destination storage space corresponds to the identifier of the shared storage space;
and writing the file to be transmitted into the shared storage space according to the file information.
2. The method of claim 1, wherein the network device in the first network invokes the subprogram through the parent program, comprising:
a network device in the first network sends a file transmission request to the subprogram through the parent program; wherein the file transfer request includes the file transfer instruction and an identification of the parent program.
3. The method according to claim 1, wherein before writing the file to be transmitted into the shared storage space according to the file information, the process further comprises:
determining that the user has permission to invoke the parent program through a network device in the second network;
determining that the parent program has the authority to invoke the child program.
4. The method of claim 3, wherein the determining that the parent program has the right to invoke the child program comprises:
acquiring path information of the parent program according to the identifier of the parent program;
and if the path information of the parent program corresponds to the preset path information of the program which is authorized to call the subprogram, determining that the parent program has the authority of calling the subprogram.
5. The method according to any of claims 1-4, wherein before a network device in the first network invokes the subprogram through the parent program, the method further comprises:
network equipment in the first network acquires the file to be transmitted according to the file information through the parent program;
the network equipment in the first network determines the file type of the file to be transmitted as an authorized file type through the parent program;
network equipment in the first network determines that the file format of the file to be transmitted conforms to the standard format of the authorized file type through the parent program;
and the network equipment in the first network determines the file content of the file to be transmitted as authorized file content through the parent program.
6. The file transmission device is applied to a communication network, wherein the communication network comprises a first network, a second network and a third network; the first network is isolated from the second network, and the network equipment of the third network comprises a shared storage space; network equipment in the first network is provided with a parent program and a subprogram, wherein the parent program has read-only permission of the shared storage space, and the subprogram has write permission of the shared storage space; network devices in the second network have read-only rights to the shared storage space, the apparatus comprising:
the receiving module is used for receiving a file transmission instruction input by a user through network equipment in the second network through the parent program; the file transmission instruction carries an identifier of network equipment in the second network, file information of a file to be transmitted stored in the first network and an identifier of a target storage space;
the processing module is used for calling the subprogram through the parent program to execute the following processes:
determining that the network equipment in the second network has the read permission of the file to be transmitted according to the identifier of the network equipment in the second network and the file information;
determining that the identifier of the destination storage space corresponds to the identifier of the shared storage space;
and writing the file to be transmitted into the shared storage space according to the file information.
7. The apparatus of claim 6, wherein the processing module is further configured to send a file transfer request to the subprogram through the parent program; wherein the file transfer request includes the file transfer instruction and an identification of the parent program.
8. The apparatus of claim 6, wherein the processing module is further configured to determine that the user has the right to invoke the parent program through a network device in the second network;
the processing module is further used for determining that the parent program has the authority of calling the subprogram.
9. The apparatus according to claim 8, wherein the processing module is further configured to obtain path information of the parent program according to an identifier of the parent program;
the processing module is further configured to determine that the parent program has the authority to invoke the subprogram if the path information of the parent program corresponds to preset path information of a program authorized to invoke the subprogram.
10. The apparatus according to any one of claims 6 to 9, wherein the processing module is further configured to obtain, by the parent program, the file to be transmitted according to the file information;
the processing module is further configured to determine, by the parent program, that the file type of the file to be transmitted is an authorized file type;
the processing module is further configured to determine, by the parent program, that a file format of the file to be transmitted conforms to a standard format of the authorized file type;
the processing module is further configured to determine, by the parent program, that the file content of the file to be transmitted is authorized file content.
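As an added worked model of the check sequence in claims 1 to 5 (this is example code, not code from the patent or its applicant): the parent program, which only has read permission on the shared storage, vets the file's type, format and content, and the subprogram, the only component with write permission, verifies the caller's path against the preset authorized path, the user's right to invoke the parent, the second-network device's read permission and the target storage identifier before writing. All identifiers, paths, policy tables and file contents are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy tables held by the network device in the first network.
AUTHORIZED_PARENT_PATHS = {"/opt/xfer/parent"}           # claim 4: preset path
PARENT_PATHS = {"parent-01": "/opt/xfer/parent",           # identifier -> path
                "rogue-01": "/tmp/parent"}                 # an unauthorized caller
USERS_MAY_INVOKE_PARENT = {"alice"}                        # claim 3
SHARED_STORAGE_ID = "shared-ro-net3"                       # claim 1: third network
# Which second-network devices may read which first-network files.
READ_ACL = {"dev2-07": {"/data/report.pdf", "/data/notes.txt"}}
AUTHORIZED_TYPES = {"pdf": b"%PDF-", "txt": None}          # type -> magic (None: UTF-8 text)
FORBIDDEN_MARKER = b"INTERNAL-ONLY"                        # constructed content rule

# Constructed file store of the first network and the (initially empty)
# shared storage space on the third network's device.
FIRST_NETWORK_FILES = {
    "/data/report.pdf": b"%PDF-1.4 quarterly figures",
    "/data/notes.txt": b"meeting notes",
    "/data/secret.txt": b"INTERNAL-ONLY design",
}
SHARED_STORAGE: dict[str, bytes] = {}


@dataclass(frozen=True)
class Instruction:
    """The file transmission instruction of claim 1."""
    user: str
    device_id: str          # identifier of the second-network device
    file_path: str          # file information
    file_type: str          # declared type, checked against the format
    target_storage_id: str


@dataclass(frozen=True)
class TransferRequest:
    """Claim 2: the instruction plus the identifier of the calling parent."""
    instruction: Instruction
    parent_id: str


def parent_program(instr: Instruction, parent_id: str) -> TransferRequest:
    """Claim 5: the parent checks type, format and content before calling the subprogram."""
    data = FIRST_NETWORK_FILES.get(instr.file_path)
    if data is None:
        raise PermissionError("file not found in first network")
    if instr.file_type not in AUTHORIZED_TYPES:
        raise PermissionError("unauthorized file type")
    magic = AUTHORIZED_TYPES[instr.file_type]
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise PermissionError("format does not match declared type") from None
    elif not data.startswith(magic):
        raise PermissionError("format does not match declared type")
    if FORBIDDEN_MARKER in data:
        raise PermissionError("content not authorized for release")
    return TransferRequest(instr, parent_id)


def subprogram(req: TransferRequest) -> str:
    """Claims 1, 3, 4: the subprogram re-checks authority, then performs the only write."""
    instr = req.instruction
    if instr.user not in USERS_MAY_INVOKE_PARENT:                          # claim 3
        raise PermissionError("user may not invoke the parent program")
    if PARENT_PATHS.get(req.parent_id) not in AUTHORIZED_PARENT_PATHS:    # claim 4
        raise PermissionError("caller path is not the authorized parent program")
    if instr.file_path not in READ_ACL.get(instr.device_id, set()):        # claim 1
        raise PermissionError("device lacks read permission for the file")
    if instr.target_storage_id != SHARED_STORAGE_ID:                       # claim 1
        raise PermissionError("target is not the shared storage space")
    SHARED_STORAGE[instr.file_path] = FIRST_NETWORK_FILES[instr.file_path]
    return instr.file_path


def transfer(instr: Instruction, parent_id: str = "parent-01") -> str:
    """Full flow: user -> parent program -> subprogram -> shared storage."""
    return subprogram(parent_program(instr, parent_id))


def denied(instr: Instruction, parent_id: str = "parent-01") -> bool:
    """True when the flow refuses the transfer (used to exercise the failure paths)."""
    try:
        transfer(instr, parent_id)
    except PermissionError:
        return True
    return False
```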
CN201711432490.2A 2017-12-26 2017-12-26 File transmission method and device Active CN108040122B (en)
Publications (2)

Publication Number Publication Date
CN108040122A CN108040122A (en) 2018-05-15
CN108040122B true CN108040122B (en) 2020-06-19