CN108429770A - A kind of server and client data shielding system and data transmission method - Google Patents
- Publication number
- CN108429770A (application number CN201810581556.2A)
- Authority
- CN
- China
- Prior art keywords
- client
- server
- access card
- hardware access
- card
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
Abstract
A server and client data shielding system and data transmission method. The system comprises a client and a physical server; a hardware access card is fitted to the physical server as a peripheral and is connected to it over an internal or external device bus. A virtual server runs on the physical server. The hardware access card presents user-interface devices to the physical server or the virtual server, and the physical server or virtual server installs and runs a driver to access the hardware access card. The client is connected to the network interface of the hardware access card, and the client and the hardware access card communicate over the network. The invention lets the server and the client transfer data with the hardware access card as the security boundary: even if the hardware access card is attacked and disabled, the internal data is at no risk of disclosure, which gives a very effective security guarantee.
Description
Technical field
The present invention relates to server and client data isolation technology, in particular to a server and client data shielding system and data transmission method based on a hardware access card, and belongs to the field of data communication technology.
Background technology
Accessing a server from a client over a network is a common application. Because the client sits in a complex Internet environment, it may well be attacked from outside, which can lead to intrusion into the server, data leakage and other serious consequences.
One way for a client to access a server over the network is a virtual desktop infrastructure (VDI) system, for example Microsoft's RDP protocol, Citrix's ICA protocol, VMware's PCoIP protocol or Red Hat's SPICE protocol. The method of Fig. 1 is based on VMware virtualization technology: firewalls, VPNs, behaviour-auditing devices and similar equipment are used to establish secure communication between the data center and a second data center at another site, protecting the security of critical enterprise data. A virtual desktop emulates hardware interfaces such as the keyboard, mouse, video card and USB in software, and the client communicates over Ethernet with the server that hosts the virtual desktop. In general, the CPU of the server runs the Ethernet protocol stack and the virtual machine management platform software. Because firewalls, VPNs and similar technologies are used on the network, security is still fairly high, but on the one hand the design and configuration of software such as applications, firewalls, VPNs and the Ethernet protocol stack may leave holes, and on the other hand the CPU itself may be vulnerable and may be infected by a virus or attacked directly, so there remains a risk that the server's internal data is leaked.
In view of the above problems, one solution is a KVM module with network capability. However, a KVM module connects directly to the server's keyboard, mouse, video card and other input/output ports, so it is suitable only for a single client controlling a physical server. When multiple users need to access the same server, for example multiple users logging into multiple accounts on the server at the same time, or multiple users connecting to multiple virtual machines running on the server, such a KVM module cannot be applied.
In conclusion due to existing client from the method presence server internal data of network access server reveal
Risk, then just needing to innovate a kind of the data isolation system and data transmission method of safety and reliability.
Invention content
The purpose of the present invention is to solve the problem of leakage of server internal data by providing a server and client data shielding system and data transmission method based on a hardware access card.
The purpose of the present invention is achieved by the following technical solution:
A server and client data shielding system comprising a client and a physical server, the physical server being fitted with a hardware access card as a peripheral; the hardware access card is connected to the physical server over an internal or external device bus; a virtual server may run on the physical server; the hardware access card presents user-interface devices to the physical server or the virtual server; the physical server or the virtual server installs and runs a driver to access the hardware access card; the client is connected to the network interface of the hardware access card, and the client and the hardware access card communicate over the network.
In the above server and client data shielding system, the hardware access card comprises a network protocol stack module, a client protocol stack module and a bus interface module. The network protocol stack module runs the network protocol stack on the hardware access card and is responsible for handling the network protocol; the client protocol stack module is responsible for handling the input/output device protocol agreed between the hardware access card and the client; the bus interface module is responsible for emulating standard input/output devices.
In the above server and client data shielding system, the hardware access card presents at least one group of physical devices or virtual devices; a physical device is a peripheral of the physical server, and a virtual device is a peripheral of the virtual server.
In the above server and client data shielding system, the physical devices or virtual devices are divided into front-end devices and back-end devices. The hardware access card is the set of front-end devices, which includes interactive devices such as the keyboard, mouse, sound card, video card and USB interface; among these, the keyboard and mouse are input devices, and the sound card and video card are output devices. The back-end devices include the hard disk, network card and accelerator card.
In the above server and client data shielding system, an access control switch for the USB interface is added on the hardware access card; the USB access control switch controls the output channel of the USB interface.
In the above server and client data shielding system, an access control switch for the USB interface is added on the hardware access card; the USB access control switch controls the use of the USB interface.
A server and client data transmission method, which runs in the above server and client data shielding system and operates according to the following steps:
A. Identity authentication is carried out before the client and the hardware access card communicate data;
B. After authentication succeeds, the hardware access card receives data messages and enters transmission operating mode;
C. The client and the hardware access card carry out the input transmission operation, comprising:
I. the client encapsulates a data message in the client protocol, encrypts it and sends it to the hardware access card;
II. the hardware access card decrypts and parses the received data message, converts it into the data format of an input device and submits it to the server;
III. the server processes the input device request;
D. The server carries out the output operation to the client, comprising:
I. the server sends data to the output device presented by the hardware access card;
II. the hardware access card packages the output data into a client-protocol data message, encrypts it and sends it to the client;
III. the client decrypts and parses the data message and outputs it to the user of the client.
The present invention provides a server and client data shielding system and data transmission method whose advantages are as follows:
The server and client data shielding system proposes using the hardware access card as the data isolation boundary. The server connects to the network through the hardware access card as a peripheral; one or more clients are interconnected with the network, and the client and the hardware access card communicate over the network. The hardware access card is physically a device: it converts the server's output into network packets the client can recognize, and at the same time translates packets received from the client into the behaviour of standard input devices. Its external interface is the network and its internal interface is the system bus. The hardware access card therefore makes the external network invisible to the server.
The starting point of this system is to hide the complex network card device behind standard input/output devices, so that the server can achieve stricter network isolation: even if the hardware access card is attacked and disabled, the internal data is at no risk of leaking, so security is effectively ensured. At the same time, with the hardware access card as the security boundary the interface is simple and clear, which makes security certification easy; installation is simple, and because the front-end device interface configuration is simple, misconfiguration will not cause data leakage.
In summary, the present invention solves the problem of leakage of server internal data and achieves the purpose of protecting important data.
Description of the drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a structural schematic diagram of the server and client data shielding system of the present invention;
Fig. 2 is a structural schematic diagram of the hardware access card of the present invention;
Fig. 3 is a work flow diagram of the server and client data transmission method of the present invention.
The reference numerals in the figures are: 1, client; 2, physical server; 3, hardware access card; 31, network interface; 32, keyboard; 33, mouse; 34, video card; 35, sound card; 36, USB interface; 36-1, USB access control switch; 301, network protocol stack module; 302, client protocol stack module; 303, bus interface module; 4, virtual server; 5, hard disk; 6, network card; 7, accelerator card.
Specific implementation mode
The invention is further described below with reference to the accompanying drawings and a specific embodiment.
Referring to Fig. 1 and Fig. 2, the present invention provides a server and client data shielding system that uses a hardware access card 3 as a peripheral of the physical server 2. The hardware access card 3 is connected to the physical server 2 over an internal or external device bus; a virtual server 4 may run on the physical server 2; the hardware access card 3 presents user-interface devices to the physical server 2 or the virtual server 4; the physical server 2 or the virtual server 4 installs and runs a driver to access the hardware access card 3; the client 1 is connected to the network interface 31 of the hardware access card 3, and the client 1 and the hardware access card 3 communicate over the network.
Referring to Fig. 2, in the server and client data shielding system of the present invention the hardware access card 3 comprises a network protocol stack module 301, a client protocol stack module 302 and a bus interface module 303. The network protocol stack module 301 runs the network protocol stack on the hardware access card 3 and is responsible for handling the network protocol; the client protocol stack module 302 is responsible for handling the input/output device protocol agreed between the hardware access card 3 and the client 1; the bus interface module 303 is responsible for emulating standard input/output devices. The hardware access card 3 presents user-interface devices to the server 2; the user-interface devices are physical devices or virtual devices and may be one group or several groups. A physical device is a peripheral of the physical server, and a virtual device is a peripheral of the virtual server. Physical or virtual devices are divided into front-end devices and back-end devices: the front-end devices include interactive devices such as the keyboard 32, mouse 33, sound card 35, video card 34 and USB interface 36; the back-end devices include the hard disk 5, network card 6 and so on. The hardware access card is only the set of front-end devices; it does not include back-end devices and in particular does not include network card functionality. The front-end devices of the hardware access card 3 are divided into input devices and output devices: the keyboard 32 and mouse 33 are input devices, and the sound card 35 and video card 34 are output devices. The back-end devices include the hard disk, network card and accelerator card.
Referring to Fig. 1, in the server and client data shielding system of the present invention a USB access control switch 36-1 for the USB interface 36 is added on the hardware access card 3. Because the USB interface 36 is in principle both an input device and an output device, the access control switch 36-1 for the USB interface 36 is added on the hardware access card 3 to control the output channel of USB; in applications with high security requirements the USB interface 36 may even be disabled outright.
Embodiment: Ethernet is the external network, and the client protocol stack 302 handles application-layer protocols above TCP/UDP. For input from the client 1, after the client-protocol data message encapsulated by the client 1 is sent to the hardware access card 3, the hardware access card 3 converts the received client-protocol data message into the data format of an input device and submits it to the virtual server 4. The virtual server 4 sends data to the hardware access card 3; after the hardware access card 3 converts the format according to the data type, it encapsulates the data as a client-protocol data message and sends it to the client 1; after the client 1 parses the data message, it outputs it to the user of the client 1. To further ensure the security of the transmitted data, the client 1 and the hardware access card 3 perform identity authentication before communicating data, and the data is encrypted and decrypted. Because the external network interface of the hardware access card 3, that is, its Ethernet interface, connects to the network while its internal interface is the system bus, the hardware access card 3 makes the external network invisible to the server. In other words, the complex network card device is hidden behind standard input/output devices, whose interfaces are simple and reliable. By comparison, a network card device is not only complex but is also deeply involved with applications and the operating system, so it is easily exploited to attack the server. The hardware access card 3 encapsulates only front-end devices and does not involve back-end devices; the network card 6 is classed as a back-end device, and the virtual server 4 may moreover use a separate network card 6 as its internal network interface, so the hardware access card 3 does not present a network card device interface.
The keyboard 32 and mouse 33 are input devices, and the sound card 35 and video card 34 are output devices. For input devices there is no data leakage problem; for output devices, the output of the sound card 35 and video card 34 is emitted as a lossy-compressed video stream, which also resolves the data leakage problem.
The network protocol stack 301 running on the hardware access card 3 accesses the network; the client protocol stack 302 running on it performs data translation between the client 1 and the virtual server 4; the user-interface devices emulated on the hardware access card 3 interact with the virtual server 4; the hardware access card 3 is connected to the physical server 2 over an internal or external device bus; the virtual server 4 running on the physical server 2 installs and runs a driver to access the hardware access card 3; the hardware access card 3 exposes an interface to the driver so that it presents user-interface devices to the virtual server 4, including but not limited to the keyboard 32, mouse 33, sound card 35 and video card 34, but not a network card device. Preferably, the hardware access card 3 presents a standard keyboard 32, mouse 33, sound card 35, video card 34 and other input and output devices, so that the application software running on the virtual device can use the hardware access card 3 without any change.
Preferably, taking PCIe bus devices as the preferred case, the keyboard 32, mouse 33, sound card 35 and video card 34 are each a PCIe device; each device has its own driver, and the interface these drivers present to upper-layer software is the same as the driver interface of a standard keyboard 32, mouse 33, sound card 35 or video card 34.
The hardware access card 3 presents one or more groups of physical devices or virtual devices 4. Since multiple clients 1 may connect to the same physical server 2 at the same time, the hardware access card 3 must present the above group of input/output devices to each client 1; this presentation may be at the hardware device level or at the driver level. Another preferred case is that, as the deployment of virtual devices on physical servers 2 becomes more and more widespread, each virtual device may correspond to one group of PCIe virtual input/output devices.
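The device-presentation rules in the passages above (the card presents only front-end devices, one group per client, never a network card, and the USB access control switch gates the USB output channel) can be stated as a small policy model. The following is an added example written for this page, not the patent's own code or firmware; the device names, the `DeviceGroup`/`HardwareAccessCard` classes and the `can_transfer` helper are this example's assumptions.

```python
from dataclasses import dataclass, field

# Device classes exactly as the description divides them: only front-end
# (interactive) devices may be presented to the server; back-end devices never are.
FRONT_END_INPUT = {"keyboard", "mouse"}
FRONT_END_OUTPUT = {"sound_card", "video_card"}
BACK_END = {"hard_disk", "network_card", "accelerator_card"}


class PolicyViolation(Exception):
    """Raised when a request would breach the card's isolation policy."""


@dataclass
class DeviceGroup:
    """One group of emulated devices presented to the server on behalf of one client."""
    client_id: str
    devices: dict = field(default_factory=dict)   # name -> {"input": bool, "output": bool}


@dataclass
class HardwareAccessCard:
    usb_output_enabled: bool = False   # USB access control switch (36-1): USB output channel
    usb_disabled: bool = False         # the "disable the USB interface outright" option
    groups: dict = field(default_factory=dict)   # client_id -> DeviceGroup

    def present_group(self, client_id, requested):
        """Present a device group for a client, refusing any back-end device.

        The whole request is rejected (nothing is presented) if any device in it
        is a back-end device, so a partial, policy-breaking group never appears."""
        if client_id in self.groups:
            raise PolicyViolation(f"client {client_id} already has a device group")
        group = DeviceGroup(client_id)
        for name in requested:
            if name in BACK_END:
                raise PolicyViolation(f"{name} is a back-end device; the card never presents it")
            if name in FRONT_END_INPUT:
                group.devices[name] = {"input": True, "output": False}
            elif name in FRONT_END_OUTPUT:
                group.devices[name] = {"input": False, "output": True}
            elif name == "usb":
                if self.usb_disabled:
                    continue                     # high-security deployments: no USB at all
                # USB is both input and output; the switch decides whether output is open.
                group.devices[name] = {"input": True, "output": self.usb_output_enabled}
            else:
                raise PolicyViolation(f"unknown device {name}")
        self.groups[client_id] = group
        return group

    def can_transfer(self, client_id, device, direction):
        """Whether data may flow in `direction` ("input" or "output") on this device."""
        group = self.groups.get(client_id)
        if group is None or device not in group.devices:
            return False
        return group.devices[device][direction]
```

With the switch left in its default (closed) position a client gets a USB device that accepts input but has no output channel, which is the configuration the description recommends for high-security use; a request that includes a network card is refused as a whole rather than trimmed.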
Referring to Fig. 3, based on the above server and client data shielding system, the data transmission method between the physical server 2 and the client 1 comprises the following steps:
A. Identity authentication is carried out before the client 1 and the hardware access card 3 communicate data;
B. After authentication succeeds, the hardware access card 3 receives data messages and enters transmission operating mode;
C. The client 1 and the hardware access card 3 carry out the input transmission operation, comprising:
I. the client 1 encapsulates a data message in the client protocol, encrypts it and sends it to the hardware access card 3;
II. the hardware access card 3 decrypts and parses the received data message, converts it into the data format of an input device and submits it to the server;
III. the server processes the input device request;
D. The server carries out the output operation to the client, comprising:
I. the server sends data to the output device presented by the hardware access card 3;
II. the hardware access card 3 packages the output data into a client-protocol data message, encrypts it and sends it to the client 1;
III. the client 1 decrypts and parses the data message and outputs it to the user of the client 1.
The above data transmission method between the server 2 and the client 1 is divided into three parts: the first part is the identity authentication carried out before the client and the hardware access card communicate data; the second part is the input operation from the client; and the third part is the output operation to the client. The second and third parts can be carried out at the same time, which is what makes it possible for multiple users to log into multiple accounts on the server simultaneously, or for multiple users to connect to multiple virtual servers 4 running on the server.
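The three parts of the method (authentication, the input path C and the output path D) can be simulated end to end with both endpoints in one process. The following is an added example for this page, not the patent's own code: the challenge-response handshake, the JSON client-protocol messages, the HMAC-based encrypt-then-MAC construction (a stand-in for a real AEAD cipher a product would use), the HID-style input reports and the use of zlib in place of the lossy video compression the description mentions are all this example's assumptions. The card refuses traffic until step A succeeds, and translates only into standard input device behaviour on the way in.

```python
import hashlib, hmac, json, os, struct, zlib

# USB HID keyboard usage IDs for the keys this example handles (real HID values).
HID_USAGE = {"a": 0x04, "b": 0x05, "enter": 0x28}

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(session_key, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD cipher: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(session_key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("message failed authentication; dropped")
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Server:
    """Stand-in for the virtual server: records the input reports it is handed (step C-III)."""
    def __init__(self):
        self.inputs = []
    def handle_input(self, device, report):
        self.inputs.append((device, report))
        return len(self.inputs)

class HardwareAccessCard:
    def __init__(self, shared_secret, server):
        self.secret, self.server = shared_secret, server
        self.session_key = None      # stays None until step B (transmission mode)
        self.challenge = None

    def start_auth(self):            # step A, card side: issue a fresh challenge
        self.challenge = os.urandom(16)
        return self.challenge

    def finish_auth(self, response): # step A -> B: verify, then derive the session key
        expect = hmac.new(self.secret, self.challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, response):
            return False
        self.session_key = hmac.new(self.secret, b"session" + self.challenge, hashlib.sha256).digest()
        return True

    def receive_from_client(self, blob):   # steps C-II / C-III
        if self.session_key is None:
            raise PermissionError("client not authenticated; card not in transmission mode")
        msg = json.loads(unseal(self.session_key, blob))
        if msg["dev"] == "keyboard":       # convert to a standard input device report
            report = struct.pack("BB", 1 if msg["action"] == "down" else 0, HID_USAGE[msg["key"]])
        elif msg["dev"] == "mouse":
            report = struct.pack(">Bhh", msg["buttons"], msg["dx"], msg["dy"])
        else:
            raise ValueError("only standard input devices are presented to the server")
        return self.server.handle_input(msg["dev"], report)

    def send_to_client(self, device, frame):  # steps D-I / D-II
        if self.session_key is None:
            raise PermissionError("client not authenticated")
        # zlib stands in for the lossy video compression applied to output in the description.
        payload = json.dumps({"dev": device, "data": zlib.compress(frame).hex()}).encode()
        return seal(self.session_key, payload)

class Client:
    def __init__(self, shared_secret):
        self.secret, self.session_key = shared_secret, None
    def answer(self, challenge):       # step A, client side
        self.session_key = hmac.new(self.secret, b"session" + challenge, hashlib.sha256).digest()
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()
    def send(self, msg):               # step C-I: encapsulate, encrypt, send
        return seal(self.session_key, json.dumps(msg).encode())
    def receive(self, blob):           # step D-III: decrypt, parse, hand to the user
        msg = json.loads(unseal(self.session_key, blob))
        return msg["dev"], zlib.decompress(bytes.fromhex(msg["data"]))

def run_session(secret=b"constructed-shared-secret"):
    """One full session: authenticate, two input events, one output frame."""
    server = Server()
    card, client = HardwareAccessCard(secret, server), Client(secret)
    if not card.finish_auth(client.answer(card.start_auth())):
        raise PermissionError("authentication failed")
    card.receive_from_client(client.send({"dev": "keyboard", "key": "a", "action": "down"}))
    card.receive_from_client(client.send({"dev": "mouse", "buttons": 1, "dx": 5, "dy": -3}))
    device, frame = client.receive(card.send_to_client("video_card", b"\x00" * 64))
    return server.inputs, device, frame
```

The point the simulation makes is structural: the server side never sees the network, the JSON or the cipher, only fixed-format input reports, and the output side never carries anything except what the emulated output device was given. Steps C and D share one session but are otherwise independent functions, matching the description's remark that the second and third parts can run concurrently.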
Claims (7)
1. A server and client data shielding system, characterized in that it comprises a client (1) and a physical server (2), the physical server (2) being fitted with a hardware access card (3) as a peripheral; the hardware access card (3) is connected to the physical server (2) over an internal or external device bus; a virtual server (4) runs on the physical server (2); the hardware access card (3) presents user-interface devices to the physical server (2) or the virtual server (4); the physical server (2) or the virtual server (4) installs and runs a driver to access the hardware access card (3); the client (1) is connected to the network interface (31) of the hardware access card (3), and the client (1) and the hardware access card (3) communicate over the network.
2. The server and client data shielding system according to claim 1, characterized in that the hardware access card (3) comprises a network protocol stack module (301), a client protocol stack module (302) and a bus interface module (303); the network protocol stack module (301) is responsible for handling the network protocol; the client protocol stack module (302) is responsible for handling the input/output device protocol agreed between the hardware access card (3) and the client (1); the bus interface module (303) is responsible for emulating standard input/output devices.
3. The server and client data shielding system according to claim 1 or 2, characterized in that the hardware access card (3) presents at least one group of physical devices or virtual devices, the physical device being a peripheral of the physical server (2) and the virtual device being a peripheral of the virtual server (4).
4. The server and client data shielding system according to claim 3, characterized in that the physical devices or virtual devices are divided into front-end devices and back-end devices; the hardware access card (3) is the set of front-end devices, including interactive devices such as the keyboard (32), mouse (33), sound card (35), video card (34) and USB interface (36), of which the keyboard (32) and mouse (33) are input devices and the sound card (35) and video card (34) are output devices; the back-end devices include the hard disk (5), network card (6) and accelerator card (7).
5. The server and client data shielding system according to claim 4, characterized in that a USB access control switch (36-1) is added on the hardware access card (3), and the USB access control switch (36-1) controls the output channel of the USB interface (36).
6. The server and client data shielding system according to claim 5, characterized in that the USB access control switch (36-1) of the USB interface controls the use of the USB interface (36).
7. A server and client data transmission method, which runs in the above server and client data shielding system, characterized in that it operates according to the following steps:
A. Identity authentication is carried out before the client (1) and the hardware access card (3) communicate data;
B. After authentication succeeds, the hardware access card (3) receives data messages and enters transmission operating mode;
C. The client (1) and the hardware access card (3) carry out the input transmission operation, comprising:
I. the client (1) encapsulates a data message in the client protocol, encrypts it and sends it to the hardware access card (3);
II. the hardware access card (3) decrypts and parses the received data message, converts it into the data format of an input device and submits it to the server;
III. the server processes the input device request;
D. The server carries out the output operation to the client (1), comprising:
I. the server sends data to the output device presented by the hardware access card (3);
II. the hardware access card (3) packages the output data into a client-protocol data message, encrypts it and sends it to the client (1);
III. the client (1) decrypts and parses the data message and outputs it to the user of the client (1).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810581556.2A CN108429770A (en) | 2018-06-07 | 2018-06-07 | A kind of server and client data shielding system and data transmission method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108429770A true CN108429770A (en) | 2018-08-21 |
Family
ID=63164704
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810581556.2A Pending CN108429770A (en) | 2018-06-07 | 2018-06-07 | A kind of server and client data shielding system and data transmission method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108429770A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110704877A (en) * | 2019-10-10 | 2020-01-17 | 袁德程 | System for separating display and server |
WO2020113817A1 (en) * | 2018-12-07 | 2020-06-11 | 网宿科技股份有限公司 | Network isolation method and apparatus based on user mode protocol stack |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050033976A1 (en) * | 2003-08-04 | 2005-02-10 | Sbc Knowledge Ventures, L.P. | Host intrusion detection and isolation |
CN102239674A (en) * | 2008-08-19 | 2011-11-09 | 高赛科实验室公司 | Isolated multi-network computer system and apparatus |
CN103019640A (en) * | 2012-12-12 | 2013-04-03 | 中国航天科工集团第二研究院七〇六所 | Network-based embedded KVM (Keyboard Video Mouse) remote management equipment |
CN203103998U (en) * | 2012-12-21 | 2013-07-31 | 深圳市傲冠软件股份有限公司 | Remote management system and control device |
CN203133754U (en) * | 2013-03-26 | 2013-08-14 | 浪潮电子信息产业股份有限公司 | KVM board card based on server provided with CPCI framework |
CN203288077U (en) * | 2013-05-08 | 2013-11-13 | 山东电力集团公司青岛供电公司 | Remote maintenance system for intelligent transformer station |
US9749305B1 (en) * | 2014-08-28 | 2017-08-29 | Amazon Technologies, Inc. | Malicious client detection based on usage of negotiable protocols |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2943250C (en) | Method and system for ensuring an application conforms with security and regulatory controls prior to deployment | |
TWI526931B (en) | Inherited product activation for virtual machines | |
US8769127B2 (en) | Cross-domain solution (CDS) collaborate-access-browse (CAB) and assured file transfer (AFT) | |
CN104221325B (en) | For the system and method for the security configuration that mirror image is virtualized in network environment | |
CN105184154B (en) | A kind of system and method that crypto-operation service is provided in virtualized environment | |
US8849941B2 (en) | Virtual desktop configuration and operation techniques | |
US8505083B2 (en) | Remote resources single sign on | |
US9948616B2 (en) | Apparatus and method for providing security service based on virtualization | |
DE112015004555T5 (en) | Processing a guest event in a system controlled by a hypervisor | |
CN108809975B (en) | Internal and external network isolation system and method for realizing internal and external network isolation | |
CN102033781B (en) | Desktop system switching method for virtual machine | |
US20140201734A1 (en) | Compartmentalization of the user network interface to a device | |
CN104951712A (en) | Data safety protection method in Xen virtualization environment | |
CN104767741A (en) | Calculation service separating and safety protecting system based on light virtual machine | |
CN106576051A (en) | Zero day threat detection using host application/program to user agent mapping | |
US20150326611A1 (en) | Security control apparatus and method for cloud-based virtual desktop | |
CN108429770A (en) | A kind of server and client data shielding system and data transmission method | |
DE102023202297A1 (en) | MAINTAINING THE CONFIDENTIALITY OF CLIENTS IN A CLOUD ENVIRONMENT WHEN USING SECURITY SERVICES | |
CN116418522A (en) | Cloud server crypto-engine system based on virtualization technology | |
EP2985696A1 (en) | Method for implementing virtual secure element (vse) | |
CN105245430A (en) | Virtual machine communication data encryption method and system | |
CN102665055A (en) | Equipment and method for IO remote mapping | |
Dhar et al. | Empowering Data Centers for Next Generation Trusted Computing | |
EP3550781B1 (en) | Private information distribution method and device | |
CN105701400A (en) | Virtual machine platform safety control method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180821 |