CN109245982A - Internal/external network real-time data exchange system based on stateless end-to-end connections over unidirectional optical splitting - Google Patents


Info

Publication number: CN109245982A (application CN201710558284.XA; granted as CN109245982B)
Authority: CN (China)
Prior art keywords: module, data, service, uplink, internet
Legal status: Granted
Application number: CN201710558284.XA
Other languages: Chinese (zh)
Other versions: CN109245982B (en)
Inventors: 程克非, 张睿, 刘晓侠
Current assignee: Chongqing Zhizai Technology Co ltd
Original assignee: Chongqing University of Post and Telecommunications
Events: application filed by Chongqing University of Post and Telecommunications; priority to CN201710558284.XA; publication of CN109245982A; application granted; publication of CN109245982B; current legal status: active

Classifications

    • All under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0272 Virtual private networks (H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling (H04L12/46 Interconnection of networks; H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/46 Interconnection of networks)
    • H04L12/4683 Dynamic sharing of VLAN information amongst network nodes characterized by the protocol used (H04L12/4675 Dynamic sharing of VLAN information amongst network nodes)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/04)
    • H04L63/083 Authentication of entities using passwords (H04L63/08 Authentication of entities)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14 Detecting or protecting against malicious traffic)
    • H04L69/40 Network arrangements, protocols or services independent of the application payload, for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection (H04L69/00)

Abstract

An internal/external network real-time data exchange system based on unidirectional optical splitting and stateless end-to-end connections comprises a user request connection module, a client node module, a server-side node module, and a module through which the user accesses the target service system in the internal network. The client node module comprises an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical-splitting isolation module and an internet connection module. The server-side node likewise comprises an internet connection module, a unidirectional optical-splitting isolation module, an uplink/downlink data convergence and dispatch module and an encryption/decryption module. The module through which the user accesses the target service system in the internal network establishes the logical connection between the user's initial request and the target service system. The system uses trap devices to absorb all attacks from the internet, protecting the intranet and preventing ARP attacks, DNS spoofing and the like; in addition, unauthenticated internet connection transactions are isolated in a DMZ, which improves the security of real-time data exchange between the internal and external networks.

Description

Internal/external network real-time data exchange system based on stateless end-to-end connections over unidirectional optical splitting
Technical field
The present invention relates to the field of network communication technology, and more particularly to an internal/external network real-time data exchange system with stateless end-to-end connections and uplink/downlink separation based on unidirectional optical splitting technology.
Background art
With the rapid development of computer communication technology and the internet, more and more enterprises and government departments conduct their business over computer networks; large numbers of information systems have been built on institutional internal networks, producing massive volumes of data. With the growth of the mobile internet, and in pursuit of higher office efficiency, better management, better decision-making, lower cost and higher returns, internal-network office work has become an essential part of how an enterprise operates, and it is now a very common application in modern, efficiently managed enterprises. However, while this internal-network office mode brings a completely new experience, it also introduces new network security risks, so enterprises' security requirements for the internal network keep rising. Traditional real-time data exchange between internal and external networks relies mainly on VPN, that is, a dedicated network established over a public network with encrypted communication: a VPN is created to connect to the enterprise's VPN server, and internal enterprise resources are accessed through a single-line tunnel service. This single-line tunnel approach to accessing the intranet is highly susceptible to ARP attacks, DNS spoofing and the like, so its security and stability are greatly reduced.
To address the security and stability of VPN connections, in 2012 the Chinese patent document "Method and device for accessing intranet resources of a VPN service terminal" (CN103023898B) proposed a method of establishing virtual IP addresses, solving the problem that a subscriber host cannot normally access the intranet resources of a VPN service terminal because of address overlap; in 2012 the Chinese patent document "System and method for a user terminal to access an intranet through a VPN" (CN103840994A) mainly concerned the contact between the user terminal and the intranet VPN server, with the user terminal establishing a VPN tunnel and improving security by means of a system and method for intercepting data during program execution; in 2016 the Chinese patent document "Intelligent traffic-splitting gateway based on a lightweight secure virtual private network" (CN106330653A) solved enterprise mobile IP network-layer security problems through a virtual private network, improving the secure transmission performance of IP networks.
Summary of the invention
The present invention provides an internal/external network real-time data exchange system with stateless end-to-end connections and uplink/downlink separation based on unidirectional optical splitting technology. Unlike traditional internal/external access through a single service platform, this system separates the internet connection into uplink and downlink tunnel services, and the internal-network portion of the data transmission path is physically isolated from the internet by a unidirectional optical splitter, which prevents detection of the correlation between uplink and downlink data and analysis of the route. Internet connections use random ports, so a traditional transaction analysis based on the four-tuple (source address/destination address, source port/destination port) cannot track a transaction; this further prevents state tracking of the link and realises stateless connections.
The technical scheme of the invention is as follows:
The internal/external network real-time data exchange system based on stateless end-to-end connections over unidirectional optical splitting comprises:
1. A request connection module, through which a user terminal (any interconnected device that needs to access remote LAN services over the internet under the protection of this system; it is the user of this system and device) requests a logical connection to the target service; this system is transparent to the user terminal.
2. A client node module, comprising four submodules: an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical-splitting isolation module and an internet connection module.
The encryption/decryption module comprises a redirection service, an encryption/decryption service and a stateless tunnel service. The encryption/decryption module passes all of the user's transaction requests through the redirection service, which sends the request transaction content to the encryption/decryption service; this encrypts it (the encryption algorithm is optional) and then sends the encrypted data to the stateless tunnel service. The stateless tunnel service in the client node module's encryption/decryption module simultaneously initiates an uplink tunnel connection request and a downlink tunnel receive request, and maintains their state until data is received or a timeout occurs.
The uplink/downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service, and is provided with trap servers; it mainly transmits the encrypted user request and receives the response data from the server-side node module. Both the sending end and the receiving end of the uplink/downlink data separation module pass through the unidirectional optical splitter in the unidirectional optical-splitting isolation module. The unidirectional optical splitter duplicates the data originally destined for the trap server and performs the real data processing on the copy, thereby isolating the real data processing from the internet and guaranteeing the safety of the data handling process. The unidirectional optical splitter in the unidirectional optical-splitting isolation module acts respectively on the sending end and the receiving end of the uplink/downlink data separation module.
At the sending end, data is duplicated by the unidirectional optical splitter: the copy reaches the client node module's uplink trap server, and the uplink trap server sends the data through the WAN1 port to the uplink tunnel service of the server-side node module; the other copy reaches the redirection service and is then discarded, serving only to maintain the physical signal link.
At the receiving end, the optical splitter duplicates the data: one copy reaches the downlink trap server, which maintains the internet connection; the other reaches the stateless tunnel service and is handed to the encryption/decryption module for further processing.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet, and provides the client node module's internet communication.
3. A server-side node module, likewise comprising four submodules: an internet connection module, a unidirectional optical-splitting isolation module, an uplink/downlink data separation module and an encryption/decryption module.
The internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet, and provides the internet communication with the client node module.
The uplink/downlink data separation module is divided into an independent uplink tunnel service and downlink tunnel service. The uplink tunnel service and the downlink tunnel service each have an internal network interface and an external network interface, and the internal network interface passes through the unidirectional optical splitter of the unidirectional optical-splitting isolation module. At the receiving end, the uplink tunnel service duplicates the received data through the optical splitter: the original copy is sent to the receiving port of the uplink trap server in the server-side node module's uplink tunnel service, where the uplink trap server processes it, while the duplicated copy is sent to the encryption/decryption module for further processing. In the present invention the unidirectional optical splitter diverts the encrypted data, so the actual processing of the data is isolated behind the unidirectional optical splitter, and the uplink and downlink data of the network transmission are completely separated. The trap server placed here (the uplink trap server, which has an address, in the uplink tunnel service that processes the data) is provided with a static internet address and is dedicated to fending off unidentified traffic. Unidentified traffic is diverted here by the tunnel service, while the tunnel's own information is sent to the encryption/decryption module and then on to the intranet target service system. To protect the intranet from attack, unidentified internet connection transactions are isolated in a DMZ, which can directly interconnect the two internet routers. The tunnel transmission is encrypted with a key negotiated when the transaction starts, and the key used by each transaction is different.
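The splitter-and-trap arrangement described for the client node (sending and receiving ends above) and for the server-side node (this paragraph) can be modelled as a small simulation. The Python below is an added model, not code from the patent or its assignee: the `TUN:` marker that the tunnel service uses to recognise its own datagrams, the keepalive frame, and the sample traffic are all constructed assumptions. What it shows is the defensive property the text claims: the processing side only ever reads from a queue and holds no reference to the WAN side, so nothing behind the splitter can transmit on the internet path, while every unidentified frame terminates at the trap server.

```python
"""Added model, not code from the patent: a unidirectional optical splitter at the
receiving and sending ends of a node, the trap server that terminates the internet
side, and the processing side isolated behind the splitter. The tunnel marker, the
keepalive frame and the sample frames are constructed assumptions."""
from collections import deque

TUNNEL_MARK = b"TUN:"        # hypothetical marker for the tunnel's own datagrams
KEEPALIVE = b"KEEPALIVE"     # hypothetical link-maintenance frame


class TrapServer:
    """Internet-facing endpoint with a fixed address. It keeps the link alive and
    swallows every frame that is not tunnel traffic; it is the only object in this
    model that can put bytes on the WAN port."""

    def __init__(self):
        self.seen = 0
        self.absorbed = []   # unidentified traffic, never forwarded inward
        self.wan_out = []    # everything that leaves towards the internet

    def receive(self, frame: bytes) -> None:
        self.seen += 1
        if frame == KEEPALIVE:
            self.wan_out.append(b"KEEPALIVE-ACK")   # link maintenance only
        elif not frame.startswith(TUNNEL_MARK):
            self.absorbed.append(frame)

    def forward(self, frame: bytes) -> None:
        """Sending end: the trap server relays the splitter's copy out of the WAN port."""
        self.wan_out.append(frame)


class ProcessingSide:
    """Stateless tunnel service / encryption-decryption side behind the splitter.
    It only consumes a queue and holds no reference to the trap server or the
    WAN port, so it cannot emit anything onto the internet path it reads from."""

    def __init__(self):
        self.inbox = deque()
        self.processed = []

    def drain(self):
        while self.inbox:
            self.processed.append(self.inbox.popleft()[len(TUNNEL_MARK):])
        return list(self.processed)


class UnidirectionalSplitter:
    """One input, two outputs, no return path in either direction."""

    def __init__(self, trap: TrapServer, processing: ProcessingSide):
        self.trap = trap
        self.processing = processing
        self.discarded_at_redirect = 0

    def tap_receive(self, frame: bytes) -> None:
        """Receiving end: the original goes to the trap server; the duplicate is
        queued for processing only when it is identified as tunnel traffic."""
        self.trap.receive(bytes(frame))
        if frame.startswith(TUNNEL_MARK):
            self.processing.inbox.append(bytes(frame))

    def tap_send(self, frame: bytes) -> None:
        """Sending end: one copy leaves through the trap server, the other copy
        terminates at the redirection service and is dropped."""
        self.trap.forward(bytes(frame))
        self.discarded_at_redirect += 1


def run(inbound, outbound):
    """Feed frames through one node and report where each copy ended up."""
    trap, proc = TrapServer(), ProcessingSide()
    splitter = UnidirectionalSplitter(trap, proc)
    for f in inbound:
        splitter.tap_receive(f)
    for f in outbound:
        splitter.tap_send(f)
    return {
        "trap_saw": trap.seen,
        "absorbed_by_trap": len(trap.absorbed),
        "processed_inward": proc.drain(),
        "left_via_trap_only": trap.wan_out,
        "copies_dropped_at_redirect": splitter.discarded_at_redirect,
    }


# Constructed sample traffic: two tunnel datagrams, a keepalive, a stray ARP-style
# frame and an unsolicited DNS-looking reply; one encrypted request to send out.
SAMPLE_INBOUND = [TUNNEL_MARK + b"ct-0001", KEEPALIVE, b"ARP who-has 10.0.0.1",
                  b"DNS reply intranet=203.0.113.9", TUNNEL_MARK + b"ct-0002"]
SAMPLE_OUTBOUND = [TUNNEL_MARK + b"ct-req-7"]

if __name__ == "__main__":
    print(run(SAMPLE_INBOUND, SAMPLE_OUTBOUND))
```

With the constructed frames, the trap server sees all five inbound frames and keeps the two that are not tunnel traffic, the processing side receives only the two tunnel datagrams, and the only bytes that ever reach the WAN port are the keepalive acknowledgement and the outbound copy relayed by the trap server.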
The encryption/decryption module, comprising a data processing board and a key authentication control board, performs encryption and decryption on the data so that the user ultimately accesses the target service system in the internal network. The working process of the data processing board and the key authentication control board is as follows:
The uplink tunnel service uses the optical splitter to send the encrypted user service request data stream to the data processing board, which then sends it to the key authentication control board for encryption/decryption; the data processing board is directly connected to the telecommunications outlet and communication outlet adapter of the intranet cabling system. The data returned to the data processing board is sent to the key authentication control board; via the uplink/downlink data separation module, one copy of the traffic is then duplicated by the optical splitter and finally sent to the client node module, while the key authentication control board discards its copy. The encryption/decryption path and the optical-splitter diversion path are unrelated to each other.
4. A module through which the user accesses the target service system in the internal network, used to establish the logical connection between the user's initial request and the target service system.
The encryption/decryption module in the client node module further sends the encrypted data to the stateless tunnel service, which initiates an uplink tunnel connection request and a downlink tunnel receive request respectively and maintains state until data is received or a timeout occurs. The IP address used by the client node module may be a dynamic IP address, a static address or any other internet access method, and the module is provided with a trap server to fend off malicious attacks. None of the internet nodes of the server-side node module has any port configuration: the service node devices expose no ports externally, all transport-layer protocols are converted to UDP transmission, and the port numbers of the converted UDP transmission are used only to pass through gateways and firewalls, not as the basis for judging a transaction connection; each transaction is connected with a non-deterministic port and is maintained statelessly.
The modules in this system work independently and are not coupled to each other.
From the above summary it can be seen that, compared with the prior art, the present invention has the following advantages:
The invention proposes an internal/external network real-time data exchange system and device with stateless end-to-end connections and uplink/downlink separation based on unidirectional optical splitting. By separating the uplink and downlink tunnel services, configuring all internet nodes without any fixed port, and using an optical splitter to divert the data traffic before the actual processing of the data takes place, trap devices absorb all attacks from the internet and protect the intranet against ARP attacks, DNS spoofing and the like; in addition, unauthenticated internet connection transactions are isolated in a DMZ (used for the routers directly connected to the internet), which solves many of the security problems of VPN intranet access and improves the security of real-time data exchange between the internal and external networks.
Brief description of the drawings
Fig. 1 is a flow diagram of the operation of the system of the invention;
Fig. 2 is the internal structure diagram of the client node module;
Fig. 3 is the working-process timing diagram of the encryption/decryption module;
Fig. 4 is the process module in which the client node module's uplink tunnel service processes and transmits the encrypted user request;
Fig. 5 is the process module in which the client node module's downlink tunnel service receives data from the server-side node module;
Fig. 6 is the internal structure diagram of the server-side node module;
Fig. 7 is the working process of the data processing board and key authentication control board of the encryption/decryption module in the server-side node module.
Specific embodiment
The technical content of the invention is further explained below with reference to the accompanying drawings:
As shown in Fig. 1, the main flow of operation of the system and device of the invention comprises the following steps:
Step 11: user request connection module; the user submits a connection request to the target service system.
The target service system is the computer system containing the service the user requests to access, and it is located on an internal network that cannot be accessed directly from the internet. The user request is an access request sent by the user to the target service system, whose purpose is to access specific resources in the target service system; the request content includes predetermined signalling such as the network address and port of the target service system and specific instructions.
Step 12: client node module, whose internal structure is shown in Fig. 2; the client node module comprises four submodules: an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical-splitting isolation module and an internet connection module.
Step 12-1: encryption/decryption module. The encryption/decryption module comprises a redirection service 31, an encryption/decryption service 32 and a stateless tunnel service 33; its working-process timing diagram is shown in Fig. 3. The redirection service 31 receives the user's request to access the target service system, and the encryption/decryption service 32 encrypts it (the encryption algorithm is optional); the encrypted data is then sent to the stateless tunnel service 33, which sends it to the uplink tunnel service of the client node device. When receiving data, the stateless tunnel service 33 receives the data from the downlink tunnel service in the uplink/downlink data separation module, sends it to the encryption/decryption service 32 for decryption, and then feeds it back to the user through the redirection service 31.
The redirection service 31 is a service built into the encryption/decryption module; its function is to receive data and forward it to a specific entity, thereby achieving data exchange.
The encryption/decryption service 32 is the data encryption/decryption function provided by the encryption/decryption module; the key it uses is transmitted by protocol negotiation when a transaction starts, and the key differs from transaction to transaction.
The stateless tunnel service 33 is the communication service used by the encryption/decryption module. It encapsulates the data coming from the encryption/decryption service 32 via the redirection service 31 in the UDP protocol at the transport layer, addressed to the internet address of the service node module's upstream router, initiates a receive-connection tunnel request, sends it to the uplink tunnel service of the uplink/downlink data separation module, maintains it until data is received or a timeout occurs, and receives the UDP datagram data from the downlink tunnel service of the uplink/downlink data separation module.
The UDP datagram is the converted transport-layer protocol packet, used to remain compatible with current internet protocols and to pass through gateways and firewalls; the port numbers it carries are not used to judge the original user transaction connection, and for each new user request transaction connection the port numbers may, as required, be different or the same.
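The stateless UDP tunnel described in the summary and in this step (ports chosen per transaction and not used to identify the transaction, a key negotiated when the transaction starts, and unidentified datagrams handed to the trap server) can be worked through in a few dozen lines. The Python below is an added illustration, not code from the patent or its assignee; the addresses, the `STL1` marker, the payload layout, the HMAC-based toy cipher standing in for the patent's unspecified encryption algorithm, and the `four_tuple_tracker` middlebox are all assumptions made for the example.

```python
"""Added illustration, not code from the patent: UDP encapsulation of an encrypted
transaction with non-deterministic ports, a per-transaction key fixed when the
transaction starts, and a conventional four-tuple flow tracker placed beside the
tunnel receiver. Addresses, the marker bytes and the toy cipher are assumptions."""
import hashlib
import hmac
import os
import secrets
import struct
from collections import defaultdict

CLIENT_IP = "198.51.100.10"   # constructed: client node WAN side
ROUTER_IP = "203.0.113.1"     # constructed: service node module's upstream router
MAGIC = b"STL1"               # hypothetical tunnel marker, not from the patent
TID_LEN, NONCE_LEN, TAG_LEN = 8, 12, 16


def negotiate_transaction_key() -> bytes:
    """Stand-in for the patent's key negotiation at transaction start:
    a fresh random key per transaction, never reused (assumption)."""
    return os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream so the example stays stdlib-only;
    it fills in for the patent's 'optional' encryption algorithm."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, tid: bytes, plaintext: bytes) -> bytes:
    """Payload layout: MAGIC | tid | nonce | ciphertext | tag (tag covers everything)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    body = MAGIC + tid + nonce + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def unseal(key: bytes, payload: bytes):
    """Return the plaintext, or None if this is not a valid datagram for the key."""
    head = len(MAGIC) + TID_LEN + NONCE_LEN
    if len(payload) < head + TAG_LEN or payload[:len(MAGIC)] != MAGIC:
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    nonce, ct = body[len(MAGIC) + TID_LEN:head], body[head:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def random_port() -> int:
    """Port chosen per transaction; it only has to get through NAT and firewalls."""
    return 1024 + secrets.randbelow(65536 - 1024)


def send_transaction(tid: bytes, key: bytes, chunks):
    """Client side: every datagram of one transaction rides on ports picked at
    transaction start. Returns (src_ip, src_port, dst_ip, dst_port, payload) tuples."""
    sp, dp = random_port(), random_port()
    return [(CLIENT_IP, sp, ROUTER_IP, dp, seal(key, tid, c)) for c in chunks]


def four_tuple_tracker(datagrams):
    """A conventional stateful middlebox: flows keyed on the four-tuple only."""
    table = defaultdict(int)
    for src, sp, dst, dp, _ in datagrams:
        table[(src, sp, dst, dp)] += 1
    return dict(table)


def tunnel_receiver(datagrams, keys_by_tid):
    """Server-side tunnel service: regroups datagrams by the inner transaction id
    and key, ignoring the four-tuple; whatever fails the check is unidentified
    traffic and is counted for the trap server instead of being processed."""
    accepted = defaultdict(list)
    unidentified = 0
    for _, _, _, _, payload in datagrams:
        tid = payload[len(MAGIC):len(MAGIC) + TID_LEN]
        key = keys_by_tid.get(tid)
        pt = unseal(key, payload) if key else None
        if pt is None:
            unidentified += 1
        else:
            accepted[tid].append(pt)
    return dict(accepted), unidentified


def demo():
    """Three transactions from one user, followed by a junk datagram that reuses
    the first transaction's four-tuple and id but carries no valid tag (constructed)."""
    keys = {os.urandom(TID_LEN): negotiate_transaction_key() for _ in range(3)}
    wire = []
    for tid, key in keys.items():
        wire += send_transaction(tid, key, [b"GET /intranet/report", b"END"])
    wire.append(wire[0][:4] + (MAGIC + wire[0][4][len(MAGIC):len(MAGIC) + TID_LEN] + os.urandom(40),))
    flows = four_tuple_tracker(wire)
    accepted, unidentified = tunnel_receiver(wire, keys)
    return {"flows_seen": len(flows), "transactions_reassembled": len(accepted),
            "unidentified": unidentified,
            "all_payloads_recovered": all(v == [b"GET /intranet/report", b"END"]
                                          for v in accepted.values())}

if __name__ == "__main__":
    print(demo())
```

`demo()` shows the four-tuple tracker recording one flow per transaction with nothing that links them to one user, while the receiver reassembles each transaction from the inner id and rejects the datagram that reuses a known four-tuple but fails the tag check; that rejected datagram is exactly what the text diverts to the trap server rather than to the encryption/decryption module.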
Step 12-2: uplink/downlink data separation module. The uplink/downlink data separation module comprises an uplink tunnel service and a downlink tunnel service.
The process by which the uplink tunnel service handles and transmits the encrypted user request is shown in Fig. 4; at this point the client node module is in a local area network with any internet connection. The stateless tunnel service in the encryption/decryption module sends data to the redirection service; as the data passes through the optical fibre of the unidirectional optical-splitting isolation module it is duplicated by the splitter. The duplicated copy reaches the client node module's uplink trap server, which sends the data through the WAN1 port to the uplink tunnel service of the server-side node module; the other copy is discarded after reaching the redirection service.
The process by which the downlink tunnel service receives data from the server-side node module is shown in Fig. 5. The WAN2 port of the client node module's internet connection module receives data from the internet, including the data sent by the server-side node module; this data is sent to the client node module's downlink trap server, and at that point the unidirectional optical-splitting isolation module duplicates it: the original copy reaches the downlink trap server, which handles the internet data, while the duplicated copy reaches the stateless tunnel service and is handed to the encryption/decryption module for further processing.
Step 12-3: unidirectional optical-splitting isolation module. The unidirectional optical-splitting isolation module comprises a unidirectional optical splitter, which either duplicates the data originally destined for the downlink trap server at the WAN1 port and sends the copy through the uplink/downlink data separation module to the encryption/decryption module for real data processing, or duplicates the data that the encryption/decryption module's stateless tunnel service originally sends to the encryption/decryption module's redirection service and, without establishing a link connection, sends the copy to the uplink tunnel service of the uplink/downlink data separation module, ultimately bound for the server-side node module. This module isolates the actual data handling process from the internet, thereby guaranteeing the safety of data handling.
Step 12-4: internet connection module. The internet connection module comprises one WAN1 port and one WAN2 port; the WAN1 port, with a dynamic internet address or an internal LAN address, is used to receive data from the server-side node module; the WAN2 port, with a dynamic internet address or an internal LAN address, is used to send data to the server-side node module.
Step 13: server-side node module, whose internal structure is shown in Fig. 6; the server-side node module comprises four submodules: an internet connection module, a unidirectional optical-splitting isolation module, an uplink/downlink data separation module and an encryption/decryption module.
Step 13-1: internet connection module. The internet connection module comprises one WAN1 port and one WAN2 port; the WAN1 port has a static internet address and is used to receive data from the server-side node module; the WAN2 port has a static internet address and is used to send data to the server-side node module.
Step 13-2: unidirectional optical-splitting isolation module. The unidirectional optical-splitting isolation module comprises a unidirectional optical splitter, which either duplicates the data originally destined for the uplink trap server at the WAN1 port and sends the copy through the uplink/downlink data separation module to the encryption/decryption module for real data processing, or duplicates the data that the encryption/decryption module's data processing board originally sends to the encryption/decryption module's key authentication control board and, without establishing a logical link, sends the copy to the downlink tunnel service of the uplink/downlink data separation module, ultimately bound for the client node module. This module isolates the actual data handling process from the internet, thereby guaranteeing the safety of data handling.
Step 13-3: uplink/downlink data separation module. The uplink/downlink data separation module comprises an uplink tunnel service and a downlink tunnel service.
The process by which the uplink tunnel service and downlink tunnel service handle and transmit data is essentially the same as in the client node module's uplink/downlink data separation module.
Step 13-4: encryption/decryption module. The encryption/decryption module comprises a data processing board and a key authentication control board; it performs encryption and decryption on the data so that the user ultimately accesses the target service system in the internal network.
The working process of the data processing board and key authentication control board is shown in Fig. 7. The server-side node module's uplink tunnel service uses the optical splitter to send the encrypted user service request data stream to the data processing board, which then sends it to the key authentication control board for encryption/decryption; the data processing board is directly connected to the telecommunications outlet and communication outlet connector of the intranet cabling system; the data returned to the data processing board is sent to the key authentication control board; via the uplink/downlink data separation module, one copy of the traffic is then duplicated by the optical splitter and finally sent to the client node module, while the key authentication control board discards its copy; the encryption/decryption path and the optical-splitter diversion path are unrelated to each other.
Step 14: accessing the target service system in the internal network. Data processed by the server-side node module reaches the target service system over the intranet, and data processed by the target service system is likewise sent back to the server-side node module over the intranet.
From the above embodiment it can be seen that the internal/external network real-time data exchange system and device with stateless end-to-end connections and uplink/downlink separation based on unidirectional optical splitting provided by the invention can hide the internal network by means of the unidirectional splitting characteristic of the optical splitter and the trap servers, and defends against attacks by isolating unauthenticated data in the trap servers, so that data between the user and the target service system is exchanged securely; the uplink and downlink data paths are separated during the exchange, which further improves data security and better guards against hijacking such as man-in-the-middle attacks and other intrusion techniques. While guaranteeing secure access, the device also provides real-time service capability for all TCP/UDP services.

Claims (10)

1. An internal/external network real-time data exchange system based on stateless end-to-end connections over unidirectional optical splitting, characterised in that it comprises:
a request connection module, through which a user terminal requests a logical connection to a target service, the user terminal being any interconnected device that needs to access remote LAN services over the internet under the protection of this system, i.e. the user of this system, the system being transparent to the user terminal;
a client node module, comprising an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical-splitting isolation module and an internet connection module; the encryption/decryption module redirects all of the user's transaction requests to an encryption/decryption service and sends them to the server-side node module through a stateless tunnel service; the uplink/downlink data separation module divides the network connection on the internet into an independent uplink tunnel service connection and downlink tunnel service connection, transmits the encrypted user request and receives the response data from the server-side node module; the unidirectional optical-splitting isolation module comprises a unidirectional optical splitter that acts respectively on the sending end and the receiving end of the uplink/downlink data separation module; the internet connection module provides the client node module's internet communication;
a server-side node module, comprising an internet connection module and, identical to those of the client, an encryption/decryption module, an uplink/downlink data separation module and a unidirectional optical-splitting isolation module; the internet connection module is divided into an independent uplink tunnel service connection and downlink tunnel service connection on the internet, providing the internet communication with the client node module;
a module through which the user accesses the target service system in the internal network, used to establish the logical connection between the user's initial request and the target service system; the target service system is the computer system containing the service the user requests to access, and it is located on an internal network that cannot be accessed directly from the internet.
2. The system according to claim 1, characterized in that the modules of the system operate independently and are not coupled to one another.
3. The system according to claim 1, characterized in that the encryption/decryption module of the client comprises a redirection service, an encryption/decryption service and a stateless tunnel service; the encryption/decryption module sends, via the redirection service, the content of every user transaction request to the encryption/decryption service, which encrypts it and then passes the encrypted data to the stateless tunnel service; the stateless tunnel service simultaneously initiates an uplink tunnel connection request and a downlink tunnel receive request, and maintains state only until data is received or a timeout occurs.
4. The system according to claim 3, characterized in that the stateless tunnel service encapsulates, at the transport layer using the UDP protocol, the data arriving from the encryption/decryption service via the redirection service according to the internet address of the router upstream of the service node module, initiates a receive-connection tunnel request, sends it to the uplink tunnel service of the client node module, maintains it until data is received or a timeout occurs, and receives UDP data packets from the downlink tunnel service of the client node module; the UDP data packet is a converted transport-layer protocol packet used to remain compatible with current internet protocols and to pass through gateways and firewalls; the port number it carries is not used to judge the original user transaction connection, and the port number of each new user transaction request connection may, as required, differ from or be the same as earlier ones.
5. The system according to claim 1, characterized in that the unidirectional optical-splitting isolation module comprises a unidirectional optical splitter; the unidirectional optical splitter duplicates the data originally destined for the trap server and performs the real data processing on the copy, isolating the real data processing from the internet so as to guarantee the safety of the data handling process; in the unidirectional optical-splitting isolation module of the client node module, at the transmitting end the data is duplicated by the unidirectional optical splitter: the duplicated copy reaches the uplink trap server of the client node module, which, without establishing a link connection, sends the data through the WAN1 port to the uplink tunnel service of the server-side node module, while the other copy is discarded after reaching the redirection service and serves to maintain the physical signal link; at the receiving end, the unidirectional optical splitter duplicates the data: one copy reaches the downlink trap server and maintains the internet connection, the other reaches the stateless tunnel service and is handed to the encryption/decryption module for further processing; in the unidirectional optical-splitting isolation module of the server-side node module, at the receiving end the data received by the uplink tunnel service is duplicated by the optical splitter: the original copy is sent to the receiving port of the uplink trap server within the uplink tunnel service of the server-side node module, where the uplink trap server processes it, while the duplicated copy is sent to the encryption/decryption module for further processing; at the transmitting end, the downlink trap server receives either return data that the encryption/decryption module has finished processing or internet data; if it is return data, the downlink trap server sends it directly to the client node module; if it is internet data, the downlink trap server processes it and sends it back to the internet along the source path;
the IP address used by the client node module may be a dynamic IP address, a static address or any other internet access method; the server-side node module has a static internet address; on the premise of guaranteed secure access, the system simultaneously provides real-time service capability for all TCP/UDP services.
6. The system according to claim 5, characterized in that the real data processing, i.e. the actual data handling process, is isolated behind the unidirectional optical splitter, and the uplink and downlink data transmitted over the network are completely separated, preventing correlation detection and analysis of uplink and downlink data on the line.
7. The system according to claim 1, characterized in that the uplink/downlink data separation module comprises an uplink tunnel service and a downlink tunnel service; the uplink tunnel service contains an uplink trap server and the downlink tunnel service contains a downlink trap server, each having an inner network interface and an outer network interface; the tunnel transmission is encrypted with a key negotiated and transmitted when the transaction starts, and the key used by each transaction is different; the uplink tunnel service is provided with a unidirectional optical splitter, which completes the splitting process performed by the uplink tunnel service; all internet nodes of the service node module are configured without any port, and all external connections of the service node device are portless; all transport-layer protocols are converted to UDP transport, and the port numbers of the converted UDP transport are used only to traverse gateways and firewalls, not to judge transaction connections; for each transaction connection the port is indeterminate and is maintained statelessly.
8. The system according to claim 5 or 7, characterized in that the uplink trap server of the server-side node module is provided with a static internet address and serves to block unidentified traffic; unidentified traffic is directed here by the tunnel service, while the tunnel's own information is sent to the server-side encryption/decryption module and then on to the purpose service system in the intranet; to protect the intranet from attack, unidentified internet connection transactions are isolated in the DMZ, which may directly interconnect the two network routers.
9. The system according to claim 1, characterized in that the encryption/decryption module comprises a data processing board and a key authentication control board, which perform encryption/decryption on the data so that the user ultimately accesses the purpose service system in the internal network; the working process of the data processing board and the key authentication control board comprises: the uplink tunnel service sends the encrypted user service request data stream to the data processing board by means of the unidirectional optical splitter, which then passes it to the key authentication control board for encryption/decryption; the data processing board is directly connected to the telecommunications outlet and the communication extraction terminal adapter of the intranet cabling system; the data processing board sends the returned data to the key authentication control board, which passes it through the uplink/downlink data separation module, where the unidirectional optical splitter duplicates one flow that is finally sent to the client node module while the key authentication control board discards the flow; the encryption/decryption line and the splitter's branching line are independent of each other.
10. The system according to claim 1, characterized in that random ports are used, so that the traditional transaction analysis based on the four-tuple (source address/destination address, source port/destination port) used in internet connections cannot track the transactions; state tracking of the link is prevented and a stateless connection is realized.
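The properties claimed in claims 3 to 5, 7 and 10 can be modelled in a few dozen lines. The following Python is an added illustration, not the patent's own code or anything from the applicant: it carries each transaction as UDP datagrams under a fresh random port and a fresh per-transaction key, keeps uplink and downlink on independent paths, hands the unidirectional splitter's second copy of every uplink datagram to a trap server that keeps no state and never answers, silently discards unidentified datagrams, and then shows what an observer that keys flows on the classic 4-tuple can and cannot link. The header layout, the toy HMAC-based stream cipher (the patent does not specify a cipher), the RFC 5737 documentation addresses and the port numbers are all assumptions made for this example; the key negotiation of claim 7 is replaced by a pre-shared dictionary.

```python
# Added illustration of the stateless, uplink/downlink-separated UDP tunnel of
# claims 3-5, 7 and 10. Constructed example; header format, cipher, addresses
# and ports are assumptions, not values from the patent.
import hashlib
import hmac
import os
import random
import struct
from collections import defaultdict
from dataclasses import dataclass

HDR = struct.Struct("!16sIH")          # txn id, sequence number, ciphertext length (assumed layout)
TAG_LEN = 32                           # HMAC-SHA256 tag appended to each datagram
EPHEMERAL = range(49152, 65536)        # dynamic port range (RFC 6335)
SERVER_IP, UPLINK_PORT = "203.0.113.10", 4500     # RFC 5737 documentation address; port assumed
CLIENT_IP, DOWNLINK_PORT = "198.51.100.7", 4501   # constructed client endpoint


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram as a 4-tuple-keyed middlebox would see it."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for the
    negotiated per-transaction cipher, which the patent does not specify."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, txn_id: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one transaction message into a tunnel payload."""
    ks = _keystream(key, txn_id + seq.to_bytes(4, "big"), len(plaintext))
    body = HDR.pack(txn_id, seq, len(plaintext)) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(keys: dict, payload: bytes):
    """Return (txn_id, seq, plaintext), or None for an unidentified datagram
    (unknown transaction id or bad tag): it gets no reply and creates no state."""
    if len(payload) < HDR.size + TAG_LEN:
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    txn_id, seq, n = HDR.unpack_from(body)
    key = keys.get(txn_id)
    if key is None or not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    ct = body[HDR.size:HDR.size + n]
    return txn_id, seq, bytes(a ^ b for a, b in zip(ct, _keystream(key, txn_id + seq.to_bytes(4, "big"), n)))


class FourTupleTracker:
    """What an on-path observer keyed on (src, sport, dst, dport) can record,
    including the usual attempt to pair a reply with its request by reversing
    the 4-tuple; claim 10 says this pairing must fail."""
    def __init__(self):
        self.flows = defaultdict(int)

    def observe(self, dg: Datagram):
        self.flows[(dg.src, dg.sport, dg.dst, dg.dport)] += 1

    def linked_pairs(self) -> int:
        return sum(1 for (s, sp, d, dp) in self.flows if (d, dp, s, sp) in self.flows)


def run(requests):
    """Push each request through the modelled tunnel once and report what the
    endpoints decoded, what the trap server absorbed, and what a 4-tuple
    tracker could link."""
    keys, tracker, trap_copies, decoded, dropped = {}, FourTupleTracker(), 0, [], 0
    ports = random.SystemRandom().sample(EPHEMERAL, 2 * len(requests))   # distinct random ports
    for i, request in enumerate(requests):
        txn_id, key = os.urandom(16), os.urandom(32)
        keys[txn_id] = key            # stands in for the per-transaction key negotiation (claim 7)
        up = Datagram(CLIENT_IP, ports[2 * i], SERVER_IP, UPLINK_PORT, seal(key, txn_id, 0, request))
        tracker.observe(up)
        trap_copy, service_copy = up, up      # unidirectional splitter: same bytes, two consumers
        trap_copies += 1                      # trap server absorbs its copy; no state, no reply
        opened = unseal(keys, service_copy.payload)
        if opened is None:
            dropped += 1
            continue
        reply = b"ECHO:" + opened[2]          # stand-in for the internal purpose service
        down = Datagram(SERVER_IP, ports[2 * i + 1], CLIENT_IP, DOWNLINK_PORT, seal(key, txn_id, 1, reply))
        tracker.observe(down)                 # downlink path shares no 4-tuple with the uplink
        decoded.append(unseal(keys, down.payload)[2])
    # an unidentified datagram (constructed) carrying no known transaction id
    bogus = Datagram("192.0.2.1", 40000, SERVER_IP, UPLINK_PORT, os.urandom(64))
    tracker.observe(bogus)
    trap_copies += 1
    if unseal(keys, bogus.payload) is None:
        dropped += 1
    return {"decoded": decoded, "trap_copies": trap_copies, "dropped": dropped,
            "flows": len(tracker.flows), "linked_pairs": tracker.linked_pairs()}


if __name__ == "__main__":
    print(run([b"GET /status", b"GET /report"]))
```

Running `run` with two requests reports two decoded replies, three trap copies (two genuine uplink datagrams plus the unidentified one), one dropped datagram, five distinct flows and zero linked pairs: because every uplink and downlink datagram of a transaction sits on its own random port and the two directions never share a 4-tuple, an observer cannot reconstruct a request/response pair from addressing alone, which is the point claims 6 and 10 make about uplink/downlink correlation.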

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710558284.XA CN109245982B (en) 2017-07-10 2017-07-10 Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710558284.XA CN109245982B (en) 2017-07-10 2017-07-10 Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection

Publications (2)

Publication Number Publication Date
CN109245982A true CN109245982A (en) 2019-01-18
CN109245982B CN109245982B (en) 2020-11-24

Family

ID=65083097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710558284.XA Active CN109245982B (en) 2017-07-10 2017-07-10 Internal and external network data real-time exchange system based on one-way light splitting and stateless end-to-end connection

Country Status (1)

Country Link
CN (1) CN109245982B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005295464A (en) * 2004-04-05 2005-10-20 Nippon Telegr & Teleph Corp <Ntt> Light transmission system
CN102045201A (en) * 2010-12-27 2011-05-04 北京锐安科技有限公司 Automatic upgrading method and system of intranet server cluster
CN103714151A (en) * 2013-12-26 2014-04-09 北京锐安科技有限公司 One-way optical gate and method for carrying out data synchronizing between heterogeneous databases
CN104038494A (en) * 2014-06-11 2014-09-10 普联技术有限公司 Method for recording attack source and exchanger

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
万国根: "《面向内容的网络安全监控模型及其关键技术研究》", 《中国优秀博硕士学位论文全文数据库——信息科技辑》 *
任春梅: "《网络流量分析关键技术研究》", 《中国优秀硕士学位论文全文数据库——信息科技辑》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109698837A (en) * 2019-02-01 2019-04-30 重庆邮电大学 A kind of tertiary-structure network based on one-way transmission physical medium and DEU data exchange unit and method
CN109698837B (en) * 2019-02-01 2021-06-18 重庆邮电大学 Internal and external network isolation and data exchange device and method based on unidirectional transmission physical medium
CN113055350A (en) * 2019-12-27 2021-06-29 深圳云天励飞技术有限公司 Data transmission method, device, equipment and readable storage medium
CN113055350B (en) * 2019-12-27 2022-11-22 深圳云天励飞技术有限公司 Data transmission method, device, equipment and readable storage medium
CN111596633A (en) * 2020-06-15 2020-08-28 中国人民解放军63796部队 Industrial control system of high security
CN111596633B (en) * 2020-06-15 2021-07-09 中国人民解放军63796部队 Industrial control system
CN113872686A (en) * 2021-09-18 2021-12-31 中邮科通信技术股份有限公司 Customer self-service troubleshooting processing method based on optical broadband network service

Also Published As

Publication number Publication date
CN109245982B (en) 2020-11-24

Similar Documents

Publication Publication Date Title
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
US8327129B2 (en) Method, apparatus and system for internet key exchange negotiation
EP3096497B1 (en) Method, apparatus, and network system for terminal to traverse private network to communicate with server in ims core network
CN109245982A (en) A kind of inside and outside network data real-time exchange system based on the stateless end to end connection being unidirectionally divided
CN101257431B (en) Converse exit passageway remote device management mode
WO2017181894A1 (en) Method and system for connecting virtual private network by terminal, and related device
CN107172020A (en) A kind of network data security exchange method and system
US20100031337A1 (en) Methods and systems for distributed security processing
CN101741547A (en) Inter-node secret communication method and system
CN108810023A (en) Safe encryption method, key sharing method and safety encryption isolation gateway
WO2008108821A2 (en) Virtual security interface
CN106209883A (en) Based on link selection and the multi-chain circuit transmission method and system of broken restructuring
CN112332901B (en) Heaven and earth integrated mobile access authentication method and device
CN109525514A (en) A kind of information transferring method and information carrying means
CN1984131A (en) Method for processing distributed IPSec
CN114143050B (en) Video data encryption system
CN111698245A (en) VxLAN security gateway and two-layer security network construction method based on state cryptographic algorithm
US20040029562A1 (en) System and method for securing communications over cellular networks
CN103023741A (en) Method for processing faults of virtual private network (VPN) device
CN102932359A (en) Method, device and system for streaming media service request
CN103167489A (en) Wireless public network communication method with security protection in power system
CN112636913B (en) Networking method for key sharing
CA2136150A1 (en) Apparatus and method for providing a secure gateway for communication and data exchanges between networks
CN115459913A (en) Quantum key cloud platform-based link transparent encryption method and system
CN105072010B (en) A kind of traffic flow information determines method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220909

Address after: No. 4-2, Unit 2, Building 1, No. 22, Chongwen Road, Huangjueya Town, Nan'an District, Chongqing 400065

Patentee after: Chongqing Lingdie Technology Co.,Ltd.

Address before: 400065 Chongqing Nan'an District huangjuezhen pass Chongwen Road No. 2

Patentee before: CHONGQING University OF POSTS AND TELECOMMUNICATIONS

TR01 Transfer of patent right

Effective date of registration: 20230613

Address after: No. B2-2-6, B2-2-7, No. 5, Middle Mount Huangshan Avenue, High tech Park, New North Zone, Yubei District, Chongqing 401121

Patentee after: Chongqing Zhizai Technology Co.,Ltd.

Address before: No. 4-2, Unit 2, Building 1, No. 22, Chongwen Road, Huangjueya Town, Nan'an District, Chongqing 400065

Patentee before: Chongqing Lingdie Technology Co.,Ltd.
