Intranet/extranet real-time data exchange system based on unidirectionally split stateless end-to-end connections
Technical field
The present invention relates to the field of network communication technology, and more particularly to an intranet/extranet real-time data exchange system based on stateless end-to-end connections whose uplink and downlink are separated by unidirectional optical splitting.
Background technique
With the rapid development of computer communication technology and the internet, more and more enterprises and government departments conduct their business over computer networks; a large number of information systems have been built on internal institutional networks, and these produce massive volumes of data. With the growth of the mobile internet, and in order to raise office efficiency, management standards and decision-making capability while reducing cost and increasing benefit, internal-network office work has become an important part of how an enterprise runs as a whole, and modern efficient enterprise management now applies it almost universally. However, while this internal-network office mode brings an entirely new experience to office work, it has also introduced new network insecurity, so enterprises' security requirements for their internal networks keep rising. Traditional real-time intranet/extranet data exchange mainly uses VPN, that is, a dedicated network established over a public network with encrypted communication. It mainly works by creating a VPN connection to an enterprise's VPN server and accessing the enterprise's internal network resources through a single-line tunnel service. This single-line tunnel method of accessing the intranet is highly susceptible to ARP attacks, DNS spoofing and the like, and its security and stability are greatly reduced.
To address the security and stability of VPN connections, in 2012 the Chinese patent document "Method and device for accessing the intranet resources of a VPN service terminal" (CN103023898B) proposed a method of establishing virtual IP addresses, solving the problem that a subscriber host could not normally access the VPN service terminal's intranet resources because of address overlap; in 2012 the Chinese patent document "System and method for a user terminal to access an intranet through a VPN" (CN103840994A) mainly concerned the contact between the user terminal and the intranet VPN server, with the user terminal establishing the VPN tunnel and improving security through a system and method of intercepting data during program execution; in 2016 the Chinese patent document "Intelligent shunt gateway based on a lightweight secure virtual private network" (CN106330653A) solved enterprise mobile IP network-layer security problems by means of a virtual private network and improved the secure transmission performance of the IP network.
Summary of the invention
The present invention provides an intranet/extranet real-time data exchange system based on stateless end-to-end connections whose uplink and downlink are separated by unidirectional optical splitting. Unlike the traditional single-service access platform for intranet/extranet access, this system separates the uplink and downlink tunnel services of the internet connection during data transmission, and the internal-network part reached by intranet/extranet access is physically isolated from the internet by a unidirectional optical splitter, which prevents correlation of uplink and downlink data and analysis on the route. Random ports are used when connecting to the internet, so traditional transaction analysis based on the four-tuple (source address/destination address, source port/destination port) cannot track transactions; this further prevents tracking of link state and realizes a stateless connection.
The technical scheme is as follows:
The intranet/extranet real-time data exchange system based on unidirectionally split stateless end-to-end connections includes:
1. A request connection module: the user terminal (any interconnected device that accesses over the internet the remote LAN service protected by this system, that is, the user of this system and device) makes a logical connection request to the destination service; this system is transparent to the user terminal.
2. A client node module, including four submodules: an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical splitting isolation module and an internet connection module.
The encryption/decryption module comprises a redirection service, an encryption/decryption service and a stateless tunnel service. The encryption/decryption module passes the content of every transaction request from the user through the redirection service to the encryption/decryption service, where it is encrypted (the encryption algorithm is optional), and then sends the encrypted data to the stateless tunnel service. The stateless tunnel service in the client node module's encryption/decryption module simultaneously initiates an uplink tunnel connection request and a downlink tunnel receive request, and maintains this state until data is received or a time-out occurs.
The uplink/downlink data separation module is divided into an independent uplink tunnel service and an independent downlink tunnel service and is provided with a trap server; it mainly transmits the encrypted user request and receives the response data from the server-side node module.
Both the transmitting end and the receiving end of the uplink/downlink data separation module pass through the unidirectional optical splitter of the unidirectional optical splitting isolation module. The unidirectional optical splitter duplicates the data originally destined for the trap server, and the copy undergoes the actual data processing; actual data processing is thereby isolated from the internet, guaranteeing the security of the data processing procedure. The unidirectional optical splitter of the unidirectional optical splitting isolation module acts on the transmitting end and the receiving end of the uplink/downlink data separation module respectively.
At the transmitting end, data is duplicated by the unidirectional optical splitter: the copy reaches the uplink trap server of the client node module, and the uplink trap server sends the data through the WAN1 port to the uplink tunnel service of the server-side node module; the other copy reaches the redirection service and is discarded, serving only to maintain the physical signal link.
At the receiving end, the optical splitter duplicates the data: one copy reaches the downlink trap server, which maintains the internet connection; the other copy reaches the stateless tunnel service and is handed to the encryption/decryption module for further processing.
The internet connection module is divided into an independent uplink tunnel service connection and an independent downlink tunnel service connection on the internet, providing the internet communication of the client node module.
3. A server-side node module, which likewise includes four submodules: an internet connection module, a unidirectional optical splitting isolation module, an uplink/downlink data separation module and an encryption/decryption module.
The internet connection module is divided into an independent uplink tunnel service connection and an independent downlink tunnel service connection on the internet, providing internet communication with the client node module.
The uplink/downlink data separation module is divided into an independent uplink tunnel service and an independent downlink tunnel service. Both the uplink tunnel service and the downlink tunnel service have an intranet interface and an extranet interface, and the intranet interface passes through the unidirectional optical splitter of the unidirectional optical splitting isolation module. At the receiving end, the uplink tunnel service passes the received data through the optical splitter for duplication: the original copy is sent to the receive port of the uplink trap server in the uplink tunnel service of the server-side node module, where the uplink trap server processes it, and the duplicated copy is sent to the encryption/decryption module for further processing. In the present invention the unidirectional optical splitter shunts the encrypted data, the actual processing of the data is isolated behind the unidirectional optical splitter, and the uplink and downlink data of the network transmission are completely separated. The trap server placed here (the uplink trap server, which has an address, in the uplink tunnel service that processes the data) is provided with a static internet address and is dedicated to blocking unidentified traffic. Unidentified traffic is led here by the tunnel service, while the information carried in the tunnel itself is sent to the encryption/decryption module and then on to the intranet destination service system. To protect the intranet from attack, unidentified internet connection transactions are isolated in the DMZ, which may be the two routers directly connected to the internet. Tunnel transmission is encrypted with a key negotiated and transmitted when the transaction starts, and the key used by each transaction is different.
The encryption/decryption module performs encryption and decryption of the data and includes a data processing board and a key authentication control board, so that the user finally accesses the destination service system on the internal network. The working process of the data processing board and key authentication control board is as follows:
The uplink tunnel service uses the optical splitter to send the encrypted user service request data stream to the data processing board, which then sends it to the key authentication control board for encryption/decryption; the data processing board is directly connected to the telecommunications outlet and the communication outlet adapter of the intranet cabling system; the data returned by the data processing board is sent to the key authentication control board, and through the uplink/downlink data separation module the optical splitter duplicates one copy of the traffic, which is finally sent to the client node module, while the key authentication control board discards the traffic; the encryption/decryption path and the optical splitter shunting path are mutually independent.
4. A module by which the user accesses the destination service system on the internal network, which establishes the logical connection between the user's initial request and the destination service system.
The encryption/decryption module in the client node module further sends the encrypted data to the stateless tunnel service, initiates an uplink tunnel connection request and a downlink tunnel receive request respectively, and maintains that state until data is received or a time-out occurs. The IP address used by the client node module may be a dynamic IP address, a static address or any other internet access method, and a trap server is provided to block malicious attacks. None of the internet nodes of the server-side node module has any port configuration, and no service node device has an externally facing port connection: every transport-layer protocol is converted into UDP transmission, and the port numbers of the converted UDP transmission are used only to pass through gateways and firewalls, not as a criterion for identifying transaction connections; for every transaction connection the port is indeterminate, and the connection is maintained statelessly.
The modules of this system work independently and are not coupled to one another.
From the above summary it can be seen that, compared with the prior art, the present invention has the following advantages:
The invention proposes an intranet/extranet real-time data exchange system and device based on stateless end-to-end connections with unidirectionally split uplink/downlink separation. By separating the uplink and downlink tunnel services, configuring all internet nodes without any fixed port, and carrying out the actual processing of the data only after the data traffic has been shunted by an optical splitter, all internet attacks are absorbed by the trap device and the intranet is protected against ARP attacks, DNS spoofing and the like; in addition, unauthenticated internet connection transactions are isolated in the DMZ (the routers directly connected to the internet), which solves many security problems of VPN access to intranets and improves the security protection of real-time intranet/extranet data exchange.
Detailed description of the drawings
Fig. 1 is a flow diagram of the operation of the system of the present invention;
Fig. 2 is the internal structure diagram of the client node module;
Fig. 3 is the working-process timing diagram of the encryption/decryption module;
Fig. 4 is the process diagram of the client node module's uplink tunnel service handling and transmitting the encrypted user request;
Fig. 5 is the process diagram of the client node module's downlink tunnel service receiving data from the server-side node module;
Fig. 6 is the internal structure diagram of the server-side node module;
Fig. 7 is the working process of the data processing board and key authentication control board of the encryption/decryption module in the server-side node module.
Specific embodiment
The technical content of the invention is further explained below with reference to the accompanying drawings:
As shown in Fig. 1, the main flow of operation of the system and device of the present invention specifically includes the following steps:
Step 11: user request connection module. The user makes a connection request to the destination service system.
The destination service system is the computer system containing the service the user requests; it is located on an internal network that cannot be accessed directly from the internet. The user request is an access request sent by the user to the destination service system with the purpose of accessing a specific resource in that system; the request content includes predetermined signaling such as the network address and port of the destination service system and specific instructions.
Step 12: client node module. Its internal structure is shown in Fig. 2: the client node module includes four submodules, namely an encryption/decryption module, an uplink/downlink data separation module, a unidirectional optical splitting isolation module and an internet connection module.
Step 12-1: encryption/decryption module. The encryption/decryption module includes a redirection service 31, an encryption/decryption service 32 and a stateless tunnel service 33; its working-process timing diagram is shown in Fig. 3. The redirection service 31 receives the user's request to access the destination service system, and the encryption/decryption service 32 encrypts it (the encryption algorithm is optional); the encrypted data is then sent to the stateless tunnel service 33, which sends it to the uplink tunnel service of the client node device. When receiving data, the stateless tunnel service 33 receives the data from the downlink tunnel service in the uplink/downlink data separation module, sends it to the encryption/decryption service 32 for decryption, and then feeds it back to the user through the redirection service 31.
The redirection service 31 is a service built into the encryption/decryption module whose function is to receive data and forward it to a specific entity, thereby realizing data exchange.
The encryption/decryption service 32 is the data encryption and decryption function provided by the encryption/decryption module; the key it uses is transmitted by protocol negotiation when the transaction starts, and the key differs for every transaction.
The stateless tunnel service 33 is the communication service used by the encryption/decryption module. It takes the data received from the encryption/decryption service 32 via the redirection service 31, encapsulates it at the transport layer in UDP according to the internet address of the server-side node module's upstream router, initiates a receive-connection tunnel request, sends the data to the uplink tunnel service of the uplink/downlink data separation module, maintains this until data is received or a time-out occurs, and receives the UDP datagram data from the downlink tunnel service of the uplink/downlink data separation module.
The UDP datagram is the converted transport-layer protocol packet, used for compatibility with current internet protocols and for passing through gateways and firewalls; the port number it carries is not used as a criterion for identifying the original user transaction connection, and for each new user request transaction connection the port number may, as required, be different or the same.
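The stateless tunnel described here and under item 4 of the summary (UDP port numbers used only to cross gateways and firewalls, never to identify a transaction; a distinct key per transaction; unidentified traffic kept away from the processing path) can be modelled in software. The following Python is an added example, not code from the patent or from any implementation of it: the datagram layout, the HMAC-SHA256 counter-mode stand-in cipher, the `derive_transaction_key` shortcut standing in for the negotiated per-transaction key, the IP addresses and the request text are all constructed for the demonstration.

```python
"""Stateless UDP tunnel model (added example; not code from the patent).
Transaction identity travels inside the encrypted payload; UDP ports serve only
to pass gateways and firewalls. Layout, the HMAC-based stand-in cipher and the
key derivation are assumptions for this demo; the patent leaves them open."""
import hashlib
import hmac
import os
import random
import struct
from collections import defaultdict

HEADER = struct.Struct("!16sI8s")  # transaction id, sequence number, nonce
TXN_ID_LEN, TAG_LEN = 16, 32       # tag is an HMAC-SHA256 over header + ciphertext

def derive_transaction_key(shared_secret: bytes, txn_id: bytes) -> bytes:
    """Stand-in for the per-transaction key negotiation: each transaction id yields a distinct key."""
    return hmac.new(shared_secret, b"txn-key" + txn_id, hashlib.sha256).digest()

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the (optional) cipher."""
    blocks = (hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, txn_id: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one datagram; the transaction id stays in the clear for key selection."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(8)
    body = HEADER.pack(txn_id, seq, nonce)
    body += bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_datagram(key: bytes, datagram: bytes):
    """Verify the tag and decrypt; returns (seq, plaintext) or None on failure."""
    enc_key, mac_key = _subkeys(key)
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    _, seq, nonce = HEADER.unpack(body[:HEADER.size])
    ct = body[HEADER.size:]
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class StatelessTunnelServer:
    """Uplink endpoint: the peer address is kept only for routing a reply,
    never to decide which transaction a datagram belongs to."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret
        self.known_txns = set()          # ids whose key was set up at transaction start
        self.chunks = defaultdict(dict)  # txn id -> {seq: plaintext}

    def start_transaction(self, txn_id: bytes) -> None:
        self.known_txns.add(txn_id)

    def handle(self, peer: tuple, datagram: bytes) -> tuple:
        if len(datagram) < HEADER.size + TAG_LEN:
            return ("dropped", "short")
        txn_id = datagram[:TXN_ID_LEN]
        if txn_id not in self.known_txns:  # unidentified traffic is left to the trap server
            return ("dropped", "unidentified")
        opened = open_datagram(derive_transaction_key(self.shared_secret, txn_id), datagram)
        if opened is None:
            return ("dropped", "bad tag")
        self.chunks[txn_id][opened[0]] = opened[1]
        return ("accepted", opened[0])

    def reassemble(self, txn_id: bytes) -> bytes:
        return b"".join(v for _, v in sorted(self.chunks[txn_id].items()))

def client_send(shared_secret: bytes, txn_id: bytes, chunks: list, client_ip="198.51.100.7") -> list:
    """One datagram per chunk, each from a fresh random source port ('port is indeterminate')."""
    key = derive_transaction_key(shared_secret, txn_id)
    return [((client_ip, random.randrange(49152, 65536)), seal(key, txn_id, i, c))
            for i, c in enumerate(chunks)]

def four_tuple_flows(datagrams: list, server=("203.0.113.10", 40000)) -> set:
    """What a conventional four-tuple flow tracker records for these datagrams."""
    return {(ip, port, server[0], server[1]) for (ip, port), _ in datagrams}

def demo() -> dict:
    secret = b"constructed shared secret"  # constructed sample value
    server = StatelessTunnelServer(secret)
    txn = os.urandom(TXN_ID_LEN)
    server.start_transaction(txn)
    chunks = [b"GET /intranet/report ", b"HTTP/1.1\r\nHost: erp.internal", b"\r\n\r\n"]
    datagrams = client_send(secret, txn, chunks)
    verdicts = [server.handle(peer, d) for peer, d in datagrams]
    stray = client_send(secret, os.urandom(TXN_ID_LEN), [b"probe"])[0]  # transaction never started
    peer, good = datagrams[0]
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one bit of the tag flipped
    return {"verdicts": verdicts,
            "reassembled": server.reassemble(txn),
            "flows_by_tuple": len(four_tuple_flows(datagrams)),
            "distinct_peers": len({p for p, _ in datagrams}),
            "transactions_by_tunnel": len(server.chunks),
            "stray": server.handle(*stray),
            "tampered": server.handle(peer, tampered)}
```

Calling `demo()` shows a three-datagram transaction leaving from three unrelated source ports: the four-tuple tracker records one flow per distinct peer, while the tunnel endpoint sees a single transaction and reassembles it in sequence order. A datagram for a transaction that was never started and a datagram with a corrupted tag are both dropped before reaching the processing path, which is the software analogue of the trap server absorbing unidentified traffic.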
Step 12-2: uplink/downlink data separation module. The uplink/downlink data separation module includes an uplink tunnel service and a downlink tunnel service.
The process by which the uplink tunnel service handles and transmits the encrypted user request is shown in Fig. 4. At this point the client node module is on a local area network with any form of internet connection. In the encryption/decryption module, the stateless tunnel service sends data to the redirection service; as the data passes over the optical fibre it is duplicated by the splitter of the unidirectional optical splitting isolation module. The duplicated copy reaches the uplink trap server of the client node module, and the uplink trap server sends the data through the WAN1 port to the uplink tunnel service of the server-side node module; the other copy is discarded after reaching the redirection service.
The process by which the downlink tunnel service receives data from the server-side node module is shown in Fig. 5. The WAN2 port of the client node module's internet connection module receives data from the internet, including the data transmitted by the server-side node module; this data is sent to the downlink trap server of the client node module, and the unidirectional optical splitting isolation module duplicates it: the original copy reaches the downlink trap server, which handles the internet data, and the duplicated copy reaches the stateless tunnel service and is handed to the encryption/decryption module for further processing.
Step 12-3: unidirectional optical splitting isolation module. The unidirectional optical splitting isolation module includes a unidirectional optical splitter. This unidirectional optical splitter duplicates the data that was originally sent to the downlink trap server at the WAN1 port and sends one copy from the uplink/downlink data separation module to the encryption/decryption module for actual data processing; or, without establishing a link connection, it duplicates the data that the stateless tunnel service of the encryption/decryption module originally sent to the redirection service of the encryption/decryption module and sends the copy to the uplink tunnel service of the uplink/downlink data separation module, from which it is ultimately destined for the server-side node module. The module isolates the actual data processing procedure from the internet, guaranteeing the security of the data processing procedure.
Step 12-4: internet connection module. The internet connection module includes one WAN1 port and one WAN2 port. The WAN1 port has a dynamic internet address or an internal LAN address and is used to receive data from the server-side node module; the WAN2 port has a dynamic internet address or an internal LAN address and is used to send data to the server-side node module.
Step 13: server-side node module. Its internal structure is shown in Fig. 6: the server-side node module includes four submodules, namely an internet connection module, a unidirectional optical splitting isolation module, an uplink/downlink data separation module and an encryption/decryption module.
Step 13-1: internet connection module. The internet connection module includes one WAN1 port and one WAN2 port. The WAN1 port has a static internet address and is used to receive data from the server-side node module; the WAN2 port has a static internet address and is used to send data to the server-side node module.
Step 13-2: unidirectional optical splitting isolation module. The unidirectional optical splitting isolation module includes a unidirectional optical splitter. This unidirectional optical splitter duplicates the data that was originally sent to the uplink trap server at the WAN1 port and sends one copy from the uplink/downlink data separation module to the encryption/decryption module for actual data processing; or, without establishing a logical link, it duplicates the data that the data processing board of the encryption/decryption module originally sent to the key authentication control board of the encryption/decryption module and sends the copy to the downlink tunnel service of the uplink/downlink data separation module, from which it is ultimately destined for the client node module. The module isolates the actual data processing procedure from the internet, guaranteeing the security of the data processing procedure.
Step 13-3: uplink/downlink data separation module. The uplink/downlink data separation module includes an uplink tunnel service and a downlink tunnel service.
The process by which the uplink tunnel service and the downlink tunnel service handle and transmit data is essentially the same as that of the uplink/downlink data separation module of the client node module.
Step 13-4: encryption/decryption module. The encryption/decryption module includes a data processing board and a key authentication control board and performs encryption and decryption of the data, so that the user finally accesses the destination service system on the internal network.
The working process of the data processing board and key authentication control board is shown in Fig. 7. The uplink tunnel service of the server-side node module uses the optical splitter to send the encrypted user service request data stream to the data processing board, which then sends it to the key authentication control board for encryption/decryption; the data processing board is directly connected to the telecommunications outlet and the communication outlet adapter of the intranet cabling system; the data returned by the data processing board is sent to the key authentication control board, and through the uplink/downlink data separation module the optical splitter duplicates one copy of the traffic, which is finally sent to the client node module, while the key authentication control board discards the traffic; the encryption/decryption path and the optical splitter shunting path are mutually independent.
Step 14: access to the destination service system on the internal network. The data processed by the server-side node module reaches the destination service system over the intranet, and the data processed by the destination service system is likewise sent back over the intranet to the server-side node module.
It can be seen from the above embodiment that the intranet/extranet real-time data exchange system and device based on stateless end-to-end connections with unidirectionally split uplink/downlink separation provided by the present invention hides the internal network by means of the unidirectional splitting property of the optical splitter and the trap servers, and defends against attacks by isolating unauthenticated data in the trap server. Data between the user and the destination service system are thus exchanged securely, and because the uplink and downlink data paths are separated during the exchange, data security is further improved and hijacking and intrusion means such as man-in-the-middle attacks can be better guarded against. While guaranteeing secure access, the device also provides real-time service capability for all TCP/UDP services.