CN110266674B - Intranet access method and related device - Google Patents


Info

Publication number
CN110266674B
Authority
CN
China
Prior art keywords
intranet
firewall
mobile wireless
wireless access
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910503580.9A
Other languages
Chinese (zh)
Other versions
CN110266674A (en)
Inventor
范安心
黄成尧
王绪军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201910503580.9A
Publication of CN110266674A
Application granted
Publication of CN110266674B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 61/4511 Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
        • H04L 63/02 Network security: separating internal from external traffic, e.g. firewalls
        • H04L 63/0823 Network security: authentication of entities using certificates
        • H04L 63/0861 Network security: authentication of entities using biometrical features, e.g. fingerprint, retina-scan
        • H04L 63/0876 Network security: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L 63/10 Network security: controlling access to devices or network resources
        • H04L 67/141 Network services or applications: session management; setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the invention concern access control in security protection and disclose an intranet access method and a related device. The method comprises the following steps: an intranet firewall allocation device receives an intranet connection request sent by a mobile wireless access device, the request carrying positioning reference information of the mobile wireless access device; the intranet firewall allocation device determines the resident geographic area in which the mobile wireless access device is located; the intranet firewall allocation device determines a first intranet firewall as the intranet firewall matched with the mobile wireless access device; and the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device, so that after the mobile wireless access device connects to the first intranet firewall, it provides the user terminal with a service for accessing the target intranet. The invention can improve the efficiency of access to the target intranet and the security of target intranet resources.

Description

Intranet access method and related device
Technical Field
The present application relates to the field of communications, and in particular, to an intranet access method and related apparatus.
Background
With the integration of the global economy, more and more enterprises run businesses around the world, which requires their employees to be dispatched to work abroad. In some office scenarios, an employee at a foreign location needs to access resources on the intranet server, such as intranet web pages or files stored in a shared folder on the intranet file server. This is conventionally done with a VPN (Virtual Private Network): a VPN server is set up in the company intranet, and after the external employee connects to the internet locally through a mobile phone, computer or the like, the employee connects to the VPN server over the internet and then accesses the intranet through it. On the one hand, when the employee connects to the intranet through a terminal such as a computer, the parameters for the intranet VPN connection, such as the address of the intranet VPN server and the user's login name and password, must be configured in advance before dialling up, so the user has more to do and the delay is longer, which reduces connection efficiency. On the other hand, with this approach an employee can access the intranet from any place, which threatens the security of intranet resources to a certain extent.
Disclosure of Invention
The invention provides an intranet access method and a related device, which can improve the efficiency of a user's access to a target intranet and improve the security of target intranet resources.
A first aspect of an embodiment of the present invention provides an intranet access method, including:
an intranet firewall allocation device receives an intranet connection request for a target intranet sent by a mobile wireless access device, where the intranet connection request carries positioning reference information of the mobile wireless access device;
the intranet firewall allocation device determines, according to the positioning reference information, that the mobile wireless access device is located in a resident geographic area of the mobile wireless access device;
the intranet firewall allocation device determines, according to a preset correspondence between the resident geographic area and a first intranet firewall, that the first intranet firewall is the intranet firewall matched with the mobile wireless access device, where the first intranet firewall is one of a plurality of intranet firewalls deployed for the target intranet;
the intranet firewall allocation device sends a first IP address of the first intranet firewall to the mobile wireless access device, so that after the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address, the first intranet firewall routes an intranet access request for the target intranet, sent by a user terminal through the mobile wireless access device, to an intranet server of the target intranet, and the first intranet firewall sends the intranet request response message returned by the intranet server for that request to the user terminal through the mobile wireless access device.
With reference to the first aspect, in a first possible implementation manner, the method further includes:
the intranet firewall distribution equipment acquires a resident geographic area of the mobile wireless access equipment;
the intranet firewall allocation device determines, from the plurality of intranet firewalls deployed for the target intranet, the first intranet firewall corresponding to the resident geographic area and establishes the correspondence between the resident geographic area and the first intranet firewall, where the first intranet firewall is the one of the plurality of intranet firewalls deployed for the target intranet that is geographically closest to the mobile wireless access device when the mobile wireless access device is located in the resident geographic area, or the one of those intranet firewalls that has the minimum network delay to the mobile wireless access device when the mobile wireless access device is located in the resident geographic area.
With reference to the first aspect, in a second possible implementation manner, the method further includes:
the intranet firewall distribution equipment periodically acquires the real-time geographic position of the mobile wireless access equipment;
when the intranet firewall allocation device determines, according to the real-time geographic position of the mobile wireless access device, that the mobile wireless access device has moved outside the resident geographic area, it sends a connection interruption instruction for the mobile wireless access device to the first intranet firewall, so that the first intranet firewall disconnects from the mobile wireless access device according to that instruction.
With reference to the first aspect, in a third possible implementation manner, before the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device, the method further includes:
the intranet firewall allocation device acquires device identity information of the mobile wireless access device and/or terminal identity information of a user terminal connected to the mobile wireless access device;
and the sending, by the intranet firewall allocation device, of the first IP address of the first intranet firewall to the mobile wireless access device includes:
the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device after the mobile wireless access device passes identity verification according to the device identity information and/or after the user terminal connected to the mobile wireless access device passes identity verification according to the terminal identity information.
With reference to the first aspect, in a fourth possible implementation manner, the resident geographic area of the mobile wireless access device includes a plurality of geographic areas;
the method further includes:
the intranet firewall allocation device periodically acquires the real-time geographic position of the mobile wireless access device;
when the intranet firewall allocation device determines, according to the real-time geographic position, that the mobile wireless access device has switched from one of its resident geographic areas to another, it determines, according to a preset correspondence between the resident geographic area the device has switched to and a second intranet firewall of the target intranet, that the second intranet firewall is the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device after the switch;
and when the intranet firewall allocation device determines that the first intranet firewall and the second intranet firewall are not the same firewall, it sends a second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall.
A second aspect of the present invention provides an intranet access method, where the method includes:
a mobile wireless access device sends an intranet connection request for a target intranet to an intranet firewall allocation device, so that the intranet firewall allocation device determines the resident geographic area of the mobile wireless access device according to the positioning reference information of the mobile wireless access device contained in the intranet connection request, and determines, according to a preset correspondence between the resident geographic area of the mobile wireless access device and a first intranet firewall deployed for the target intranet, that the first intranet firewall is the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device;
the mobile wireless access equipment receives a first IP address of the first intranet firewall sent by the intranet firewall allocation equipment, and sends a first firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes connection with the mobile wireless access equipment according to the first firewall connection request;
after receiving an intranet access request aiming at the target intranet and sent by a user terminal, the mobile wireless access equipment routes the intranet access request to an intranet server of the target intranet through the first intranet firewall;
and after receiving an intranet request response message returned by the intranet server responding to the intranet access request through the first intranet firewall, the mobile wireless access equipment sends the intranet request response message to the user terminal.
With reference to the second aspect, in a first possible implementation manner, the resident geographic area of the mobile wireless access device includes a plurality of geographic areas;
the method further comprises the following steps:
the mobile wireless access equipment acquires the real-time geographic position of the mobile wireless access equipment;
when the mobile wireless access device determines, according to the real-time geographic position, that it has switched from one of its resident geographic areas to another, it sends a firewall switching request carrying the real-time geographic position to the intranet firewall allocation device, so that after the intranet firewall allocation device verifies the real-time geographic position of the mobile wireless access device, it determines, according to a preset correspondence between the resident geographic area the device has switched to and a second intranet firewall of the target intranet, that the second intranet firewall is the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device after it has switched to that resident geographic area, and when the intranet firewall allocation device determines that the first intranet firewall and the second intranet firewall are not the same firewall, it sends a second IP address of the second intranet firewall to the mobile wireless access device;
the mobile wireless access equipment sends a second firewall connection request to the second intranet firewall according to the second IP address, so that the second intranet firewall establishes connection with the mobile wireless access equipment according to the second firewall connection request;
and the mobile wireless access equipment is disconnected with the first intranet firewall.
A third aspect of the embodiments of the present invention provides a mobile wireless access device, including:
a sending unit, configured to send an intranet connection request for the target intranet to the intranet firewall allocation device, so that the intranet firewall allocation device determines, according to the preset correspondence between the resident geographic area of the mobile wireless access device and a first intranet firewall deployed for the target intranet, that the first intranet firewall is the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device;
the connection establishing unit is used for receiving a first IP address of the first intranet firewall sent by the intranet firewall allocation equipment and sending a first firewall connection request to the first intranet firewall according to the first IP address so that the first intranet firewall establishes connection with the mobile wireless access equipment according to the first firewall connection request;
the message transmission unit is used for routing the intranet access request to an intranet server of the target intranet through the first intranet firewall after receiving the intranet access request aiming at the target intranet and sent by the user terminal;
the message transmission unit is further configured to send an intranet request response message to the user terminal after receiving an intranet request response message returned by the intranet server in response to the intranet access request through the first intranet firewall.
In a fourth aspect, the present invention provides a mobile wireless access device, comprising a processor, a memory and a communication interface, wherein the processor, the memory and the communication interface are connected to each other, the communication interface is configured to receive and transmit data, the memory is configured to store program codes, and the processor is configured to call the program codes, and the program codes, when executed by a computer, cause the computer to perform any one of the above-mentioned second aspect and its possible implementation manners.
In a fifth aspect, the present invention provides a computer storage medium storing a computer program comprising program instructions which, when executed by a computer, cause the computer to perform any one of the above first aspect and each possible implementation manner of the first aspect, and any one of the above second aspect and each possible implementation manner of the second aspect.
In the embodiments of the invention, when the intranet firewall allocation device receives an intranet connection request from a mobile wireless access device for a target intranet, it determines the resident geographic area in which the mobile wireless access device is located according to the positioning reference information carried in the request, and allocates a first intranet firewall to the mobile wireless access device according to the preset correspondence between the resident geographic area and the first intranet firewall, so that after the mobile wireless access device connects to the first intranet firewall, a service for accessing the intranet server of the target intranet is provided to the user terminal connected to the mobile wireless access device. In this way the user does not need to configure any parameters before accessing the target intranet, which improves access efficiency. At the same time, the intranet firewall allocation device recommends a firewall of the target intranet to the mobile wireless access device when it determines that the device is within the resident geographic area preset for it; if the mobile wireless access device is not within its resident geographic area, its connection to the target intranet can be restricted on the basis of geographic position, which improves the security of the internal resources of the target intranet.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic frame diagram of an intranet access system according to an embodiment of the present invention;
Fig. 2 is a system interaction diagram of an intranet access method according to an embodiment of the present invention;
Fig. 3 is a system interaction diagram of another intranet access method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a mobile wireless access device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another mobile wireless access device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of the framework of an intranet access system according to an embodiment of the present invention. As shown in the figure, intranet firewall 1, intranet firewall 2 and intranet firewall 3 are three intranet firewalls deployed for a target intranet; mobile wireless access device 1 and mobile wireless access device 2 are both connected to intranet firewall 1, and mobile wireless access device 3 is connected to intranet firewall 3; user terminal 1 is connected to mobile wireless access device 2, and user terminal 2 is connected to the mobile wireless access device.
Here, the target intranet is a local area network that interconnects the computers, servers, databases and so on within the local geographic range of a specific enterprise, organization, school or the like. Communication between terminals or servers inside the target intranet takes place at the data link layer, and the messages do not need to be routed by a router; communication with terminals or servers outside the target intranet takes place at the network layer: messages sent from inside the target intranet are routed to the outside terminal or server after network address translation by a router, and messages returned by the outside terminal or server are routed to the inside terminal or server after network address translation by the router.
Here, the intranet firewall deployed for the target intranet may be a firewall deployed in each global place and configured to filter data packets entering and exiting the target intranet, and the intranet firewall is connected to the router of the target intranet through the wide area network, and further connected to the intranet server of the target intranet through the router of the target intranet.
Here, the mobile wireless access device is a mobile wireless access device which can transmit wireless network signals and has a routing function. The mobile wireless access device accesses a data network by inserting a Subscriber Identity Module (SIM) card, accesses a wired network by inserting a network cable, and accesses a wireless network by connecting a wireless fidelity (WIFI). The user terminal can access the wireless network transmitted by the mobile wireless access equipment to connect with the mobile wireless access equipment.
Here, the intranet firewall allocation apparatus may be a device, such as a GTM (Global Traffic Manager) device, which has a domain name resolution function for the target intranet and stores the IP addresses and the deployment locations of the firewalls deployed for the target intranet.
Here, the user terminal may be a terminal device having a wireless network receiving function, including a notebook computer, a mobile phone, a tablet computer, and the like.
Referring to fig. 2, fig. 2 is a system interaction schematic diagram of an intranet access method according to an embodiment of the present invention, as shown in the figure, the method may include:
s201, the mobile wireless access equipment sends an intranet connection request aiming at a target intranet to intranet firewall distribution equipment.
Specifically, the mobile wireless access device may send an intranet connection request to the intranet firewall distribution device after being triggered to start, may send an intranet connection request to the intranet firewall distribution device after receiving a function start instruction sent by a user to access a target intranet, or may send an intranet connection request to the intranet firewall distribution device when receiving an intranet access request sent by a connected user terminal for the target intranet. The intranet connection request can carry the intranet domain name of the target intranet, so that the intranet firewall distribution equipment can determine the intranet connection request as the intranet connection request for the target intranet after analyzing the intranet domain name.
Here, the intranet connection request carries positioning reference information of the mobile wireless access device, where the positioning reference information may be an IP address, GPS data, WIFI access point information, connection base station information, and the like of the mobile wireless access device.
S202, the intranet firewall allocation equipment determines a resident geographic area in which the mobile wireless access equipment is located according to the positioning reference information of the mobile wireless access equipment carried in the intranet connection request.
Here, each mobile wireless access device has its own resident geographic area, which is the geographic area in which that device normally resides. A mobile wireless access device may have more than one resident geographic area, and the intranet firewall allocation device determines the resident geographic area in which the device is located according to its positioning reference information.
Specifically, the intranet firewall allocation device determines the geographic position of the mobile wireless access device from the positioning reference information, and then determines from that position which resident geographic area the device is in. If the positioning reference information is the IP address of the mobile wireless access device, the intranet firewall allocation device may determine the geographic position from the IP address by IP geolocation; if the positioning reference information is the connected base station information of the mobile wireless access device, the intranet firewall allocation device may determine the geographic position from the base station information by base station positioning; in either case it then determines the resident geographic area in which the device is located from the geographic position.
And S203, the intranet firewall distribution equipment determines the first intranet firewall to be the intranet firewall matched with the mobile wireless access equipment according to the preset corresponding relation between the resident geographic area and the first intranet firewall.
Specifically, before step S203, the intranet firewall allocating device obtains a resident geographic area of the mobile wireless access device, for example, in order to ensure the security of the target intranet, the resident geographic area may be an allowed secure access area specific to the mobile wireless access device, which is input by an administrator of the mobile wireless access device and received by the intranet firewall allocating device, and an unsecure access area is outside the resident geographic area; for another example, the resident geographic area is the resident geographic area of the mobile wireless access device obtained by the intranet firewall distribution device according to the historical visiting location statistics of the mobile wireless access device, or the resident geographic area obtained by the mobile wireless access device through the historical visiting location statistics of the mobile wireless access device itself, and then the resident geographic area is sent to the intranet firewall distribution device.
After obtaining a resident geographic area of the mobile wireless access device, the intranet firewall allocation device determines the first intranet firewall corresponding to that resident geographic area from the plurality of intranet firewalls deployed for the target intranet, and records the correspondence between the resident geographic area and the first intranet firewall. In one optional implementation, the intranet firewall allocation device compares the resident geographic area with the deployment position of each intranet firewall deployed for the target intranet, and takes the intranet firewall closest to the mobile wireless access device as the first intranet firewall corresponding to the mobile wireless access device in that resident geographic area. In another optional implementation, the intranet firewall allocation device takes the intranet firewall with the smallest network delay to the mobile wireless access device, while the device is in the resident geographic area, as the first intranet firewall. That network delay between each intranet firewall of the target intranet and the mobile wireless access device may be approximated from the delay that other mobile wireless access devices of the same performance experienced when connected to the intranet firewalls of the target intranet from the same resident geographic area, or approximated from the message transmission medium between the resident geographic area and each intranet firewall of the target intranet and its length.
S204, the intranet firewall allocation equipment sends the first IP address of the first intranet firewall to the mobile wireless access equipment.
Optionally, before step S204 the mobile wireless access device sends its device identity information and/or the terminal identity information of the user terminal to the intranet firewall allocation device, and in step S204 the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device only after authenticating the mobile wireless access device from the device identity information and/or authenticating the user terminal from the terminal identity information. The device identity information of the mobile wireless access device may be an access device identification code, a digital certificate, an access device user name and password entered by the user and received by the mobile wireless access device, biometric information for identity authentication entered by the user and received by the mobile wireless access device, and the like. The terminal identity information may be a terminal device identification code of the user terminal, a digital certificate, a terminal user name and password entered by the user and received by the user terminal, biometric information for identity authentication entered by the user and received by the user terminal, and the like. Authenticating the mobile wireless access device before the intranet firewall allocation device sends it the first IP address further protects the resources in the target intranet.
S205, the mobile wireless access equipment establishes connection with the first intranet firewall according to the first IP address.
Specifically, the mobile wireless access device sends a firewall connection request to the first intranet firewall at the first IP address, and the first intranet firewall establishes the connection with the mobile wireless access device after authenticating it on the basis of the firewall connection request.
In one implementation, the firewall connection request carries an access device identifier of the mobile wireless access device, such as its MAC address, and the first intranet firewall determines that the identity authentication of the mobile wireless access device has passed when the access device identifier is one of the preset access device identifiers allowed to connect.
In another implementation manner, the firewall connection request carries a user name and a password input by a user through the mobile wireless access device, and the first intranet firewall determines that the identity authentication of the mobile wireless access device passes when determining that the user name and the password are one of preset user names and passwords allowed to be connected.
In yet another implementation, the firewall connection request carries the digital certificate of the mobile wireless access device. The first intranet firewall identifies the certificate issuer from the issuer information carried in the access device certificate and obtains the issuer's digital certificate. Using the issuer public key contained in the issuer certificate, the first intranet firewall recovers the certificate fingerprint from the digital signature in the access device certificate, and it separately computes a hash value over the access device certificate with the specified hash algorithm. When the hash value it computed matches the recovered certificate fingerprint, the first intranet firewall determines that the identity authentication of the mobile wireless access device has passed.
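The certificate check just described, as an added Go example that is not the patent's code: it uses the standard library's x509 package, mints a constructed issuer certificate and access device certificate for the demonstration, and assumes the first intranet firewall already holds the issuer certificate it trusts.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyAccessDeviceCert is the firewall-side check: the issuer named in the access
// device certificate must be the holder of issuerDER, and the certificate signature
// must verify under the issuer public key. CheckSignatureFrom hashes the signed part
// of the certificate and verifies the signature over that hash, which is the
// "fingerprint equals hash value" comparison of the text; validity dates are checked too.
func VerifyAccessDeviceCert(devDER, issuerDER []byte, now time.Time) error {
	dev, err := x509.ParseCertificate(devDER)
	if err != nil {
		return fmt.Errorf("parse access device certificate: %w", err)
	}
	issuer, err := x509.ParseCertificate(issuerDER)
	if err != nil {
		return fmt.Errorf("parse issuer certificate: %w", err)
	}
	if !bytes.Equal(dev.RawIssuer, issuer.RawSubject) {
		return errors.New("certificate issuer does not match the supplied issuer certificate")
	}
	if err := dev.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	if now.Before(dev.NotBefore) || now.After(dev.NotAfter) {
		return errors.New("access device certificate is outside its validity period")
	}
	return nil
}

// newCA mints a self-signed issuer certificate (constructed test data, not a real CA).
func newCA(name string) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, key, err
}

// newDeviceCert issues an end-entity certificate for one access device from issuer.
func newDeviceCert(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, deviceID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
}

func main() {
	ca, caDER, caKey, err := newCA("Example Device CA")
	if err != nil {
		panic(err)
	}
	good, _ := newDeviceCert(ca, caKey, "ap-0001")
	rogue, _, rogueKey, _ := newCA("Rogue CA")
	bad, _ := newDeviceCert(rogue, rogueKey, "ap-0001")
	fmt.Println("issued by trusted CA:", VerifyAccessDeviceCert(good, caDER, time.Now()))
	fmt.Println("issued by rogue CA:  ", VerifyAccessDeviceCert(bad, caDER, time.Now()))
}
```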
Specifically, the mobile wireless access device initiates a TCP three-way handshake to establish a TCP/IP connection with the first intranet firewall, as follows: the mobile wireless access device sends a SYN (Synchronize Sequence Numbers) packet to the first intranet firewall; after receiving the SYN packet, the first intranet firewall sends a SYN+ACK (Acknowledgement) packet to the mobile wireless access device; after receiving the SYN+ACK packet, the mobile wireless access device returns an ACK packet to the first intranet firewall; and once the first intranet firewall receives that ACK packet, the connection between the mobile wireless access device and the first intranet firewall is established.
S206, the user terminal sends an intranet access request aiming at the target intranet to the mobile wireless access equipment.
Specifically, before step S206, the user terminal may send a wireless network connection request to the mobile wireless access device, and the mobile wireless access device may directly establish a connection with the user terminal, or establish a connection with the user terminal after being verified through user terminal identity information carried in the wireless network connection request. The user terminal identity information may be a user name and a password of a wireless network established by the mobile wireless access device and input by the user, which are received by the user terminal, or may be biometric information input by the user and received by the user terminal, or may be terminal device identification information of the user terminal.
It is understood that step S206 may be performed at any time after the mobile wireless access device establishes a connection with the user terminal and before step S207.
And S207, the mobile wireless access equipment sends the intranet access request to the first intranet firewall.
Specifically, the intranet access request is an access request for a server in a target intranet, for example, an access request for a Web server in the target intranet, an access request for an FTP server in the target intranet, an access request for a mail server in the target intranet, and the like.
And S208, the first intranet firewall routes the intranet access request to the intranet server of the target intranet.
Specifically, after receiving an intranet access request sent by the mobile wireless access device, the first intranet firewall sends the intranet access request to the router of the target intranet through an extranet, and the router of the target intranet routes the intranet access request to a corresponding intranet server in the target intranet through the target intranet.
S209, the intranet server returns an intranet request response message responding to the intranet access request to the first intranet firewall.
Specifically, after responding to the intranet access request and generating an intranet request response message, the intranet server sends the intranet request response message to the router of the target intranet through the target intranet, and the router of the target intranet sends the intranet request response message to the first intranet firewall through an extranet. For example, if the intranet access request requests to acquire a certain file in a file server in a target intranet, the intranet request response message may be the file sent by the file server.
S210, the first intranet firewall sends the intranet request response message to the mobile wireless access equipment.
S211, the mobile wireless access device sends the intranet request response message to the user terminal.
Optionally, when the mobile wireless access device has a plurality of resident geographic areas, after it establishes a connection with the first intranet firewall it may obtain its own real-time geographic position continuously and monitor, from that position, whether it has switched between its resident geographic areas. If it determines that it has switched, it sends the intranet firewall allocation device a firewall switching request carrying the real-time geographic position. After verifying the real-time geographic position of the mobile wireless access device, the intranet firewall allocation device determines, according to the preset correspondence between the resident geographic area the device switched to and a second intranet firewall of the target intranet, that the second intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, is the intranet firewall matched with the device in its new resident geographic area. When the intranet firewall allocation device determines that the first intranet firewall and the second intranet firewall are different, it sends the second IP address of the second intranet firewall to the mobile wireless access device; after the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address, it disconnects from the first intranet firewall.
Here, the corresponding relationship between the switched resident geographic area and the second intranet firewall may refer to the establishment of the corresponding relationship between the resident geographic area before switching and the first intranet firewall in step S203, which is not described herein again.
The mobile wireless access device initiates a TCP four-way close to release the TCP/IP connection with the first intranet firewall, as follows: the mobile wireless access device sends a FIN (Finish) packet to the first intranet firewall; after receiving the FIN packet, the first intranet firewall sends an ACK packet to the mobile wireless access device; the first intranet firewall then sends its own FIN packet to the mobile wireless access device; after receiving that FIN packet, the mobile wireless access device sends an ACK packet to the first intranet firewall; and once the first intranet firewall receives this ACK packet, the connection between the mobile wireless access device and the first intranet firewall is released.
In the embodiment of the invention, when the intranet firewall allocation device receives an intranet connection request from a mobile wireless access device for a target intranet, it determines the resident geographic area in which the mobile wireless access device is located from the positioning reference information carried by the intranet connection request, and allocates a first intranet firewall to the mobile wireless access device according to the preset correspondence between that resident geographic area and the first intranet firewall, so that after the mobile wireless access device connects to the first intranet firewall it can provide the user terminal connected to it with access to an intranet server in the target intranet. With this embodiment a user need not configure any parameter before accessing the target intranet, which improves access efficiency; at the same time, the intranet firewall allocation device recommends an intranet firewall of the target intranet to the mobile wireless access device only when it determines that the device is within the resident geographic area preset for it, and if the device is outside that area its connection to the target intranet can be restricted on the basis of geographic position, which improves the security of the internal resources of the target intranet.
Referring to fig. 3, fig. 3 is a system interaction schematic diagram of another intranet access method provided in the embodiment of the present invention, as shown in the figure, the intranet access method may include:
S301, the mobile wireless access device sends an intranet connection request for a target intranet to the intranet firewall allocation device.
And S302, the intranet firewall allocation equipment determines a first resident geographic area in which the mobile wireless access equipment is located according to the positioning reference information of the mobile wireless access equipment carried in the intranet connection request.
Specifically, before step S302 the intranet firewall allocation device acquires a plurality of resident geographic areas of the mobile wireless access device, of which the first resident geographic area is one. In step S302, the intranet firewall allocation device determines the geographic location of the mobile wireless access device from its positioning reference information, such as an IP address or GPS data, and determines from that location that the mobile wireless access device is in the first resident geographic area among the plurality of resident geographic areas corresponding to it.
S303, the intranet firewall allocation device determines, according to the preset correspondence between the first resident geographic area and the first intranet firewall, that the first intranet firewall is the intranet firewall matched with the mobile wireless access device.
Specifically, for a plurality of resident geographic areas of the mobile wireless access device, before step S303, the intranet firewall distribution device matches the corresponding intranet firewall of the target intranet for each resident geographic area, and establishes a correspondence between each resident geographic area and the matched intranet firewall. In one implementation, the intranet firewall corresponding to each resident geographic area is the intranet firewall with the minimum distance from the mobile wireless access device when the mobile wireless access device is located in each resident geographic area; in another implementation, the intranet firewall corresponding to the resident geographic area is an intranet firewall with minimum network delay with the mobile wireless access device when the mobile wireless access device is located in each resident geographic area. The corresponding relationship between each resident geographic area and the matched intranet firewall includes the corresponding relationship between the first resident geographic area and the first intranet firewall, and the preset corresponding relationship between the resident geographic area after the mobile wireless access device is switched and the second intranet firewall of the target intranet in step S311.
In step S303, the intranet firewall allocation device obtains an intranet firewall corresponding to the first resident geographic area, that is, a first intranet firewall, from a correspondence between the plurality of resident geographic areas corresponding to the mobile wireless access device and the matched intranet firewalls.
S304, the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device.
S305, the mobile wireless access equipment establishes connection with the first intranet firewall according to the first IP address.
S306, the intranet firewall distribution equipment periodically acquires the real-time geographic position of the mobile wireless access equipment.
Here, the intranet firewall allocation device may obtain the real-time geographic position of the mobile wireless access device by a positioning technology. If the real-time geographic position is instead reported by the mobile wireless access device to the intranet firewall allocation device, then, to ensure that the target intranet is connected only by the mobile wireless access device while it is within its resident geographic areas and thus to protect the resources in the target intranet, the intranet firewall allocation device must verify the reported real-time geographic position by a positioning technology after receiving it, and only then execute step S307.
S307, the intranet firewall allocation device determines, according to the real-time geographic position, whether the mobile wireless access device is located within the plurality of resident geographic areas preset for it.
If the determination result in step S307 is no, step S308 is executed, and if the determination result is yes, step S309 is executed.
S308, the intranet firewall distribution equipment sends a connection interruption instruction aiming at the mobile wireless access equipment to the first intranet firewall.
S309, the first intranet firewall disconnects the connection with the mobile wireless access equipment according to the connection interruption instruction.
Specifically, before step S309 a TCP/IP connection has been established between the first intranet firewall and the mobile wireless access device, and in step S309 the first intranet firewall initiates a four-way close of that TCP/IP connection with the mobile wireless access device according to the connection interruption instruction. The four-way close initiated by the mobile wireless access device to release the TCP/IP connection with the first intranet firewall, described after step S211 in the embodiment of fig. 2, may be referred to and is not repeated here.
S310, the intranet firewall allocation device determines, according to the real-time geographic position, whether the mobile wireless access device has switched between its resident geographic areas.
If the determination result in step S310 is no, no processing is performed, and if the determination result is yes, step S311 is performed.
S311, the intranet firewall allocation device determines, according to the preset correspondence between the resident geographic area to which the mobile wireless access device has switched and the second intranet firewall of the target intranet, that the second intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, is the intranet firewall matched with the mobile wireless access device after it switched resident geographic areas.
S312, when the intranet firewall distribution equipment determines that the first intranet firewall is inconsistent with the second intranet firewall, the intranet firewall distribution equipment sends a second IP address of the second intranet firewall to the mobile wireless access equipment.
S313, the mobile wireless access equipment establishes connection with the second intranet firewall according to the second IP address and disconnects connection with the first intranet firewall.
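The matching rule of step S203 and the position checks of steps S307 to S312 together, as an added Go example that is not code from the patent. It assumes circular resident areas, great-circle distance as the "closest firewall" metric, and that the reported position has already been verified by the allocation device; the patent fixes none of these.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Point is a latitude/longitude pair in degrees.
type Point struct{ Lat, Lon float64 }

// Firewall is one intranet firewall deployed for the target intranet.
type Firewall struct {
	Name string
	IP   string // address handed to the access device in step S204 / S304
	Pos  Point  // deployment position
}

// ResidentArea is one allowed area of an access device, modelled as a circle
// (an assumption: the patent does not fix the shape of the area).
type ResidentArea struct {
	Name     string
	Centre   Point
	RadiusKm float64
}

// haversineKm is the great-circle distance between two points in kilometres.
func haversineKm(a, b Point) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// Contains reports whether position p lies inside the area.
func (ra ResidentArea) Contains(p Point) bool { return haversineKm(ra.Centre, p) <= ra.RadiusKm }

// Action is the allocation device's decision for one verified position report.
type Action int

const (
	Reject    Action = iota // outside every resident area: refuse, or send the interruption instruction (S308)
	Allocate                // initial request from inside an area: hand out the matched firewall (S204)
	KeepAlive               // still inside an area mapped to the current firewall: nothing to do
	Switch                  // moved to an area mapped to another firewall: hand out its IP (S312)
)

// Allocator plays the intranet firewall allocation device for one access device.
type Allocator struct {
	areas   []ResidentArea
	mapping map[string]Firewall // area name -> matched firewall, built in advance (S203 / S303)
}

// NewAllocator builds the area -> firewall correspondence. cost ranks the firewalls for an
// area: haversineKm gives the "closest firewall" rule, and an estimated round-trip time
// between the area and each firewall would give the "minimum network delay" rule.
func NewAllocator(fws []Firewall, areas []ResidentArea, cost func(a, b Point) float64) (*Allocator, error) {
	if len(fws) == 0 {
		return nil, errors.New("no intranet firewall deployed for the target intranet")
	}
	al := &Allocator{areas: areas, mapping: make(map[string]Firewall, len(areas))}
	for _, area := range areas {
		best := fws[0]
		for _, fw := range fws[1:] {
			if cost(area.Centre, fw.Pos) < cost(area.Centre, best.Pos) {
				best = fw
			}
		}
		al.mapping[area.Name] = best
	}
	return al, nil
}

// Decide applies the checks of steps S307, S310 and S312 to a position that the
// allocation device has already verified; currentIP is "" on the initial request.
func (al *Allocator) Decide(currentIP string, p Point) (Action, Firewall) {
	for _, area := range al.areas {
		if !area.Contains(p) {
			continue
		}
		fw := al.mapping[area.Name]
		switch {
		case currentIP == "":
			return Allocate, fw
		case fw.IP == currentIP:
			return KeepAlive, fw
		default:
			return Switch, fw
		}
	}
	return Reject, Firewall{}
}

func main() {
	// Constructed deployment: two firewalls and two resident areas of one access device.
	fws := []Firewall{{"fw-south", "203.0.113.10", Point{22.54, 114.06}}, {"fw-east", "203.0.113.20", Point{31.23, 121.47}}}
	areas := []ResidentArea{{"campus-south", Point{22.55, 114.10}, 20}, {"campus-east", Point{31.20, 121.40}, 20}}
	al, _ := NewAllocator(fws, areas, haversineKm)
	for _, p := range []Point{{22.56, 114.08}, {31.21, 121.42}, {39.90, 116.40}} {
		act, fw := al.Decide("203.0.113.10", p) // device currently attached to fw-south
		fmt.Printf("%v -> action %d, firewall %q\n", p, act, fw.Name)
	}
}
```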
In the embodiment of the invention, after the mobile wireless access device establishes a connection with the first intranet firewall allocated by the intranet firewall allocation device, the allocation device monitors the real-time geographic position of the mobile wireless access device, and when it determines that the device has moved outside its resident geographic areas it instructs the first intranet firewall to disconnect from the device, so that the device stops providing the connected user terminal with access to the target intranet; the location from which a user terminal may access the target intranet is thereby effectively controlled and the security of the resources in the target intranet improved. Meanwhile, when the allocation device determines from the real-time geographic position that the mobile wireless access device has switched between its resident geographic areas, it pushes to the device the intranet firewall matched with the new resident geographic area, so that the intranet firewall connected to the mobile wireless access device is always the closest one or the one with the smallest network delay to it, which preserves the network quality of a user terminal accessing the target intranet through the mobile wireless access device's connection to the intranet firewall.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a mobile wireless access device according to an embodiment of the present invention, as shown in the figure, the mobile wireless access device 40 at least includes a request sending unit 401, a connection establishing unit 402, and a message transmitting unit 403, where:
The request sending unit 401 is configured to send an intranet connection request for a target intranet to the intranet firewall allocation device, so that the intranet firewall allocation device determines the resident geographic area in which the mobile wireless access device is located from the positioning reference information of the device contained in the intranet connection request, and further determines, according to the preset correspondence between the resident geographic area of the mobile wireless access device and a first intranet firewall deployed for the target intranet, that the first intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, is the intranet firewall matched with the mobile wireless access device.
The connection establishing unit 402 is configured to receive a first IP address of the first intranet firewall sent by the intranet firewall allocation device, and send a first firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the first firewall connection request.
The message transmission unit 403 is configured to, after receiving an intranet access request for the target intranet sent by the user terminal, route the intranet access request through the first intranet firewall to the intranet server of the target intranet.
The message transmission unit 403 is further configured to send an intranet request response message to the user terminal after receiving an intranet request response message returned by the intranet server responding to the intranet access request through the first intranet firewall.
In a specific implementation, the mobile wireless access device may execute, through each built-in functional module thereof, each step executed by the mobile wireless access device in the intranet access method in fig. 2 to 3, and specific implementation details may refer to implementation details of each step in the embodiment corresponding to fig. 2 to 3, which are not described herein again.
In the embodiment of the invention, after a request sending unit sends an intranet connection request aiming at a target intranet to an intranet firewall distribution device, the intranet firewall distribution device determines a resident geographic area where a mobile wireless access device is located according to positioning reference information carried by the intranet connection request, and sends a first IP address of a first intranet firewall to a connection establishing unit according to a corresponding relation between a preset resident geographic area and the first intranet firewall, and the connection establishing unit establishes connection with the first intranet firewall according to the first IP address and then provides a service for accessing an intranet server in the target intranet for a user terminal connected with the mobile wireless access device through a message transmission unit. According to the embodiment, a user does not need to configure any parameter before accessing the target intranet, so that the access efficiency of the target intranet is improved, when the intranet firewall distribution equipment determines that the mobile wireless access equipment is in the resident geographic area range preset for the mobile wireless access equipment, the firewall determination unit recommends the intranet firewall of the connected target intranet for the mobile wireless access equipment, if the mobile wireless access equipment is not in the resident geographic area, the connection of the mobile wireless access equipment to the target intranet can be limited according to the geographic position, and the safety of internal resources of the target intranet is improved.
Referring to fig. 5, fig. 5 is a schematic structural diagram of another mobile wireless access device according to an embodiment of the present invention, and as shown in the figure, the mobile wireless access device 50 includes a processor 501, a memory 502, and a communication interface 503. The processor 501 is connected to a memory 502 and a communication interface 503, for example, the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
The processor 501 is configured to support the mobile wireless access device to perform the corresponding functions of the mobile wireless access device in the intranet access method described in fig. 2-3. The Processor 501 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof. The hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a Field-Programmable Gate Array (FPGA), General Array Logic (GAL), or any combination thereof.
The memory 502 is used to store program code and the like. The memory 502 includes internal memory, which may include at least one of: volatile memory (for example Dynamic Random Access Memory (DRAM), Static RAM (SRAM), Synchronous Dynamic RAM (SDRAM), etc.) and non-volatile memory (for example One-Time Programmable Read-Only Memory (OTPROM), Programmable ROM (PROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), etc.). The memory 502 may also include external memory, which may include at least one of a Hard Disk Drive (HDD), a Solid-State Drive (SSD), or flash storage such as CompactFlash (CF), Secure Digital (SD), micro SD, mini SD, extreme digital (xD), memory sticks, etc.
The communication interface 503 is used for receiving or transmitting data.
The processor 501 may call the program code to perform the following operations:
sending an intranet connection request for a target intranet to the intranet firewall allocation device, so that the intranet firewall allocation device determines the resident geographic area of the mobile wireless access device from the positioning reference information of the mobile wireless access device contained in the intranet connection request, and further determines, according to the preset correspondence between the resident geographic area of the mobile wireless access device and the first intranet firewall deployed for the target intranet, that the first intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, is the intranet firewall matched with the mobile wireless access device;
receiving a first IP address of the first intranet firewall sent by the intranet firewall distribution equipment, and sending a first firewall connection request to the first intranet firewall according to the first IP address so that the first intranet firewall establishes connection with the mobile wireless access equipment according to the first firewall connection request;
after receiving an intranet access request aiming at the target intranet and sent by a user terminal, routing the intranet access request to an intranet server of the target intranet through the first intranet firewall;
and after receiving an intranet request response message returned by the intranet server responding to the intranet access request through the first intranet firewall, sending the intranet request response message to the user terminal.
It should be noted that the implementation of each operation may also follow the corresponding description of the method embodiments shown in fig. 2 and fig. 3, and that the processor 501 may also perform the other operations of those method embodiments.
Embodiments of the present invention also provide a computer storage medium storing a computer program, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of the foregoing embodiments, wherein the computer may be part of the above-mentioned intranet firewall allocation device or mobile wireless access device.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program that is stored in a computer-readable storage medium and, when executed, carries out the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above disclosure describes only preferred embodiments of the present invention; it does not limit the scope of the invention, which is defined by the appended claims.

Claims (9)

1. An intranet access method, comprising:
an intranet firewall allocation device receives an intranet connection request for a target intranet sent by a mobile wireless access device, wherein the intranet connection request carries positioning reference information of the mobile wireless access device, and the target intranet is a local communication network that interconnects computers, servers and databases within a local geographic range;
the intranet firewall allocation device determines the resident geographic area of the mobile wireless access device according to the positioning reference information;
the intranet firewall allocation device determines, according to a preset correspondence between the resident geographic area and a first intranet firewall, the first intranet firewall to be the intranet firewall matched with the mobile wireless access device, wherein the first intranet firewall is one of a plurality of intranet firewalls deployed for the target intranet, an intranet firewall is a firewall that filters the data packets entering and leaving the target intranet, and each intranet firewall is connected to a router of the target intranet through a wide area network so as to reach an intranet server of the target intranet;
the intranet firewall allocation device sends a first IP address of the first intranet firewall to the mobile wireless access device, so that after the mobile wireless access device has established a connection with the first intranet firewall according to the first IP address, the first intranet firewall routes an intranet access request for the target intranet, sent by a user terminal through the mobile wireless access device, to the intranet server of the target intranet, and the first intranet firewall sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device, wherein the intranet access request is an access request for a server in the target intranet and includes an access request for a Web server in the target intranet, an access request for an FTP server in the target intranet and an access request for a mail server in the target intranet, the intranet access request further includes a request to obtain a file from a file server in the target intranet, and the intranet request response message then further includes that file from the file server;
the intranet firewall allocation device periodically obtains the real-time geographic position of the mobile wireless access device;
and when the intranet firewall allocation device determines from the real-time geographic position of the mobile wireless access device that the mobile wireless access device has moved outside the resident geographic area, the intranet firewall allocation device sends a connection interruption instruction for the mobile wireless access device to the first intranet firewall, so that the first intranet firewall disconnects from the mobile wireless access device according to the connection interruption instruction.
2. The method of claim 1, wherein the method further comprises:
the intranet firewall allocation device obtains the resident geographic area of the mobile wireless access device;
the intranet firewall allocation device determines, from the plurality of intranet firewalls deployed for the target intranet, the first intranet firewall corresponding to that resident geographic area and establishes the correspondence between the resident geographic area and the first intranet firewall, wherein the first intranet firewall is the one of the plurality of intranet firewalls deployed for the target intranet that is closest to the mobile wireless access device when the mobile wireless access device is located in the resident geographic area, or the one of the plurality of intranet firewalls deployed for the target intranet that has the lowest network delay to the mobile wireless access device when the mobile wireless access device is located in the resident geographic area.
3. The method according to claim 1, wherein before the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device, the method further comprises:
the intranet firewall allocation device obtains device identity information of the mobile wireless access device and/or terminal identity information of a user terminal connected to the mobile wireless access device;
and the step of the intranet firewall allocation device sending the first IP address of the first intranet firewall to the mobile wireless access device comprises:
the intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device after the identity of the mobile wireless access device has been verified according to the device identity information and/or after the identity of the user terminal connected to the mobile wireless access device has been verified according to the terminal identity information.
4. The method of claim 1, wherein the mobile wireless access device has a plurality of resident geographic areas;
and the method further comprises:
the intranet firewall allocation device periodically obtains the real-time geographic position of the mobile wireless access device;
when the intranet firewall allocation device determines from the real-time geographic position that the mobile wireless access device has moved from one of its resident geographic areas to another, it determines, according to a preset correspondence between the resident geographic area the mobile wireless access device has moved to and a second intranet firewall of the target intranet, the second intranet firewall to be the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device after the move;
and when the intranet firewall allocation device determines that the first intranet firewall and the second intranet firewall are not the same firewall, it sends a second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall.
5. An intranet access method, the method comprising:
a mobile wireless access device sends an intranet connection request for a target intranet to an intranet firewall allocation device, so that the intranet firewall allocation device determines the resident geographic area of the mobile wireless access device according to positioning reference information of the mobile wireless access device carried in the intranet connection request, and determines, according to a preset correspondence between the resident geographic area of the mobile wireless access device and a first intranet firewall deployed for the target intranet, the first intranet firewall to be the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, that matches the mobile wireless access device, wherein the target intranet is a local communication network that interconnects computers, servers and databases within a local geographic range, an intranet firewall is a firewall that filters the data packets entering and leaving the target intranet, and each intranet firewall is connected to the router of the target intranet through a wide area network so as to reach the intranet server of the target intranet;
the mobile wireless access device receives a first IP address of the first intranet firewall sent by the intranet firewall allocation device, and sends a first firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the first firewall connection request;
after receiving an intranet access request for the target intranet sent by a user terminal, the mobile wireless access device routes the intranet access request to an intranet server of the target intranet through the first intranet firewall, wherein the intranet access request is an access request for a server in the target intranet and includes an access request for a Web server in the target intranet, an access request for an FTP server in the target intranet and an access request for a mail server in the target intranet, the intranet access request further includes a request to obtain a file from a file server in the target intranet, and the intranet request response message then further includes that file from the file server;
and after receiving, through the first intranet firewall, an intranet request response message returned by the intranet server in response to the intranet access request, the mobile wireless access device sends the intranet request response message to the user terminal.
6. The method of claim 5, wherein the mobile wireless access device has a plurality of resident geographic areas;
and the method further comprises:
the mobile wireless access device obtains its own real-time geographic position;
when the mobile wireless access device determines from the real-time geographic position that it has moved from one of its resident geographic areas to another, the mobile wireless access device sends a firewall switching request carrying the real-time geographic position to the intranet firewall allocation device, so that the intranet firewall allocation device, after verifying the real-time geographic position of the mobile wireless access device, determines, according to the preset correspondence between the resident geographic area the mobile wireless access device has moved to and a second intranet firewall of the target intranet, the second intranet firewall to be the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, matched with the mobile wireless access device after the move, and, when the intranet firewall allocation device determines that the first intranet firewall and the second intranet firewall are not the same firewall, sends a second IP address of the second intranet firewall to the mobile wireless access device;
the mobile wireless access device sends a second firewall connection request to the second intranet firewall according to the second IP address, so that the second intranet firewall establishes a connection with the mobile wireless access device according to the second firewall connection request;
and the mobile wireless access device disconnects from the first intranet firewall.
7. A mobile wireless access device, comprising:
a request sending unit, configured to send an intranet connection request for a target intranet to an intranet firewall allocation device, so that the intranet firewall allocation device determines the resident geographic area of the mobile wireless access device according to positioning reference information of the mobile wireless access device carried in the intranet connection request, and determines, according to a preset correspondence between the resident geographic area of the mobile wireless access device and a first intranet firewall deployed for the target intranet, the first intranet firewall to be the intranet firewall, among the plurality of intranet firewalls deployed for the target intranet, that matches the mobile wireless access device, wherein the target intranet is a local communication network that interconnects computers, servers and databases within a local geographic range, an intranet firewall is a firewall that filters the data packets entering and leaving the target intranet, and each intranet firewall is connected to the router of the target intranet through a wide area network so as to reach the intranet server of the target intranet;
a connection establishing unit, configured to receive a first IP address of the first intranet firewall sent by the intranet firewall allocation device and to send a first firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the first firewall connection request;
a message transmission unit, configured to route an intranet access request for the target intranet, after it is received from a user terminal, to an intranet server of the target intranet through the first intranet firewall, wherein the intranet access request is an access request for a server in the target intranet and includes an access request for a Web server in the target intranet, an access request for an FTP server in the target intranet and an access request for a mail server in the target intranet, the intranet access request further includes a request to obtain a file from a file server in the target intranet, and the intranet request response message then further includes that file from the file server;
the message transmission unit being further configured to send the intranet request response message to the user terminal after receiving, through the first intranet firewall, the intranet request response message returned by the intranet server in response to the intranet access request.
8. A mobile wireless access device comprising a processor, a memory and a communication interface, the processor, the memory and the communication interface being interconnected, wherein the communication interface is configured to receive and transmit data, the memory is configured to store program code, and the processor is configured to invoke the program code to perform the method of any one of claims 5-6.
9. A computer storage medium, characterized in that the computer storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the method according to any one of claims 1-6.
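Claims 1 to 4 describe the allocation device's side of the scheme: resolve the resident area from the device's reported position, hand out the IP of the firewall bound to that area (the closest one, per claim 2), release that IP only after the device's identity has been verified (claim 3), and react to periodic position updates with either a switch to a second firewall (claim 4) or a connection interruption (claim 1). The following Python illustration is added here and is not code from the patent or its applicant. Circular resident areas checked with a haversine distance, the HMAC-based device credential used for the identity gate, the sample firewalls and areas, and the `"keep"` / `("switch", ip)` / `"disconnect"` decision values are all this example's own assumptions; the claims do not specify how positions are matched to areas or how identity is verified.

```python
"""Allocation-device side of claims 1 to 4 (added illustration, not the
patent's code).  Circular areas, haversine distance and the HMAC device
credential are assumptions of this example."""
import hashlib
import hmac
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Firewall:
    name: str
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class ResidentArea:
    name: str
    lat: float
    lon: float
    radius_km: float  # assumed: a resident area is a circle around its centre


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance; the "closest firewall" metric of claim 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def make_tag(device_id, key, nonce):
    """Device credential carried in the connection request (assumed HMAC scheme)."""
    return hmac.new(key, f"{device_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


class FirewallAllocator:
    def __init__(self, firewalls, device_keys):
        self.firewalls = list(firewalls)
        self.device_keys = dict(device_keys)  # device_id -> pre-shared key (assumption)
        self.device_areas = {}                # device_id -> [ResidentArea, ...]
        self.area_firewall = {}               # area name -> Firewall (claim 2 correspondence)
        self.sessions = {}                    # device_id -> (area name, Firewall)

    def register_device(self, device_id, areas):
        """Claim 2: bind each resident area to the geographically closest firewall."""
        self.device_areas[device_id] = list(areas)
        for area in areas:
            self.area_firewall[area.name] = min(
                self.firewalls,
                key=lambda fw: distance_km(area.lat, area.lon, fw.lat, fw.lon))

    def resolve_area(self, device_id, lat, lon):
        """Map a reported position to one of the device's resident areas, or None."""
        for area in self.device_areas.get(device_id, []):
            if distance_km(lat, lon, area.lat, area.lon) <= area.radius_km:
                return area
        return None

    def identity_ok(self, device_id, nonce, tag):
        """Claim 3 gate: only a registered device presenting a valid tag gets an IP."""
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        return hmac.compare_digest(make_tag(device_id, key, nonce), tag)

    def handle_connection_request(self, device_id, lat, lon, nonce, tag):
        """Claim 1: returns ("ok", first_ip) or ("denied", reason)."""
        if not self.identity_ok(device_id, nonce, tag):
            return ("denied", "identity verification failed")
        area = self.resolve_area(device_id, lat, lon)
        if area is None:
            return ("denied", "position outside every resident area")
        fw = self.area_firewall[area.name]
        self.sessions[device_id] = (area.name, fw)
        return ("ok", fw.ip)

    def handle_location_update(self, device_id, lat, lon):
        """Periodic check: "keep", ("switch", second_ip) or "disconnect"."""
        if device_id not in self.sessions:
            return "disconnect"
        _, current_fw = self.sessions[device_id]
        area = self.resolve_area(device_id, lat, lon)
        if area is None:
            # Left every resident area: connection interruption instruction (claim 1).
            del self.sessions[device_id]
            return "disconnect"
        new_fw = self.area_firewall[area.name]
        self.sessions[device_id] = (area.name, new_fw)
        if new_fw.ip != current_fw.ip:
            return ("switch", new_fw.ip)  # second IP address to the device (claim 4)
        return "keep"


def build_demo_allocator():
    """Constructed sample deployment: two firewalls, one device with two resident areas."""
    firewalls = [Firewall("fw-shenzhen", "10.0.1.1", 22.54, 114.06),
                 Firewall("fw-shanghai", "10.0.2.1", 31.23, 121.47)]
    alloc = FirewallAllocator(firewalls, {"ap-001": b"demo-key"})
    alloc.register_device("ap-001", [ResidentArea("shenzhen-office", 22.53, 114.05, 5.0),
                                     ResidentArea("shanghai-office", 31.22, 121.46, 5.0)])
    return alloc
```

With `alloc = build_demo_allocator()`, a request from inside the Shenzhen area with a valid tag returns `("ok", "10.0.1.1")`, a later update from the Shanghai area returns `("switch", "10.0.2.1")`, and an update from outside both areas returns `"disconnect"` and drops the session. Two points a practitioner would add on top of what the claims recite: the position in the request is self-reported by the device, so the identity gate (claim 3) rather than the position is what should carry the trust decision, and the nonce in the tag needs to be tracked (or replaced by a timestamp window) so that a captured request cannot simply be replayed.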
Application CN201910503580.9A, priority date 2019-06-10, filing date 2019-06-10: Intranet access method and related device (granted as CN110266674B, status Active).

Publications (2)

Publication Number   Publication Date
CN110266674A (en)    2019-09-20
CN110266674B (en)    2022-08-16

Family ID: 67917687

Country Status (1)

Country   Link
CN (1)    CN110266674B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112822146A (en) * 2019-11-18 2021-05-18 中国电信股份有限公司 Network connection monitoring method, device, system and computer readable storage medium
CN116419230A (en) * 2022-01-05 2023-07-11 西安西电捷通无线网络通信股份有限公司 Network access method and device
CN115086422B (en) * 2022-06-29 2024-04-26 北京金山云网络技术有限公司 Server access method, device, storage medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004318663A (en) * 2003-04-18 2004-11-11 Shimizu Corp Network management operation system
KR20070038618A (en) * 2005-10-06 2007-04-11 주식회사 케이티프리텔 Method and system for providing virtual private network services based on mobile communication and mobile terminal for the same
CN105101433A (en) * 2015-07-02 2015-11-25 深圳平安通信科技有限公司 Control server, hotspot resource sharing control method and system
CN106772525A (en) * 2016-12-30 2017-05-31 维坤智能科技(上海)有限公司 A kind of personnel positioning networking structure based on GPRS mobile terminals

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635759A (en) * 2009-08-26 2010-01-27 深圳华为通信技术有限公司 Method and device for realizing mobile terminal firewall
CN101980486A (en) * 2010-10-12 2011-02-23 北京星网锐捷网络技术有限公司 Address library data updating method and network equipment
CN103095778A (en) * 2011-11-07 2013-05-08 北京知道创宇信息技术有限公司 Web application firewall and web application safety protection method
US10038721B2 (en) * 2015-02-16 2018-07-31 International Business Machines Corporation Enabling an on-premises resource to be exposed to a public cloud application securely and seamlessly
CN108989352B (en) * 2018-09-03 2022-11-11 平安科技(深圳)有限公司 Firewall implementation method and device, computer equipment and storage medium

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant