CN110324282A - Load-balancing method and system for SSL/TLS visibility traffic - Google Patents


Info

Publication number: CN110324282A
Authority: CN (China)
Prior art keywords: equipment, flow, ssl, tls, node
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201810273821.0A
Other languages: Chinese (zh)
Inventors: 吴东升, 刘勤, 贝少峰
Current assignee: Huayao (China) Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huayao (China) Technology Co Ltd
Application filed by Huayao (China) Technology Co Ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0464 using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
            • H04L 63/14 for detecting or protecting against malicious traffic
              • H04L 63/1408 by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
            • H04L 63/16 Implementing security features at a particular protocol layer
              • H04L 63/166 at the transport layer
              • H04L 63/168 above the transport layer
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                • H04L 67/1001 for accessing one among a plurality of replicated servers
                  • H04L 67/1004 Server selection for load balancing
                    • H04L 67/1008 based on parameters of servers, e.g. available memory or workload
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3247 involving digital signatures
              • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L 9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The present invention relates to the field of data security and discloses a load-balancing method and system for SSL/TLS visibility traffic. In the method, all traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across security devices convenient, lets each security device analyse traffic in the context of its session, which substantially improves the accuracy of detection, and in addition keeps the communication between client and server transparent.

Description

Load-balancing method and system for SSL/TLS visibility traffic
Technical field
The present invention relates to the field of data security, in particular to a load-balancing technique for SSL/TLS visibility traffic.
Background art
More and more applications and websites use SSL/TLS encryption to protect the security of their business data. Attacks and viruses of every kind can equally hide under the privacy protection of SSL/TLS, leaving security inspection devices such as IPS, IDS or WAF unable to act on SSL/TLS traffic and creating a blind spot. Some security devices do have an SSL/TLS proxy function, but the TLS protocol, asymmetric algorithms and symmetric algorithms are constantly being replaced by newer ones and SSL/TLS traffic bandwidth keeps growing, so a security device that performs SSL/TLS handling and traffic inspection at the same time cannot attend to both, and the processing performance of the whole machine struggles to cope. There is therefore an urgent need for a technology and product that frees security devices from the burdensome SSL/TLS proxy task, provides SSL/TLS traffic visibility, and at the same time load-balances the visible traffic across multiple security devices, giving flexibility and mobility in deployment.
Summary of the invention
The purpose of the present invention is to provide a load-balancing method and system for SSL/TLS visibility traffic in which all traffic of the same session is sent to the same security device for inspection, so that load balancing across security devices is achieved conveniently, each security device can analyse traffic in the context of its session, the accuracy of detection is substantially increased, and the communication between client and server remains transparent.
To solve the above problems, this application discloses a load-balancing method for SSL/TLS visibility traffic. The method is applied at an intermediate network node between a client and a server. The intermediate network node comprises a first node device, a second node device and N security devices; the first node device is connected to the second node device through the N security devices, where N is an integer greater than 1. The method comprises the following steps:
When the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices; security device M sends the inspected traffic to the second node device; the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection; security device M sends the inspected traffic to the first node device; the first node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
This application also discloses a load-balancing system for SSL/TLS visibility traffic. The system is connected between a client and a server and comprises a first node device, a second node device and N security devices; the first node device is connected to the second node device through the N security devices, where N is an integer greater than 1.
When the client sends SSL/TLS traffic to the server:
the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices;
security device M inspects the plaintext traffic sent by the first node device and sends the inspected traffic to the second node device;
the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client:
the second node device also decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection;
security device M also inspects the plaintext traffic sent by the second node device and sends the inspected traffic to the first node device;
the first node device also re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
Compared with the prior art, the main differences and effects of the embodiments of the present invention are as follows:
All traffic of the same session is sent to the same security device for inspection. Load balancing across security devices is achieved conveniently, each security device can analyse traffic in the context of its session, the accuracy of detection is substantially increased, and the communication between client and server remains transparent.
Further, by selecting a suitable hash algorithm to determine the corresponding security device, it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
Further, before traffic is forwarded to a security device, the destination IP address of the traffic is not rewritten to the IP address of the security device. Instead, the traffic is forwarded through layer-3 network equipment according to the IP address of the security device, or through layer-2 network equipment according to the MAC address of the second node device behind the security device. This keeps the communication between client and server transparent.
Brief description of the drawings
Fig. 1 is a flow diagram of the load-balancing method for SSL/TLS visibility traffic in the first embodiment of the invention;
Fig. 2 is a structural diagram of the load-balancing system for SSL/TLS visibility traffic in the second embodiment of the invention;
Fig. 3 is the topology diagram of the technical solution of the present invention;
Fig. 4 is the system architecture diagram of the technical solution of the present invention;
Fig. 5 is the software flow chart of the technical solution of the present invention;
Fig. 6 is the sequence diagram of the technical solution of the present invention;
Fig. 7 is the topology diagram of a specific embodiment of the invention.
Specific embodiments
In the following description, many technical details are set out so that the reader can better understand this application. A person of ordinary skill in the art will appreciate, however, that the technical solution claimed in each claim of this application can also be realised without these technical details and with many variations and modifications of the embodiments below.
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in further detail below with reference to the accompanying drawings.
The first embodiment of the invention relates to a load-balancing method for SSL/TLS visibility traffic. Fig. 1 is the flow diagram of this load-balancing method.
First, it should be explained that SSL refers to Secure Sockets Layer and TLS refers to Transport Layer Security.
The method is applied at an intermediate network node between a client and a server. The intermediate network node comprises a first node device, a second node device and N security devices; the first node device is connected to the second node device through the N security devices, where N is an integer greater than 1.
Specifically, as shown in Fig. 1, the load-balancing method for SSL/TLS visibility traffic comprises the following steps:
In step 101, when the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices.
In this embodiment, the first node device sends the plaintext traffic to one of the N security devices for inspection; the basis for the distribution can be a load-balancing algorithm of the prior art. For example, the security device with the lightest load or the most remaining resources among the N security devices can be selected, and the plaintext traffic forwarded to that security device for processing. Load-balancing algorithms are mature technology in the prior art with many different implementations, and are not described further here.
In embodiments of the present invention, the client can be a mobile phone, tablet computer, laptop, dedicated terminal or the like, and the server can be any kind of server. The security device can be an IPS, IDS and/or WAF or the like.
Then, in step 102, security device M sends the inspected traffic to the second node device.
Then, in step 103, the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
Then, in step 104, when the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection.
Then, in step 105, security device M sends the inspected traffic to the first node device.
Then, in step 106, the first node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
The process then ends.
It should be noted that steps 101 to 103 realise the communication of SSL/TLS traffic from the client to the server. After receiving the client's SSL/TLS traffic, the server can return corresponding SSL/TLS traffic to the client; steps 104 to 106 show the communication of SSL/TLS traffic from the server to the client. That is, steps 101 to 106 realise the SSL/TLS traffic interaction from the client to the server and back from the server to the client.
In the technical solution of this application, all traffic of the same session is sent to the same security device for inspection. Load balancing across security devices is achieved conveniently, the security device can analyse traffic in the context of its session, the accuracy of detection is substantially increased, and the communication between client and server remains transparent.
It should be noted that in step 104, security device M is exactly the security device that the traffic passed through in step 101.
In this embodiment, preferably, both the first node device and the second node device establish and maintain the correspondence between each session and its security device, so that both node devices can send all traffic of the same session to the same security device for inspection according to that correspondence.
In general load balancing of the prior art, when the load-balancing control device receives a packet it selects, among the actual processing servers, the one with the lightest load or the most remaining resources and forwards the packet to that server for processing. This application uses a different technical solution: the correspondence between each session and its security device is established and maintained on both node devices, and both node devices send all packets of the same session to the same security device for inspection according to that correspondence. That security device can then analyse the traffic in the context of its session, which substantially increases the accuracy of inspection.
One example of the correspondence is as follows: the node device is placed between the intranet and the external network; it performs a hash operation over the source address and destination address of the packet and determines the corresponding security device from the resulting hash value. By selecting a suitable hash algorithm it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
Further, preferably, when the first node device and the second node device forward traffic to security device M in steps 101 and 104, the traffic is forwarded through layer-3 network equipment according to the IP address of security device M, or through layer-2 network equipment according to the MAC address of the second node device behind security device M.
In general load balancing of the prior art, after receiving a packet the load-balancing control device rewrites the packet's destination IP address to the IP address of the actual processing server and then sends it to that server over the IP network. In this embodiment, after a node device receives a packet and before forwarding it to a security device, the packet's destination IP address is not rewritten to the IP address of the security device; instead the packet is forwarded through layer-3 network equipment according to the IP address of the security device, or through layer-2 network equipment according to the MAC address of the second node device behind the security device. This keeps the communication between client and server transparent.
In addition, before step 101, the method further comprises the following steps:
When the client initiates an SSL/TLS handshake with the server, the first node device communicates with the server and obtains and stores the server certificate;
the first node device forges a new certificate based on the stored server certificate and signs the new certificate;
the first node device sends the signed new certificate to the client, and the SSL/TLS handshake continues.
In summary, the technical solution of this application can realise:
1. Interception and decryption of SSL/TLS traffic while remaining transparent between client and server.
2. Load balancing of the security devices that receive and inspect SSL/TLS plaintext traffic, with the SSL/TLS visibility traffic delivered to different traffic monitoring devices.
3. Monitoring of traffic accessing the external network as well as traffic accessing the intranet, with load balancing of the visibility traffic achievable either at OSI layer 3 or at OSI layer 2.
The second embodiment of the invention relates to a load-balancing system for SSL/TLS visibility traffic. Fig. 2 is the structural diagram of this load-balancing system.
Specifically, as shown in Fig. 2, the load-balancing system for SSL/TLS visibility traffic is connected between a client and a server and comprises a first node device, a second node device and N security devices; the first node device is connected to the second node device through the N security devices, where N is an integer greater than 1.
The N security devices are connected between the first node device and the second node device and inspect the SSL/TLS traffic sent by the first node device and the second node device.
When the client sends SSL/TLS traffic to the server:
the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices;
In this embodiment, the first node device sends the plaintext traffic to one of the N security devices for inspection; the basis for the distribution can be a load-balancing algorithm of the prior art. For example, the security device with the lightest load or the most remaining resources among the N security devices can be selected, and the plaintext traffic forwarded to that security device for processing. Load-balancing algorithms are mature technology in the prior art with many different implementations, and are not described further here.
security device M inspects the plaintext traffic sent by the first node device and sends the inspected traffic to the second node device;
the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client:
the second node device also decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection;
security device M also inspects the plaintext traffic sent by the second node device and sends the inspected traffic to the first node device;
the first node device also re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
In the load-balancing system for SSL/TLS visibility traffic, all traffic of the same session is sent to the same security device for inspection. Load balancing across security devices is achieved conveniently, the security device can analyse traffic in the context of its session, the accuracy of detection is substantially increased, and the communication between client and server remains transparent.
Further, preferably, the first node device and the second node device also establish and maintain the correspondence between each session and its security device, and send all traffic of the same session to the same security device for inspection according to that correspondence.
In general load balancing of the prior art, when the load-balancing control device receives a packet it selects, among the actual processing servers, the one with the lightest load or the most remaining resources and forwards the packet to that server for processing. This application uses a different technical solution: the correspondence between each session and its security device is established and maintained on both node devices, and both node devices send all packets of the same session to the same security device for inspection according to that correspondence. That security device can then analyse the traffic in the context of its session, which substantially increases the accuracy of inspection.
One example of the correspondence is as follows: the node device is placed between the intranet and the external network; it performs a hash operation over the source address and destination address of the packet and determines the corresponding security device from the resulting hash value. By selecting a suitable hash algorithm it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
Further, preferably, when the first node device and the second node device forward traffic to security device M, the traffic is forwarded through layer-3 network equipment according to the IP address of security device M, or through layer-2 network equipment according to the MAC address of the second node device behind security device M.
In general load balancing of the prior art, after receiving a packet the load-balancing control device rewrites the packet's destination IP address to the IP address of the actual processing server and then sends it to that server over the IP network. In this embodiment, after a node device receives a packet and before forwarding it to a security device, the packet's destination IP address is not rewritten to the IP address of the security device; instead the packet is forwarded through layer-3 network equipment according to the IP address of the security device, or through layer-2 network equipment according to the MAC address of the second node device behind the security device. This keeps the communication between client and server transparent.
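The session-affinity hash and the forwarding rule described in this embodiment and in the first embodiment, as a simulation in Python. This is an added example and not code from the patent or from the APV product; the SHA-256-modulo-N hash, the device names, the IP and MAC addresses and the sample flow are constructed assumptions. It also shows the caveat the patent's "suitable hash algorithm" implies: the key must be order-independent, or the return direction handled by the second node device may hash to a different security device.

```python
"""Simulated dispatch logic of the two node devices: session-to-security-device
affinity via an order-independent hash, plus forwarding that leaves the original
destination IP untouched (layer-3 next hop or layer-2 rear-node MAC).
Added example; not code from the patent or the APV product."""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityDevice:
    name: str
    ip: str             # next hop in layer-3 mode
    rear_node_mac: str  # MAC of the node-device port behind this device (layer-2 mode)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dst_mac: str = "00:00:00:00:00:00"
    next_hop: Optional[str] = None


Endpoint = Tuple[str, int]
SessionKey = Tuple[Endpoint, Endpoint]


def session_key(pkt: Packet) -> SessionKey:
    """Canonical key: sort the two endpoints so that the client->server packet
    (step 101) and the server->client packet (step 104) yield the same key."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (ends[0], ends[1])


def naive_key(pkt: Packet) -> Tuple[str, int, str, int]:
    """Direction-dependent key, shown only as the failure mode: the return path
    hashes differently and may land on another security device."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def select_device(key: object, devices: List[SecurityDevice]) -> SecurityDevice:
    """Map the key onto one of the N devices. The patent leaves the hash
    algorithm open; SHA-256 modulo N is this example's assumption."""
    digest = hashlib.sha256(repr(key).encode("utf-8")).digest()
    return devices[int.from_bytes(digest[:8], "big") % len(devices)]


class NodeDevice:
    """One of the two node devices (APV device 1 or 2 in the patent's topology)."""

    def __init__(self, name: str, devices: List[SecurityDevice], mode: str) -> None:
        assert mode in ("l2", "l3")
        self.name = name
        self.devices = devices
        self.mode = mode
        # The "correspondence between each session and its security device".
        self.table: Dict[SessionKey, SecurityDevice] = {}

    def dispatch(self, pkt: Packet) -> Tuple[Packet, SecurityDevice]:
        """Look up or choose the session's device and return the packet as handed
        to the network. dst_ip is never rewritten, so the path stays transparent."""
        key = session_key(pkt)
        dev = self.table.get(key)
        if dev is None:
            dev = select_device(key, self.devices)
            self.table[key] = dev
        if self.mode == "l3":
            # Layer 3: route via the device's IP as next hop; IP header unchanged.
            return replace(pkt, next_hop=dev.ip), dev
        # Layer 2: only the destination MAC changes, to the node port behind the
        # device, so the device sees the packet in-line.
        return replace(pkt, dst_mac=dev.rear_node_mac), dev


def demo(mode: str = "l3") -> Dict[str, object]:
    """Run one session both ways and report what an operator would verify."""
    # Constructed sample topology with N = 2 devices, as in Fig. 7.
    devices = [
        SecurityDevice("IPS-1", "10.0.1.11", "02:00:00:00:b1:01"),
        SecurityDevice("IPS-2", "10.0.1.12", "02:00:00:00:b1:02"),
    ]
    node_a = NodeDevice("A", devices, mode)  # client-side node device
    node_b = NodeDevice("B", devices, mode)  # server-side node device
    # Constructed sample flow: client 192.0.2.10 -> HTTPS server 198.51.100.20.
    request = Packet("192.0.2.10", 51234, "198.51.100.20", 443)
    response = Packet("198.51.100.20", 443, "192.0.2.10", 51234)
    out_a, dev_a = node_a.dispatch(request)   # step 101 at node A
    out_b, dev_b = node_b.dispatch(response)  # step 104 at node B
    return {
        "same_device": dev_a.name == dev_b.name,
        "request_dst_ip_kept": out_a.dst_ip == request.dst_ip,
        "response_dst_ip_kept": out_b.dst_ip == response.dst_ip,
        "naive_keys_differ": naive_key(request) != naive_key(response),
        "request_out": out_a,
        "response_out": out_b,
    }
```

Both node devices keep their own copy of the session table and still agree, because the device choice is a pure function of the canonical key rather than of which node saw the session first.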
In addition, the load-balancing system for SSL/TLS visibility traffic can further comprise:
a certificate acquisition module, which, when the client initiates an SSL/TLS handshake with the server, communicates with the server and obtains and stores the server certificate;
a certificate forging module, which forges a new certificate based on the stored server certificate, signs the new certificate and sends the signed new certificate to the client.
This embodiment is the system embodiment corresponding to the first embodiment and can be implemented in cooperation with it. The technical details given in the first embodiment remain valid in this embodiment and, to reduce repetition, are not repeated here. Correspondingly, the technical details given in this embodiment also apply to the first embodiment.
A specific embodiment of this application is illustrated below.
Existing servers or intermediate network devices all act in the role of the SSL/TLS server, and that role is usually the destination node of the SSL/TLS traffic; the final SSL/TLS traffic node and the client role that accesses it belong to a one-to-one interaction.
The technical solution of this application is applied at a network node between the client and the server. It decrypts SSL/TLS traffic to make it visible, is responsible for maintaining ciphertext communication with both the client and the server, and at the same time distributes the visible traffic evenly to monitoring devices to achieve load balancing.
The topology of the technical solution is shown in Fig. 3. The monitoring equipment is connected on the path between the client and the server and comprises a first node device (APV device 1), a second node device (APV device 2) and N security devices.
The system architecture of the technical solution is shown in Fig. 4.
The application can be divided into two major modules, the SSL monitor and the security-device load balancer, because the SSL/TLS protocol sits at the fifth layer, the application layer, of the OSI model, whereas the load-balancing module operates mainly at layers 2, 3 and 4 of the network protocol stack. The starting module is the SSL/TLS monitoring module; the load-balancing module is triggered after monitoring succeeds. From a functional perspective the SSL/TLS monitoring module can be further divided into a visibility-monitoring driver component, a certificate acquisition component and a certificate forging component; the driver component is responsible for driving the certificate acquisition action and the certificate forging action. The SSL/TLS visibility driver component and the certificate acquisition component require the participation of the encryption module.
The software flow chart of the technical solution is shown in Fig. 5.
The sequence diagram of the technical solution is shown in Fig. 6. Towards the client the present invention acts in the server role, and towards the real server it acts in the client role. The handshake messages in the figure are those of the standard SSL/TLS handshake protocol.
Figure 7 is the topology of a specific embodiment of the application that includes two security devices (that is, N = 2).
As shown in Figure 7, the required equipment includes:
two APV2600 devices (16 GB memory, 6 network interfaces), namely the two devices in the middle of Figure 7;
two security devices (the main target devices of the SSL monitoring and load-balancing service of the APV devices).
For ease of description, the two APV devices in Figure 7 are named, from left to right, device A and device B.
Description of the SSL monitoring function:
1. The administrator generates a public/private key pair and a root CA certificate containing the public key on device A.
2. The administrator ensures that the generated root CA certificate has been imported into the client's trusted root CA certificate store.
3. When the client initiates an SSL handshake, device A acts as an SSL client and communicates with the real server to obtain its server certificate.
4. Device A simulates the certificate by the following steps: a. the public key and issuer in the obtained SSL certificate are replaced with the public key and issuer of the generated root CA certificate; b. the certificate is re-signed with the private key of the root CA certificate.
5. Device A sends the simulated server certificate to the client, and the SSL handshake continues.
Description of the load-balancing function:
The specific data flow and function are described from the two directions of the traffic:
Traffic from the client to the server:
1. Device A decrypts the SSL traffic received from the client and sends the plaintext traffic to a security device for inspection; which of the security devices it is distributed to is decided by the load-balancing algorithm.
2. Device B re-encrypts the traffic that was inspected by the security device and sends the encrypted traffic to the server.
Traffic from the server to the client:
3. Device B decrypts the SSL traffic returned from the server and sends the plaintext traffic to a security device for inspection; the security device chosen is the one the traffic passed through in step 1.
4. Device A re-encrypts the traffic that was inspected by the security device and sends the encrypted traffic to the client.
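The four steps above, together with the per-session affinity and the least-loaded selection that claims 2 and 5 of this patent describe, as an added Python example. It is not code from the patent or from the APV devices: the names SecurityDevice, SessionTable, InspectionChain and run_demo, the capacities, the 4-tuples and the byte strings are all constructed for the illustration, and toy_seal() is an XOR stand-in for the TLS record layer, not encryption. What it shows is the one point the text leaves implicit: device A and device B must share a single session table keyed so that the client-to-server and server-to-client tuples of one session resolve to the same security device, otherwise the return path in step 3 cannot find the device used in step 1.

```python
"""Added illustration (not the patent's own code): a session table shared by
device A (ingress) and device B (egress) so both traffic directions of one
client session are inspected by the same security device, with new sessions
assigned to the device that has the most remaining capacity."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class SecurityDevice:
    """One of the N inspection devices between device A and device B (hypothetical)."""
    name: str
    capacity: int                       # concurrent sessions it can inspect
    sessions: int = 0
    seen: List[Tuple[str, bytes]] = field(default_factory=list)

    @property
    def remaining(self) -> int:
        return self.capacity - self.sessions

    def inspect(self, direction: str, plaintext: bytes) -> bytes:
        # Placeholder inspection: record the plaintext and pass it through unchanged.
        self.seen.append((direction, plaintext))
        return plaintext


class SessionTable:
    """Session -> security-device affinity kept by both node devices (claim 2)."""

    def __init__(self, devices: List[SecurityDevice]) -> None:
        self.devices = {d.name: d for d in devices}
        self.affinity: Dict[FlowKey, str] = {}

    @staticmethod
    def canonical(key: FlowKey) -> FlowKey:
        # Sort the two endpoints so the client->server and server->client
        # tuples of one session produce the same lookup key.
        lo, hi = sorted([(key[0], key[1]), (key[2], key[3])])
        return (lo[0], lo[1], hi[0], hi[1])

    def pick(self, key: FlowKey) -> SecurityDevice:
        k = self.canonical(key)
        if k not in self.affinity:
            # New session: the device with the most remaining capacity
            # (the "least loaded / most remaining resources" rule of claim 5).
            dev = max(self.devices.values(), key=lambda d: d.remaining)
            if dev.remaining <= 0:
                raise RuntimeError("no security device has spare capacity")
            dev.sessions += 1
            self.affinity[k] = dev.name
        return self.devices[self.affinity[k]]

    def close(self, key: FlowKey) -> None:
        name = self.affinity.pop(self.canonical(key), None)
        if name is not None:
            self.devices[name].sessions -= 1


def toy_seal(key: bytes, data: bytes) -> bytes:
    """XOR keystream standing in for the TLS record layer. Not encryption; it
    only makes the decrypt / inspect / re-encrypt hops visible. Self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class InspectionChain:
    """Device A (client-facing), N security devices, device B (server-facing)."""

    def __init__(self, devices: List[SecurityDevice], client_key: bytes, server_key: bytes) -> None:
        self.table = SessionTable(devices)
        self.client_key = client_key   # stand-in for the session key device A shares with the client
        self.server_key = server_key   # stand-in for the session key device B shares with the real server

    def client_to_server(self, key: FlowKey, record: bytes) -> Tuple[str, int, bytes]:
        plain = toy_seal(self.client_key, record)                 # step 1: device A decrypts
        inspected = self.table.pick(key).inspect("c2s", plain)    # least-loaded device on first packet
        # step 2: device B re-encrypts; original destination IP/port is preserved
        # (the Keepdip behaviour the configuration example relies on).
        return key[2], key[3], toy_seal(self.server_key, inspected)

    def server_to_client(self, key: FlowKey, record: bytes) -> Tuple[str, int, bytes]:
        plain = toy_seal(self.server_key, record)                 # step 3: device B decrypts
        inspected = self.table.pick(key).inspect("s2c", plain)    # same session -> same device
        return key[2], key[3], toy_seal(self.client_key, inspected)  # step 4: device A re-encrypts


def run_demo() -> dict:
    """Two constructed client sessions to one server; returns the observable results."""
    devs = [SecurityDevice("sec1", capacity=2), SecurityDevice("sec2", capacity=2)]
    chain = InspectionChain(devs, client_key=b"\x11\x22", server_key=b"\x33\x44")
    s1 = ("10.0.0.5", 50001, "203.0.113.10", 443)   # constructed 4-tuples
    s2 = ("10.0.0.6", 50002, "203.0.113.10", 443)
    chain.client_to_server(s1, toy_seal(b"\x11\x22", b"GET /a"))
    chain.client_to_server(s2, toy_seal(b"\x11\x22", b"GET /b"))
    # The server's reply for session 1 arrives with the tuple reversed.
    dst_ip, dst_port, rec = chain.server_to_client(
        ("203.0.113.10", 443, "10.0.0.5", 50001), toy_seal(b"\x33\x44", b"200 OK a"))
    return {
        "s1_device": chain.table.pick(s1).name,
        "s2_device": chain.table.pick(s2).name,
        "sec1_seen": list(devs[0].seen),
        "sec2_seen": list(devs[1].seen),
        "reply_to": (dst_ip, dst_port),
        "reply_plain": toy_seal(b"\x11\x22", rec),
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the table would be replicated between the two APV devices (or both would derive the device from the same deterministic hash of the canonical tuple), and the capacity counter would be replaced by the load figure the chosen load-balancing algorithm actually measures; the canonicalisation of the 4-tuple is the part that does not change.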
Configuration example:
For ease of adding the configuration, the two APV devices in Figure 7 are named, from left to right, Ingress (ingress node) and Egress (egress node); the specific configuration is as follows:
Ingress (ingress node):
Network address and routing configuration:
1. Configure IP addresses on network interfaces port1 and port3
2. Set the default route
3. Set policy routes
Load-balancing settings:
1. Set the forwarding mode
2. Configure the security devices that need load balancing
3. Configure the load-balancing algorithm
4. Configure the service type monitored for ingress traffic as SSL/TLS on port 443
5. Configure the association between ingress traffic monitoring and the devices that need load balancing
SSL configuration:
1. Associate the SSL configuration with the monitored service
2. The monitoring function in the SSL configuration
3. Configure the signing CA certificate that is needed to forge certificates for monitoring purposes, and start the SSL monitoring function
Egress (egress node):
Network address and routing configuration:
1. Configure the network addresses of network interfaces Port2 and Port4
2. Set the default route
3. Configure policy routes
Load-balancing configuration (load balancing toward the outbound gateway):
1. Set the forwarding mode
2. Configure the next-hop routing device of the network as the load-balancing device (a single next-hop gateway is used here as an example; if there are multiple links, configuring several similar entries here achieves link load balancing as well); at the same time configure Keepdip so that traffic passing through the Egress node keeps its destination IP and port unchanged
3. Configure service port 8443 for monitoring the plaintext traffic (this port must match the port used on the Ingress node when configuring the security devices that need load balancing)
4. Associate the monitored service with the load-balancing device
SSL settings:
1. Associate the SSL configuration with the monitored service
2. The monitoring function in the SSL configuration, and start the SSL monitoring function
It should be noted that each method embodiment of the present invention may be implemented in software, hardware, firmware, etc. Regardless of whether the present invention is implemented in software, hardware or firmware, the instruction code may be stored in any type of computer-accessible memory (for example permanent or modifiable, volatile or non-volatile, solid-state or non-solid-state, fixed or replaceable media, etc.). Likewise, the memory may be, for example, programmable array logic (PAL), random access memory (RAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), a magnetic disk, an optical disc, a digital versatile disc (DVD), etc.
Each module mentioned in each system embodiment of the present invention is a logical module. Physically, a logical module may be one physical module, may be part of one physical module, or may be implemented by a combination of several physical modules; the physical implementation of these logical modules is not itself the most important point, and it is the combination of the functions these logical modules realize that solves the technical problem proposed by the present invention. In addition, in order to highlight the innovative part of the present invention, the above equipment embodiments do not introduce modules that are less closely related to solving the technical problem proposed by the present invention; this does not mean that the above equipment embodiments have no other modules.
It should be noted that in the claims and description of this patent, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including one" does not exclude the presence of additional identical elements in the process, method, article or device that includes that element.
Although the present invention has been shown and described with reference to certain preferred embodiments, those skilled in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the present invention.

Claims (10)

1. A load-balancing method for SSL/TLS traffic visualization, characterized in that the method is applied at an intermediate network node between a client and a server, the intermediate network node comprising a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1; the method comprises the following steps:
when the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to a security device M for inspection, the security device M being one of the N security devices; the security device M sends the inspected traffic to the second node device; the second node device re-encrypts the traffic inspected by the security device M and sends the encrypted traffic to the server;
when the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to the security device M for inspection; the security device M sends the inspected traffic to the first node device; the first node device re-encrypts the traffic inspected by the security device M and sends the encrypted traffic to the client.
2. The load-balancing method for SSL/TLS traffic visualization according to claim 1, characterized in that it further comprises the following step:
the first node device and the second node device both establish and maintain a correspondence between each session and a security device, so that the first node device and the second node device can send all traffic of the same session to the same security device for inspection according to that correspondence.
3. The load-balancing method for SSL/TLS traffic visualization according to claim 1 or 2, characterized in that, when the first node device and the second node device send traffic to the security device M, the traffic is forwarded through a layer-3 network communication device according to the IP address of the security device M, or forwarded through a layer-2 network communication device according to the MAC address of the security device M or of the back-end second node.
4. The load-balancing method for SSL/TLS traffic visualization according to claim 1, characterized in that, before the client sends SSL/TLS traffic to the server, the method further comprises the following steps:
when the client initiates an SSL/TLS handshake with the server, the first node device communicates with the server and obtains and stores the server certificate;
the first node device forges a new certificate based on the stored server certificate and signs the new certificate;
the first node device sends the signed new certificate to the client, and the SSL/TLS handshake continues.
5. The load-balancing method for SSL/TLS traffic visualization according to claim 1, characterized in that, in the step "the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to a security device M for inspection", the security device M is the one among the N security devices that is least loaded or has the most remaining resources.
6. A load-balancing system for SSL/TLS traffic visualization, characterized in that the system is connected between a client and a server, the system comprising a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1,
when the client sends SSL/TLS traffic to the server,
the first node device is configured to decrypt the SSL/TLS traffic received from the client and send the plaintext traffic to a security device M for inspection, the security device M being one of the N security devices;
the security device M is configured to inspect the plaintext traffic sent by the first node device and send the inspected traffic to the second node device;
the second node device is configured to re-encrypt the traffic inspected by the security device M and send the encrypted traffic to the server;
when the server returns SSL/TLS traffic to the client,
the second node device is further configured to decrypt the SSL/TLS traffic returned from the server and send the plaintext traffic to the security device M for inspection;
the security device M is further configured to inspect the plaintext traffic sent by the second node device and send the inspected traffic to the first node device;
the first node device is further configured to re-encrypt the traffic inspected by the security device M and send the encrypted traffic to the client.
7. The load-balancing system for SSL/TLS traffic visualization according to claim 6, characterized in that the first node device and the second node device are further configured to establish and maintain a correspondence between each session and a security device, and to send all traffic of the same session to the same security device for inspection according to that correspondence.
8. The load-balancing system for SSL/TLS traffic visualization according to claim 6 or 7, characterized in that, when the first node device and the second node device send traffic to the security device M, the traffic is forwarded through a layer-3 network communication device according to the IP address of the security device M, or forwarded through a layer-2 network communication device according to the MAC address of the security device M or of the back-end second node.
9. The load-balancing system for SSL/TLS traffic visualization according to claim 6, characterized in that it further comprises:
a certificate acquisition module, configured to, when the client initiates an SSL/TLS handshake with the server, communicate with the server and obtain and store the server certificate;
a certificate forging module, configured to forge a new certificate based on the stored server certificate, sign the new certificate, and send the signed new certificate to the client.
10. The load-balancing system for SSL/TLS traffic visualization according to claim 6, characterized in that, when the client sends SSL/TLS traffic to the server, the security device M is the one among the N security devices that is least loaded or has the most remaining resources.
CN201810273821.0A 2018-03-29 2018-03-29 The load-balancing method and its system of SSL/TLS visualization flow Pending CN110324282A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810273821.0A CN110324282A (en) 2018-03-29 2018-03-29 The load-balancing method and its system of SSL/TLS visualization flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810273821.0A CN110324282A (en) 2018-03-29 2018-03-29 The load-balancing method and its system of SSL/TLS visualization flow

Publications (1)

Publication Number Publication Date
CN110324282A true CN110324282A (en) 2019-10-11

Family

ID=68111083

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810273821.0A Pending CN110324282A (en) 2018-03-29 2018-03-29 The load-balancing method and its system of SSL/TLS visualization flow

Country Status (1)

Country Link
CN (1) CN110324282A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738217A (en) * 2020-12-28 2021-04-30 中国建设银行股份有限公司 Secure interaction system and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141243A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Device and method for carrying out security check and content filtering on communication data
CN101621509A (en) * 2009-07-31 2010-01-06 浪潮电子信息产业股份有限公司 Design architecture and method for secure load balancing by utilizing SSL communication protocol
CN102316094A (en) * 2010-06-30 2012-01-11 丛林网络公司 The many service VPN networking clients that are used for mobile device with integrated acceleration
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser
CN103731482A (en) * 2013-12-24 2014-04-16 浪潮电子信息产业股份有限公司 Cluster load balancing system and achieving method thereof
CN106789542A (en) * 2017-03-03 2017-05-31 清华大学 A kind of implementation method of cloud data center security service chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Applicant after: Beijing Huayao Technology Co.,Ltd.

Address before: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Applicant before: ARRAY NETWORKS, Inc.

RJ01 Rejection of invention patent application after publication

Application publication date: 20191011