CN110324282A - Load-balancing method and system for SSL/TLS visibility traffic - Google Patents
Load-balancing method and system for SSL/TLS visibility traffic
- Publication number: CN110324282A (application CN201810273821.0A)
- Authority: CN (China)
- Prior art keywords: equipment, flow, ssl, tls, node
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L: transmission of digital information)
- H04L63/0464: network security for confidential data exchange where the payload is protected by hop-by-hop encryption, i.e. an intermediate entity decrypts the information and re-encrypts it before forwarding it
- H04L63/1416: detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/166: implementing security features at the transport layer
- H04L63/168: implementing security features above the transport layer
- H04L67/10: protocols in which an application is distributed across nodes in the network
- H04L67/1001: accessing one among a plurality of replicated servers
- H04L67/1008: server selection for load balancing based on parameters of servers, e.g. available memory or workload
- H04L9/3247: cryptographic mechanisms for verifying identity or authority or for message authentication, involving digital signatures
- H04L9/3263: the same, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268: the same, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
The present invention relates to the field of data security and discloses a load-balancing method and system for SSL/TLS visibility traffic. In the method, all traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across the security devices straightforward, lets the security device analyse the traffic in context, greatly improves the accuracy of inspection, and additionally guarantees that the communication between client and server remains transparent.
Description
Technical field
The present invention relates to the field of data security, and in particular to a load-balancing technique for SSL/TLS visibility traffic.
Background technique
More and more applications and websites use SSL/TLS to protect the security of their business data, but attacks and viruses of every kind can equally hide under the privacy protection of SSL/TLS. Security inspection devices such as IPS, IDS or WAF are therefore helpless against SSL/TLS traffic and have a blind spot. Some security devices do offer an SSL/TLS proxy function, but the TLS protocol, asymmetric algorithms and symmetric algorithms are constantly being replaced by newer ones, and the bandwidth of SSL/TLS traffic keeps growing, so a security device that must both handle SSL/TLS and inspect traffic can do neither well, and the processing performance of the whole machine cannot keep up. There is therefore an urgent need for a technology and product that frees security devices from the burdensome SSL/TLS proxy task, provides SSL/TLS traffic visibility, and at the same time load-balances the visible traffic across multiple security devices, giving flexibility and mobility in deployment.
Summary of the invention
The purpose of the present invention is to provide a load-balancing method and system for SSL/TLS visibility traffic in which all traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across the security devices straightforward, lets the security device analyse the traffic in context, greatly improves the accuracy of inspection, and additionally guarantees that the communication between client and server remains transparent.
To solve the above problems, this application discloses a load-balancing method for SSL/TLS visibility traffic. The method is applied to an intermediate network node between a client and a server. The intermediate network node comprises a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1. The method comprises the following steps:
When the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices; security device M sends the inspected traffic to the second node device; the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection; security device M sends the inspected traffic to the first node device; the first node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
This application also discloses a load-balancing system for SSL/TLS visibility traffic. The system is connected between a client and a server and comprises a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1.
When the client sends SSL/TLS traffic to the server:
the first node device is used to decrypt the SSL/TLS traffic received from the client and to send the plaintext traffic to security device M for inspection, security device M being one of the N security devices;
security device M is used to inspect the plaintext traffic sent by the first node device and to send the inspected traffic to the second node device;
the second node device is used to re-encrypt the traffic inspected by security device M and to send the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client:
the second node device is further used to decrypt the SSL/TLS traffic returned from the server and to send the plaintext traffic to security device M for inspection;
security device M is further used to inspect the plaintext traffic sent by the second node device and to send the inspected traffic to the first node device;
the first node device is further used to re-encrypt the traffic inspected by security device M and to send the encrypted traffic to the client.
Compared with the prior art, the main differences and effects of the embodiments of the present invention are as follows:
All traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across the security devices straightforward, lets the security device analyse the traffic in context, greatly improves the accuracy of inspection, and additionally guarantees that the communication between client and server remains transparent.
Further, by selecting a suitable hash algorithm to determine the corresponding security device, it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
Further, before traffic is forwarded to a security device, the destination IP address of the traffic is not rewritten to the IP address of the security device. Instead, the traffic is forwarded by a layer-3 network device according to the IP address of the security device, or by a layer-2 network device according to the MAC address of the second node behind the security device. This guarantees that the communication between client and server remains transparent.
Description of the drawings
Fig. 1 is a flow diagram of a load-balancing method for SSL/TLS visibility traffic according to the first embodiment of the invention;
Fig. 2 is a structural diagram of a load-balancing system for SSL/TLS visibility traffic according to the second embodiment of the invention;
Fig. 3 is the topology diagram of the technical solution of the present invention;
Fig. 4 is the system framework diagram of the technical solution of the present invention;
Fig. 5 is the software flow chart of the technical solution of the present invention;
Fig. 6 is the sequence diagram of the technical solution of the present invention;
Fig. 7 is the topology diagram of a specific embodiment of the invention.
Detailed description of the embodiments
In the following description, many technical details are given so that the reader can better understand this application. Those of ordinary skill in the art will appreciate, however, that the technical solutions claimed in each claim of this application can be realised even without these technical details and with many variations and modifications of the embodiments described below.
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.
The first embodiment of the invention relates to a load-balancing method for SSL/TLS visibility traffic. Fig. 1 is the flow diagram of this method.
First, it should be explained that SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security.
The method is applied to an intermediate network node between a client and a server. The intermediate network node comprises a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1.
Specifically, as shown in Fig. 1, the load-balancing method for SSL/TLS visibility traffic comprises the following steps:
In step 101, when the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for inspection, security device M being one of the N security devices.
In this embodiment, the first node device sends the plaintext traffic to a security device for inspection, that is, it distributes the traffic to one of the N security devices; the distribution may follow a load-balancing algorithm of the prior art. For example, the least-loaded security device, or the one with the most remaining resources, may be selected among the N security devices and the plaintext traffic forwarded to it for processing. Load-balancing algorithms are a very mature technology in the prior art with many implementations, and are not described further here.
In the embodiments of the present invention, the client may be a mobile phone, tablet computer, laptop, dedicated terminal, etc., and the server may be any kind of server. The security device may be an IPS, IDS and/or WAF, etc.
Then, in step 102, security device M sends the inspected traffic to the second node device.
Then, in step 103, the second node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the server.
Then, in step 104, when the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for inspection.
Then, in step 105, security device M sends the inspected traffic to the first node device.
Then, in step 106, the first node device re-encrypts the traffic inspected by security device M and sends the encrypted traffic to the client.
The process then ends.
It should be noted that steps 101-103 realise the communication of SSL/TLS traffic from the client to the server. After receiving the client's SSL/TLS traffic, the server may return corresponding SSL/TLS traffic to the client; steps 104-106 show the communication of SSL/TLS traffic from the server to the client. That is, steps 101-106 realise the SSL/TLS traffic interaction from the client to the server and back from the server to the client.
In the technical solution of this application, all traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across the security devices straightforward, lets the security device analyse the traffic in context, greatly improves the accuracy of inspection, and additionally guarantees that the communication between client and server remains transparent.
It should be noted that in step 104, security device M is exactly the security device that the traffic passed through in step 101.
In this embodiment, preferably, both the first node device and the second node device establish and maintain the correspondence between each session and its security device, and both send all traffic belonging to the same session to the same security device for inspection according to that correspondence.
In ordinary load balancing of the prior art, after the load-balancing control device receives a packet, it may select the least-loaded actual processing server, or the one with the most remaining resources, and forward the packet to that server for processing. This application uses a different technical solution: the correspondence between each session and its security device is established and maintained on both node devices, and both node devices send all packets belonging to the same session to the same security device for inspection according to that correspondence, so that the security device can analyse the traffic in context, which greatly improves the accuracy of inspection.
One example of such a correspondence is that the node device is placed between the intranet and the extranet and computes a hash of the source address and destination address of each packet, and the corresponding security device is determined from the resulting hash value. By selecting a suitable hash algorithm, it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
Further, it is preferable that in step 101 and step 104, first node equipment and second node equipment to
When safety equipment M transmitted traffic, be forwarded according to the IP address of safety equipment M by three-layer network communication equipment or according to
The MAC Address of the rear end second node of the safety equipment M is forwarded by double layer network communication equipment.
In the prior art, in general load balancing, load balancing control equipment can be by the mesh of message after receiving message
IP address be revised as actual treatment server IP address, the server is then sent to by IP network.In this implementation
In mode, after node device receives message, before being transmitted to safety equipment, the purpose IP address of message is not revised as pacifying
The IP address of full equipment, but be forwarded according to the IP address of safety equipment by three-layer network communication equipment or according to described
The MAC Address of the rear end second node of safety equipment is forwarded by double layer network communication equipment.It can guarantee client in this way
It is communicated between end and server-side transparent.
In addition, before step 101, the method further comprises the following steps:
When the client initiates an SSL/TLS handshake with the server, the first node device communicates with the server and obtains and stores the server certificate;
the first node device forges a new certificate from the stored server certificate and signs the new certificate;
the first node device sends the signed new certificate to the client, and the SSL/TLS handshake continues.
In summary, the technical solution of this application can realise:
1. Interception and decryption of SSL/TLS traffic, with transparency between client and server.
2. Load balancing across the security devices that receive and inspect the SSL/TLS plaintext traffic, i.e. the SSL/TLS visibility traffic is distributed to different traffic-monitoring devices.
3. Monitoring of traffic to the extranet as well as traffic to the intranet, with load balancing of the visibility traffic achievable either at OSI layer 3 or at OSI layer 2.
The second embodiment of the invention relates to a load-balancing system for SSL/TLS visibility traffic. Fig. 2 is the structural diagram of this system.
Specifically, as shown in Fig. 2, the load-balancing system for SSL/TLS visibility traffic is connected between a client and a server and comprises a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1.
The N security devices are connected between the first node device and the second node device and are used to inspect the SSL/TLS traffic sent by the first node device and the second node device.
When the client sends SSL/TLS traffic to the server:
the first node device is used to decrypt the SSL/TLS traffic received from the client and to send the plaintext traffic to security device M for inspection, security device M being one of the N security devices;
In this embodiment, the first node device sends the plaintext traffic to a security device for inspection, that is, it distributes the traffic to one of the N security devices; the distribution may follow a load-balancing algorithm of the prior art. For example, the least-loaded security device, or the one with the most remaining resources, may be selected among the N security devices and the plaintext traffic forwarded to it for processing. Load-balancing algorithms are a very mature technology in the prior art with many implementations, and are not described further here.
security device M is used to inspect the plaintext traffic sent by the first node device and to send the inspected traffic to the second node device;
the second node device is used to re-encrypt the traffic inspected by security device M and to send the encrypted traffic to the server.
When the server returns SSL/TLS traffic to the client:
the second node device is further used to decrypt the SSL/TLS traffic returned from the server and to send the plaintext traffic to security device M for inspection;
security device M is further used to inspect the plaintext traffic sent by the second node device and to send the inspected traffic to the first node device;
the first node device is further used to re-encrypt the traffic inspected by security device M and to send the encrypted traffic to the client.
In this load-balancing system for SSL/TLS visibility traffic, all traffic belonging to the same session is sent to the same security device for inspection. This makes load balancing across the security devices straightforward, lets the security device analyse the traffic in context, greatly improves the accuracy of inspection, and additionally guarantees that the communication between client and server remains transparent.
Further, preferably, the first node device and the second node device are also used to establish and maintain the correspondence between each session and its security device, and to send all traffic belonging to the same session to the same security device for inspection according to that correspondence.
In ordinary load balancing of the prior art, after the load-balancing control device receives a packet, it may select the least-loaded actual processing server, or the one with the most remaining resources, and forward the packet to that server for processing. This application uses a different technical solution: the correspondence between each session and its security device is established and maintained on both node devices, and both node devices send all packets belonging to the same session to the same security device for inspection according to that correspondence, so that the security device can analyse the traffic in context, which greatly improves the accuracy of inspection.
One example of such a correspondence is that the node device is placed between the intranet and the extranet and computes a hash of the source address and destination address of each packet, and the corresponding security device is determined from the resulting hash value. By selecting a suitable hash algorithm, it is ensured both that the same session is handled by the same security device and that load balancing is achieved conveniently.
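The session-to-security-device correspondence described in both embodiments (a hash over the packet's endpoints selecting one of the N security devices, maintained independently on both node devices so that the request seen in step 101 and the reply seen in step 104 reach the same device M) can be modelled as follows. This is an added example and not code from the patent or its applicant. The patent does not name the hash algorithm; the example chooses rendezvous hashing and, as an assumption, hashes the (address, port) endpoints rather than the two IP addresses alone. Device names and sample addresses are constructed.

```python
"""Session affinity for a two-node SSL/TLS visibility deployment (added example)."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def session_key(flow):
    """Direction-independent session key.

    Sorting the two endpoints makes the client->server packet (seen by node
    device 1) and the server->client reply (seen by node device 2) produce the
    same key, so both nodes pick security device M without coordinating.
    Assumption: ports are included so separate connections between the same
    two hosts can be spread; hashing only the IP addresses, as the patent text
    describes, would keep them on one device.
    """
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    return tuple(sorted([a, b]))


def _score(device, key):
    """64-bit score of (device, session key) derived from SHA-256."""
    parts = [device] + [str(p) for endpoint in key for p in endpoint]
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_device(flow, devices):
    """Rendezvous (highest-random-weight) hashing over the security devices.

    Unlike `hash % N`, removing one device only moves the sessions that were
    pinned to it; every other session keeps its device.
    """
    if not devices:
        raise ValueError("no security device available for inspection")
    key = session_key(flow)
    return max(devices, key=lambda d: _score(d, key))


class NodeDevice:
    """A node device holding the session -> security device correspondence.

    A session is pinned on first sight, so an in-progress session stays on its
    device even if the pool changes; only new sessions see the new pool.
    """

    def __init__(self, name, devices):
        self.name = name
        self.devices = list(devices)
        self.table = {}

    def device_for(self, flow):
        key = session_key(flow)
        if key not in self.table:
            self.table[key] = pick_device(flow, self.devices)
        return self.table[key]


def both_directions_agree(node1, node2, flow):
    """Step 101 vs step 104: node 1 sees the request, node 2 sees the reply."""
    reply = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return node1.device_for(flow) == node2.device_for(reply)


def constructed_sessions(n):
    """Constructed sample: n distinct client sockets talking to one TLS server."""
    return [Flow("10.1.%d.%d" % (i // 256, i % 256), 40000 + i, "203.0.113.10", 443)
            for i in range(n)]


def distribution(devices, n_sessions):
    """How many of n constructed sessions land on each security device."""
    node = NodeDevice("node-1", devices)
    return Counter(node.device_for(f) for f in constructed_sessions(n_sessions))


def sessions_moved_on_removal(devices, removed, n_sessions):
    """Return (sessions whose device changed, sessions that were on `removed`)
    when `removed` leaves the pool; with rendezvous hashing the two are equal."""
    before = {f: pick_device(f, devices) for f in constructed_sessions(n_sessions)}
    remaining = [d for d in devices if d != removed]
    moved = sum(1 for f, d in before.items() if pick_device(f, remaining) != d)
    on_removed = sum(1 for d in before.values() if d == removed)
    return moved, on_removed


if __name__ == "__main__":
    pool = ["sec-1", "sec-2", "sec-3", "sec-4"]
    node1, node2 = NodeDevice("node-1", pool), NodeDevice("node-2", pool)
    req = Flow("10.1.0.5", 51234, "203.0.113.10", 443)
    print("same device both ways:", both_directions_agree(node1, node2, req))
    print("distribution:", dict(distribution(pool, 2000)))
    print("moved / on removed device:", sessions_moved_on_removal(pool, "sec-3", 2000))
```

The symmetric key is the part that matters for the patent's guarantee: if either node hashed the raw (source, destination) order, the reply would hash differently from the request and the two halves of a session would be inspected by different devices, losing the context the text relies on. The pinned table on each node additionally keeps an in-flight session on its device while the pool is being changed, so inspection state on device M is not lost mid-session.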
Further, preferably, when the first node device and the second node device forward traffic to security device M, the traffic is forwarded by a layer-3 network device according to the IP address of security device M, or by a layer-2 network device according to the MAC address of the second node behind security device M.
In ordinary load balancing of the prior art, after receiving a packet the load-balancing control device rewrites the packet's destination IP address to the IP address of the actual processing server and then sends the packet to that server over the IP network. In this embodiment, after a node device receives a packet and before it forwards the packet to a security device, the packet's destination IP address is not rewritten to the IP address of the security device; instead, the packet is forwarded by a layer-3 network device according to the IP address of the security device, or by a layer-2 network device according to the MAC address of the second node behind the security device. This guarantees that the communication between client and server remains transparent.
In addition, the load-balancing system for SSL/TLS visibility traffic may further comprise:
a certificate acquisition module, used to communicate with the server when the client initiates an SSL/TLS handshake with the server, and to obtain and store the server certificate;
a certificate forging module, used to forge a new certificate from the stored server certificate, sign the new certificate, and send the signed new certificate to the client.
This embodiment is the system embodiment corresponding to the first embodiment, and the two embodiments can be implemented in cooperation with each other. The technical details mentioned in the first embodiment remain valid in this embodiment and are not repeated here in order to reduce duplication. Correspondingly, the technical details mentioned in this embodiment also apply to the first embodiment.
A specific embodiment of this application is described below.
Existing servers and intermediate network devices all act in the role of SSL/TLS server, and this role is usually the destination node of the SSL/TLS traffic; the final SSL/TLS node accessed by the client and the client role form a one-to-one interaction.
The technical solution of this application is applied to a network node between the client and the server. It decrypts the SSL/TLS traffic to make it visible, is responsible for maintaining ciphertext communication with both the client and the server, and at the same time distributes the visible traffic evenly to the monitoring devices to achieve load balancing.
The topology of the technical solution is shown in Fig. 3: the monitoring devices are connected on the path over which the client communicates with the server, and comprise the first node device (APV device 1), the second node device (APV device 2) and N security devices.
The system framework of the technical solution is shown in Fig. 4.
The application can be divided into two large modules, the SSL monitor and the security-device load balancer, because the SSL/TLS protocol belongs to layer 5, the application layer, of the OSI model, whereas the load-balancing module operates mainly at layers 2, 3 and 4 of the network protocol stack. The starting module is the SSL/TLS monitoring module, and the load-balancing module is triggered once monitoring succeeds. From a functional point of view the SSL/TLS monitoring module can be further divided into a visibility-monitoring driver component and a certificate acquisition and certificate forging component; the driver component drives the certificate acquisition action and the certificate forging action. The SSL/TLS visibility driver component and the certificate acquisition component require the participation of the encryption module.
The software flow chart of the technical solution is shown in Fig. 5.
The sequence diagram of the technical solution is shown in Fig. 6: towards the client the present invention plays the server role, and towards the real server it plays the client role. The handshake messages in the figure are those of the standard SSL/TLS handshake protocol.
Fig. 7 is the topology of a specific embodiment of the application containing two security devices (that is, N is 2).
As shown in Fig. 7, the required equipment comprises:
Two APV2600 devices (16 GB memory, 6 network interfaces), namely the two devices in the middle of Fig. 7.
Two security devices (the main target devices of the APV devices' SSL monitoring and load-balancing service).
For ease of describing the process, the two APV devices in Fig. 7 are designated, from left to right, device A and device B.
Description of the SSL monitor function:
1. The administrator generates a public/private key pair and a root CA certificate containing the public key on device A.
2. The administrator ensures that the generated root CA certificate has been imported into the client's trusted root CA certificate store.
3. When the client initiates an SSL handshake, device A acts as an SSL client and communicates with the real server in order to obtain its server certificate.
4. Device A forges a certificate by the following steps: a. the public key and issuer in the acquired SSL certificate are replaced with the public key and issuer of the generated root CA certificate; b. the certificate is re-signed using the private key of the root CA certificate.
5. Device A sends the forged server certificate to the client, and the SSL handshake continues.
Description of the load-balancing function:
The specific data flow and function are described from the two directions of the traffic:
Traffic from the client to the server:
1. Device A decrypts the SSL traffic received from the client and sends the plaintext traffic to a security device for detection; which of the security devices it is distributed to is decided by the load-balancing algorithm.
2. Device B re-encrypts the traffic that was detected by the security device and sends the encrypted traffic to the server.
Traffic from the server to the client:
3. Device B decrypts the SSL traffic returned from the server and sends the plaintext traffic to a security device for detection; the security device is chosen as the one the traffic passed through in step 1.
4. Device A re-encrypts the traffic that was detected by the security device and sends the encrypted traffic to the client.
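As an added illustration (not code from the patent or from the APV product), the following Python model walks the four steps above and also realizes the per-session correspondence of claim 2 and the least-loaded choice of claim 5. The XOR "record encryption", device names, addresses and record keys are constructed stand-ins; the point is where the session table is consulted, not the cryptography.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (ip, port, ip, port), direction-independent

def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> FlowKey:
    """Session key shared by node A (client -> server) and node B (server -> client):
    the same 4-tuple in either direction maps to the same table entry."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return a + b if a <= b else b + a

def xor_seal(key: int, data: bytes) -> bytes:
    """Stand-in for SSL/TLS record encryption (XOR is its own inverse). NOT real
    TLS; it only marks where ciphertext and plaintext exist on the path."""
    return bytes(b ^ key for b in data)

@dataclass
class SecurityDevice:
    name: str
    load: int = 0                                    # sessions currently assigned
    seen: List[bytes] = field(default_factory=list)  # plaintext it has inspected

    def inspect(self, plaintext: bytes) -> bytes:
        self.seen.append(plaintext)
        return plaintext  # a real device would drop or modify flagged traffic

class VisibilityBalancer:
    """State shared by node A and node B: a session -> device table that pins a
    session to one device, plus least-loaded selection for new sessions."""

    def __init__(self, devices: List[SecurityDevice]):
        self.devices = devices
        self.affinity: Dict[FlowKey, SecurityDevice] = {}

    def device_for(self, key: FlowKey) -> SecurityDevice:
        dev = self.affinity.get(key)
        if dev is None:  # new session: the device with the lightest load
            dev = min(self.devices, key=lambda d: d.load)
            dev.load += 1
            self.affinity[key] = dev
        return dev

def forward(lb: VisibilityBalancer, pkt: FlowKey, key_in: int, key_out: int,
            ciphertext: bytes) -> Tuple[str, bytes]:
    """One direction of the path: decrypt with the record key of the side the
    traffic came from, inspect on the session's device, re-encrypt for the other."""
    plaintext = xor_seal(key_in, ciphertext)
    dev = lb.device_for(flow_key(*pkt))
    return dev.name, xor_seal(key_out, dev.inspect(plaintext))

def demo() -> dict:
    lb = VisibilityBalancer([SecurityDevice("SEC-1"), SecurityDevice("SEC-2")])
    ck, sk = 0x5A, 0xA5  # constructed client-side / server-side record keys
    s1 = ("10.0.0.5", 51000, "203.0.113.10", 443)  # constructed 4-tuples
    s2 = ("10.0.0.6", 51001, "203.0.113.10", 443)
    s3 = ("10.0.0.7", 51002, "203.0.113.11", 443)
    out = {}
    out["s1_fwd"], ct = forward(lb, s1, ck, sk, xor_seal(ck, b"GET / HTTP/1.1"))
    out["server_sees"] = xor_seal(sk, ct)  # node B re-encrypted it for the server
    out["s2_fwd"], _ = forward(lb, s2, ck, sk, xor_seal(ck, b"POST /login"))
    out["s3_fwd"], _ = forward(lb, s3, ck, sk, xor_seal(ck, b"GET /img"))
    rev = (s1[2], s1[3], s1[0], s1[1])  # server -> client reply, arrives at node B
    out["s1_rev"], ct = forward(lb, rev, sk, ck, xor_seal(sk, b"HTTP/1.1 200 OK"))
    out["client_sees"] = xor_seal(ck, ct)
    out["loads"] = {d.name: d.load for d in lb.devices}
    return out
```

Running `demo()` shows the third session landing on SEC-1 again (both devices are equally loaded and the first one wins the tie) and the reply of session 1 following its forward direction to SEC-1 rather than being re-balanced.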
Configuration example:
To facilitate adding the configuration, the two APV devices in Fig. 7 are designated, from left to right, Ingress (ingress node) and Egress (egress node). The concrete configuration is as follows:
Ingress (ingress node):
Network address and routing configuration:
1. Configure IP addresses on network interfaces port1 and port3
2. Set the default route
3. Configure policy routing
Load-balancing settings:
1. Set the forwarding mode
2. Configure the security devices that require load balancing
3. Configure the load-balancing algorithm
4. Configure the service type monitored for ingress traffic as SSL/TLS on port 443
5. Configure the association between ingress-traffic monitoring and the devices that require load balancing
SSL configuration:
1. Associate the SSL configuration with the monitored service
2. Enable the monitor function in the SSL configuration
3. Configure the signing CA certificate needed to forge certificates for the monitoring purpose, and start the SSL monitor function
Egress (egress node):
Network address and routing configuration:
1. Configure network addresses on network interfaces Port2 and Port4
2. Set the default route
3. Configure policy routing
Load-balancing configuration (load balancing towards the outbound gateway):
1. Set the forwarding mode
2. Configure the network next-hop routing device as the load-balancing device (a single next-hop gateway is used here; if there are multiple links, adding several similar configurations here also achieves load balancing across links). At the same time configure Keepdip, which guarantees that traffic passing through the Egress node keeps its destination IP and port unchanged
3. Configure the service port 8443 for monitoring plaintext traffic (this port must be consistent with the port used by the load-balanced security devices configured on the Ingress node)
4. Associate the monitored service with the load-balancing device
SSL settings:
1. Associate the SSL configuration with the monitored service
2. Enable the monitor function in the SSL configuration and start the SSL monitor function
It should be noted that each method embodiment of the present invention can be implemented in software, hardware, firmware, etc. Regardless of whether the present invention is implemented in software, hardware or firmware, the instruction code may be stored in any type of computer-accessible memory (for example permanent or rewritable, volatile or non-volatile, solid-state or non-solid-state, fixed or removable media, etc.). Likewise, the memory may be, for example, a programmable logic array (Programmable Array Logic, "PAL"), random access memory (Random Access Memory, "RAM"), programmable read-only memory (Programmable Read Only Memory, "PROM"), read-only memory (Read-Only Memory, "ROM"), electrically erasable programmable read-only memory (Electrically Erasable Programmable ROM, "EEPROM"), a magnetic disk, an optical disc, a digital versatile disc (Digital Versatile Disc, "DVD"), etc.
Each module mentioned in the system embodiments of the present invention is a logic module. Physically, a logic module may be one physical module, a part of one physical module, or a combination of several physical modules; the physical implementation of these logic modules is not itself the most important point, and it is the combination of the functions realized by these logic modules that is the key to solving the technical problem proposed by the present invention. In addition, in order to highlight the innovative part of the present invention, the device embodiments above do not introduce modules that are less closely related to solving the technical problem proposed by the present invention; this does not mean that the above device embodiments contain no other modules.
It should be noted that in the claims and description of this patent, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including one" does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Although the present invention has been shown and described with reference to certain preferred embodiments, those skilled in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the present invention.
Claims (10)
1. A load-balancing method for SSL/TLS visualization traffic, characterized in that the method is applied to an intermediate network node between a client and a server, the intermediate network node comprising a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1, and the method comprising the following steps:
when the client sends SSL/TLS traffic to the server, the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for detection, security device M being one of the N security devices; security device M sends the detected traffic to the second node device; the second node device re-encrypts the traffic detected by security device M and sends the encrypted traffic to the server;
when the server returns SSL/TLS traffic to the client, the second node device decrypts the SSL/TLS traffic returned from the server and sends the plaintext traffic to security device M for detection; security device M sends the detected traffic to the first node device; the first node device re-encrypts the traffic detected by security device M and sends the encrypted traffic to the client.
2. The load-balancing method for SSL/TLS visualization traffic according to claim 1, characterized in that it further comprises the following step:
the first node device and the second node device both establish and maintain a correspondence between each session and a security device, so that the first node device and the second node device send all traffic of the same session to the same security device for detection according to that correspondence.
3. The load-balancing method for SSL/TLS visualization traffic according to claim 1 or 2, characterized in that when the first node device and the second node device send traffic to security device M, the traffic is forwarded through a layer-3 network communication device according to the IP address of security device M, or forwarded through a layer-2 network communication device according to the MAC address of the second node at the back end of security device M.
4. The load-balancing method for SSL/TLS visualization traffic according to claim 1, characterized in that, before the client sends SSL/TLS traffic to the server, it further comprises the following steps:
when the client initiates an SSL/TLS handshake with the server, the first node device communicates with the server, and obtains and stores the server certificate;
the first node device forges a new certificate according to the stored server certificate and signs the new certificate;
the first node device sends the signed new certificate to the client, and the SSL/TLS handshake continues.
5. The load-balancing method for SSL/TLS visualization traffic according to claim 1, characterized in that in the step "the first node device decrypts the SSL/TLS traffic received from the client and sends the plaintext traffic to security device M for detection", security device M is the one of the N security devices with the lightest load or the most remaining resources.
6. A load-balancing system for SSL/TLS visualization traffic, characterized in that the system is connected between a client and a server, the system comprising a first node device, a second node device and N security devices, the first node device being connected to the second node device through the N security devices, where N is an integer greater than 1;
when the client sends SSL/TLS traffic to the server,
the first node device is configured to decrypt the SSL/TLS traffic received from the client and send the plaintext traffic to security device M for detection, security device M being one of the N security devices;
security device M is configured to detect the plaintext traffic sent by the first node device and send the detected traffic to the second node device;
the second node device is configured to re-encrypt the traffic detected by security device M and send the encrypted traffic to the server;
when the server returns SSL/TLS traffic to the client,
the second node device is further configured to decrypt the SSL/TLS traffic returned from the server and send the plaintext traffic to security device M for detection;
security device M is further configured to detect the plaintext traffic sent by the second node device and send the detected traffic to the first node device;
the first node device is further configured to re-encrypt the traffic detected by security device M and send the encrypted traffic to the client.
7. The load-balancing system for SSL/TLS visualization traffic according to claim 6, characterized in that the first node device and the second node device are further configured to establish and maintain a correspondence between each session and a security device, and to send all traffic of the same session to the same security device for detection according to that correspondence.
8. The load-balancing system for SSL/TLS visualization traffic according to claim 6 or 7, characterized in that when the first node device and the second node device send traffic to security device M, the traffic is forwarded through a layer-3 network communication device according to the IP address of security device M, or forwarded through a layer-2 network communication device according to the MAC address of the second node at the back end of security device M.
9. The load-balancing system for SSL/TLS visualization traffic according to claim 6, characterized in that it further comprises:
a certificate-acquisition module, configured to communicate with the server when the client initiates an SSL/TLS handshake with the server, and to obtain and store the server certificate;
a certificate-forging module, configured to forge a new certificate according to the stored server certificate, sign the new certificate, and send the signed new certificate to the client.
10. The load-balancing system for SSL/TLS visualization traffic according to claim 6, characterized in that when the client sends SSL/TLS traffic to the server, security device M is the one of the N security devices with the lightest load or the most remaining resources.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810273821.0A CN110324282A (en) | 2018-03-29 | 2018-03-29 | The load-balancing method and its system of SSL/TLS visualization flow |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110324282A true CN110324282A (en) | 2019-10-11 |
Family
ID=68111083
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810273821.0A Pending CN110324282A (en) | 2018-03-29 | 2018-03-29 | The load-balancing method and its system of SSL/TLS visualization flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110324282A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112738217A (en) * | 2020-12-28 | 2021-04-30 | 中国建设银行股份有限公司 | Secure interaction system and method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101141243A (en) * | 2006-09-08 | 2008-03-12 | 飞塔信息科技(北京)有限公司 | Device and method for carrying out security check and content filtering on communication data |
CN101621509A (en) * | 2009-07-31 | 2010-01-06 | 浪潮电子信息产业股份有限公司 | Design architecture and method for secure load balancing by utilizing SSL communication protocol |
CN102316094A (en) * | 2010-06-30 | 2012-01-11 | 丛林网络公司 | The many service VPN networking clients that are used for mobile device with integrated acceleration |
CN103188074A (en) * | 2011-12-28 | 2013-07-03 | 上海格尔软件股份有限公司 | Proxy method for improving SSL algorithm intensity of browser |
CN103731482A (en) * | 2013-12-24 | 2014-04-16 | 浪潮电子信息产业股份有限公司 | Cluster load balancing system and achieving method thereof |
CN106789542A (en) * | 2017-03-03 | 2017-05-31 | 清华大学 | A kind of implementation method of cloud data center security service chain |
Events: 2018-03-29 CN CN201810273821.0A patent/CN110324282A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10735511B2 (en) | Device and related method for dynamic traffic mirroring | |
US20200007568A1 (en) | Extracting Encryption Metadata and Terminating Malicious Connections Using Machine Learning | |
US9961103B2 (en) | Intercepting, decrypting and inspecting traffic over an encrypted channel | |
US9813447B2 (en) | Device and related method for establishing network policy based on applications | |
US9130826B2 (en) | System and related method for network monitoring and control based on applications | |
US9256636B2 (en) | Device and related method for application identification | |
US9736112B2 (en) | Context-aware network and situation management for crypto-partitioned networks | |
CN112333143B (en) | Granularity offloading of proxied secure sessions | |
US9230213B2 (en) | Device and related method for scoring applications running on a network | |
CN109067803A (en) | A kind of SSL/TLS encryption and decryption communication means, device and equipment | |
US20140280887A1 (en) | A device and related method for dynamic traffic mirroring policy | |
US10291600B2 (en) | Synchronizing secure session keys | |
US10505984B2 (en) | Exchange of control information between secure socket layer gateways | |
Frahim et al. | Cisco ASA: all-in-one firewall, IPS, and VPN adaptive security appliance | |
EP3499908B1 (en) | A device and method for the determination of applications running on a network | |
Tennekoon et al. | Prototype implementation of fast and secure traceability service over public networks | |
Frahim et al. | Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services | |
US10015208B2 (en) | Single proxies in secure communication using service function chaining | |
US10601788B2 (en) | Interception of secure shell communication sessions | |
Liyanage et al. | Secure hierarchical VPLS architecture for provider provisioned networks | |
CN110324282A (en) | The load-balancing method and its system of SSL/TLS visualization flow | |
Liu | Next generation SSH2 implementation: securing data in motion | |
Parenreng | Network Security Analysis Based on Internet Protocol Security Using Virtual Private Network (VPN) | |
US20200259863A1 (en) | Security socket layer decryption method for security | |
Cherukuri et al. | Integrity of IoT network flow records in encrypted traffic analytics |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century Applicant after: Beijing Huayao Technology Co.,Ltd. Address before: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century Applicant before: ARRAY NETWORKS, Inc. |
|
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20191011 |