CN110855634A - Cross-network switching service system and method based on secure network - Google Patents


Publication number: CN110855634A
Authority: CN (China)
Prior art keywords: data, transmitted, service module, legal, service
Legal status: Pending
Application number: CN201911019806.4A
Other languages: Chinese (zh)
Inventor: 文彬
Current Assignee: Beijing Telecom Easiness Information Technology Co Ltd
Original Assignee: Beijing Telecom Easiness Information Technology Co Ltd
Application filed by Beijing Telecom Easiness Information Technology Co Ltd
Priority to CN201911019806.4A
Publication of CN110855634A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2212/00 Encapsulation of packets

Abstract

The invention relates to the technical field of cross-network interaction, in particular to a cross-network exchange service system and method based on a secure network. The system comprises: a secondary security network end, used for packaging and encapsulating the data to be transmitted into an internal unified communication data format, verifying the legality of the data to be transmitted, storing legal data and its basic information, and sending a transmission data packet to a third-party exchange server; the third-party exchange server, used for receiving the transmission data packet and forwarding it to the secure network end; and the secure network end, used for extracting the data to be transmitted, verifying its legality, storing legal data and its basic information, and packaging the data to be transmitted into an internal unified communication data format. The invention sniffs and records the data stream through a network probe, analyzes data such as secret-related data, and provides real-time isolation, early warning and source tracing, thereby effectively improving the security of the network boundary and having wide application prospects.

Description

Cross-network switching service system and method based on secure network
Technical Field
The invention relates to the technical field of cross-network interaction, in particular to a cross-network exchange service system and a method based on a secure network.
Background
With the continuous development of the information society, computer network security receives more and more attention in every field. People increasingly care about both the fast transmission and the security of information; government organs in particular emphasize secure transmission, and even private enterprises have higher requirements on network security. In these industries, the security control of data and files is an important research direction. To improve government work efficiency, more and more manufacturers cooperate with the government to develop software. However, government-agency information of low sensitivity, such as news and notices, can only be accessed and viewed on the intranet, which reduces efficiency while ensuring security.
Of two networks, one requires higher security than the other, and the higher-security network is passive in cross-network transmission (it passively receives cross-network data and does not actively send it). The common technical scheme solves only the cross-network data exchange requirement at the security boundary, but introduces new problems such as a limit on the payload size of each exchange and support for only a single exchange mode, and it lacks active callback of exchange results and an API-service capability for supervising and controlling the cross-network exchange of data and files.
Most conventional cross-network exchange products are limited to data and file exchange capability at the security boundary, and many extensibility and integration functions are sacrificed to improve security, for example only HTTP is supported (single protocol support) and there is no secondary development or integration capability; the capability of supervising and controlling the data and files to be exchanged may also be lacking.
Therefore, a cross-network switching service system and method based on a secure network are urgently needed.
Disclosure of Invention
The invention provides a cross-network switching service system and method based on a secure network, so that data transmission between the secure network and a secondary secure network is more convenient.
In one aspect of the present invention, a cross-network switching service system based on a secure network is provided, including:
the secondary security network end is used for receiving data to be transmitted, packaging and encapsulating the data to be transmitted into an internal unified communication data format, and obtaining a transmission data packet; verifying the legality of the data to be transmitted, if the data to be transmitted passes the verification, determining the data to be transmitted as legal data, storing the legal data and basic information thereof, and sending a transmission data packet to a third party exchange server;
the third party exchange server is used for receiving the transmission data packet and forwarding the transmission data packet to the secure network end;
and the secure network end is used for receiving the transmission data packet, extracting the data to be transmitted, verifying the legality of the data to be transmitted, and if it passes the verification, storing the legal data and the basic information thereof and packaging the data to be transmitted into an internal unified communication data format.
Further, the secondary security network side includes:
the first business service module is used for receiving data to be transmitted, packaging and encapsulating the data to be transmitted into an internal unified communication data format, obtaining a transmission data packet and sending the transmission data packet to the first gateway service module;
the first gateway service module is used for sending the received transmission data packet to the first supervision service module;
the first supervision service module is used for receiving the transmission data packet, verifying the legality of the data to be transmitted, storing the legal data and the basic information thereof and sending the transmission data packet to the first exchange service module if the data to be transmitted is legal;
the first exchange service module is used for receiving the transmission data packet and sending the transmission data packet to a third party exchange service end;
the secure network side includes:
the second exchange service module is used for receiving the transmission data packet and sending the transmission data packet to the second supervision service module;
the second supervision service module is used for receiving the transmission data packet, extracting the data to be transmitted, verifying the legality of the data to be transmitted, and if it passes the verification, storing the legal data and its basic information and sending the legal data to the second gateway service module;
the second gateway service module is used for sending the received legal data to the second business service module;
and the second business service module is used for receiving the legal data, unpacking the legal data and packaging the legal data into an internal unified communication data format.
Further, the first business service module packages and encapsulates the data to be transmitted into any one of an XML format or a JSON format.
Further, the first supervision service module verifies the legality of the data to be transmitted by using any one of a digital signature technology and an open authorization technology.
Further, the basic information of the legal data includes the source, creation time and summary of the legal data.
In a second aspect of the present invention, there is provided a method for implementing a cross-network switching service based on a secure network based on the system as described above, including the following steps:
the method comprises the steps that a secondary security network end receives data to be transmitted, and packages and encapsulates the data to be transmitted into an internal unified communication data format to obtain a transmission data packet; verifying the legality of the data to be transmitted, if the data to be transmitted passes the verification, determining the data to be transmitted as legal data, storing the legal data and basic information thereof, and sending a transmission data packet to a third party exchange server;
the third party exchange server receives the transmission data packet and forwards the transmission data packet to the secure network end;
and the secure network end receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted, and if it passes the verification, treats it as legal data, stores the legal data and its basic information, and packages and encapsulates the data to be transmitted into an internal unified communication data format.
Further, the secondary security network end includes a first business service module, a first gateway service module, a first supervision service module and a first exchange service module, and the secure network end includes a second exchange service module, a second supervision service module, a second gateway service module and a second business service module, wherein:
the first business service module receives data to be transmitted, packages and encapsulates the data to be transmitted into an internal unified communication data format, obtains a transmission data packet and sends the transmission data packet to the first gateway service module;
the first gateway service module sends the received transmission data packet to the first supervision service module;
the first supervision service module receives the transmission data packet, verifies the legality of the data to be transmitted, and if it passes the verification, treats it as legal data, stores the legal data and its basic information and sends the transmission data packet to the first exchange service module;
the first exchange service module receives the transmission data packet and sends the transmission data packet to a third party exchange service end;
the second exchange service module receives the transmission data packet and sends the transmission data packet to the second supervision service module;
the second supervision service module receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted, and if it passes the verification, treats it as legal data, stores the legal data and its basic information and sends the legal data to the second gateway service module;
the second gateway service module sends the received legal data to a second business service module;
the second business service module receives the legal data, unpacks the legal data and packages the legal data into an internal unified communication data format.
Compared with the prior art, the cross-network switching service system and the method based on the secure network provided by the invention have the following advantages that:
the invention provides a synchronization framework supporting and realizing the exchange of data, files, websites and databases between a secure network and a secondary secure network; it sniffs and records data flows through network probes and analyzes dangerous and secret-related data to provide real-time isolation, early warning and source tracing, greatly improving the efficiency of security protection and reducing the consumption of manpower and material resources. Since a computer needs no rest, it works longer hours and does not tire, and all-round monitoring with no blind spots ensures security, thereby effectively improving the security of network boundaries; the invention therefore has wide application prospects.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a block diagram illustrating connection of devices in a cross-network switching service system over a secure network according to an embodiment of the present invention;
FIG. 2 is a flowchart of a cross-network switching service method based on a secure network according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
In this embodiment:
the secure network is defined as a network that: 1. has higher security than the other network; 2. is passive in cross-network transmission (it passively receives cross-network data and cannot actively send it); 3. has supervision and control capability over the cross-network transmission of data and files.
The secondary security network is defined as a network that: 1. has lower security requirements than the secure network; 2. has the capability of actively transmitting data and files across the network; 3. does not necessarily require supervision and control capability over the cross-network transmission of data and files.
The embodiment provides a cross-network switching service system and a method based on a secure network.
As shown in fig. 1, a cross-network switching service system based on a secure network according to the present embodiment includes:
the secondary security network end is used for receiving data to be transmitted, packaging and encapsulating the data to be transmitted into an internal unified communication data format, and obtaining a transmission data packet; verifying the legality of the data to be transmitted, if the data to be transmitted passes the verification, determining the data to be transmitted as legal data, storing the legal data and basic information thereof, and sending a transmission data packet to a third party exchange server;
the third party exchange server is used for receiving the transmission data packet and forwarding the transmission data packet to the secure network end;
and the secure network end is used for receiving the transmission data packet, extracting the data to be transmitted, verifying the legality of the data to be transmitted, and if it passes the verification, storing the legal data and the basic information thereof and packaging the data to be transmitted into an internal unified communication data format.
The cross-network exchange service system based on the secure network of this embodiment provides an exchange synchronization framework supporting and realizing the exchange of data, files, websites and databases between the secure network and a secondary secure network; it sniffs and records data flows through network probes and analyzes dangerous and secret-related data to provide real-time isolation, early warning and source tracing, greatly improving the efficiency of security protection and reducing the consumption of manpower and material resources. Since a computer needs no rest, it works longer hours and does not tire, and all-round monitoring with no blind spots ensures security, thereby effectively improving the security of network boundaries; the system therefore has wide application prospects.
As the core service module of the invention, it improves the original technical mode in the environment of a conventional security boundary system, building on the data exchange capability of the security boundary data exchange platform, thereby achieving higher efficiency and meeting the data handover requirements of modern system platforms and large-data-volume services.
For complex service data exchange, boundary data exchange is initiated using a plurality of distributed link queues, for example for structured and unstructured data synchronization, interfacing with a security isolation and data exchange system; for high-traffic audio/video and image services, dedicated multimedia security isolation equipment and a customized protocol service system are interfaced, supporting proprietary conversion of standard protocols, large-data-volume transmission and virus signature filtering; the scheme can apply more targeted security policy control to different data exchange channels, achieving higher efficiency and higher security.
The load saturation capacity of the boundary exchange service system is probed: before file exchange, signature data and small files are exchanged across networks to judge whether the boundary exchange service system is operating normally, reducing data loss caused by downtime when its bearing capacity is exceeded; on the other hand, the next received file is acknowledged through data exchange synchronization information.
As shown in fig. 1, in an implementation, the secondary security network side includes:
the first business service module is used for receiving data to be transmitted, packaging and encapsulating the data to be transmitted into an internal unified communication data format, obtaining a transmission data packet and sending the transmission data packet to the first gateway service module. For third-party business services, common and practical functions are packaged into independent business service modules, which simplifies the development and integration of other businesses of the same type and reduces integration difficulty and development cost. The first business service module may be a news information synchronization module (in which case the data to be transmitted is crawled web page content of a target news site, etc.), a database structured data synchronization module (in which case the data to be transmitted is structured data read on a predefined schedule for synchronization, etc.), a mailbox mail sending and receiving synchronization module, or another data module. The business service module is extensible and replaceable, can be deployed in any combination, is independent and decoupled as a whole, and does not affect the normal operation of other modules.
The first gateway service module is used for sending the received transmission data packet to the first supervision service module. The gateway service is a single access point that acts as a proxy for multiple services, supports all cross-service transformation, routing and common processing, and can also be connected directly to a third-party service module. The gateway service supports single-machine or distributed deployment, integrates load balancing (for example Nginx or Apache), and can be based on the main identity authentication modes such as HTTP Basic Authentication, Session Authentication, Token Authentication, JSON Web Token (JWT) Authentication and OAuth 2.0 Authentication. On the other hand, at registration the gateway service binds, based on the identity, a callback address (such as IP, port or domain name), a callback protocol (such as HTTP, HTTPS, RPC or WebSocket) and a data format (such as XML or JSON), which are used for two-way communication during the exchange process.
The first supervision service module is used for receiving the transmission data packet, verifying the legality of the data to be transmitted, and if the data is legal, storing the legal data and its basic information and sending the transmission data packet to the first exchange service module. In terms of security, the first supervision service module verifies the identity of the data source (based on common authentication services such as OAuth 2.0 (open authorization)) and signs the data (digital signatures, which use asymmetric key encryption and digital digest technology, such as RSA, ElGamal, Fiat-Shamir, Guillou-Quisquarter, Schnorr, Ong-Schnorr-Shamir digital signature algorithm, DES/DSA, elliptic curve digital signature algorithm, finite automaton digital signature algorithm, and the like). In terms of supervision, the first supervision service module records data and file information in detail: file attribute information such as data record size, whether archived to a file or a database, file record size, message digest (an algorithm such as MD5 or another hash), creation time, etc. Each record carries the corresponding authentication information, so the source is always traceable. On the management and control side, a sniffing scheme for data and files is not specifically defined in this embodiment, but any legal sniffing scheme is supported through an open interface design; two methods are provided on the interface: one passes in the data stream to be sniffed, the other returns the data stream after sniffing, and the communication protocol can be any mainstream data stream transport such as HTTP/HTTPS, RPC or WebSocket. During sniffing, if the data stream contains illegal or unsafe data, the relevant data is deleted, or the whole data stream is not returned and is treated as not passing, and the gateway service is called back to notify the corresponding service result.
The first exchange service module is used for receiving the transmission data packet and sending the transmission data packet to a third-party exchange service end. For complex service data exchange, boundary data exchange is initiated using a plurality of distributed link queues, for example for structured and unstructured data synchronization, interfacing with a security isolation and data exchange system; for high-traffic audio/video and image services, dedicated multimedia security isolation equipment and a customized protocol service system are interfaced, supporting proprietary conversion of standard protocols, large-data-volume transmission and virus signature filtering; more targeted security policy control can be applied to different data exchange channels, achieving higher efficiency and higher security. The load saturation capacity of the boundary exchange service system is probed: before file exchange, signature data and small files are exchanged across networks to judge whether the boundary exchange service system is operating normally, reducing data loss caused by downtime when its bearing capacity is exceeded; on the other hand, the next received file is acknowledged through data exchange synchronization information.
The secure network side includes:
the second exchange service module is used for receiving the transmission data packet and sending the transmission data packet to the second supervision service module;
the second supervision service module is used for receiving the transmission data packet, extracting the data to be transmitted, verifying the legality of the data to be transmitted, and if it passes the verification, storing the legal data and its basic information and sending the legal data to the second gateway service module;
the second gateway service module is used for sending the received legal data to the second business service module;
and the second business service module is used for receiving the legal data, unpacking the legal data and packaging the legal data into an internal unified communication data format.
The expressions "first" and "second" are only used to distinguish the modules in the secure network and the secondary secure network, and the functions are the same, and are not described again.
In a specific implementation, the first business service module packages and encapsulates the data to be transmitted into either an XML format or a JSON format. In actual use, the data to be transmitted can be packaged and encapsulated into other format types according to user requirements.
In specific implementation, the first supervision service module verifies the legality of the data to be transmitted by using any one of a digital signature technology and an open authorization technology.
In a specific implementation, the basic information of the legal data includes the source, creation time and summary of the legal data. In actual use, other information such as the size of the legal data can also be recorded according to user requirements.
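As an added illustration (not code from the patent or its assignee), the following Python models the supervision step described above for one packet: the business service wraps the data into the unified JSON format with source, creation time, digest and signature; the supervision service verifies signature and digest, runs the open sniffing hook, records the basic information of legal data (and the reason for any rejection), and the secure side unpacks the result. The asymmetric digital signature the patent lists is replaced by HMAC-SHA256 so the example runs with the standard library only; the key, the sniffing rule and the sample records are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed shared key for this example; the patent uses an asymmetric key pair.
SIGNING_KEY = b"example-key-do-not-use-in-production"
# Constructed sniffing rule: payloads carrying this marker are treated as unsafe.
SENSITIVE_MARKERS = ("TOP SECRET",)


def digest(payload: bytes) -> str:
    """Message digest stored as the 'summary' of a record (SHA-256 here)."""
    return hashlib.sha256(payload).hexdigest()


def sign(payload: bytes) -> str:
    """Stand-in for the digital signature: HMAC-SHA256 over the payload."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def business_service_pack(source: str, data: dict,
                          created: Optional[float] = None) -> dict:
    """First business service module: wrap data into the unified JSON
    format, producing a transmission data packet with its basic information."""
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return {
        "source": source,
        "created": created if created is not None else time.time(),
        "format": "JSON",
        "digest": digest(payload),
        "signature": sign(payload),
        "payload": payload.decode(),
    }


def sniff(stream: str) -> Optional[str]:
    """Open sniffing interface (assumed implementation): the stream is passed
    in and returned unchanged if clean, or None if the whole stream is rejected."""
    if any(marker in stream for marker in SENSITIVE_MARKERS):
        return None
    return stream


def supervision_verify(packet: dict, ledger: list,
                       sniffer: Callable[[str], Optional[str]] = sniff) -> bool:
    """Supervision service module: check signature and digest, sniff the
    payload, then record the basic information of legal data. Every outcome
    is appended to the ledger so the source stays traceable."""
    payload = packet["payload"].encode()
    if not hmac.compare_digest(sign(payload), packet["signature"]):
        ledger.append({"source": packet["source"], "result": "bad-signature"})
        return False
    if digest(payload) != packet["digest"]:
        ledger.append({"source": packet["source"], "result": "bad-digest"})
        return False
    if sniffer(packet["payload"]) is None:
        ledger.append({"source": packet["source"], "result": "rejected-by-sniff"})
        return False
    ledger.append({
        "source": packet["source"],      # source of the legal data
        "created": packet["created"],    # creation time
        "size": len(payload),            # data record size
        "summary": packet["digest"],     # message digest
        "result": "legal",
    })
    return True


def secure_side_unpack(packet: dict) -> dict:
    """Second business service module: extract the data to be transmitted."""
    return json.loads(packet["payload"])


def exchange(data: dict, source: str, ledger: list) -> Optional[dict]:
    """End-to-end flow: pack on the secondary side, verify there, forward
    through the (pass-through) third-party exchange server, verify again on
    the secure side, and unpack. Returns None when either side rejects."""
    packet = business_service_pack(source, data)
    if not supervision_verify(packet, ledger):
        return None
    forwarded = json.loads(json.dumps(packet))  # third-party server forwards as-is
    if not supervision_verify(forwarded, ledger):
        return None
    return secure_side_unpack(forwarded)
```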
Referring to fig. 2, a method for performing a cross-network switching service based on a secure network implemented by the system in the foregoing embodiment of the present embodiment includes the following steps:
s1, the secondary security network end receives data to be transmitted, and packages and encapsulates the data to be transmitted into an internal unified communication data format to obtain a transmission data packet; verifying the legality of the data to be transmitted, if the data to be transmitted passes the verification, determining the data to be transmitted as legal data, storing the legal data and basic information thereof, and sending a transmission data packet to a third party exchange server;
S2, the third-party exchange server receives the transmission data packet and forwards the transmission data packet to the secure network end;
and S3, the secure network end receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted, and if it passes the verification, treats it as legal data, stores the legal data and its basic information, and packages and encapsulates the data to be transmitted into an internal unified communication data format.
The cross-network exchange service method based on the secure network of this embodiment provides an exchange synchronization framework supporting and realizing the exchange of data, files, websites and databases between the secure network and a secondary secure network; it sniffs and records data flows through network probes and analyzes dangerous and secret-related data to provide real-time isolation, early warning and source tracing, greatly improving the efficiency of security protection and reducing the consumption of manpower and material resources. Since a computer needs no rest, it works longer hours and does not tire, and all-round monitoring with no blind spots ensures security, thereby effectively improving the security of network boundaries; the method therefore has wide application prospects.
In a specific implementation, the secondary security network end includes a first business service module, a first gateway service module, a first supervision service module and a first exchange service module, and the secure network end includes a second exchange service module, a second supervision service module, a second gateway service module and a second business service module, wherein:
the first business service module receives data to be transmitted, packages and encapsulates the data to be transmitted into an internal unified communication data format, obtains a transmission data packet and sends the transmission data packet to the first gateway service module;
the first gateway service module sends the received transmission data packet to the first supervision service module;
the first supervision service module receives the transmission data packet, verifies the legality of the data to be transmitted, and if it passes the verification, treats it as legal data, stores the legal data and its basic information and sends the transmission data packet to the first exchange service module;
the first exchange service module receives the transmission data packet and sends the transmission data packet to a third party exchange service end;
the second exchange service module receives the transmission data packet and sends the transmission data packet to the second supervision service module;
the second monitoring service module receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted, if the data to be transmitted passes the verification, the data to be transmitted is legal data, stores the legal data and the basic information of the legal data and sends the legal data to the second gateway service module;
the second gateway service module sends the received legal data to a second business service module;
the second business service module receives the legal data, unpacks the legal data and packages the legal data into an internal unified communication data format.
In specific implementation, the first business service module packages and encapsulates the data to be transmitted in either XML or JSON format.
In specific implementation, the first supervision service module verifies the legality of the data to be transmitted using either digital signatures or open authorization (OAuth).
In specific implementation, the basic information of the legal data includes its source, creation time and summary (digest).
The invention relates to a cross-network exchange service system and method based on a secure network; the specific working embodiment comprises the following four processes.
First, the active data exchange process. This process transmits data across networks from the secondary secure network to the secure network.
1. Secondary secure network, business service: as the initiator of the transmission, it packages and encapsulates the data into the internal unified communication data format (XML, JSON and the like) and sends the data received from the business server in the secondary secure network to the gateway service according to the gateway service's private interface protocol (HTTP, HTTPS, SOAP and the like). In the other direction, it receives and parses the response format called back by the gateway service according to the same protocol and extracts the business data from the callback.
2. Secondary secure network, gateway service: acts as request distributor and identity authenticator for the requests of multiple service consumers and providers, supports two-way communication, and ensures a stable service load and legal request sources.
(1) Once the gateway receives message data, all messages are processed uniformly on the basis of the gateway service's private interface protocol (which may be HTTP + JSON, HTTP + XML, SOAP or even raw TCP/UDP).
(2) Each message handled by the gateway is identified by its service identity, which determines whether it is destined for service provider A, B or C.
(3) Once a message is determined to be destined for a particular service provider, it is mapped to a network-addressable endpoint so that it can be forwarded to that provider and the response forwarded back.
(4) This part of the service is implemented on a load balancing module and an identity authentication module.
(5) The load balancing module lets the gateway service process message data on a single machine or concurrently across several machines; in the distributed case one service host is selected to be responsible for distributing the load, and the load balancing algorithm includes, but is not limited to, Random LoadBalance (random selection), RoundRobin LoadBalance (weighted round robin), LeastActive LoadBalance (fewest active calls) and ConsistentHash LoadBalance (consistent hashing).
(6) The identity authentication module verifies the legality of the message data sent by a service party. A traditional identity authentication architecture needs a large cluster to meet this requirement, whereas the invention supports a Serverless design and keeps the service stateless. For example, the authentication service is paired with JWT (JSON Web Token): the key authentication information (such as the service identity and the expiry time) is signed by the issuer and handed out as a token, and at authentication time the gateway verifies the token's signature and claims with the corresponding verification key (the public key of an asymmetric key pair, or the shared secret for an HMAC algorithm), so no session state needs to be stored on the gateway.
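The stateless gateway check described in step 2 (6), as an added example that is not part of the patent or any product it describes. It uses only the Python standard library, so the token is signed with HS256 (a secret shared between the authentication service and the gateway) rather than an asymmetric key; with RS256 or ES256 the issuer would sign with its private key and the gateway would verify with the public key. The secret, the claim names and the `issue_token`/`verify_token` functions are assumptions made for the demonstration.

```python
# Added example (not the patent's own code): stateless gateway authentication with a
# JWT. HS256 with a shared secret is used because the standard library has no RSA/ECDSA;
# the secret value, claim layout and function names are assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"example-shared-secret-replace-in-deployment"  # assumed key material
TOKEN_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()


def issue_token(service_identity: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Authentication service side: put the key authentication information (service
    identity, issue time, expiry) into the claims and sign header.claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": TOKEN_ALG, "typ": "JWT"}
    claims = {"sub": service_identity, "iat": now, "exp": now + ttl_seconds}
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = _sign(f"{h64}.{c64}".encode("ascii"))
    return f"{h64}.{c64}.{_b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Gateway side: verify the token without any stored session state.
    Returns the claims on success and None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        presented_sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm instead of trusting the header: a header claiming "none" or
    # another algorithm must not change how the gateway verifies.
    if not isinstance(header, dict) or header.get("alg") != TOKEN_ALG:
        return None
    expected_sig = _sign(f"{h64}.{c64}".encode("ascii"))
    if not hmac.compare_digest(expected_sig, presented_sig):  # constant-time compare
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None  # expired or malformed expiry
    if not isinstance(claims.get("sub"), str):
        return None  # every request must carry a service identity
    return claims
```

The gateway needs only the verification key and the current time, which is what makes the module stateless; rejecting tokens whose header names a different algorithm is what prevents an attacker from downgrading the check.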
3. Secondary secure network, supervision service: acts as the data signing, recording and security service party. It first computes a message digest of the data (the source lists MD5, SHA1, SHA256 and SHA512; MD5 and SHA-1 are no longer collision-resistant, so SHA-256 or stronger should be chosen in practice), which records the integrity and uniqueness of the data, and stores the data on record. If a data legality inspection service is attached, the legality of the data is inspected; legal data is sent on to the exchange service, otherwise the processing-result flow is entered and the result is called back to the gateway service, which issues a callback notification.
4. Secondary secure network, exchange service: acts as the pre-boundary business service. It receives the message data about to be sent through the security boundary, configures it according to the data format and size specified by the existing security boundary system, uniformly splits and compresses the received message data into one or more independent data packets, and prefixes the data stream of every packet with the following header protocol:
{service identity}-{complete data message digest}-{packet message digest}-{packet sequence number}-{packet total number}###
Each packet is then pushed into a data queue to wait for the security boundary to receive and process it.
5. Security boundary, data exchange: also called the network security boundary; it covers the concepts of information boundary protection, boundary protection technology, data exchange network technology and external interconnection of high-security networks. This part is implemented by a third-party product (the gatekeeper). The invention is built around that platform, which receives the data to be exchanged across the boundary, verifies the message data according to its configured modules and legality requirements, and exchanges it to the secure network on the other side of the gatekeeper.
6. Secure network, exchange service: acts as the post-boundary service. It receives every data packet from the security boundary, merges the scattered packets back into the complete message data on the basis of the unpacking and packet-header protocol, verifies the integrity of the data against each digest (per packet and for the complete message), adds the complete message to a data queue, and waits for the next service to receive and process it uniformly.
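The framing of steps 4 and 6, as an added example that is not code from the patent: the pre-boundary exchange service compresses a message, cuts it into packets and prefixes each with the quoted header, and the post-boundary exchange service reassembles the packets in any order and checks both the per-packet and the complete-message digests. The same pattern of identity, digest, sequence number and total is what the file exchange sections below place in package file names. SHA-256 as the digest, zlib as the compression, `###` as the terminator and the constructed sample message are all assumptions.

```python
# Added example (not the patent's own code): framing of one message into data packets
# by the pre-boundary exchange service and their reassembly and verification by the
# post-boundary exchange service, following the header protocol quoted in the text.
# Assumptions: SHA-256 as the digest, zlib as the compression, "###" as the header
# terminator, and a sample message constructed here for the demonstration.
import hashlib
import zlib
from typing import List, Optional, Tuple

HEADER_END = b"###"

# Constructed sample payload: pseudo-random bytes so zlib cannot shrink it and the
# split produces several packets.
SAMPLE_MESSAGE = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(40))


def digest(data: bytes) -> str:
    # SHA-256 is used here; MD5 and SHA-1 from the text's list are not collision-resistant.
    return hashlib.sha256(data).hexdigest()


def split_message(service_identity: str, message: bytes, max_chunk: int) -> List[bytes]:
    """Pre-boundary side: compress, cut into chunks and prefix every chunk with
    {identity}-{full digest}-{chunk digest}-{seq}-{total}###."""
    if max_chunk <= 0:
        raise ValueError("max_chunk must be positive")
    full_digest = digest(message)                     # digest of the original message
    body = zlib.compress(message)
    chunks = [body[i:i + max_chunk] for i in range(0, len(body), max_chunk)]
    total = len(chunks)
    packets = []
    for seq, chunk in enumerate(chunks, start=1):
        header = f"{service_identity}-{full_digest}-{digest(chunk)}-{seq}-{total}"
        packets.append(header.encode("ascii") + HEADER_END + chunk)
    return packets


def parse_packet(packet: bytes) -> Tuple[str, str, int, int, bytes]:
    """Post-boundary side: split off the header and check this packet's own digest."""
    head, sep, chunk = packet.partition(HEADER_END)
    if not sep:
        raise ValueError("missing header terminator")
    # rsplit from the right: the hex digests and counters contain no '-', so a
    # service identity that itself contains '-' still parses correctly.
    fields = head.decode("ascii").rsplit("-", 4)
    if len(fields) != 5:
        raise ValueError("malformed header")
    identity, full_digest, chunk_digest, seq, total = fields
    if digest(chunk) != chunk_digest:
        raise ValueError(f"packet {seq}/{total} digest mismatch")
    return identity, full_digest, int(seq), int(total), chunk


def reassemble(packets: List[bytes]) -> Tuple[str, bytes]:
    """Merge packets (in any order) back into the message and verify the full digest."""
    parsed = [parse_packet(p) for p in packets]
    if not parsed:
        raise ValueError("no packets")
    identity, full_digest, _, total, _ = parsed[0]
    if any((p[0], p[1], p[3]) != (identity, full_digest, total) for p in parsed):
        raise ValueError("packets belong to different messages")
    chunks = {p[2]: p[4] for p in parsed}
    if len(parsed) != total or sorted(chunks) != list(range(1, total + 1)):
        raise ValueError("missing or duplicate packet sequence numbers")
    message = zlib.decompress(b"".join(chunks[i] for i in range(1, total + 1)))
    if digest(message) != full_digest:
        raise ValueError("complete message digest mismatch")
    return identity, message


def try_reassemble(packets: List[bytes]) -> Tuple[Optional[Tuple[str, bytes]], Optional[str]]:
    """Wrapper returning (result, None) or (None, reason) so the queue consumer can
    record why a message was rejected instead of crashing."""
    try:
        return reassemble(packets), None
    except (ValueError, zlib.error) as exc:
        return None, str(exc)
```

A digest detects corruption and accidental mix-ups between messages, but not deliberate substitution by whoever controls the channel; the supervision services on both sides are what record which digests were admitted, and a digital signature (step 3's "signing") would be needed for the receiver to prove who produced the message.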
7. Secure network, supervision service: the counterpart of the secondary secure network supervision service. It verifies the message digest of the complete data taken from the exchange service's data queue (MD5, SHA1, SHA256, SHA512 and the like), records the integrity and uniqueness of the data, stores the data on record, and pushes the complete message data to the gateway service.
8. Secure network, gateway service: distributes the complete data to the corresponding business service receiver on the basis of the message identification already processed by the secondary secure network gateway service. Distribution has two modes. In the active push mode, the business service registered with the gateway service supplies a receiving address conforming to the gateway's private interface protocol and the gateway actively pushes the complete data to it. In the passive mode, the gateway temporarily stores the data and the registered business service actively pulls it according to the private interface protocol. The time for which the gateway service retains the temporarily stored data is configurable.
9. Secure network, business service: as the receiver of the transmission, it processes all message data uniformly on the basis of the gateway service's private interface protocol (HTTP + JSON, HTTP + XML, SOAP or even TCP/UDP), parses and receives the message data sent by the secondary secure network business service, and guarantees that the content and format of the message data are identical at sending and receiving. Alternatively it can use an active request mode, fetching a particular segment of message data from the gateway service's archived data and parsing and processing it according to the private interface protocol.
Second, the passive data exchange process. This process transmits data across networks from the secure network to the secondary secure network.
1. Secure network, business service: as the initiator of the transmission, it packages and encapsulates the data into the internal unified communication data format (XML, JSON and the like) and sends the data received from the business server in the secure network to the gateway service according to the gateway's private interface protocol (HTTP, HTTPS, SOAP and the like); in the other direction it receives and parses the response format called back by the gateway service and extracts the business data from the callback.
2. Secure network, gateway service: acts as request distributor and identity authenticator for the requests of multiple service consumers and providers, supports two-way communication, and ensures a stable service load and legal request sources.
(1) Once the gateway receives message data, all messages are processed uniformly on the basis of the private interface protocol (HTTP + JSON, HTTP + XML, SOAP or even raw TCP/UDP).
(2) Each message handled by the gateway is identified by its service identity to determine whether it is destined for service provider A, B or C.
(3) Once a message is determined to be destined for a particular provider, it is mapped to a network-addressable endpoint so that it can be forwarded to that provider and the response forwarded back.
(4) This part of the service is implemented on a load balancing module and an identity authentication module.
(5) The load balancing module supports single-machine or multi-machine distributed concurrent processing of message data; in the distributed case one service host is selected to distribute the load, using Random LoadBalance (random selection), RoundRobin LoadBalance (weighted round robin), LeastActive LoadBalance (fewest active calls), ConsistentHash LoadBalance (consistent hashing) or the like.
(6) The identity authentication module verifies the legality of the message data sent by a service party. Instead of the large cluster a traditional authentication architecture requires, the invention supports a Serverless, stateless design, for example a JWT (JSON Web Token) in which the key authentication information is signed by the authentication service and issued as a token, and the gateway verifies the token's signature and claims with the corresponding verification key at authentication time.
3. Secure network, supervision service: acts as the data signing, recording and security service party. It first computes a message digest of the data (MD5, SHA1, SHA256, SHA512 and the like), records the integrity and uniqueness of the data and stores the data on record. If a data legality inspection service is attached, the legality of the data is inspected; legal data is sent on to the exchange service, otherwise the processing-result flow is entered and the result is called back to the gateway service, which issues a callback notification.
4. Secure network, exchange service: acts as the pre-boundary business service. It receives the message data about to be sent through the security boundary, configures it according to the data format and size specified by the existing security boundary system, uniformly splits and compresses it into one or more independent data packets, and prefixes the data stream of every packet with the following header protocol:
{service identity}-{complete data message digest}-{packet message digest}-{packet sequence number}-{packet total number}###
Each packet is then pushed into a data queue to wait for the security boundary to receive and process it.
5. Security boundary, data exchange: the network security boundary, covering information boundary protection, boundary protection technology, data exchange network technology and external interconnection of high-security networks. This part is implemented by a third-party product (the gatekeeper), around which the invention is built; the platform receives the data to be exchanged across the boundary, verifies the message data according to its configured modules and legality requirements, and exchanges it to the secondary secure network on the other side of the gatekeeper.
6. Secondary secure network, exchange service: acts as the post-boundary service. It receives every data packet from the security boundary, merges the scattered packets back into the complete message data on the basis of the unpacking and packet-header protocol, verifies the integrity of the data against each digest, adds the complete message to a data queue, and waits for the next service to receive and process it uniformly.
(1) Because the security boundary is unidirectional and cannot actively transmit message data from the secure network to the secondary secure network, the invention has the request initiated by timed polling from the secondary secure network exchange service, which obtains the dequeued message data from the data queue of the secure network exchange service through the security boundary data exchange.
(2) Because the performance of the security boundary system is limited and overly frequent timed requests occupy and waste resources, the invention uses a low-frequency timed request mechanism by default; when the number of messages in the data queue of the secure network exchange service reaches 2 or more it automatically switches to a high-frequency timed request mechanism, and it returns to the low-frequency mechanism once the data queue has been drained.
(3) Because the performance configuration of the security boundary system differs between environments, the timing frequencies must be configured for the specific site environment and resource requirements.
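The two-speed polling of points (1) to (3), as an added example that is not code from the patent. A controller switches to the high-frequency interval when the secure-side queue reports 2 or more waiting messages and falls back once the queue is drained; a small discrete simulation shows the polls a burst of three messages produces. The interval values, the class and function names, and the way the remaining queue length is learned (returned with each dequeue) are assumptions; the text fixes only the threshold and leaves the frequencies to site configuration.

```python
# Added example (not the patent's own code): the timed-polling frequency switch of the
# secondary secure network exchange service, with a discrete simulation of the
# secure-side data queue. Interval values and names are assumptions; the text only
# fixes the "2 or more" threshold and leaves frequencies to site configuration.
from typing import List, Tuple

LOW_INTERVAL_S = 30.0   # assumed default low-frequency polling interval
HIGH_INTERVAL_S = 2.0   # assumed high-frequency polling interval
SWITCH_THRESHOLD = 2    # queue length at which the text switches to high frequency


class PollController:
    """Chooses the next polling interval from the remaining queue length that the
    secure-side exchange service reports with each dequeue response (assumed)."""

    def __init__(self, low: float = LOW_INTERVAL_S, high: float = HIGH_INTERVAL_S,
                 threshold: int = SWITCH_THRESHOLD):
        self.low, self.high, self.threshold = low, high, threshold
        self.mode = "low"

    def next_interval(self, remaining: int) -> float:
        if remaining >= self.threshold:
            self.mode = "high"            # backlog building up: poll fast
        elif remaining == 0:
            self.mode = "low"             # queue drained: back to low frequency
        # 0 < remaining < threshold keeps whatever mode is current
        return self.high if self.mode == "high" else self.low


def simulate_polling(arrival_times: List[float], horizon: float,
                     controller: PollController) -> List[Tuple[float, str, int]]:
    """Each poll crosses the boundary once, dequeues at most one message and learns
    the remaining queue length. Returns (poll_time, mode_after_poll, remaining)."""
    pending = sorted(arrival_times)       # enqueue times on the secure network side
    queue = 0
    now = 0.0
    log: List[Tuple[float, str, int]] = []
    while now <= horizon:
        while pending and pending[0] <= now:
            pending.pop(0)
            queue += 1
        if queue:
            queue -= 1                    # one message dequeued by this poll
        interval = controller.next_interval(queue)
        log.append((now, controller.mode, queue))
        now += interval
    return log
```

With messages arriving at 5, 6 and 7 seconds, the low-frequency poll at 30 seconds finds three messages, takes one and sees two remaining, so the next two polls come 2 seconds apart instead of 30; the queue is empty by 34 seconds and the controller is back at the low rate. Keeping the switch-back condition at "queue empty" rather than "below the threshold" avoids oscillating between modes while a backlog is still being worked off.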
7. Secondary secure network, supervision service: the counterpart of the secure network supervision service. It verifies the message digest of the complete data taken from the exchange service's data queue (MD5, SHA1, SHA256, SHA512 and the like), records the integrity and uniqueness of the data, stores the data on record, and pushes the complete message data to the gateway service.
8. Secondary secure network, gateway service: distributes the complete data to the corresponding business service receiver on the basis of the message identification already processed by the secure network gateway service. Distribution has two modes: in the active push mode the business service registered with the gateway supplies a receiving address conforming to the gateway's private interface protocol and the gateway pushes the complete data to it; in the passive mode the gateway temporarily stores the data and the registered business service pulls it according to the private interface protocol. The retention time of the temporarily stored data is configurable.
9. Secondary secure network, business service: as the receiver of the transmission, it processes all message data uniformly on the basis of the gateway's private interface protocol (HTTP + JSON, HTTP + XML, SOAP or even TCP/UDP), parses and receives the message data sent by the secure network business service, and guarantees that the content and format of the message data are identical at sending and receiving; alternatively, in active request mode, it fetches a segment of message data from the gateway's archived data and parses and processes it according to the private interface protocol.
Third, the active file exchange process. This process transmits files across networks from the secondary secure network to the secure network.
1. Secondary secure network, business service: as the file transmission initiator, it sends files received in the secondary secure network to the gateway service according to the gateway's private interface protocol (HTTP, HTTPS, SOAP and the like); in the other direction it receives and parses the response format called back by the gateway service and obtains the business data of the callback response.
2. Secondary secure network, gateway service: acts as request distributor and identity authenticator for the requests of multiple service consumers and providers, supports two-way communication, and ensures a stable service load and legal request sources.
(1) Once the gateway receives file data, all file data streams are processed uniformly on the basis of the private interface protocol (HTTP + JSON, HTTP + XML, SOAP or even TCP/UDP).
(2) Each file handled by the gateway is identified by its service identity to determine whether it is destined for service provider A, B or C.
(3) Once a file is determined to be destined for a particular service provider, it is mapped to a network-addressable endpoint so that the file processing result can be forwarded back to that provider.
(4) This part of the service is implemented on a load balancing module and an identity authentication module.
(5) The load balancing module lets the gateway process file data streams on a single machine or concurrently across several; in the distributed case one server is selected as the service host responsible for distributing file requests, using Random LoadBalance (random selection), RoundRobin LoadBalance (weighted round robin), LeastActive LoadBalance (fewest active calls), ConsistentHash LoadBalance (consistent hashing) or the like.
(6) The identity authentication module verifies the legality of the data sent by a service party. Instead of the large cluster a traditional authentication architecture requires, the invention supports a Serverless, stateless design, for example a JWT (JSON Web Token) in which the key authentication information is signed by the authentication service and issued as a token, and the gateway verifies the token's signature and claims with the corresponding verification key at authentication time.
3. Secondary secure network, supervision service: acts as the file signing, recording and security service party. It first computes a message digest of the file data (MD5, SHA1, SHA256, SHA512 and the like; MD5 and SHA-1 are no longer collision-resistant, so SHA-256 or stronger should be chosen in practice), records the integrity and uniqueness of the file data and stores the file on record. If a data legality inspection service is attached, the legality of the file data is inspected; legal files are sent on to the exchange service, otherwise the processing-result flow is entered and the result is called back to the gateway service, which issues a callback notification.
4. Secondary secure network, exchange service: acts as the pre-boundary service. It receives the file data to be sent through the security boundary, configures it according to the file size specified by the existing security boundary system, uniformly splits and compresses the received file data into one or more independent compressed file packages, and names each package according to the following protocol:
{service identity}-{file digest}-{package number}-{package total}-
Each compressed package is pushed into a file queue to wait for the security boundary to receive and process it. Unlike data exchange, file exchange is technically more involved, and the invention achieves automated synchronization by design:
(1) The mainstream file transfer protocols supported include, but are not limited to, HTTP, FTP, SFTP, NFS and SMB. Files are transferred over these protocols to the front (pre-exchange) storage of the security boundary system.
(2) The exchange request is initiated by the secondary secure network exchange service in accordance with the configuration of the security boundary system, which then carries out the file exchange processing.
(3) If the front storage of the security boundary system is saturated (the next file cannot be uploaded), automatic processing of the file queue is suspended and a timer is started that checks the state of the storage until there is room for the next queued file, after which processing resumes from step (1).
(4) If the front storage of the security boundary system can accept the next file, the file queue is processed automatically according to step (1).
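The suspend-and-resume behaviour of points (3) and (4), as an added example that is not code from the patent. A file queue is drained into a simulated front storage of the security boundary; when the next package does not fit, processing stops and a timer loop re-checks the storage until the boundary has exchanged enough files to make room, and a package larger than the whole storage is rejected rather than blocking the queue forever. The storage model (a byte capacity and a fixed amount exchanged per timer tick), the event names and the function names are assumptions.

```python
# Added example (not the patent's own code): automatic file-queue processing against
# the security boundary's front (pre-exchange) storage, suspending when the storage is
# saturated and resuming from a timer check once room is available. The storage model
# (byte capacity, fixed amount exchanged per timer tick) and all names are assumptions.
from collections import deque
from typing import Deque, List, Tuple


class FrontStorage:
    """Simulated front storage of the security boundary system."""

    def __init__(self, capacity: int, exchanged_per_tick: int):
        self.capacity = capacity
        self.exchanged_per_tick = exchanged_per_tick
        self.used = 0

    def has_room(self, size: int) -> bool:
        return self.used + size <= self.capacity

    def upload(self, size: int) -> None:
        if not self.has_room(size):
            raise RuntimeError("front storage saturated")
        self.used += size

    def tick(self) -> None:
        # The boundary system moves packages across, freeing front storage over time.
        self.used = max(0, self.used - self.exchanged_per_tick)


def process_file_queue(queue: Deque[Tuple[str, int]], storage: FrontStorage,
                       max_wait_ticks: int) -> List[Tuple[int, str, str]]:
    """Drain the file queue into front storage. Returns (tick, event, package name).
    Raises TimeoutError if the storage never frees enough room within max_wait_ticks."""
    log: List[Tuple[int, str, str]] = []
    tick = 0
    while queue:
        name, size = queue[0]
        if size > storage.capacity:
            # Can never fit, even into empty storage: drop it instead of blocking the queue.
            queue.popleft()
            log.append((tick, "rejected-too-large", name))
            continue
        if not storage.has_room(size):
            log.append((tick, "suspended", name))
            waited = 0
            while not storage.has_room(size):
                if waited >= max_wait_ticks:
                    raise TimeoutError(f"front storage still saturated after {waited} ticks")
                storage.tick()           # timer fires: re-check the storage state
                tick += 1
                waited += 1
            log.append((tick, "resumed", name))
        storage.upload(size)
        queue.popleft()
        log.append((tick, "uploaded", name))
    return log
```

Bounding the wait is the part the text leaves implicit: a boundary whose front storage never drains (a stalled gatekeeper, or a package the boundary refuses) would otherwise hold the entire file queue indefinitely, so the consumer should time out and raise an alarm through the supervision service rather than retry forever.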
5. Security boundary, file exchange: the network security boundary, covering information boundary protection, boundary protection technology, data exchange network technology and external interconnection of high-security networks. This part is implemented by a third-party product (the gatekeeper), around which the invention is built; the platform receives the files to be exchanged across the boundary, verifies the file data according to its configured modules and legality requirements, and exchanges the files to the secure network on the other side of the gatekeeper.
6. Secure network, exchange service: acts as the post-boundary service. It receives every compressed file package from the security boundary, merges the scattered packages back into the complete file on the basis of the package naming protocol, verifies the integrity of the file data against the digest carried in each package name, adds the complete file to a file queue, and waits for the next service to receive and process it uniformly.
7. Secure network, supervision service: the counterpart of the secondary secure network supervision service. It verifies the message digest (MD5, SHA1, SHA256, SHA512 and the like) of each complete file in the file queue of the secure network exchange service, records the integrity and uniqueness of the data, stores the files on record, and pushes the complete file data to the gateway service.
8. Secure network, gateway service: distributes the complete file data to the corresponding business service receiver on the basis of the file identification already processed by the secondary secure network gateway service. Distribution has two modes: in the active push mode the gateway pushes the complete file data to the address of the business service registered with it according to the gateway's private interface protocol (HTTP, SOAP, FTP, SFTP, SCP and the like); in the passive mode the gateway temporarily stores the file data and the registered business service pulls it according to the same protocol. The retention time of the temporarily stored file data is configurable.
9. Secure network, business service: as the file transmission receiver, it processes all file data uniformly on the basis of the gateway's private interface protocol (HTTP, SOAP, FTP, SFTP, SCP and the like), parses and receives the file data sent by the secondary secure network business service, and ensures that the content and format of the file data are consistent between sending and receiving; alternatively, in active request mode, it fetches from the gateway's archived data the set of files belonging to its own identity within a given time period and parses and processes them according to the private interface protocol.
And fourthly, passively exchanging the files. The process is characterized in that the files are transmitted from the secure network to the secondary secure network in a cross-network mode.
1. Secure network-traffic service: as a file transmission initiator, sending a file received under a secure network to a gateway service according to a private docking protocol (such as HTTP, HTTPS, SOAP and the like) of the gateway service; on the other hand, the service also receives and analyzes the data response format called back by the gateway service according to the private docking protocol of the gateway service, and obtains the service data of the call-back response.
2. Secure network-gateway service: the system is used as a request distribution and identity authentication party for processing requests of a plurality of service users and providers, supports two-way communication and ensures stable service load and legal request source.
(1) Once the gateway receives the file data, a uniform processing is performed on all file data streams based on the private docking protocol of the gateway service (which may be based on HTTP + JSON, HTTP + XML, SOAP, or even TCP/UDP, etc.).
(2) The file handled by the gateway is identified as a particular service identity to determine whether it is for service provider A, B or C.
(3) When a file is determined to be delivered to a particular service provider, it will be mapped to a network addressable endpoint so that the file processing results can be forwarded back to the service provider.
(4) The part of service is realized based on a load balancing module and an identity authentication module.
(5) The load balancing module supports the gateway service to process the file data stream in a single-machine or multi-machine distributed concurrent mode, when the distributed mode is adopted, one server needs to be selected to be used as a service host to be responsible for load distribution of the file request, and the adopted load balancing algorithm comprises but is not limited to: random LoadBalance (Random equalization algorithm); RoundRobin LoadBalance (weight round robin equalization algorithm), least active LoadBalance (least active call number equalization algorithm), constistenthash LoadBalance (consistent Hash equalization algorithm), and the like.
(6) And the identity authentication module is used for verifying the legality of the message data sent by the service party. In the traditional identity authentication architecture, a large-scale cluster is needed to meet the requirement, but the invention supports the adoption of a Serverless architecture design and ensures the stateless service. Such as: the authentication service is matched with JWT (JSON Web Token), some key information of authentication is encrypted and then changed into Token to be issued, and then, during authentication, a private key is used for decryption.
3. Secure network-policing service: as a file signing, recording and security service party, file data is firstly subjected to message digest signing (MD5, SHA1, SHA256, SHA512 and the like), the integrity and uniqueness of the file data are recorded, and the file is put into a storage and recorded. If the data validity sniffing service is connected, the file data validity is sniffed, and if the file data is legal, the file data validity is sent to the exchange service; if not, entering a processing result flow, and calling back the result information to the gateway service to initiate a call-back notification.
4. Secure network-exchange service: acts as the pre-service in front of the security boundary. It receives the file data to be sent through the security boundary, applies the file-size limit configured for the existing security boundary system, and uniformly splits and compresses the received message data into one or more independent compressed file packets, each named according to the protocol: {service identity}-{file information digest}-{packet number}-{packet total}. Each compressed packet is pushed onto a file queue and waits to be received and processed by the security boundary. Unlike data exchange, file exchange is technically complex; the design achieves automated synchronization as follows:
(1) The supported mainstream file transfer protocols include, but are not limited to, HTTP, FTP, SFTP, NFS and SMB. Over one of these protocols the packet is transferred to the front storage of the security boundary system.
(2) The exchange request is initiated by the 'secondary secure network-exchange service' according to the settings of the security boundary system, and the security boundary system performs the file exchange processing.
(3) If the front storage of the security boundary system is full (the next file cannot be uploaded), automatic processing of the file queue is suspended and a timer is started to check the storage state until the front storage has room for the next queued file; the flow of step (1) then resumes.
(4) If the front storage of the security boundary system can accept the next file, the file queue is processed automatically according to the flow of step (1).
5. Security boundary-file exchange: also called the network security boundary, this covers the security concepts of information boundary protection, boundary protection technology, data exchange network technology, external interconnection of high-density networks, and the like. This part is implemented by third-party services; the invention wraps it in an improved system platform that receives the files to be exchanged across the boundary, verifies the file data, and exchanges the files to the secure network on the other side of the gatekeeper according to the system's configured modules and legitimacy requirements.
6. Secondary secure network-exchange service: acts as the post-service behind the security boundary. It receives each compressed file packet from the security boundary, verifies the integrity of each packet, merges the scattered packets back into the complete file, verifies the restored file against the digest carried in the packet names, adds the complete file to a file queue, and waits for the next service to receive and process it uniformly.
(1) Because the security boundary is unidirectional and cannot actively push file data from the secure network to the secondary secure network, the design has the 'secondary secure network-exchange service' initiate the request by timed polling and fetch the dequeued file data from the file queue of the 'secure network-exchange service' through the 'security boundary-file exchange'.
(2) Because the security boundary system has limited performance and excessively frequent timed requests occupy and waste its resources, a low-frequency timed request mechanism is used by default; when the number of message items in the data queue of the 'secure network-exchange service' is 2 or more, the service automatically switches to a high-frequency timed request mechanism, and returns to the low-frequency mechanism once the data queue has been drained.
(3) Because the performance configuration of the security boundary system may differ between environments, the timing frequency must be configured specifically for the field environment and its resource requirements.
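As an added example covering steps 4 and 6 above (not code from the patent), the two sides of the file exchange in Python: the sending exchange service splits and compresses a file into packets named by the page's `{service identity}-{file digest}-{packet number}-{packet total}` protocol, and the receiving exchange service parses the names, rejects anything malformed (the names arrive from the other side of the boundary and must never be used as file paths unchecked), checks each packet, restores the file and verifies the whole-file digest. The chunk size, zlib compression, the `.pkt` suffix, the SHA-256 digest and the polling helper's intervals are assumptions of this example.

```python
"""Added example: split/name packets on the secure side, reassemble and verify
on the secondary side. Chunk size, zlib, ".pkt" and SHA-256 are assumptions."""
from __future__ import annotations

import hashlib
import re
import zlib

# {service identity}-{file digest}-{packet number}-{packet total}.pkt
PKT_NAME = re.compile(r"^([A-Za-z0-9_]+)-([0-9a-f]{64})-(\d+)-(\d+)\.pkt$")


def split_file(service_id: str, data: bytes, max_size: int) -> dict[str, bytes]:
    """Sender side: returns {packet name: compressed packet bytes}."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", service_id):
        raise ValueError("service identity must be a plain token (it becomes a filename)")
    digest = hashlib.sha256(data).hexdigest()
    chunks = [data[i:i + max_size] for i in range(0, len(data), max_size)] or [b""]
    total = len(chunks)
    return {f"{service_id}-{digest}-{n}-{total}.pkt": zlib.compress(c)
            for n, c in enumerate(chunks, start=1)}


def reassemble(packets: dict[str, bytes]) -> tuple[str, bytes]:
    """Receiver side: returns (service identity, file) or raises ValueError."""
    parsed: dict[tuple, dict[int, bytes]] = {}
    for name, blob in packets.items():
        m = PKT_NAME.match(name)
        if not m:  # untrusted name: reject rather than interpret (no '..', no '/')
            raise ValueError(f"malformed packet name {name!r}")
        sid, digest, n, total = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        parsed.setdefault((sid, digest, total), {})[n] = blob
    if len(parsed) != 1:
        raise ValueError("packets of more than one file mixed together")
    (sid, digest, total), parts = parsed.popitem()
    if sorted(parts) != list(range(1, total + 1)):
        raise ValueError(f"expected packets 1..{total}, got {sorted(parts)}")
    try:  # per-packet check: zlib's trailing checksum catches a corrupt packet
        data = b"".join(zlib.decompress(parts[n]) for n in range(1, total + 1))
    except zlib.error as e:
        raise ValueError(f"corrupt packet: {e}") from e
    if hashlib.sha256(data).hexdigest() != digest:  # whole-file integrity check
        raise ValueError("digest mismatch after reassembly")
    return sid, data


def poll_interval(queue_len: int, slow: float = 30.0, fast: float = 2.0) -> float:
    """Step 6(2): low-frequency polling unless 2 or more items are queued."""
    return fast if queue_len >= 2 else slow
```

`split_file` is what the secure-side exchange service would push onto its file queue; `reassemble` is the check the secondary-side exchange service runs before the restored file enters its own queue. Every failure is a `ValueError` so the caller can route it to the result callback rather than silently forwarding a partial file.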
7. Secondary secure network-supervision service: the counterpart of the 'secure network-supervision service'. It verifies the information digest (MD5, SHA1, SHA256, SHA512 and the like) of each complete file in the file queue of the 'secondary secure network-exchange service', records the integrity and uniqueness of the data, puts the file into storage for record, and pushes the complete file data to the gateway service.
8. Secondary secure network-gateway service: based on the file identity processed by the 'secondary secure network-supervision service', distributes the complete file data to the corresponding business service receiver. Distribution has two modes. In push mode the gateway service actively pushes the complete file data to the service address registered with it, using the gateway service's private docking protocol (which may be based on HTTP, SOAP, FTP, SFTP, SCP, etc.). In pull mode the gateway service holds the data for the registered service, and the service actively pulls the complete file data temporarily stored at the gateway service using the same private docking protocol. How long the gateway service retains temporarily stored file data is configurable.
9. Secondary secure network-business service: acts as the file transmission receiver. Using the gateway service's private docking protocol (which may be based on HTTP, SOAP, FTP, SFTP, SCP, etc.) it processes all file data uniformly, parsing and receiving the file data delivered by the 'secondary secure network-gateway service' so that the content and format of the file data remain consistent between sending and receiving. Alternatively, in active request mode, it uses the gateway service's private docking protocol to fetch the set of files addressed to its own identity within a given time period from the gateway service's filed data, and parses and processes them.
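As an added example (not code from the patent), the gateway distribution of steps 8 and 9 in Python: business services register either a push address (modelled as a delivery callable, standing in for the private docking protocol) or pull mode, the gateway routes each complete file by the service identity attached upstream, refuses to deliver to an unregistered identity, and keeps pull-mode files only for the configured retention time. Pull requests take a `since` timestamp so a receiver can fetch "the files for its identity in a time period". The clock is injectable only so the behaviour can be checked deterministically; the class, method and parameter names are assumptions.

```python
"""Added example: push/pull distribution with configurable retention at the
secondary-side gateway service. Names and the retention policy are assumptions."""
import time


class GatewayService:
    """Distributes complete files to registered business services."""

    def __init__(self, retention_s, now=time.time):
        self._retention = retention_s   # configurable temporary-storage time
        self._now = now                 # injectable clock (default: wall clock)
        self._receivers = {}            # service id -> ("push", deliver) or ("pull", None)
        self._store = {}                # service id -> [(received_at, digest, data)]
        self.expired = []               # digests dropped before anyone pulled them

    def register(self, service_id, deliver=None):
        """deliver(digest, data) selects push mode; no deliver selects pull mode."""
        self._receivers[service_id] = ("push", deliver) if deliver else ("pull", None)

    def distribute(self, service_id, digest, data):
        """Routes one file by its identity; returns 'pushed', 'stored' or 'unregistered'."""
        mode, deliver = self._receivers.get(service_id, (None, None))
        if mode is None:
            return "unregistered"       # unknown identity: never guess a destination
        if mode == "push":
            deliver(digest, data)       # active push over the docking protocol
            return "pushed"
        self._store.setdefault(service_id, []).append((self._now(), digest, data))
        return "stored"

    def _expire(self):
        """Drop temporarily stored files older than the retention time."""
        cutoff = self._now() - self._retention
        for sid, items in self._store.items():
            self.expired.extend(d for t, d, _ in items if t < cutoff)
            self._store[sid] = [it for it in items if it[0] >= cutoff]

    def pull(self, service_id, since=0.0):
        """Pull mode: hand over this identity's files received at or after `since`."""
        self._expire()
        items = self._store.get(service_id, [])
        taken = [it for it in items if it[0] >= since]
        self._store[service_id] = [it for it in items if it[0] < since]
        return [(d, b) for _, d, b in taken]
```

Files handed out by `pull` are removed from temporary storage, so a receiver that fetches twice does not reprocess them; files nobody fetched within the retention window end up in `expired`, which is where an operator would hook the result callback.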
The improvements in the system embodiment above also belong to the method embodiment and are not described again there.
For simplicity of explanation, the method embodiments are described as a series of acts or combinations, but those skilled in the art will appreciate that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently with other steps in accordance with the embodiments of the invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A cross-network switching service system based on a secure network, comprising:
a secondary secure network end, configured to receive data to be transmitted, package and encapsulate the data to be transmitted into an internal unified communication data format to obtain a transmission data packet, verify the legality of the data to be transmitted and, if the verification passes, treat the data to be transmitted as legal data, store the legal data and its basic information, and send the transmission data packet to a third party exchange server;
the third party exchange server, configured to receive the transmission data packet and forward it to a secure network end; and
the secure network end, configured to receive the transmission data packet, extract the data to be transmitted, verify the legality of the data to be transmitted and, if the verification passes, store the legal data and its basic information and package the data to be transmitted into an internal unified communication data format.
2. The system of claim 1, wherein the secondary secure network end comprises:
a first business service module, configured to receive data to be transmitted, package and encapsulate it into an internal unified communication data format to obtain a transmission data packet, and send the transmission data packet to a first gateway service module;
the first gateway service module, configured to send the received transmission data packet to a first supervision service module;
the first supervision service module, configured to receive the transmission data packet, verify the legality of the data to be transmitted and, if the data to be transmitted is legal, store the legal data and its basic information and send the transmission data packet to a first exchange service module; and
the first exchange service module, configured to receive the transmission data packet and send it to the third party exchange server;
and wherein the secure network end comprises:
a second exchange service module, configured to receive the transmission data packet and send it to a second supervision service module;
the second supervision service module, configured to receive the transmission data packet, extract the data to be transmitted, verify the legality of the data to be transmitted and, if the verification passes, store the legal data and its basic information and send the legal data to a second gateway service module;
the second gateway service module, configured to send the received legal data to a second business service module; and
the second business service module, configured to receive the legal data, unpack it and package it into an internal unified communication data format.
3. The system of claim 2, wherein the first business service module packages and encapsulates the data to be transmitted into either XML format or JSON format.
4. The system of claim 3, wherein the first supervision service module verifies the legality of the data to be transmitted using either a digital signature technique or an open authorization technique.
5. The system of claim 4, wherein the basic information of the legal data includes the source, creation time and digest of the legal data.
6. A cross-network switching service method based on the system of claim 1, comprising the steps of:
the secondary secure network end receives data to be transmitted, packages and encapsulates the data to be transmitted into an internal unified communication data format to obtain a transmission data packet, verifies the legality of the data to be transmitted and, if the verification passes, treats the data to be transmitted as legal data, stores the legal data and its basic information, and sends the transmission data packet to the third party exchange server;
the third party exchange server receives the transmission data packet and forwards it to the secure network end; and
the secure network end receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted and, if the verification passes, treats the data to be transmitted as legal data, stores the legal data and its basic information, and packages and encapsulates the data to be transmitted into an internal unified communication data format.
7. The method of claim 6, wherein the secondary secure network end comprises a first business service module, a first gateway service module, a first supervision service module and a first exchange service module, and the secure network end comprises a second exchange service module, a second supervision service module, a second gateway service module and a second business service module, wherein:
the first business service module receives data to be transmitted, packages and encapsulates it into an internal unified communication data format to obtain a transmission data packet, and sends the transmission data packet to the first gateway service module;
the first gateway service module sends the received transmission data packet to the first supervision service module;
the first supervision service module receives the transmission data packet, verifies the legality of the data to be transmitted and, if the verification passes, treats the data to be transmitted as legal data, stores the legal data and its basic information, and sends the transmission data packet to the first exchange service module;
the first exchange service module receives the transmission data packet and sends it to the third party exchange server;
the second exchange service module receives the transmission data packet and sends it to the second supervision service module;
the second supervision service module receives the transmission data packet, extracts the data to be transmitted, verifies the legality of the data to be transmitted and, if the verification passes, treats the data to be transmitted as legal data, stores the legal data and its basic information, and sends the legal data to the second gateway service module;
the second gateway service module sends the received legal data to the second business service module; and
the second business service module receives the legal data, unpacks it and packages it into an internal unified communication data format.
8. The method of claim 7, wherein the first business service module packages and encapsulates the data to be transmitted into either XML format or JSON format.
9. The method of claim 8, wherein the first supervision service module verifies the legality of the data to be transmitted using either a digital signature technique or an open authorization technique.
10. The method of claim 9, wherein the basic information of the legal data includes the source, creation time and digest of the legal data.
Application CN201911019806.4A, "Cross-network switching service system and method based on secure network" (en): priority date and filing date 2019-10-24; published as CN110855634A on 2020-02-28; family ID 69596892; one family application, country CN; status listed as pending.

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447999A (en) * 2008-10-31 2009-06-03 神州数码金程(北京)科技有限公司 Security exchange system and realization method thereof
CN101447862A (en) * 2008-10-31 2009-06-03 神州数码金程(北京)科技有限公司 Security exchange system and security exchange method thereof
CN106790028A (en) * 2016-12-15 2017-05-31 贵州监信数据开发有限公司 A kind of prison and the data transmission method and system of bank's intranet and extranet security isolation
CN109547470A (en) * 2018-12-20 2019-03-29 北京交通大学 Protect electrical isolation wall method, the apparatus and system of network space safety
CN110278181A (en) * 2019-01-29 2019-09-24 广州金越软件技术有限公司 A kind of instant protocol conversion technology about inter-network data exchange

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917737A (en) * 2020-07-14 2020-11-10 北京明略软件系统有限公司 Cross-network RPC calling system and method
CN112235193A (en) * 2020-10-12 2021-01-15 南威软件股份有限公司 Data transmission method, device, equipment and medium based on cross-network multi-level routing
CN113032274A (en) * 2021-04-07 2021-06-25 北京电信易通信息技术股份有限公司 Method for verifying CABAC (context-based adaptive binary arithmetic coding) continuous image aiming at H.265
CN114003938A (en) * 2021-11-11 2022-02-01 蓝象智联(杭州)科技有限公司 Secure hidden data query method based on multi-head alliance
CN114003938B (en) * 2021-11-11 2022-05-31 蓝象智联(杭州)科技有限公司 Secure hidden data query method based on multi-head alliance
CN114499949A (en) * 2021-12-23 2022-05-13 北京环宇博亚科技有限公司 Device binding method and device, electronic device and computer readable medium
CN114499976A (en) * 2021-12-28 2022-05-13 航天科工智慧产业发展有限公司 Data exchange method for realizing cross-network exchange
CN114499976B (en) * 2021-12-28 2022-11-04 航天科工智慧产业发展有限公司 Data exchange method for realizing cross-network exchange
CN116566698A (en) * 2023-05-22 2023-08-08 中央军委后勤保障部信息中心 Secret-related data exchange method and system based on multistage cross-network isolation
CN116566698B (en) * 2023-05-22 2024-02-20 中央军委后勤保障部信息中心 Secret-related data exchange method and system based on multistage cross-network isolation

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20200228)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication