CN110971622A - Bidirectional access method and system between public network application system and intranet application system - Google Patents


Publication number
CN110971622A
Authority
CN
China
Legal status
Pending
Application number
CN202010141250.2A
Other languages
Chinese (zh)
Inventor
陈世俊
李璧鲁
戚威
宁冰
张胜
李明柱
Current Assignee
Xinlian Technology Nanjing Co ltd
Original Assignee
Xinlian Technology Nanjing Co ltd

Classifications (CPC; all under H04L, transmission of digital information, e.g. telegraphic communication)

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention relates to a bidirectional access method between a public network application system and an intranet application system. It integrates agent (proxy) technology, root parsing technology, SSL technology, signature verification technology, white list/black list technology and abnormal traffic alarm technology, so that multiple detection technologies cooperate within one body, and an internet front-end system is designed on that basis. The public network application system only needs to open its network policy to the internet front-end system, whose entrance IP is provided to the public network application system, so the risk of exposing the intranet application system on the public network is avoided. Through the series of security technologies integrally designed into the internet front-end system, abnormal network requests are intercepted, the security of the intranet application system is improved, the security problem of access between the public network application system and the intranet application system is effectively solved, and the security of service data transmission is guaranteed.

Description

Bidirectional access method and system between public network application system and intranet application system
Technical Field
The invention relates to a bidirectional access method and system between a public network application system and an intranet application system, and belongs to the technical field of data security access.
Background
With the continuous development of computer network technology, access by public network application systems to intranet application systems has become a trend. The current mainstream access modes are mainly NAT technology, VPN technology and the like, but they all share one problem: when the public network accesses the intranet application system, an intranet application entry must exist on the internet, which greatly affects the information security of the intranet application system. Information security has entered a new era, and the problems of terminal security and network security are gradually attracting attention. At present, most applications on intranet terminals are important or even strictly confidential, especially the terminal equipment in the office networks, internal business networks and confidential networks of government agencies, confidential departments, core scientific research institutions, financial institutions such as banks, and enterprises and public institutions. Once these devices are compromised or destroyed, very serious consequences follow. As information security grows in importance, intranet security becomes more and more prominent. Network communication is one of the main channels of information leakage in an intranet system; network control and audit are technically difficult, the means of internal network attack change day by day, and the difficulty of network precaution rises greatly. Secondly, the traditional technologies have more or less defects in problem location, operational complexity and high availability.
The existing technologies for enabling a public network application system to access an intranet application system are of three kinds: (1) NAT network address translation; (2) VPN private line technology; (3) a general application proxy technique.
(1) NAT network address translation
NAT network address translation is a technology that maps and binds an intranet IP address to an internet domain name or a public network IP and port. Through NAT, a third-party application system on the public network can access the application system of the intranet. This approach is inconvenient when more inter-system access must be supported, and it does not provide additional security.
(2) VPN private line technology
A VPN is a communication means often used to connect the private networks of medium and large enterprises or groups. It uses a tunneling protocol to achieve private message security properties such as confidentiality, sender authentication and message accuracy, so that reliable and secure messages can be sent over an insecure network such as the Internet. Although a VPN private line enables public network applications to access intranet applications, it is relatively costly, and opening the intranet to the public network through a VPN tunnel brings more security threats because the opening granularity is too coarse.
(3) Application proxy server
The two technologies above control access at the network layer, whereas an application proxy server controls access at the application layer above it; the proxy server can proxy-forward Web requests between a public network application system and an intranet application system. But generic proxy servers still cannot provide more demanding secure access: for example, they cannot authenticate client applications or detect potential Web security threats.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a bidirectional access method between a public network application system and an intranet application system, which integrates multiple detection technologies into a whole so that they work cooperatively, can effectively solve the security problem of access between the public network application system and the intranet application system, and ensures the security of service data transmission.
The invention adopts the following technical scheme for solving the technical problem: the invention designs a bidirectional access method between a public network application system and an intranet application system, which comprises the following steps:
step A1, for a Web request sent by the public network application system to the intranet application system, judging whether the Web request is based on the HTTPS protocol; if so, entering step A2; otherwise rejecting the Web request;
step A2, performing SSL offloading on the Web request, updating it to a Web request based on the HTTP protocol, and then entering step A3;
step A3, performing root parsing on the URL of the Web request to obtain the service class root information corresponding to the Web request, and judging whether the service class root information belongs to the preset service class root set between the public network application system and the intranet application system; if so, entering step A4; otherwise rejecting the Web request;
step A4, according to the service class root information corresponding to the Web request, applying the corresponding digital signature certificate among the digital signature certificates preset between the public network application system and the intranet application system, decrypting the service message in the message body of the Web request to obtain the decrypted service message, and performing signature verification to verify the identity of the Web request initiator and the integrity of the service data; if the verification passes, entering step A5; if the verification fails, rejecting the Web request;
step A5, performing traffic anomaly detection on the message header and the message body of the Web request using the combined detection technique of semantic analysis and preset matching rules; if there is no anomaly, entering step A6; if the Web request is anomalous, adding the IP address of the Web request initiator to the preset blacklist of IP addresses not allowed to pass, and filtering the Web request;
step A6, judging whether the IP address of the Web request initiator belongs to the white list of allowed IP addresses preset between the public network application system and the intranet application system; if so, entering step A7; otherwise, not allowing the Web request to be forwarded, and rejecting the Web request;
step A7, judging whether the IP address of the Web request initiator belongs to the blacklist; if so, not allowing the Web request to be forwarded, and rejecting the Web request; otherwise, allowing the Web request to be forwarded, and entering step A8;
step A8, constructing a routing forwarding rule according to the service class root information corresponding to the Web request, initiating a new Web request for the message body of the Web request, and forwarding it to the intranet application system, so as to realize proxy forwarding processing.
As a preferred technical scheme of the invention: the method for the intranet application system to access the public network application system comprises the following steps:
step B1, for a Web request sent by the intranet application system to the public network application system, judging whether the Web request is based on the HTTP protocol; if so, entering step B2; otherwise rejecting the Web request;
step B2, performing root parsing on the URL of the Web request to obtain the service class root information corresponding to the Web request, and judging whether the service class root information belongs to the preset service class root set between the public network application system and the intranet application system; if so, entering step B3; otherwise rejecting the Web request;
step B3, according to the service class root information corresponding to the Web request, applying the corresponding digital signature certificate among the digital signature certificates preset between the public network application system and the intranet application system, encrypting the service message in the message body of the Web request to obtain the encrypted service message, and performing digital signing so that the identity of the Web request initiator and the integrity of the service data can be verified; if the digital signing succeeds, entering step B4; if the digital signing fails, rejecting the Web request;
step B4, performing SSL loading on the Web request, updating it to a Web request based on the HTTPS protocol, and then entering step B5;
step B5, constructing a routing forwarding rule according to the service class root information corresponding to the Web request, initiating a new Web request for the message body of the Web request, and forwarding the new Web request to the public network application system, so as to realize proxy forwarding processing.
In view of the above, a further technical problem to be solved by the present invention is to provide a system applying the bidirectional access method between a public network application system and an intranet application system, which, through the integrated cooperation of multiple detection modules, can effectively solve the security problem of access between the public network application system and the intranet application system and thereby ensure the security of service data transmission.
The invention adopts the following technical scheme for solving this technical problem: the invention designs a system applying the bidirectional access method between a public network application system and an intranet application system, which comprises an internet front-end system arranged on the communication link between the public network application system and the intranet application system; the internet front-end system executes steps A1 to A8 to realize the method for the public network application system to access the intranet application system, and executes steps B1 to B5 to realize the method for the intranet application system to access the public network application system.
As a preferred technical scheme of the invention: the internet front-end system comprises an agent module, a security module, a log module, a user management module and a high-availability module; the agent module is used for realizing the proxy for two-way communication between the intranet application system and the public network application system; the security module is used for realizing the white list mechanism, message signature verification and traffic anomaly detection functions of the bidirectional access method; the log module is used for realizing the service log of the agent module, the service log of the security module and the configuration operation log of the internet front-end system.
As a preferred technical scheme of the invention: the internet front-end system further comprises a graphical system configuration module, which is used for graphically configuring the system parameters and the functional parameters of each module of the internet front-end system.
As a preferred technical scheme of the invention: the user management module is used for realizing the management function of the user account and the authority of the Internet front-end system.
As a preferred technical scheme of the invention: the high availability module is used for realizing the cluster function of the Internet front-end system.
Compared with the prior art, the invention adopts the technical scheme that the method and the system for bidirectional access between the public network application system and the intranet application system have the following technical effects:
the invention designs a bidirectional access method between a public network application system and an intranet application system that integrates agent (proxy) technology, root parsing technology, SSL technology, signature verification technology, white list/black list technology and abnormal traffic alarm technology, so that multiple detection technologies work cooperatively as one, and designs an internet front-end system on that basis. Applying the internet front-end system makes opening a network policy more convenient: the public network application system only needs to open its network policy to the internet front-end system, whose entrance IP is provided to the public network application system, so the risk of exposing the intranet application system on the public network is avoided; abnormal network requests are intercepted through the series of security technologies integrally designed into the internet front-end system, and the security of the intranet application system is improved. The network policy from the internet front-end system to the intranet application system is provided by the intranet application system. Compared with traditional application access methods, the designed method and system can control at fine granularity which public network application systems may access, and the internet front-end system supports access by multiple public network applications on the designated access port.
Drawings
FIG. 1 is a schematic flow chart of a method for accessing an intranet application system by a public network application system according to the present invention;
FIG. 2 is a schematic flow chart illustrating a method for accessing a public network application system by an intranet application system according to the present invention;
FIG. 3 is a schematic diagram of a module architecture of an Internet front-end system in a system applying a bidirectional access method between a public network application system and an intranet application system according to the present invention;
FIG. 4 is a schematic diagram of a deployment architecture of an internet front-end system in an embodiment of the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The invention designs a bidirectional access method between a public network application system and an intranet application system. It includes a method for the public network application system to access the intranet application system; in practical application, as shown in FIG. 1, the following steps A1 to A8 are executed.
Step A1, for a Web request sent by the public network application system to the intranet application system, judging whether the Web request is based on the HTTPS protocol; if so, entering step A2; otherwise, the Web request is rejected.
Step A2, performing SSL offloading on the Web request using the specified SSL certificate, updating the Web request to a Web request based on the HTTP protocol, and then entering step A3.
Step A3, performing root parsing on the URL of the Web request to obtain the service class root information corresponding to the Web request. The service class root information is an agreed keyword representing a specific service class, placed in the URL to distinguish different services; taking an etc service as an example, its service class root information is etc and a typical URL is https://xxx.xxx/etc/. Then judging whether the service class root information belongs to the preset service class root set between the public network application system and the intranet application system; if so, entering step A4; otherwise, the Web request is rejected.
Step A4, according to the service class root information corresponding to the Web request, applying the corresponding digital signature certificate among the digital signature certificates preset between the public network application system and the intranet application system, decrypting the service message in the message body of the Web request to obtain the decrypted service message, and performing signature verification to verify the identity of the Web request initiator and the integrity of the service data; if the verification passes, entering step A5; if the verification fails, the Web request is rejected.
Step A5, performing traffic anomaly detection on the message header and the message body of the Web request using the combined detection technique of semantic analysis and preset matching rules; common security threats such as suspected SQL injection and XSS count as anomalies. If there is no anomaly, entering step A6; if the Web request is anomalous, the IP address of the Web request initiator is added to the preset blacklist of IP addresses not allowed to pass, and the Web request is filtered.
Step A6, judging whether the IP address of the Web request initiator belongs to the white list of allowed IP addresses preset between the public network application system and the intranet application system; if so, entering step A7; otherwise, the Web request is not allowed to be forwarded and is rejected.
Step A7, judging whether the IP address of the Web request initiator belongs to the blacklist; if so, the Web request is not allowed to be forwarded and is rejected; otherwise, the Web request is allowed to be forwarded and step A8 is entered.
Step A8, constructing a routing forwarding rule according to the service class root information corresponding to the Web request, initiating a new Web request for the message body of the Web request, and forwarding it to the intranet application system to realize proxy forwarding processing.
Correspondingly, the present invention further designs a method for the intranet application system to access the public network application system; in practical application, as shown in FIG. 2, the following steps B1 to B5 are executed.
Step B1, for a Web request sent by the intranet application system to the public network application system, judging whether the Web request is based on the HTTP protocol; if so, entering step B2; otherwise, the Web request is rejected.
Step B2, performing root parsing on the URL of the Web request to obtain the service class root information corresponding to the Web request, and judging whether the service class root information belongs to the preset service class root set between the public network application system and the intranet application system; if so, entering step B3; otherwise, the Web request is rejected.
Step B3, according to the service class root information corresponding to the Web request, applying the corresponding digital signature certificate among the digital signature certificates preset between the public network application system and the intranet application system, encrypting the service message in the message body of the Web request to obtain the encrypted service message, and performing digital signing so that the identity of the Web request initiator and the integrity of the service data can be verified; if the digital signing succeeds, entering step B4; if the digital signing fails, the Web request is rejected.
Step B4, performing SSL loading on the Web request, updating it to a Web request based on the HTTPS protocol, and then entering step B5.
Step B5, constructing a routing forwarding rule according to the service class root information corresponding to the Web request, initiating a new Web request for the message body of the Web request, and forwarding the new Web request to the public network application system to realize proxy forwarding processing.
For the designed bidirectional access method between the public network application system and the intranet application system, the invention further designs a system applying the method. It comprises an internet front-end system arranged on the communication link between the public network application system and the intranet application system; the internet front-end system executes steps A1 to A8 to realize the method for the public network application system to access the intranet application system, and executes steps B1 to B5 to realize the method for the intranet application system to access the public network application system.
For the internet front-end system, in practical application, as shown in FIG. 3, it specifically includes an agent module, a security module, a log module, a user management module, a high-availability module and a graphical system configuration module. The agent module is used for realizing the proxy for two-way communication between the intranet application system and the public network application system; the security module is used for realizing the white list mechanism, message signature verification and traffic anomaly detection functions of the bidirectional access method; the log module is used for realizing the service log of the agent module, the service log of the security module and the configuration operation log of the internet front-end system; the graphical system configuration module is used for graphically configuring the system parameters and the functional parameters of each module of the internet front-end system; the user management module is used for managing the user accounts and authorities of the internet front-end system; the high-availability module is used for realizing the cluster function of the internet front-end system.
In specific practical application, the agent module of the internet front-end system realizes the proxy for intranet business applications and the proxy for third-party response systems, including the proxy for two-way communication between the intranet application system and the public network application system, and supports proxy modes such as http, https and socket. An example proxy configuration (in nginx syntax) is:
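The inbound pipeline A1 to A8 and the outbound signing step B3, as an added Python model that is not code from the patent or the applicant. It assumes constructed requests, RFC 5737 documentation addresses for the white list, and a per-root HMAC-SHA256 key standing in for the per-root digital signature certificate; the message-body encryption of A4/B3 and the SSL offloading/loading of A2/B4 are left to the TLS layer and not modelled.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Preset configuration of the internet front-end system (all values constructed).
# The text binds one digital signature certificate to each service-class root;
# here a per-root HMAC-SHA256 key is the stand-in for that certificate.
SERVICE_KEYS = {
    "etc": b"constructed-key-for-etc",
    "xxhaiguan": b"constructed-key-for-xxhaiguan",
}
# Step A8: routing forwarding rule keyed by service-class root (intranet targets constructed).
ROUTES = {
    "etc": "http://10.0.0.5:8080/etc/",
    "xxhaiguan": "http://10.0.0.6:8080/haiguanyewu/",
}
WHITELIST = {"203.0.113.10", "203.0.113.11"}  # preset allowed initiator IPs (RFC 5737 range)
BLACKLIST = set()                              # populated by step A5 at run time

# Step A5: preset matching rules for the two threat classes the text names.
ANOMALY_RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d|;\s*drop\s+table)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon(error|load)\s*=)")),
]


def parse_service_root(url):
    """Steps A3/B2: the first URL path segment is the agreed service-class root."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[0] if segments else None


def sign_body(root, body):
    """Step B3 (outbound side): sign the service message with the root's key."""
    return hmac.new(SERVICE_KEYS[root], body, hashlib.sha256).hexdigest()


def verify_body(root, body, signature):
    """Step A4: check initiator identity and body integrity with a constant-time compare."""
    return hmac.compare_digest(sign_body(root, body), signature)


def detect_anomaly(headers, body):
    """Step A5: run the preset rules over every header value and the message body."""
    texts = list(headers.values()) + [body.decode("utf-8", "replace")]
    for name, rule in ANOMALY_RULES:
        if any(rule.search(t) for t in texts):
            return name
    return None


def inbound_decision(req):
    """Apply steps A1-A8 to one request; return ("forward", target) or ("reject", step)."""
    if urlsplit(req["url"]).scheme != "https":           # A1: HTTPS only
        return ("reject", "A1")
    # A2: SSL offloading happens at the TLS terminator; from here on the request is plain HTTP.
    root = parse_service_root(req["url"])                 # A3: root must be in the preset set
    if root not in SERVICE_KEYS:
        return ("reject", "A3")
    sig = req["headers"].get("X-Signature", "")           # A4: signature verification
    if not verify_body(root, req["body"], sig):
        return ("reject", "A4")
    threat = detect_anomaly(req["headers"], req["body"])  # A5: anomaly detection
    if threat is not None:
        BLACKLIST.add(req["client_ip"])                   # offending initiator is blacklisted
        return ("reject", "A5:" + threat)
    if req["client_ip"] not in WHITELIST:                 # A6: white list
        return ("reject", "A6")
    if req["client_ip"] in BLACKLIST:                     # A7: black list
        return ("reject", "A7")
    return ("forward", ROUTES[root])                      # A8: route by service root


def make_request(client_ip, url, body, signed_body=None):
    """Build a request as the public-network side would after signing (constructed helper).
    signed_body lets a caller sign one body but send another, to model tampering in transit."""
    root = parse_service_root(url)
    to_sign = body if signed_body is None else signed_body
    sig = sign_body(root, to_sign) if root in SERVICE_KEYS else ""
    return {"client_ip": client_ip, "url": url, "body": body,
            "headers": {"Content-Type": "application/json", "X-Signature": sig}}
```

Running the same clean request from an IP that step A5 has just blacklisted shows why A6 and A7 are both needed: the address is still on the white list, yet A7 now rejects it.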
server {
    listen 8090;                 # designated access port opened towards the public network side
    location /xxhaiguan {        # the service class root in the URL selects the forwarding rule
        proxy_pass https://www.xxhaiguan.org.cn/haiguanyewu;   # target of the new Web request
    }
}
In the specific application of the security module of the internet front-end system, a detection technology based on semantic analysis is adopted for traffic anomaly detection: the identifying features (or fingerprints) of the input data are obtained through semantic analysis and then matched against a feature library using a fast search algorithm, so that Web requests carrying a security threat are identified and filtered.
In practical application, the graphical system configuration module of the internet front-end system allows a security manager, within the scope of his authority, to remotely configure the various function parameters of the internet front-end system through a browser; these function parameters include proxy adjustment, security protection and high-availability parameters.
In practical application, the log module of the internet front-end system records logs as log files. For performance reasons, the internet front-end system does not perform high-level functions such as specific log processing and analysis; other log analysis systems can obtain the detailed logs of the internet front-end system through a log file collection function and carry out complex analysis such as traffic statistics and fault location.
In practical application, the user management module of the internet front-end system only supports account and password management for the security manager of the intermediate service platform. The high-availability module manages cluster nodes based on VRRP (Virtual Router Redundancy Protocol): in cluster mode the internet front-end system consists of a main server and several backup servers, the same service configuration is deployed on the main server and the backup servers, a virtual IP address provides the service to the outside, and when the main server fails the virtual IP address automatically fails over to a backup server.
In practical application, the internet front-end system can be deployed differently according to the actual needs of users; FIG. 4 shows a typical deployment architecture. An internet front-end system deployed in the DMZ cluster is responsible for accepting service traffic from third-party response systems on the internet and forwarding it to the internet front-end system in the intranet zone. An internet front-end system deployed in the intranet zone cluster is responsible for routing the service traffic to the corresponding intranet service application system; the intranet zone internet front-end system also performs the necessary security processing on the third-party traffic, including message signature verification, white list traffic control and Web request security filtering.
The technical scheme designs a bidirectional access method between a public network application system and an intranet application system that integrates agent (proxy) technology, root parsing technology, SSL technology, signature verification technology, white list/black list technology and abnormal traffic alarm technology, so that multiple detection technologies work cooperatively as one, and designs an internet front-end system on that basis. Applying the internet front-end system makes opening a network policy more convenient: the public network application system only needs to open its network policy to the internet front-end system, whose entrance IP is provided to the public network application system, so the risk of exposing the intranet application system on the public network is avoided; abnormal network requests are intercepted through the series of security technologies integrally designed into the internet front-end system, and the security of the intranet application system is improved. The network policy from the internet front-end system to the intranet application system is provided by the intranet application system. Compared with traditional application access methods, the designed method and system can control at fine granularity which public network application systems may access, and the internet front-end system supports access by multiple public network applications on the designated access port.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (7)

1. A bidirectional access method between a public network application system and an intranet application system, characterized in that the method comprises the following steps:
step A1, for a Web request sent by the public network application system to the intranet application system, judging whether the Web request is based on the HTTPS protocol; if so, entering step A2; otherwise rejecting the Web request;
step A2, performing SSL offloading on the Web request so that it becomes a Web request based on the HTTP protocol, and then entering step A3;
step A3, performing root parsing on the URL of the Web request to obtain the service-type root information corresponding to the Web request, and judging whether that service-type root belongs to the preset set of service-type roots between the public network application system and the intranet application system; if so, entering step A4; otherwise rejecting the Web request;
step A4, according to the service-type root information corresponding to the Web request, applying the corresponding one of the digital signature certificates preset between the public network application system and the intranet application system, decrypting the service message in the message body of the Web request to obtain the decrypted service message, and performing digital-signature verification to verify the identity of the Web request initiator and the integrity of the service data; if the verification passes, entering step A5; if it fails, rejecting the Web request;
step A5, performing traffic anomaly detection on the message header and message body of the Web request with a combined detection technique of semantic analysis and preset matching rules; if there is no anomaly, entering step A6; if there is an anomaly, adding the IP address of the Web request initiator to the preset blacklist of disallowed IP addresses and filtering out the Web request;
step A6, judging whether the IP address of the Web request initiator belongs to the whitelist of allowed IP addresses preset between the public network application system and the intranet application system; if so, entering step A7; otherwise disallowing forwarding and rejecting the Web request;
step A7, judging whether the IP address of the Web request initiator belongs to the blacklist; if so, disallowing forwarding and rejecting the Web request; otherwise allowing the Web request to be forwarded and entering step A8;
step A8, constructing a route forwarding rule according to the service-type root information corresponding to the Web request, initiating a new Web request for the message body of the Web request and forwarding it to the intranet application system, thereby realizing proxy forwarding.
2. The bidirectional access method between a public network application system and an intranet application system according to claim 1, characterized in that the method for access from the intranet application system to the public network application system comprises the following steps:
step B1, for a Web request sent by the intranet application system to the public network application system, judging whether the Web request is based on the HTTP protocol; if so, entering step B2; otherwise rejecting the Web request;
step B2, performing root parsing on the URL of the Web request to obtain the service-type root information corresponding to the Web request, and judging whether that service-type root belongs to the preset set of service-type roots between the public network application system and the intranet application system; if so, entering step B3; otherwise rejecting the Web request;
step B3, according to the service-type root information corresponding to the Web request, applying the corresponding one of the digital signature certificates preset between the public network application system and the intranet application system, encrypting the service message in the message body of the Web request to obtain the encrypted service message, and performing digital signature processing so that the identity of the Web request initiator and the integrity of the service data can be verified; if signing succeeds, entering step B4; if signing fails, rejecting the Web request;
step B4, performing SSL loading on the Web request so that it becomes a Web request based on the HTTPS protocol, and then entering step B5;
step B5, constructing a route forwarding rule according to the service-type root information corresponding to the Web request, initiating a new Web request for the message body of the Web request and forwarding it to the public network application system, thereby realizing proxy forwarding.
3. A system applying the bidirectional access method between a public network application system and an intranet application system according to claim 1 or 2, characterized in that: the system comprises an Internet front-end system arranged on the communication link between the public network application system and the intranet application system, which executes steps A1 to A8 to realize the method for access from the public network application system to the intranet application system, and executes steps B1 to B5 to realize the method for access from the intranet application system to the public network application system.
4. The system according to claim 3, characterized in that: the Internet front-end system comprises a proxy module, a security module, a log module, a user-management module and a high-availability module; the proxy module realizes the proxying of the bidirectional communication between the intranet application system and the public network application system; the security module realizes the whitelist mechanism, message signature verification and traffic anomaly detection functions of the bidirectional access method; the log module realizes the service log of the proxy module, the service log of the security module and the configuration operation log of the Internet front-end system.
5. The system according to claim 4, characterized in that: the Internet front-end system further comprises a graphical system configuration module, which realizes graphical configuration of the system parameters and of the functional parameters of each module of the Internet front-end system.
6. The system according to claim 5, characterized in that: the user-management module realizes the management of user accounts and permissions of the Internet front-end system.
7. The system according to claim 6, characterized in that: the high-availability module realizes the cluster function of the Internet front-end system.
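The two procedures of claims 1 and 2, as an added illustrative example written for this page in Python; it is not code from the patent or its applicant. It keeps the exact step order A1 to A8 (inbound) and B1 to B5 (outbound) and exposes each refusal with its step label. Everything in its configuration (service roots, addresses, keys, matching rules) is constructed sample data. Per-service HMAC-SHA256 keys stand in for the patent's per-service digital signature certificates, the "encrypted service message" is modelled as a signed base64 envelope, SSL offloading and loading are modelled as a URL scheme rewrite, and forwarding returns the new request instead of sending it.

```python
"""Inbound (claim 1, A1-A8) and outbound (claim 2, B1-B5) pipeline of an
Internet front-end proxy. Added illustration, not the patent's code.
Assumptions (not in the patent): per-service HMAC-SHA256 keys stand in for
the per-service digital-signature certificates; the encrypted service message
is a base64 envelope carrying its signature; SSL offload/loading is a scheme
rewrite; forwarding returns the new request. All configuration is constructed."""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import urlsplit

SERVICE_ROOTS = {"pay", "query"}                              # A3/B2: preset service-type roots
SERVICE_KEYS = {"pay": b"pay-key", "query": b"query-key"}      # A4/B3: stand-in for per-service certs
WHITELIST = {"203.0.113.10", "203.0.113.11"}                   # A6: allowed source IPs
BLACKLIST = set()                                              # A5 adds to it, A7 checks it
INTRANET_BACKENDS = {"pay": "http://10.0.0.5:8080", "query": "http://10.0.0.6:8080"}  # A8 routes
PUBLIC_BACKENDS = {"pay": "https://partner.example.com", "query": "https://partner.example.com"}  # B5
BAD_PATTERNS = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]  # A5 rules
MAX_BODY = 64 * 1024                                           # A5: size rule


class Rejected(Exception):
    """Raised with the step label and reason when a request is refused."""


def service_root(url):
    """Root parsing (A3/B2): the first path segment names the service type."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[0] if parts else ""


def sign(root, payload):
    return hmac.new(SERVICE_KEYS[root], payload, hashlib.sha256).hexdigest()


def seal(root, payload):
    """B3 stand-in: wrap the service message and attach its signature."""
    env = {"data": base64.b64encode(payload).decode(), "sig": sign(root, payload)}
    return json.dumps(env).encode()


def open_envelope(root, body):
    """A4 stand-in: unwrap the service message and verify its signature."""
    try:
        env = json.loads(body)
        payload = base64.b64decode(env["data"], validate=True)
        sig = env["sig"]
    except (ValueError, KeyError, TypeError):
        raise Rejected("A4: malformed message envelope")
    if not isinstance(sig, str) or not hmac.compare_digest(sig.encode(), sign(root, payload).encode()):
        raise Rejected("A4: signature verification failed")
    return payload


def anomalous(headers, body):
    """A5: size rule plus pattern matching over header and body text."""
    if len(body) > MAX_BODY:
        return True
    text = body.decode("utf-8", "replace") + " ".join(f"{k}: {v}" for k, v in headers.items())
    return any(p.search(text) for p in BAD_PATTERNS)


def inbound(req):
    """Claim 1: public network application -> intranet application."""
    url, ip = req["url"], req["src_ip"]
    if urlsplit(url).scheme != "https":
        raise Rejected("A1: not HTTPS")
    url = "http://" + url[len("https://"):]                     # A2: SSL offload
    root = service_root(url)
    if root not in SERVICE_ROOTS:
        raise Rejected("A3: unknown service-type root")
    payload = open_envelope(root, req["body"])                    # A4: decrypt + verify signature
    if anomalous(req["headers"], payload):                        # A5: blacklist the source
        BLACKLIST.add(ip)
        raise Rejected("A5: anomalous traffic, source blacklisted")
    if ip not in WHITELIST:                                       # A6
        raise Rejected("A6: source not on whitelist")
    if ip in BLACKLIST:                                           # A7
        raise Rejected("A7: source on blacklist")
    return {"url": INTRANET_BACKENDS[root] + urlsplit(url).path, "body": payload}  # A8


def outbound(req):
    """Claim 2: intranet application -> public network application."""
    url = req["url"]
    if urlsplit(url).scheme != "http":
        raise Rejected("B1: not HTTP")
    root = service_root(url)
    if root not in SERVICE_ROOTS:
        raise Rejected("B2: unknown service-type root")
    body = seal(root, req["body"])                                # B3: encrypt/envelope + sign
    url = "https://" + url[len("http://"):]                       # B4: SSL loading
    return {"url": PUBLIC_BACKENDS[root] + urlsplit(url).path, "body": body}  # B5


def decide(stage, req):
    """Run one direction; returns ("forward", new_request) or ("reject", reason)."""
    try:
        return "forward", stage(req)
    except Rejected as e:
        return "reject", str(e)
```

Two consequences of the claimed order are worth noting in practice. Signature verification (A4) runs before the cheap whitelist check (A6), so the front end does verification work for every source that knows a valid service root, and traffic anomaly detection (A5) only ever sees messages that already carried a valid signature. A source that A5 adds to the blacklist is refused at A7 even while it remains on the whitelist, because A7 is evaluated after A6; the blacklist therefore needs an expiry or operator-managed removal, which the claims do not specify.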
CN202010141250.2A 2020-03-04 2020-03-04 Bidirectional access method and system between public network application system and intranet application system Pending CN110971622A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010141250.2A CN110971622A (en) 2020-03-04 2020-03-04 Bidirectional access method and system between public network application system and intranet application system


Publications (1)

Publication Number Publication Date
CN110971622A true CN110971622A (en) 2020-04-07

Family

ID=70038261

Country Status (1)

Country Link
CN (1) CN110971622A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112055032A (en) * 2020-09-21 2020-12-08 迈普通信技术股份有限公司 Message processing method and device, electronic equipment and storage medium
CN113645091A (en) * 2021-07-02 2021-11-12 国能智深控制技术有限公司 Communication system of photovoltaic power station
CN114338204A (en) * 2021-12-30 2022-04-12 中国电信股份有限公司 Method, electronic device and medium for login verification of public network communication platform for intranet
CN114500111A (en) * 2022-04-12 2022-05-13 国网浙江省电力有限公司 Multi-platform-based automatic project audit data processing method and system
CN115086013A (en) * 2022-06-13 2022-09-20 北京奇艺世纪科技有限公司 Risk identification method, risk identification device, electronic equipment, storage medium and computer program product
CN115996224A (en) * 2021-10-18 2023-04-21 国能智深控制技术有限公司 Data transmission system
CN117319093A (en) * 2023-11-30 2023-12-29 国网江苏省电力有限公司 Data access service method based on isolation device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060122941A1 (en) * 1996-02-26 2006-06-08 Coley Christopher D Licensing system using a firewall gateway for protecting and licensing computers
CN1863093A (en) * 2006-04-06 2006-11-15 华为技术有限公司 Tactics executing point and linking method of it and intrusion detection system
CN105338020A (en) * 2014-07-02 2016-02-17 华为技术有限公司 Business access method and device
CN105610874A (en) * 2016-03-23 2016-05-25 四川九鼎智远知识产权运营有限公司 Local area network security management system
CN106856468A (en) * 2015-12-08 2017-06-16 中国科学院声学研究所 A kind of TSM Security Agent device for being deployed in cloud storage service end and TSM Security Agent method
CN107426184A (en) * 2017-06-22 2017-12-01 国网浙江海盐县供电公司 Power system Mobile solution information safety system and its transmission method
CN109309649A (en) * 2017-07-27 2019-02-05 苏宁云商集团股份有限公司 A kind of attack method for early warning and system
CN109963320A (en) * 2012-10-26 2019-07-02 华为技术有限公司 The control method and equipment of service access


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200407