CN112202922A - Information communication safety access management method, system and storage medium


Info

Publication number
CN112202922A
Authority
CN
China
Prior art keywords
data
server
user terminal
virtual space
user
Legal status
Pending
Application number
CN202011158706.2A
Other languages
Chinese (zh)
Inventor
张瑞强
黄林
陈龙
吕磊
潘可佳
吴斗
尹远
曾愚
李嘉周
杨峻欢
Current Assignee
State Grid Sichuan Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Sichuan Electric Power Co Ltd
Original Assignee
State Grid Sichuan Electric Power Co Ltd
Priority date
2020-10-26
Filing date
2020-10-26
Publication date
2021-01-08

Classifications

    • H04L 67/5651 Reducing the amount or size of exchanged application data (H04L 67/56 Provisioning of proxy services; H04L 67/565 Conversion or adaptation of application format or content)
    • H04L 61/50 Address allocation (H04L 61/00 Network arrangements, protocols or services for addressing or naming)
    • H04L 63/08 Network security: authentication of entities
    • H04L 63/101 Network security: controlling access to devices or network resources, access control lists [ACL]
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (H04L 67/10 Protocols in which an application is distributed across nodes in the network)

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a method, a system and a storage medium for managing secure access in information communication. The method comprises: intercepting an access request sent by a user terminal to a server and verifying the authority of the user terminal; after the user terminal has been verified to have the access right, extracting the address information of the user terminal, sending the address information together with a space request to the server, and having the server set up a virtual space mapped to that address; and intercepting the data subsequently sent by the user terminal to the server, analysing and processing it, and sending it to the mapped virtual space. The gateway verifies the user; when the user has the right, the data is sent to the server, which allocates a virtual space mapped to the user. The virtual space works independently: it processes the user's data on its own and returns the result to the user. Each time the user sends data, the gateway detects the user's address and sends the data to the mapped virtual space for processing, which speeds up data processing.

Description

Information communication safety access management method, system and storage medium
Technical Field
The invention relates to the field of information security, in particular to a method, a system and a storage medium for managing information communication security access.
Background
A security gateway combines several technologies and provides protection ranging from protocol-level filtering to sophisticated application-level filtering. Its purpose is to keep insecure traffic from the Internet or an extranet from spreading into the enterprise's or organisation's own intranet.
A security gateway is formed by a router and a processor which together provide protocol-, link- and application-level protection. Unlike other kinds of gateway, such a dedicated gateway does not need to provide a translation function: the internal and external networks it connects both use IP, so no protocol conversion is needed and filtering is what matters most. As a device at the edge of the network, its responsibility is to control the incoming and outgoing data flow. The reason for protecting the intranet from unauthorised external access is obvious; the reason for controlling outbound access is less so. In some cases it is desirable to filter data sent outward: for example, value-added services that users browse can generate a large amount of WAN traffic which, if left uncontrolled, easily impairs the network's ability to carry other applications, so such traffic has to be blocked in whole or in part.
Many enterprises today run their own server and install a client on employees' phones or computers; the client connects to the server to fetch data from it. Even where a gateway is deployed to filter external data, the filtered data is then passed straight to the server, which has to read the client's information itself and only then distribute and process the data.
Disclosure of Invention
An object of the present invention is to solve at least the above problems and to provide at least the advantages described later.
The invention aims to provide a method, a system and a storage medium for managing information communication security access, so as to solve the problem that an existing gateway only performs filtering, leaving the server with extra steps to allocate processing work, which complicates the procedure and easily causes delay.
To achieve these objects and other advantages in accordance with the present invention:
in a first aspect, a method for secure access management in information communication includes:
intercepting an access request sent by a user terminal to a server, and verifying the authority of the user terminal;
after verifying that the user terminal has the access right, extracting the address information of the user terminal, sending the address information and a space request to the server, and having the server set up a virtual space mapped to that address;
intercepting data sent by the user terminal to the server, analysing and processing the data, and sending the data to the mapped virtual space.
In one possible design, the method further comprises: when no more data is received from the user terminal after a set time has elapsed, sending a release request to the server, whereupon the server releases the mapped virtual space.
In one possible design, when the server sets up the virtual space it randomly selects resources to form the virtual space and then maps the virtual space to the address of the user terminal.
In one possible design, the method further comprises: keeping a blacklist; when external data is received, first checking the address information of the data, and discarding the data if its address is on the blacklist.
In one possible design, the method further comprises: analysing all received data and filtering out any offensive part of it.
In one possible design, the method further comprises: when analysis shows that received data has attack characteristics, also sending an alarm to the security administrator.
In one possible design, the method further comprises: when data sent by a user terminal is received, recording the time of receipt.
In a second aspect, the information communication security access management system includes a data processing module, a data transceiver module, and a data storage module, where the data transceiver module is configured to receive information sent from outside or send information to outside, the data storage module is configured to store a computer program, and the data processing module is configured to execute the computer program to implement the information communication security access management method disclosed in the first aspect.
In a third aspect, a storage medium has a computer program stored thereon, and the computer program, when executed by a processor, implements the information communication security access management method disclosed in the first aspect.
The invention at least has the following beneficial effects: (1) the management system is a gateway system and the management method is the gateway's operating method. In operation the gateway verifies the user; when the user has the right, the data is sent to the server, which allocates a virtual space mapped to the user's address. The virtual space works independently, processes the user's data on its own and returns the results to the user. From then on, each time the user sends data, the gateway detects the user's address and sends the data to the mapped virtual space, where it is processed independently, so data processing is faster;
(2) when the interval between the user terminal's transmissions grows too long, resources would be wasted; so once the interval reaches a set value the user's virtual space is unmapped and can be used for other purposes, saving resources;
(3) the gateway can be given a blacklist: for example, after a certain address has kept sending attack data and an administrator has added that address to the blacklist, any data sent from the address is discarded directly, without running the filtering step, so the gateway's load is not increased and its running speed is improved.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
FIG. 1 is a flow chart of the operation of the present invention;
fig. 2 is a system configuration diagram of the present invention.
Detailed Description
The present invention is further described in detail below with reference to the attached drawings so that those skilled in the art can implement the invention by referring to the description text.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In a first aspect, as shown in fig. 1, a method for managing information communication security access includes:
s101, intercepting an access request sent by a user terminal to a server, and verifying the authority of the user terminal;
s102, after verifying that the user terminal has the access right, extracting the address information of the user terminal, and sending the address information and the space request to a server, wherein the server sets a virtual space for mapping the address;
and S103, intercepting data sent by the user terminal to the server, analyzing and processing the data, and sending the data to the mapped virtual space.
The management method is executed by a gateway, which is connected to the user terminal and the server over a network. The gateway can be a computer connected to the external user terminals through an optical fibre transceiver and to the server through the internal network.
In step S101, the user terminal runs a client on a computer or an app on a mobile phone, and the user logs in through the terminal. After the user clicks log-in, the terminal sends an access request to the server, but all data enters the gateway first, so the gateway intercepts the access request. The gateway holds all user information and authenticates the user: if the user has no authority, a login failure is returned to the user; if the user has the authority, the process proceeds to step S102.
In step S102, after the user's right has been verified, the gateway sends the address information and a space request to the server. The address information is used for mapping: once the server has allocated a virtual space it no longer manages it, and the gateway communicates with the virtual space directly. The space request is the gateway's application for a virtual space; it carries the user's basic information, and the server establishes a corresponding virtual space according to that information and copies the user's previous information into it. The virtual space has its own processing and storage functions and can be used as a complete computer for storing and processing data.
In step S103, after the user has logged in successfully, the subsequent operation data is sent to the gateway piece by piece. The gateway filters the operation data so that data with attack characteristics is not sent on to the server, and then, according to the user's address information, sends the operation data directly to the mapped virtual space. No distribution by the server is needed, which speeds up processing.
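The three steps above as one runnable model, added here as an illustration; it is not code from the patent or from the applicant. Everything concrete is assumed: the gateway keeps its user store as a dict of username to (salt, SHA-256 digest), the server is an in-process object that answers a space request with a VirtualSpace it then stops managing, messages are dicts with "addr" and "kind" fields, and the names Gateway, Server, VirtualSpace and build_demo are mine. As on the page, the key that routes later traffic is the terminal's address; the example takes that binding as given. The filtering of operation data is left out of this block.

```python
import hashlib
import hmac
import itertools


class VirtualSpace:
    """Per-user space with its own storage and processing, mapped to one address."""

    def __init__(self, space_id, addr, user, previous_info):
        self.space_id = space_id
        self.addr = addr                      # the terminal address it is mapped to
        self.user = user
        self.storage = list(previous_info)    # the user's earlier information, copied in

    def process(self, op):
        # Independent processing: the space stores the op and answers on its own;
        # the server is not involved once the space exists.
        self.storage.append(op)
        return {"space": self.space_id, "op": op, "stored": len(self.storage)}


class Server:
    """Stand-in for the intranet server (assumed interface): it only answers
    the gateway's space request from S102."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.archive = {}                     # user -> information from earlier sessions

    def allocate_space(self, addr, user):
        space_id = f"space-{next(self._ids)}"
        return VirtualSpace(space_id, addr, user, self.archive.get(user, []))


class Gateway:
    def __init__(self, server, users):
        self.server = server
        self.users = users                    # user -> (salt, sha256 hex); assumed store
        self.mapping = {}                     # terminal address -> VirtualSpace

    @staticmethod
    def password_digest(password, salt):
        return hashlib.sha256((salt + password).encode()).hexdigest()

    def _verify(self, user, password):
        # Unknown users get a dummy record so the check costs the same either way.
        salt, digest = self.users.get(user, ("", "0" * 64))
        return hmac.compare_digest(self.password_digest(password, salt), digest)

    def handle(self, msg):
        """Every datagram from a terminal enters here first."""
        addr = msg["addr"]
        kind = msg.get("kind")
        if kind == "login":                   # S101: intercept the access request
            if not self._verify(msg["user"], msg["password"]):
                return {"status": "login_failed"}
            space = self.server.allocate_space(addr, msg["user"])   # S102
            self.mapping[addr] = space
            return {"status": "ok", "space": space.space_id}
        if kind == "op":                      # S103: forward to the mapped space
            space = self.mapping.get(addr)
            if space is None:
                return {"status": "no_session"}
            return {"status": "ok", "result": space.process(msg["op"])}
        return {"status": "rejected"}


def build_demo():
    """Constructed fixture: one user 'alice' with an archived previous session."""
    server = Server()
    server.archive["alice"] = ["report.docx opened in previous session"]
    salt = "4f2a"
    users = {"alice": (salt, Gateway.password_digest("correct horse", salt))}
    return Gateway(server, users)


if __name__ == "__main__":
    gw = build_demo()
    print(gw.handle({"addr": "10.0.0.5", "kind": "login",
                     "user": "alice", "password": "correct horse"}))
    print(gw.handle({"addr": "10.0.0.5", "kind": "op", "op": "open report.docx"}))
```

A terminal that has not logged in, or a second address that tries to reuse a mapped session, gets no_session rather than a space, which is the whole point of letting the gateway rather than the server hold the login state.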
The gateway can be used for software such as a secure desktop: after the user has been verified, a desktop-like view is opened on the user's computer or phone. That desktop is simulated in the virtual space, rendered into an image and sent through the gateway to the user for display. The user's operations on the computer or phone are collected immediately and sent to the gateway, which filters them and passes them to the virtual space; the virtual space simulates the operation, renders the image and returns it at once, so the user can operate the desktop-like view in real time.
Because the server can be connected to many user terminals, user login information is managed by the gateway. The server creates the virtual spaces, which are connected directly to the gateway, and the gateway contacts the virtual space directly once it has received the user's information, so the server has little to do and its workload is reduced.
The server has other functions that are not described in detail. For example, when a company OA system is used, a user on a secure desktop does not always work alone: while the virtual space simulates the desktop, some of the user's operation requests have to be passed to other virtual spaces, such as a subordinate's leave-request workflow. After the virtual space has handled the operation, it forwards the request to the host, which establishes a virtual space to process it. The server does not have to carry out the work generated by the user's desktop; it only has to interconnect the virtual spaces.
The gateway also keeps time while receiving data from the user terminal. When the set time is exceeded and no more data is received from the user terminal, it sends a release request to the server, and the server releases the mapped virtual space. This describes the gateway's behaviour: although a virtual space is mapped to a user, it does not exist permanently. When the user has sent no data for a while, the gateway asks the server to release the virtual space; the server cancels the virtual space mapped to that user's address information, releases it, and frees the resources for other user terminals.
When the server sets up a virtual space, it randomly selects resources to form it and then maps it to the user terminal's address. As described above, a virtual space is released when its user terminal is no longer active so that other terminals can use it; correspondingly, when the server establishes a virtual space, it randomly selects resources suited to the user terminal to form it. These resources include a storage module and a data-processing function module, and once allocated they serve only that user terminal. After the terminal has been inactive for a period the restriction is lifted and the resources are returned to the resource pool to be allocated to other user terminals.
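The two paragraphs above describe the lifecycle of a virtual space: random selection of a storage module and a processing module from a pool, mapping to the terminal address, an idle timer, and release back to the pool. The block below is an added example of that lifecycle, not the patent's own code. Assumptions of mine: the pool is a fixed set of module identifiers, each usable by one space at a time; the gateway's timer and the server's release are merged into one object (ResourcePool, touch, sweep_idle and the seed parameter are all mine); and, because the page does not say what happens to a released storage module's contents, the example wipes it before it can be handed to another terminal.

```python
import random


class ResourcePool:
    """Server-side pool from which virtual spaces are formed and released."""

    def __init__(self, storage_ids, proc_ids, idle_timeout, seed=None):
        self.free_storage = set(storage_ids)
        self.free_proc = set(proc_ids)
        self.storage_data = {sid: {} for sid in storage_ids}   # what each module holds
        self.idle_timeout = idle_timeout
        self.rng = random.Random(seed)      # seed only to make a demo reproducible
        self.spaces = {}                    # addr -> {"storage", "proc", "last_seen"}

    def allocate(self, addr, now):
        """Space request for a terminal address; returns the mapped space,
        or None when no modules are free."""
        if addr in self.spaces:             # already mapped: reuse, never double-allocate
            return self.spaces[addr]
        if not self.free_storage or not self.free_proc:
            return None
        # Random selection among the free modules, as the page describes.
        storage = self.rng.choice(sorted(self.free_storage))
        proc = self.rng.choice(sorted(self.free_proc))
        self.free_storage.remove(storage)
        self.free_proc.remove(proc)
        self.spaces[addr] = {"storage": storage, "proc": proc, "last_seen": now}
        return self.spaces[addr]

    def write(self, addr, key, value):
        """Data the mapped space stores on behalf of its terminal."""
        self.storage_data[self.spaces[addr]["storage"]][key] = value

    def touch(self, addr, now):
        """Called for every datagram the gateway forwards; resets the idle clock."""
        if addr not in self.spaces:
            return False
        self.spaces[addr]["last_seen"] = now
        return True

    def release(self, addr):
        """Release request: unmap the space and return its modules to the pool."""
        space = self.spaces.pop(addr, None)
        if space is None:
            return False
        # Not stated on the page: clear the storage module before reuse so the
        # previous terminal's data does not reach the next one.
        self.storage_data[space["storage"]].clear()
        self.free_storage.add(space["storage"])
        self.free_proc.add(space["proc"])
        return True

    def sweep_idle(self, now):
        """The idle timer: release every space whose terminal has been silent
        for longer than idle_timeout. Returns the released addresses."""
        expired = [a for a, s in self.spaces.items()
                   if now - s["last_seen"] > self.idle_timeout]
        for addr in expired:
            self.release(addr)
        return expired


if __name__ == "__main__":
    pool = ResourcePool(["st-a", "st-b"], ["cpu-1", "cpu-2", "cpu-3"], idle_timeout=60, seed=7)
    print(pool.allocate("10.0.0.5", now=100))
    print(pool.sweep_idle(now=200), pool.free_storage)
```

Times are plain numbers so the sweep can be driven deterministically; in a deployment the gateway would call touch on every forwarded datagram and run sweep_idle from a periodic timer.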
The gateway keeps a blacklist: when external data is received it first checks the data's address information, and if the address is on the blacklist the data is discarded. Some users may deliberately send offensive data; when a large amount of offensive data from a user is detected, the user's address information is added to the blacklist, and any data received from that client afterwards is discarded directly, so no resources are wasted analysing it and the gateway's work is not affected. Likewise, external unauthorised users who keep sending data can be added to the blacklist: the address is checked first, and the data is discarded when the address is on the list.
The gateway analyses all received data and filters out the offensive parts. Data from blacklisted users is discarded directly, while data from ordinary users has to be analysed and processed to filter out any attack it contains. A user may not know that the data they send is offensive, for example because their computer is infected with a virus; if the sent data carries the virus, the gateway can handle it.
When the gateway's analysis finds attack characteristics in received data, it also sends an alarm to the security administrator, for example through an external alarm device, so that the administrator knows which clients' data is problematic or that an outside party is attacking the server.
When the gateway receives data sent by a user terminal, it records the time of receipt. This makes it easy to compile statistics on user behaviour and keep a record of the data, which can serve as the basis for later investigation when problems occur.
In a second aspect, as shown in fig. 2, the information communication security access management system includes a data processing module, a data transceiver module, and a data storage module, where the data transceiver module is configured to receive information sent from outside or send information to outside, the data storage module is configured to store a computer program, and the data processing module is configured to execute the computer program to implement the information communication security access management method disclosed in the first aspect.
Based on the first aspect, the operating method of the information communication security access management system, which is the gateway described in the first aspect, is as follows: in operation, the data transceiver module receives data sent by the external user terminals and by the internal server, the data processing module processes the data, and the data storage module stores the operating program and some data.
If the user sends login information, the data transceiver module receives it and the data processing module looks up the user information in the data storage module; if the user information exists and matches, the user has login authority.
If the user sends operation information, the data transceiver module receives it, the data processing module analyses it to obtain the address information and filters out offensive data, and the information is forwarded through the data transceiver module to the mapped virtual space according to the address information.
When the virtual space has simulated the user's operation, it returns data; the returned data is received by the data transceiver module, checked, and forwarded to the mapped user terminal.
The whole system can be a computer loaded with the processing program, connected to the external user terminals through an optical fibre transceiver and to the server through an internal network cable.
In a third aspect, a storage medium has a computer program stored thereon, and the computer program, when executed by a processor, implements the information communication security access management method disclosed in the first aspect.
The gateway of the present invention can also be the program itself, stored on a storage medium such as a USB disk or an optical disc; when it is needed, the USB disk or optical disc is inserted into a computer and the program is run, which implements the functions of the first aspect.
While embodiments of the invention have been described above, it is not limited to the applications set forth in the description and the embodiments, which are fully applicable in various fields of endeavor to which the invention pertains, and further modifications may readily be made by those skilled in the art, it being understood that the invention is not limited to the details shown and described herein without departing from the general concept defined by the appended claims and their equivalents.

Claims (9)

1. An information communication security access management method, characterized by comprising the following steps:
intercepting an access request sent by a user terminal to a server, and verifying the authority of the user terminal;
after verifying that the user terminal has the access right, extracting the address information of the user terminal, sending the address information and a space request to the server, and having the server set up a virtual space mapped to that address;
intercepting data sent by the user terminal to the server, analysing and processing the data, and sending the data to the mapped virtual space.
2. The method of claim 1, further comprising: when no more data is received from the user terminal after a set time has elapsed, sending a release request to the server, whereupon the server releases the mapped virtual space.
3. The method according to claim 1 or 2, wherein, when the server sets up the virtual space, the server randomly selects resources to form the virtual space and then maps the virtual space to the address of the user terminal.
4. The method of claim 1, further comprising: keeping a blacklist; when external data is received, first checking the address information of the data, and discarding the data if its address is on the blacklist.
5. The method of claim 1, further comprising: analysing all received data and filtering out any offensive part of it.
6. The method of claim 5, further comprising: when analysis shows that received data has attack characteristics, also sending an alarm to the security administrator.
7. The method of claim 1, further comprising: when data sent by a user terminal is received, recording the time of receipt.
8. An information communication security access management system, characterized by comprising a data processing module, a data transceiver module and a data storage module, wherein the data transceiver module is used for receiving information sent from outside or sending information to the outside, the data storage module is used for storing a computer program, and the data processing module is used for executing the computer program to implement the information communication security access management method according to any one of claims 1 to 7.
9. A storage medium having stored thereon a computer program which, when executed by a processor, implements the information communication security access management method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011158706.2A CN112202922A (en) 2020-10-26 2020-10-26 Information communication safety access management method, system and storage medium

Publications (1)

Publication Number Publication Date
CN112202922A true CN112202922A (en) 2021-01-08

Family

ID=74011520

Country Status (1)

Country Link
CN (1) CN112202922A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338086A (en) * 2021-12-03 2022-04-12 浙江毫微米科技有限公司 Identity authentication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023033A (en) * 2014-06-24 2014-09-03 浪潮电子信息产业股份有限公司 Safety production method for cloud services
US20150012977A1 (en) * 2011-12-05 2015-01-08 Intellectual Discovery Co., Ltd. Method and apparatus for security in cloud computing service
CN105245606A (en) * 2015-10-22 2016-01-13 中国铁路总公司 Cloud office platform

Similar Documents

Publication Publication Date Title
US10621344B2 (en) System and method for providing network security to mobile devices
US11757835B2 (en) System and method for implementing content and network security inside a chip
US11652829B2 (en) System and method for providing data and device security between external and host devices
US10904293B2 (en) System and method for providing network and computer firewall protection with dynamic address isolation to a device
US10701104B2 (en) Agentless security of virtual machines using a network interface controller
EP2132643B1 (en) System and method for providing data and device security between external and host devices
EP2387746B1 (en) Methods and systems for securing and protecting repositories and directories
CN112202922A (en) Information communication safety access management method, system and storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-01-08