CN112437095A - Client-server communication interaction method across security zones - Google Patents
- Publication number: CN112437095A
- Application number: CN202011404912.7A
- Authority: CN (China)
- Prior art keywords: protocol, client, data, local, gateway service
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
- H04L69/08—Protocols for interworking; Protocol conversion
- H04L69/18—Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
- H04L69/22—Parsing or analysis of headers
Abstract
The invention relates to the technical field of communication and discloses a communication interaction method for a client and a server across a security zone. The method is based on a local protocol agent, a local side protocol gateway service and an opposite side protocol gateway service, and comprises the following steps: S1, the client obtains the requested data through the local protocol proxy service; S2, the requested data is converted into a protocol file stream and sent to the zone A protocol gateway service; S3, the zone A protocol gateway service receives the protocol file stream and transfers it to the isolation device. With this method the client achieves protocol independence through the local protocol proxy: the client can use any protocol to communicate with the local protocol proxy, the protocol file stream format can be transmitted and parsed through a buffer, so that neither all of the data nor a large amount of it needs to be read for reprocessing, and the concurrency and reliability of transmitting structured and unstructured data are improved.
Description
Technical Field
The invention relates to the technical field of communication, in particular to a client-server communication interaction method across a security zone.
Background
In the electric power secondary system, different secure working zones, such as the production zones (zone I and zone II) and the management zones (zone III and zone IV), are divided according to the importance of the different service systems. Each secure working zone has its own protection requirements and its own security and protection level. The forward and reverse isolation devices placed between the zones improve the security of the power communication network, but to some extent make communication between the zones inconvenient.
The existing schemes for crossing a security zone in the power system have certain defects. Under an isolation device the communication protocol between client and server is restricted: conventional TCP and UDP cannot be used, the communication cost between client and service is very high, and both the client and the service must implement the protocol. Under an isolation device the transmission and processing of big data are also restricted, so the requirement of processing big data in a high-concurrency scenario cannot be met.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a communication interaction method between a client and a server across a security zone. Its advantages are that the client achieves protocol independence through a local protocol agent, the client can use any protocol to communicate with the local protocol agent, the protocol file stream format can be transmitted and parsed through a buffer, neither all of the data nor a large amount of it needs to be read for reprocessing, and the concurrency and reliability of transmitting structured and unstructured data are improved. This solves the problems that the communication protocol between client and server is restricted, that conventional TCP and UDP cannot be used, that the communication cost between client and service is very high, that both sides must implement the protocol, that the transmission and processing of big data are restricted under an isolation device, and that the requirement of processing big data in a high-concurrency scenario cannot be met.
(II) Technical scheme
In order that the client can use any protocol to communicate with the local protocol proxy, that the protocol file stream format can be transmitted and parsed through a buffer, that neither all of the data nor a large amount of it needs to be read for reprocessing, and that the concurrency and reliability of transmitting structured and unstructured data are improved, the invention provides the following technical scheme. A communication interaction method between a client and a server across a security zone is based on a local protocol agent, a local side protocol gateway service and an opposite side protocol gateway service, and comprises the following steps:
S1. The client obtains the requested data through the local protocol proxy service;
S2. The requested data is converted into a protocol file stream and sent to the zone A protocol gateway service;
S3. The zone A protocol gateway service receives the protocol file stream and transfers it to the isolation device;
S4. After receiving the data from the isolation device, the zone B protocol gateway service parses the protocol file stream and processes it;
S5. The result of the zone B protocol gateway service's processing is converted into a protocol file stream and sent to the isolation device;
S6. After receiving the protocol file stream, the zone A protocol gateway service sends it to the client's local protocol proxy service;
S7. After receiving the file, the local protocol proxy service parses the data and returns it to the client.
Preferably, the client's request on its side of the security zone communicates with the remote server by means of the local protocol proxy, in the following specific steps:
S1. The local protocol agent listens on a local port and receives all the data sent by the client;
S2. The local protocol agent converts the received client data into a protocol file stream and sends it to the protocol gateway service;
S3. The local protocol agent receives the result data returned by the protocol gateway service, parses it and returns it to the client.
Preferably, the protocol file stream is used for parsing and transmitting files through a buffer.
Preferably, the equipment on which the protocol gateway service runs is a server.
Preferably, the interaction between the opposite side protocol gateway service and the server comprises the following specific steps:
S1. The local side protocol gateway service sends the client's information to the opposite side protocol gateway service through the forward isolation device;
S2. The opposite side protocol gateway service parses and processes the data of the protocol file stream after receiving it;
S3. The opposite side protocol gateway service converts the processing result into protocol file stream data and sends it to the local side protocol gateway service through the reverse isolation device.
(III) Advantageous effects
Compared with the prior art, the client-server communication interaction method across a security zone provided by the invention has the following beneficial effects:
The method provides a local protocol agent, a local side protocol gateway service and an opposite side protocol gateway service. The local protocol agent listens on a local port, converts the data sent by the client into the protocol file stream format and sends it to the protocol gateway service, and at the same time returns the data received from the protocol gateway service to the client. The protocol gateway services then transmit and parse the data in protocol file stream form: the protocol gateway service on the client's local side forwards data between the client and the isolation device, and the opposite side protocol gateway service parses and processes the data and returns the result to the isolation device. In this process the protocol file stream improves the concurrency and reliability of transmitting structured and unstructured data. The client achieves protocol independence through the local protocol agent, since it can use any protocol to communicate with the local protocol proxy, and because the protocol file stream format is transmitted and parsed through a buffer, neither all of the data nor a large amount of it needs to be read for further processing; the concurrency and reliability of transmitting structured and unstructured data are thereby improved.
Drawings
FIG. 1 is a schematic diagram of the network environment to which the present invention is directed;
FIG. 2 is a schematic diagram of a client and a server in a high-level security zone according to the present invention;
FIG. 3 is a schematic diagram of information interaction across security zones in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1 to FIG. 3, a method for client-server communication interaction across security zones is based on a local protocol agent, a local side protocol gateway service and an opposite side protocol gateway service, and comprises the following steps:
S1. The client obtains the requested data through the local protocol proxy service;
S2. The requested data is converted into a protocol file stream and sent to the zone A protocol gateway service;
S3. The zone A protocol gateway service receives the protocol file stream and transfers it to the isolation device;
S4. After receiving the data from the isolation device, the zone B protocol gateway service parses the protocol file stream and processes it;
S5. The result of the zone B protocol gateway service's processing is converted into a protocol file stream and sent to the isolation device;
S6. After receiving the protocol file stream, the zone A protocol gateway service sends it to the client's local protocol proxy service;
S7. After receiving the file, the local protocol proxy service parses the data and returns it to the client.
The client's request on its side of the security zone communicates with the remote server by means of the local protocol proxy, in the following specific steps:
S1. The local protocol agent listens on a local port and receives all the data sent by the client;
S2. The local protocol agent converts the received client data into a protocol file stream and sends it to the protocol gateway service;
S3. The local protocol agent receives the result data returned by the protocol gateway service, parses it and returns it to the client.
The protocol file stream parses and transmits files through a buffer, which improves the concurrency and reliability of transmitting structured and unstructured data.
The equipment running the protocol gateway service is a server. A server has high-speed CPU computing capacity, operates reliably for long periods, has strong I/O throughput for external data and good expandability, which guarantees the reliability of the client-server communication interaction method across a security zone.
The interaction between the opposite side protocol gateway service and the server comprises the following specific steps:
S1. The local side protocol gateway service sends the client's information to the opposite side protocol gateway service through the forward isolation device;
S2. The opposite side protocol gateway service parses and processes the data of the protocol file stream after receiving it;
S3. The opposite side protocol gateway service converts the processing result into protocol file stream data and sends it to the local side protocol gateway service through the reverse isolation device.
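The end-to-end flow of steps S1 to S7, the local protocol proxy steps and the opposite side gateway exchange through the forward and reverse isolation devices, simulated in one runnable Python program. This is an added example, not code from the patent or its applicant. The patent does not define the protocol file stream format, so the frame layout (magic, 16-byte request id, payload length, SHA-256 digest, payload), the class and function names, the digest check and the modelling of each isolation device as a strictly one-directional drop are all assumptions. What it demonstrates is the property the text claims: the proxy and gateways never interpret the client's bytes, and the parser consumes the stream through a bounded buffer so that a large stream is neither loaded whole nor read a second time.

```python
import hashlib
import io
import struct
from collections import deque
from typing import Callable, Iterator, List, Tuple

# Assumed frame layout (the patent names no format):
#   magic(4) | request_id(16) | payload_len(4) | sha256(32) | payload
MAGIC = b"PFS1"
HEADER = struct.Struct("!4s16sI32s")

def encode_frame(request_id: bytes, payload: bytes) -> bytes:
    """Wrap opaque client bytes in one frame; the payload is never interpreted here."""
    return HEADER.pack(MAGIC, request_id, len(payload), hashlib.sha256(payload).digest()) + payload

def iter_frames(stream, buffer_size: int = 4096) -> Iterator[Tuple[bytes, bytes]]:
    """Parse frames through a bounded buffer: at most one frame is held in memory at a time."""
    buf, header = bytearray(), None
    while True:
        chunk = stream.read(buffer_size)
        buf += chunk
        while True:
            if header is None:
                if len(buf) < HEADER.size:
                    break
                magic, rid, length, digest = HEADER.unpack(bytes(buf[:HEADER.size]))
                if magic != MAGIC:
                    raise ValueError("not a protocol file stream")
                del buf[:HEADER.size]
                header = (rid, length, digest)
            rid, length, digest = header
            if len(buf) < length:
                break
            payload, header = bytes(buf[:length]), None
            del buf[:length]
            if hashlib.sha256(payload).digest() != digest:  # altered or corrupted in transit
                raise ValueError("digest mismatch in request " + rid.hex())
            yield rid, payload
        if not chunk:
            if buf or header is not None:
                raise ValueError("truncated frame at end of stream")
            return

def parse_stream(data: bytes, buffer_size: int = 4096) -> List[Tuple[bytes, bytes]]:
    """Parse a complete in-memory stream into (request_id, payload) pairs."""
    return list(iter_frames(io.BytesIO(data), buffer_size))

class OneWayIsolation:
    """Forward (A->B) or reverse (B->A) isolation device: accepts from one zone, releases to the other."""
    def __init__(self, src: str, dst: str):
        self.src, self.dst, self._queue = src, dst, deque()
    def submit(self, from_zone: str, stream: bytes) -> None:
        if from_zone != self.src:
            raise PermissionError(f"zone {from_zone} cannot write into {self.src}->{self.dst}")
        self._queue.append(stream)
    def release(self, to_zone: str) -> bytes:
        if to_zone != self.dst:
            raise PermissionError(f"zone {to_zone} cannot read from {self.src}->{self.dst}")
        return self._queue.popleft()

def peer_gateway_process(server_app: Callable[[bytes], bytes], stream: bytes) -> bytes:
    """Zone B (opposite side) gateway: parse, hand each payload to the server app, re-encode (S4, S5)."""
    return b"".join(encode_frame(rid, server_app(p)) for rid, p in parse_stream(stream))

class LocalGateway:
    """Zone A (local side) gateway wired to both isolation devices and the zone B gateway (S3, S6)."""
    def __init__(self, server_app: Callable[[bytes], bytes]):
        self.forward, self.reverse = OneWayIsolation("A", "B"), OneWayIsolation("B", "A")
        self.server_app = server_app
    def relay(self, stream: bytes) -> bytes:
        self.forward.submit("A", stream)                                           # S3: A -> forward device
        result = peer_gateway_process(self.server_app, self.forward.release("B"))  # S4: B receives, processes
        self.reverse.submit("B", result)                                           # S5: B -> reverse device
        return self.reverse.release("A")                                           # S6: A receives the reply

class LocalProtocolProxy:
    """Runs beside the client; request() stands in for the bytes read from the listened local port."""
    def __init__(self, gateway: LocalGateway):
        self.gateway, self._seq = gateway, 0
    def request(self, client_bytes: bytes) -> bytes:
        self._seq += 1
        rid = self._seq.to_bytes(16, "big")                          # S1: data from the client
        reply = self.gateway.relay(encode_frame(rid, client_bytes))  # S2: wrap, send to zone A gateway
        frames = parse_stream(reply)                                 # S7: parse, return to client
        if len(frames) != 1 or frames[0][0] != rid:
            raise ValueError("reply does not match the outstanding request")
        return frames[0][1]

def demo_server(payload: bytes) -> bytes:
    """Constructed stand-in for the zone B server application."""
    return b"ACK:" + payload.upper()

def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc (used by the integrity and direction checks)."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Two checks in this simulation are the ones worth keeping in a real deployment: the per-frame digest, which rejects a stream altered or corrupted in transit before the payload reaches the server application, and the direction check in OneWayIsolation, which is the property the physical forward and reverse devices provide and which any software stand-in must not weaken. The proxy also matches each reply to the request id it issued, so a stray or replayed reply stream is not handed back to the client.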
To sum up, when the client-server communication interaction method across a security zone is in use, the local protocol agent listens on a local port, converts the data sent by the client into the protocol file stream format and sends it to the protocol gateway service, and at the same time returns the data received from the protocol gateway service to the client. The protocol gateway services then transmit and parse the data in protocol file stream form: the protocol gateway service on the client's local side forwards data between the client and the isolation device, and the opposite side protocol gateway service parses and processes the data and returns the result to the isolation device. In this process the protocol file stream improves the concurrency and reliability of transmitting structured and unstructured data. The client achieves protocol independence through the local protocol agent, since it can communicate with the local protocol agent using any protocol, and because the protocol file stream format is transmitted and parsed through a buffer, neither all of the data nor a large amount of it needs to be read for reprocessing; the concurrency and reliability of transmitting structured and unstructured data are thereby improved.
It is to be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (5)
1. A client-side and server-side communication interaction method across security zones, characterized in that the method is based on a local protocol agent, a local side protocol gateway service and an opposite side protocol gateway service, and comprises the following specific steps:
S1. The client obtains the requested data through the local protocol proxy service;
S2. The requested data is converted into a protocol file stream and sent to the zone A protocol gateway service;
S3. The zone A protocol gateway service receives the protocol file stream and transfers it to the isolation device;
S4. After receiving the data from the isolation device, the zone B protocol gateway service parses the protocol file stream and processes it;
S5. The result of the zone B protocol gateway service's processing is converted into a protocol file stream and sent to the isolation device;
S6. After receiving the protocol file stream, the zone A protocol gateway service sends it to the client's local protocol proxy service;
S7. After receiving the file, the local protocol proxy service parses the data and returns it to the client.
2. The method for client-server communication interaction across secure zones as claimed in claim 1, wherein the client's request on its side of the security zone communicates with the remote server by means of the local protocol proxy, in the following specific steps:
S1. The local protocol agent listens on a local port and receives all the data sent by the client;
S2. The local protocol agent converts the received client data into a protocol file stream and sends it to the protocol gateway service;
S3. The local protocol agent receives the result data returned by the protocol gateway service, parses it and returns it to the client.
3. The method for client-server communication interaction across secure zones as claimed in claim 1, wherein the protocol file stream is used for parsing and transmitting files through a buffer.
4. The method for client-server communication interaction across secure zones as claimed in claim 1, wherein the protocol gateway service runs on a server.
5. The method for client-server communication interaction across secure zones as claimed in claim 1, wherein the interaction between the opposite side protocol gateway service and the server comprises the following specific steps:
S1. The local side protocol gateway service sends the client's information to the opposite side protocol gateway service through the forward isolation device;
S2. The opposite side protocol gateway service parses and processes the data of the protocol file stream after receiving it;
S3. The opposite side protocol gateway service converts the processing result into protocol file stream data and sends it to the local side protocol gateway service through the reverse isolation device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011404912.7A CN112437095A (en) | 2020-12-05 | 2020-12-05 | Client-server communication interaction method across security zones |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112437095A true CN112437095A (en) | 2021-03-02 |
Family ID: 74692598
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011404912.7A Pending CN112437095A (en) | 2020-12-05 | 2020-12-05 | Client-server communication interaction method across security zones |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112437095A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1921438A (en) * | 2006-09-15 | 2007-02-28 | 深圳市深信服电子科技有限公司 | Method for realizing acceleration between networks by using proxy |
CN208424434U (en) * | 2018-06-01 | 2019-01-22 | 中央军委后勤保障部信息中心 | A kind of net interval is from exchange system |
CN109756474A (en) * | 2018-11-23 | 2019-05-14 | 国电南瑞科技股份有限公司 | A kind of trans-regional call method of the service of electric power scheduling automatization system and device |
CN110213240A (en) * | 2019-05-09 | 2019-09-06 | 国电南瑞科技股份有限公司 | A kind of electric power dispatching system and its transregional service calling method of routing self-adaption |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115022013A (en) * | 2022-05-30 | 2022-09-06 | 上海博般数据技术有限公司 | Network data simulation device and method |
CN115022013B (en) * | 2022-05-30 | 2024-08-23 | 上海博般数据技术有限公司 | Network data simulation device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20210302 |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |