CN113381906A - Restrictive external network access test method based on government and enterprise system business - Google Patents
- Publication number: CN113381906A (application CN202110548186.4A)
- Authority: CN (China)
- Prior art keywords: data, access, internet, address, server
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
Abstract
The invention discloses a restrictive extranet access testing method based on government and enterprise system services, which comprises the following steps: collecting all externally accessed Internet IPs of the mobile applications needing external network access and configuring them into an IP table on a data proxy server; collecting the domain name addresses used by the mobile applications needing external network access and configuring a stub address for each domain name; the DNS server looks up the stub address according to the configuration; the android system initiates a connection to the stub address; the VPN gateway uniformly forwards the IP packets addressed to the stub address to the data proxy server, the IP table forwards them to a port on which the data proxy server listens, a connection is established to the Internet IP and port in the IP table, and data forwarding is performed; and the Internet server outputs data through the established channel, and the output data is returned to the mobile application. The invention isolates the production environment, avoids virus infection and thus ensures safety and reliability during testing.
Description
Technical Field
The invention relates to the technical field of software testing, in particular to a restrictive external network access testing method based on government and enterprise system services.
Background
Owing to the nature of the industry, the mobile office network of a government-enterprise system is a single, isolated network with high security requirements. The mobile office uses a mobile private network, and the applications used are customized for the mobile office. Users frequently want to use applications on the internet, such as maps and voice input methods, and an internet access agent system was developed for this purpose. Currently, because there is no effective test method for the internet access agent system, the users' requirement for product stability cannot be met.
Disclosure of Invention
The invention provides a restrictive extranet access testing method based on government and enterprise system services, aiming at the problem that the requirement of a user on product stability cannot be met due to the lack of an effective testing method for an internet access agent system.
In order to achieve the purpose, the invention adopts the following technical scheme:
a restrictive extranet access testing method based on government and enterprise system services comprises the following steps:
step 1, collecting all externally accessed Internet IPs of the mobile applications needing external network access, then allocating and building an IP table on the data proxy server and configuring the Internet IPs into it; collecting the domain name addresses used by the mobile applications needing external network access and configuring a stub address for each domain name; the attributes of each entry in the IP table comprise a domain name, an IP address, a port, a protocol, a stub address and a data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured by the VPN gateway;
step 3, the mobile application starts an internet connection, and the android system uses the DNS address configured by the secure client to request resolution from the DNS server;
step 4, the DNS server performs domain name resolution, looks up the stub address according to the configuration, and returns the stub address to the android system;
step 5, the android system initiates a connection to the stub address;
step 6, the VPN gateway uniformly forwards the IP packets addressed to the stub address to the data proxy server; the IP table on the data proxy server forwards the IP packet data to a port on which the data proxy server listens according to the configured forwarding rule, establishes a channel connection to the Internet IP and port configured in the IP table, and performs data forwarding;
step 7, the Internet server outputs data through the channel established in step 6, and the output data is returned to the mobile application, completing the test of the mobile application's restricted external network access.
Further, the step 1 comprises:
step 1-1, an external network application on the mobile phone terminal initiates a request;
step 1-2, the application SmartProxy on the mobile phone side intercepts all requests and sends them to the Http tunnel server on the PC side;
step 1-3, the Http tunnel server records a history of accesses;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the function of the external network application is available is judged, and if it is, the Internet IP of that request is taken as an Internet access address;
step 1-5, all Internet access addresses of the external network application are collected and configured into the IP table on the data proxy server.
Further, the step 6 comprises:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table is located on the data proxy front-end processor;
step 6-2, the IP table redirects the IP packet to the corresponding listening port of the data proxy front-end processor, and the data proxy front-end processor performs policy matching;
step 6-3, after the policy of the data proxy front-end processor is matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server as a proxy on behalf of the access request; the extranet server then responds according to the access request, and the response is returned to the mobile application along the established channel.
Compared with the prior art, the invention has the following beneficial effects:
the invention can meet the test requirement of the user on the external network access without modifying the application and installing any software on the terminal, thereby simplifying the test work. In addition, the test method of the invention isolates the production environment, avoids virus infection and further ensures the safety and reliability in the test process.
Drawings
FIG. 1 is a flow chart illustrating a method for limiting extranet access testing based on government and enterprise system services according to the present invention;
FIG. 2 is a diagram illustrating the system architecture for collecting extranet addresses in accordance with the present invention;
FIG. 3 is a flow chart of collecting extranet addresses according to the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
as shown in fig. 1, the method for testing restricted extranet access based on the government and enterprise system business of the present invention includes the following steps:
step 1, collecting all externally accessed Internet IPs of the mobile applications (apk) needing external network access, then allocating and building an IP table on the data proxy server and configuring the Internet IPs into it; collecting the domain name addresses used by the mobile applications needing external network access and configuring a stub address for each domain name; the attributes of each entry in the IP table comprise a domain name, an IP address, a port, a protocol, a stub address and a data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured by the VPN gateway;
step 3, the mobile application starts an internet connection, and the android system uses the DNS address configured by the secure client to request resolution from the DNS server;
step 4, the DNS server performs domain name resolution, looks up the stub address according to the configuration, and returns the stub address to the android system;
step 5, the android system initiates a connection to the stub address;
step 6, the VPN gateway uniformly forwards the IP packets addressed to the stub address to the data proxy server; the IP table on the data proxy server forwards the IP packet data to a port on which the data proxy server listens according to the configured forwarding rule, establishes a channel connection to the Internet IP and port configured in the IP table, and performs data forwarding;
step 7, the Internet server outputs data through the channel established in step 6, and the output data is returned to the mobile application, completing the test of the mobile application's restricted external network access.
In a specific embodiment, the preliminary preparation for the test is as follows:
the apk application to be used for extranet access is monitored, all its outbound access addresses are collected, and then an IP table (iptables) is assigned and built as appropriate, the table containing the columns as shown in table 1.
TABLE 1
Column name | Description of the columns |
Domain name | Application server domain names, such as: com |
IP address | Real public network IP address corresponding to domain name |
Port(s) | Real port number of application server |
Protocol | The transport protocol used by this port number: TCP or UDP |
Pile address | An IP address within the specified address field |
Data proxy port | Monitor port in data proxy port forwarding function |
The principle of collecting the extranet address is briefly described below in connection with fig. 2.
As shown in fig. 2, the application SmartProxy on the handset intercepts all network connections of all applications and sends the destination address, destination port and application package name of each connection to the http-tunnel-server on the PC.
The http-tunnel-server maintains a white list of destination address + port. If the request sent by SmartProxy is in the white list, the http-tunnel-server allows the connection to be established; if not, the connection is rejected and closed.
The http-tunnel-server records the last 1000 request messages sent by SmartProxy, each rejected by default. These request addresses can be viewed through the http-tunnel-server management interface and the required addresses added to the white list as needed. Once whitelisted, an address is accessible normally.
By repeatedly operating an application, the IP addresses it uses are added to the white list one by one while observing whether the application's function is available; finally all Internet access addresses of the application are obtained.
As shown in fig. 3, the step 1 specifically includes:
step 1-1, an external network application on the mobile phone terminal initiates a request;
step 1-2, the application SmartProxy on the mobile phone side intercepts all requests and sends them to the Http Tunnel Server on the PC side;
step 1-3, the Http Tunnel Server records the historical access records;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the function of the external network application is available is judged, and if it is, the Internet IP of that request is taken as an Internet access address;
step 1-5, all Internet access addresses of the external network application are collected and configured into the IP table on the data proxy server.
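The collection loop of steps 1-1 to 1-5 and the whitelist behaviour of the http-tunnel-server described with fig. 2, as an added Python model that is not part of the patent nor of the SmartProxy or http-tunnel-server tools it names. The server is reduced to the two properties the text gives it (a white list keyed by destination address and port, and a bounded, default-reject history of the last 1000 requests); the application is a constructed stand-in that contacts its dependencies in order and loses its function at the first rejected connection; all addresses are constructed documentation-range values.

```python
"""Added model of the extranet-address collection loop (steps 1-1 to 1-5).

Not the patent's code.  The real http-tunnel-server wire format and
management interface are not described on the page; this keeps only the
properties the text states: a white list of (destination address, port)
and a bounded history of the last 1000 requests, each rejected by default.
"""
from collections import deque
from dataclasses import dataclass, field

HISTORY_LIMIT = 1000  # the server records the last 1000 request messages


@dataclass(frozen=True)
class Request:
    """What SmartProxy reports for each intercepted connection (fig. 2)."""
    dst_addr: str
    dst_port: int
    package: str  # application package name


@dataclass
class HttpTunnelServer:
    whitelist: set = field(default_factory=set)
    history: deque = field(default_factory=lambda: deque(maxlen=HISTORY_LIMIT))

    def handle(self, req: Request) -> bool:
        """Allow the connection only when (addr, port) is whitelisted; log every decision."""
        allowed = (req.dst_addr, req.dst_port) in self.whitelist
        self.history.append((req, allowed))
        return allowed

    def rejected_endpoints(self):
        """Distinct (addr, port) pairs rejected in the history, in first-seen order.
        This is what the tester reads off the management interface before whitelisting."""
        seen = []
        for req, allowed in self.history:
            key = (req.dst_addr, req.dst_port)
            if not allowed and key not in seen:
                seen.append(key)
        return seen


def exercise_app(server: HttpTunnelServer, dependencies) -> bool:
    """Constructed stand-in for operating the application once (steps 1-1, 1-2).

    The app contacts its dependencies in order; its function is unavailable as
    soon as one connection is rejected, as is common when a required backend
    cannot be reached.
    """
    for req in dependencies:
        if not server.handle(req):
            return False
    return True


def collect_access_addresses(server, dependencies, max_rounds=50):
    """Steps 1-3 to 1-5: operate the app, whitelist what was rejected, and
    repeat until the function is available.  Returns the sorted Internet
    access addresses, i.e. the final white list."""
    for _ in range(max_rounds):
        if exercise_app(server, dependencies):
            return sorted(server.whitelist)
        for endpoint in server.rejected_endpoints():
            server.whitelist.add(endpoint)
    raise RuntimeError(f"function still unavailable after {max_rounds} rounds")


if __name__ == "__main__":
    # Constructed dependencies of a hypothetical map application (RFC 5737 addresses).
    deps = [
        Request("203.0.113.10", 443, "com.example.maps"),
        Request("203.0.113.20", 443, "com.example.maps"),
        Request("198.51.100.5", 8080, "com.example.maps"),
    ]
    srv = HttpTunnelServer()
    for addr, port in collect_access_addresses(srv, deps):
        print(f"{addr}:{port}")
```

Each round of the loop surfaces exactly one new rejected endpoint because the stand-in application stops at its first failed connection, which is why the text describes the addresses as being whitelisted "one by one"; the bounded history means addresses older than the last 1000 requests are no longer visible to the tester, so long test sessions should be reviewed before the window rolls over.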
Further, the step 6 specifically includes:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table (iptables) of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table is located on the data proxy front-end processor;
step 6-2, the iptables rules redirect the IP packet to the corresponding listening port of the data proxy front-end processor, and the data proxy front-end processor performs policy matching;
step 6-3, after the policy of the data proxy front-end processor is matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server as a proxy on behalf of the access request; the extranet server then responds according to the access request, and the response is returned to the mobile application along the established channel.
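Steps 3 to 7 above, the IP table columns of table 1, and the refinement in steps 6-1 to 6-4, as one added Python model that is not the patent's code. It carries the six columns of table 1 in each row, answers DNS queries with the row's stub address, emits the iptables REDIRECT rule the front-end processor needs per row (as text only; nothing is executed or sent), and performs the policy match that decides whether a redirected packet is handed to the back-end processor. The stub range 10.255.0.0/16, the listening ports and all addresses are constructed for the example.

```python
"""Added model of steps 3 to 7 and of the refinement in steps 6-1 to 6-4.

Not the patent's code.  The IP table carries the six columns of table 1;
the DNS server answers with the row's stub address; the front-end processor
needs one iptables REDIRECT rule per row (emitted as text, never run here);
and policy matching decides whether a redirected packet is forwarded to the
back-end processor.  Stub range, ports and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed "specified address field" from which stub addresses are taken.
STUB_RANGE = ipaddress.ip_network("10.255.0.0/16")


@dataclass(frozen=True)
class IpTableRow:
    domain: str           # application server domain name
    ip_address: str       # real public IP of the application server
    port: int             # real port on the application server
    protocol: str         # "TCP" or "UDP"
    stub_address: str     # address the DNS server hands to the phone
    data_proxy_port: int  # port the front-end processor listens on for this row


class IpTable:
    def __init__(self, rows):
        self.rows = list(rows)
        for r in self.rows:
            if r.protocol not in ("TCP", "UDP"):
                raise ValueError(f"{r.domain}: protocol must be TCP or UDP")
            if ipaddress.ip_address(r.stub_address) not in STUB_RANGE:
                raise ValueError(f"{r.domain}: stub {r.stub_address} outside {STUB_RANGE}")

    def resolve(self, domain: str) -> Optional[str]:
        """Step 4: the DNS server returns the configured stub, never the real IP.
        Unknown domains get no answer, so the phone has nothing to connect to."""
        for r in self.rows:
            if r.domain == domain:
                return r.stub_address
        return None

    def iptables_rules(self):
        """Steps 6-1/6-2: REDIRECT each stub:port to the front-end listening port."""
        return [
            f"iptables -t nat -A PREROUTING -p {r.protocol.lower()} -d {r.stub_address} "
            f"--dport {r.port} -j REDIRECT --to-ports {r.data_proxy_port}"
            for r in self.rows
        ]

    def redirect_port(self, stub, dport, protocol) -> Optional[int]:
        """Which listening port the REDIRECT rule sends this packet to, if any."""
        for r in self.rows:
            if (r.stub_address, r.port, r.protocol) == (stub, dport, protocol):
                return r.data_proxy_port
        return None

    def match_policy(self, listen_port, stub, dport, protocol) -> Optional[IpTableRow]:
        """Step 6-2: the front-end checks the listening port against the original
        destination before anything is forwarded."""
        for r in self.rows:
            if (r.data_proxy_port, r.stub_address, r.port, r.protocol) == (listen_port, stub, dport, protocol):
                return r
        return None


def forward_target(table, listen_port, stub, dport, protocol):
    """Steps 6-3/6-4: the (ip, port) the back-end processor connects to, or None."""
    row = table.match_policy(listen_port, stub, dport, protocol)
    return (row.ip_address, row.port) if row else None


def trace_connection(table, domain, dport, protocol):
    """Walk one connection through steps 3 to 6-4 and report each hop's decision."""
    stub = table.resolve(domain)
    listen_port = table.redirect_port(stub, dport, protocol) if stub else None
    target = forward_target(table, listen_port, stub, dport, protocol) if listen_port else None
    return {"stub": stub, "listen_port": listen_port, "target": target}


if __name__ == "__main__":
    table = IpTable([
        IpTableRow("map.example.com", "203.0.113.10", 443, "TCP", "10.255.0.1", 10443),
        IpTableRow("voice.example.com", "198.51.100.5", 5060, "UDP", "10.255.0.2", 15060),
    ])
    for rule in table.iptables_rules():
        print(rule)
    print(trace_connection(table, "map.example.com", 443, "TCP"))
    print(trace_connection(table, "map.example.com", 80, "TCP"))     # port not in table: dropped
    print(trace_connection(table, "other.example.net", 443, "TCP"))  # domain not in table
```

The restrictive property of the method shows up as three independent checks that all have to pass: a domain absent from the table gets no stub address, a stub:port pair without a row matches no REDIRECT rule, and a packet that reaches a listening port but does not match that port's policy is not handed to the back-end processor. The constructor's range check enforces the table 1 requirement that stub addresses lie within the specified address field.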
Specifically, the present invention configures the corresponding system or hardware according to the contents of table 2.
TABLE 2
In conclusion, the invention can meet the test requirement of the user on the access of the external network without modifying the application and installing any software on the terminal, thereby simplifying the test work. In addition, the test method of the invention isolates the production environment, avoids virus infection and further ensures the safety and reliability in the test process.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.
Claims (3)
1. A restricted extranet access testing method based on government and enterprise system services is characterized by comprising the following steps:
step 1, collecting all externally accessed Internet IPs of the mobile applications needing external network access, then allocating and building an IP table on the data proxy server and configuring the Internet IPs into it; collecting the domain name addresses used by the mobile applications needing external network access and configuring a stub address for each domain name; the attributes of each entry in the IP table comprise a domain name, an IP address, a port, a protocol, a stub address and a data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured by the VPN gateway;
step 3, the mobile application starts an internet connection, and the android system uses the DNS address configured by the secure client to request resolution from the DNS server;
step 4, the DNS server performs domain name resolution, looks up the stub address according to the configuration, and returns the stub address to the android system;
step 5, the android system initiates a connection to the stub address;
step 6, the VPN gateway uniformly forwards the IP packets addressed to the stub address to the data proxy server; the IP table on the data proxy server forwards the IP packet data to a port on which the data proxy server listens according to the configured forwarding rule, establishes a channel connection to the Internet IP and port configured in the IP table, and performs data forwarding;
step 7, the Internet server outputs data through the channel established in step 6, and the output data is returned to the mobile application, completing the test of the mobile application's restricted external network access.
2. The method for testing restricted extranet access based on government-enterprise system services according to claim 1, wherein the step 1 comprises:
step 1-1, an external network application on the mobile phone terminal initiates a request;
step 1-2, the application SmartProxy on the mobile phone side intercepts all requests and sends them to the Http tunnel server on the PC side;
step 1-3, the Http tunnel server records a history of accesses;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the function of the external network application is available is judged, and if it is, the Internet IP of that request is taken as an Internet access address;
step 1-5, all Internet access addresses of the external network application are collected and configured into the IP table on the data proxy server.
3. The method for testing restricted extranet access based on government-enterprise system services according to claim 1, wherein the step 6 comprises:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table is located on the data proxy front-end processor;
step 6-2, the IP table redirects the IP packet to the corresponding listening port of the data proxy front-end processor, and the data proxy front-end processor performs policy matching;
step 6-3, after the policy of the data proxy front-end processor is matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server as a proxy on behalf of the access request; the extranet server then responds according to the access request, and the response is returned to the mobile application along the established channel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110548186.4A CN113381906B (en) | 2021-05-19 | 2021-05-19 | Restrictive external network access test method based on government and enterprise system business |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110548186.4A CN113381906B (en) | 2021-05-19 | 2021-05-19 | Restrictive external network access test method based on government and enterprise system business |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113381906A true CN113381906A (en) | 2021-09-10 |
CN113381906B CN113381906B (en) | 2022-03-25 |
Family
ID=77571381
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110548186.4A Active CN113381906B (en) | 2021-05-19 | 2021-05-19 | Restrictive external network access test method based on government and enterprise system business |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113381906B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114095283A (en) * | 2022-01-24 | 2022-02-25 | 天津市职业大学 | Security gateway protection system access control method and system |
CN114115919A (en) * | 2021-12-02 | 2022-03-01 | 四川虹美智能科技有限公司 | Communication address switching system and method |
CN114944992A (en) * | 2022-07-26 | 2022-08-26 | 南京赛宁信息技术有限公司 | Active defense gateway configuration detection method, device and system |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5796953A (en) * | 1996-06-21 | 1998-08-18 | Mci Communications Corporation | System having user terminal connecting to a remote test system via the internet for remotely testing communication network |
CN1700682A (en) * | 2004-05-21 | 2005-11-23 | 迈普(四川)通信技术有限公司 | Virtual domain name resolution proxy method and system |
CN101674268A (en) * | 2009-09-25 | 2010-03-17 | 中兴通讯股份有限公司 | Internet access control device and method and gateway thereof |
US20110173339A1 (en) * | 2010-01-14 | 2011-07-14 | Sangfor Technologies Company Limited | network service access method and access gateway equipment |
WO2013135124A1 (en) * | 2012-03-13 | 2013-09-19 | 华为技术有限公司 | Discovery method, device and system for application-layer traffic optimization server |
CN104410685A (en) * | 2014-11-23 | 2015-03-11 | 国云科技股份有限公司 | Method allowing extranet to gain access to web application through intranet |
CN106101300A (en) * | 2016-06-22 | 2016-11-09 | 东方有线网络有限公司 | The method controlling to access self-built server by private domain name system |
CN106790764A (en) * | 2017-01-24 | 2017-05-31 | 广州捷轻信息技术有限公司 | A kind of method and system based on outer net port locations IP address of internal network |
CN109587135A (en) * | 2018-12-04 | 2019-04-05 | 国网辽宁省电力有限公司大连供电公司 | Service interaction plateform system based on tertiary-structure network |
CN110602149A (en) * | 2019-10-11 | 2019-12-20 | 北京字节跳动网络技术有限公司 | External network access method, system, shunt server and internal network equipment |
CN111092863A (en) * | 2019-11-29 | 2020-05-01 | 视联动力信息技术股份有限公司 | Method, client, server, device and medium for accessing internet website |
- 2021-05-19 CN CN202110548186.4A patent/CN113381906B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5796953A (en) * | 1996-06-21 | 1998-08-18 | Mci Communications Corporation | System having user terminal connecting to a remote test system via the internet for remotely testing communication network |
CN1700682A (en) * | 2004-05-21 | 2005-11-23 | 迈普(四川)通信技术有限公司 | Virtual domain name resolution proxy method and system |
CN101674268A (en) * | 2009-09-25 | 2010-03-17 | 中兴通讯股份有限公司 | Internet access control device and method and gateway thereof |
WO2010145309A1 (en) * | 2009-09-25 | 2010-12-23 | 中兴通讯股份有限公司 | Internet access control apparatus, method and gateway thereof |
US20110173339A1 (en) * | 2010-01-14 | 2011-07-14 | Sangfor Technologies Company Limited | network service access method and access gateway equipment |
WO2013135124A1 (en) * | 2012-03-13 | 2013-09-19 | 华为技术有限公司 | Discovery method, device and system for application-layer traffic optimization server |
CN104410685A (en) * | 2014-11-23 | 2015-03-11 | 国云科技股份有限公司 | Method allowing extranet to gain access to web application through intranet |
CN106101300A (en) * | 2016-06-22 | 2016-11-09 | 东方有线网络有限公司 | The method controlling to access self-built server by private domain name system |
CN106790764A (en) * | 2017-01-24 | 2017-05-31 | 广州捷轻信息技术有限公司 | A kind of method and system based on outer net port locations IP address of internal network |
CN109587135A (en) * | 2018-12-04 | 2019-04-05 | 国网辽宁省电力有限公司大连供电公司 | Service interaction plateform system based on tertiary-structure network |
CN110602149A (en) * | 2019-10-11 | 2019-12-20 | 北京字节跳动网络技术有限公司 | External network access method, system, shunt server and internal network equipment |
CN111092863A (en) * | 2019-11-29 | 2020-05-01 | 视联动力信息技术股份有限公司 | Method, client, server, device and medium for accessing internet website |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114115919A (en) * | 2021-12-02 | 2022-03-01 | 四川虹美智能科技有限公司 | Communication address switching system and method |
CN114115919B (en) * | 2021-12-02 | 2023-10-31 | 四川虹美智能科技有限公司 | Communication address switching system and method |
CN114095283A (en) * | 2022-01-24 | 2022-02-25 | 天津市职业大学 | Security gateway protection system access control method and system |
CN114944992A (en) * | 2022-07-26 | 2022-08-26 | 南京赛宁信息技术有限公司 | Active defense gateway configuration detection method, device and system |
CN114944992B (en) * | 2022-07-26 | 2022-10-18 | 南京赛宁信息技术有限公司 | Active defense gateway configuration detection method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN113381906B (en) | 2022-03-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113381906B (en) | Restrictive external network access test method based on government and enterprise system business | |
US9712493B2 (en) | System and method to associate a private user identity with a public user identity | |
CN102843391B (en) | A kind of method for sending information and gateway | |
US8892778B2 (en) | Method and systems for securing remote access to private networks | |
AU2020202148A1 (en) | Rule-based network-threat detection | |
US20100138559A1 (en) | Systems and methods for direction of communication traffic | |
AU2009304186B2 (en) | NAT traversal method and apparatus | |
US8914510B2 (en) | Methods, systems, and computer program products for enhancing internet security for network subscribers | |
CN108989420A (en) | The method and system of registration service, the method and system for calling service | |
US8861503B2 (en) | Method and system for synchronizing data between mobile terminal and internet phone | |
CN104756462B (en) | For carrying out the method and system of TCP TURN operation after restricted firewall | |
CN115190107B (en) | Multi-subsystem management method based on extensive domain name, management terminal and readable storage medium | |
Martsola et al. | Machine to machine communication in cellular networks | |
Al-Azzawi | Towards the security analysis of the five most prominent IPv4aaS technologies | |
US7457884B2 (en) | Network environment notifying method, network environment notifying system, and program | |
CN114338597A (en) | Network access method and device | |
Al-Azzawi | Plans for the security analysis of IPv4aaS technologies | |
CN111371915B (en) | IP address list maintenance method and device and gateway equipment | |
RU2690752C1 (en) | Method, apparatus, computer-readable information media and a system for building connections between a client and a destination device or terminal | |
CN115442328A (en) | Network address conversion method, device, gateway, medium and equipment | |
UA148416U (en) | METHOD OF IDENTIFICATION OF ONLINE USER IN MOBILE NETWORK ON TARGET WEBSITES | |
CN115914046A (en) | VoIP gateway identification method, apparatus, device and storage medium | |
CN111200652A (en) | Application identification method, application identification device and computing equipment | |
JP2013235541A (en) | Web system | |
EP2680626A1 (en) | System and method for establishing a distributed social network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||