CN113381906A - Restrictive external network access test method based on government and enterprise system business - Google Patents


Info

Publication number: CN113381906A
Application number: CN202110548186.4A
Authority: CN (China)
Prior art keywords: data, access, internet, address, server
Priority date / filing date: 2021-05-19
Publication date: 2021-09-10
Legal status: Granted; Active
Other languages: Chinese (zh)
Other versions: CN113381906B (en)
Inventors: 张静泽, 武宗品, 韩金池, 周小欠, 荆豪明
Current assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Original assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Application filed by Zhengzhou Xinda Jiean Information Technology Co Ltd
Priority to CN202110548186.4A
Publication of CN113381906A
Application granted
Publication of CN113381906B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0272 Virtual private networks
    • H04L63/0281 Proxies

Abstract

The invention discloses a restrictive extranet access testing method based on government and enterprise system services, which comprises the following steps: collecting all external Internet IPs accessed by the mobile applications that need external network access, and configuring these IPs into an IP table on a data proxy server; collecting the domain names used by those mobile applications, and configuring a stub address for each domain name; the DNS server looks up the stub address according to its configuration; the Android system initiates a connection to the stub address; the VPN gateway forwards every IP packet addressed to a stub address to the data proxy server, where the IP table forwards it to a port the data proxy server listens on, a connection is established to the Internet IP and port recorded in the IP table, and data forwarding is performed; and the Internet server returns its output over the established channel, and the output is returned to the mobile application. The invention isolates the production environment, avoids virus infection, and thereby ensures safety and reliability during the test process.

Description

Restrictive external network access test method based on government and enterprise system business
Technical Field
The invention relates to the technical field of software testing, in particular to a restrictive external network access testing method based on government and enterprise system services.
Background
Owing to the nature of the industry, the mobile office network of a government or enterprise system is a single, isolated network with high security requirements. Mobile office work uses a mobile private network, and the applications used are customized for that mobile office. Users often also want to use applications from the internet, such as maps or voice input methods, and an internet access proxy system was developed for this purpose; however, because there is currently no effective test method for the internet access proxy system, users' requirements for product stability cannot be met.
Disclosure of Invention
The invention provides a restrictive extranet access testing method based on government and enterprise system services, aiming at the problem that the requirement of a user on product stability cannot be met due to the lack of an effective testing method for an internet access agent system.
In order to achieve the purpose, the invention adopts the following technical scheme:
a restrictive extranet access testing method based on government and enterprise system services comprises the following steps:
step 1, collecting all external Internet IPs accessed by the mobile applications that need external network access, then allocating and building an IP table on the data proxy server and configuring those Internet IPs into it; collecting the domain names used by those mobile applications and configuring a stub address for each domain name; each entry in the IP table has the attributes domain name, IP address, port, protocol, stub address and data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured on the VPN gateway;
step 3, the mobile application initiates an internet connection, and the Android system requests resolution from the DNS server using the DNS address configured by the secure client;
step 4, the DNS server performs domain name resolution, looks up the stub address according to its configuration, and returns the stub address to the Android system;
step 5, the Android system initiates a connection to the stub address;
step 6, the VPN gateway forwards every IP packet addressed to a stub address to the data proxy server; the IP table on the data proxy server forwards the packet to the port the data proxy server listens on according to the configured forwarding rule, establishes a channel to the Internet IP and port configured in the IP table, and forwards the data;
step 7, the Internet server returns its output over the channel established in step 6, and the output is returned to the mobile application, completing the restricted extranet access test of the mobile application.
Further, the step 1 comprises:
step 1-1, an extranet application on the mobile phone terminal initiates a request;
step 1-2, the SmartProxy application on the phone side intercepts all requests and sends them to the Http tunnel server on the PC side;
step 1-3, the Http tunnel server records a history of access records;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the extranet application's function is available is judged, and if it is, that request's Internet IP is taken as an Internet access address;
step 1-5, all Internet access addresses of the extranet application are collected and configured into the IP table on the data proxy server.
Further, the step 6 comprises:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table resides on the front-end processor;
step 6-2, the IP table redirects the IP packet to the corresponding listening port of the data proxy front-end processor, which performs policy matching;
step 6-3, once the front-end processor's policy has matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server on behalf of the access request; the extranet server responds to the request, and the response is returned to the mobile application along the established channel.
Compared with the prior art, the invention has the following beneficial effects:
The invention meets users' requirements for testing external network access without modifying the application or installing any software on the terminal, which simplifies the test work. In addition, the test method of the invention isolates the production environment and avoids virus infection, thereby ensuring safety and reliability during the test process.
Drawings
FIG. 1 is a flow chart illustrating a method for limiting extranet access testing based on government and enterprise system services according to the present invention;
FIG. 2 is a diagram illustrating the system architecture for collecting extranet addresses in accordance with the present invention;
FIG. 3 is a flow chart of the extranet address collection of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
as shown in fig. 1, the method for testing restricted extranet access based on the government and enterprise system business of the present invention includes the following steps:
step 1, collecting all external Internet IPs accessed by the mobile application (apk) that needs external network access, then allocating and building an IP table on the data proxy server and configuring those Internet IPs into it; collecting the domain names used by the mobile applications that need external network access and configuring a stub address for each domain name; each entry in the IP table has the attributes domain name, IP address, port, protocol, stub address and data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured on the VPN gateway;
step 3, the mobile application initiates an internet connection, and the Android system requests resolution from the DNS server using the DNS address configured by the secure client;
step 4, the DNS server performs domain name resolution, looks up the stub address according to its configuration, and returns the stub address to the Android system;
step 5, the Android system initiates a connection to the stub address;
step 6, the VPN gateway forwards every IP packet addressed to a stub address to the data proxy server; the IP table on the data proxy server forwards the packet to the port the data proxy server listens on according to the configured forwarding rule, establishes a channel to the Internet IP and port configured in the IP table, and forwards the data;
step 7, the Internet server returns its output over the channel established in step 6, and the output is returned to the mobile application, completing the restricted extranet access test of the mobile application.
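The following is an added example, not code from the patent or its assignee, that models steps 1 to 7 above as a small Python program: an IP table with the six attributes of step 1, the DNS stub lookup of step 4, the VPN gateway's stub-range routing rule of step 6, the redirect from stub address and port to the data proxy's listening port, and the front-end policy match that yields the real Internet IP and port. Every domain, address, port and the stub range are constructed for illustration; the redirect is rendered as iptables nat REDIRECT rule strings (the page names iptables but does not give its rule form, so that form is an assumption here) and is not applied to any host. The point a tester can check with it is the default-deny behaviour: an unlisted domain gets no stub address, and a listed stub with an unlisted port fails policy matching, so the application under test can only reach what the IP table permits.

```python
"""Added example (not the patent's own code): a model of the restricted-access
test path in steps 1-7. All names, addresses and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpTableEntry:
    """One row of the IP table: the real target, the stub address the DNS server
    hands out for the domain, and the local port the data proxy listens on."""
    domain: str
    ip: str
    port: int
    protocol: str    # "TCP" or "UDP"
    stub: str        # stub address inside the VPN-routed range
    proxy_port: int  # data proxy listening port


STUB_PREFIX = "10.255.0."  # constructed stub address range routed to the data proxy

# Constructed IP table for a map application and a voice-input application.
IP_TABLE = (
    IpTableEntry("maps.example.com", "203.0.113.10", 443, "TCP", "10.255.0.1", 20001),
    IpTableEntry("tiles.example.com", "203.0.113.20", 443, "TCP", "10.255.0.2", 20002),
    IpTableEntry("voice.example.net", "198.51.100.5", 8080, "UDP", "10.255.0.3", 20003),
)


def dns_stub_lookup(table, domain):
    """Step 4: the DNS server answers a configured domain with its stub address.
    An unlisted domain gets no answer, so the app cannot reach anything off-list."""
    for e in table:
        if e.domain == domain:
            return e.stub
    return None


def vpn_routes_to_proxy(dst_ip):
    """Step 6: the VPN gateway's routing rule sends the whole stub range to the data proxy."""
    return dst_ip.startswith(STUB_PREFIX)


def iptables_redirect_rules(table):
    """Steps 6-1/6-2: one nat REDIRECT per row, mapping stub:port to the listening port.
    Rendered as strings only; this example never applies them."""
    return [
        f"iptables -t nat -A PREROUTING -d {e.stub} -p {e.protocol.lower()} "
        f"--dport {e.port} -j REDIRECT --to-ports {e.proxy_port}"
        for e in table
    ]


def proxy_policy_match(table, stub, port, protocol):
    """Steps 6-2/6-3: the front-end processor matches the redirected packet against
    the table and hands the real target to the back-end processor, or rejects it."""
    for e in table:
        if (e.stub, e.port, e.protocol) == (stub, port, protocol):
            return (e.ip, e.port)
    return None


def simulate_connection(table, domain, port, protocol):
    """Steps 3-7 end to end; returns a dict saying where the connection ended up."""
    stub = dns_stub_lookup(table, domain)
    if stub is None:
        return {"stage": "dns", "result": "no stub configured, connection refused"}
    if not vpn_routes_to_proxy(stub):
        return {"stage": "vpn", "result": "not in stub range, dropped by routing rule"}
    target = proxy_policy_match(table, stub, port, protocol)
    if target is None:
        return {"stage": "proxy", "result": "no policy match, rejected"}
    return {"stage": "extranet", "stub": stub, "target": target,
            "result": "channel established, response returned to app"}


if __name__ == "__main__":
    for rule in iptables_redirect_rules(IP_TABLE):
        print(rule)
    print(simulate_connection(IP_TABLE, "maps.example.com", 443, "TCP"))   # reaches 203.0.113.10:443
    print(simulate_connection(IP_TABLE, "maps.example.com", 80, "TCP"))    # rejected at the proxy
    print(simulate_connection(IP_TABLE, "tracker.example.org", 443, "TCP"))  # refused at DNS
```

The model keys the policy match on stub address, port and protocol together, so two rows may share a stub address for one domain that uses several ports, and a row for TCP does not let UDP through on the same port.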
In a specific embodiment, the preliminary preparation for the test is as follows:
the apk application to be used for extranet access is monitored, all its outbound access addresses are collected, and then an IP table (iptables) is assigned and built as appropriate, the table containing the columns as shown in table 1.
TABLE 1
Column name Description of the columns
Domain name Application server domain names, such as: com
IP address Real public network IP address corresponding to domain name
Port(s) Real port number of application server
Protocol The transport protocol used by this port number: TCP or UDP
Pile address An IP address within the specified address field
Data proxy port Monitor port in data proxy port forwarding function
The principle of collecting extranet addresses is briefly described below with reference to fig. 2.
As shown in fig. 2, the SmartProxy application on the handset intercepts all network connections of all applications and sends the destination address, destination port and application package name of each connection to the http-tunnel-server on the PC.
The http-tunnel-server maintains a white list of destination address + port. If a request sent by SmartProxy matches the white list, the http-tunnel-server allows the connection to be established; otherwise the connection is rejected and closed.
The http-tunnel-server records the last 1000 requests sent by SmartProxy; by default they are rejected. The list of requested addresses can be reviewed through the http-tunnel-server management interface and the chosen addresses added to the white list as needed. Once whitelisted, an address becomes accessible normally.
By repeatedly operating an application, adding the IP addresses it uses to the white list one by one and observing whether the application's functions become available, all of the application's Internet access addresses can eventually be collected.
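As an added example (not code from the patent, SmartProxy or http-tunnel-server), the Python below models the collection principle just described: a tunnel-server stand-in with a default-deny allowlist of (destination, port) pairs and a bounded history of the last 1000 requests, a management view of the rejected destinations, and the one-by-one allowlisting loop of steps 1-1 to 1-5. Operating the application and judging whether its functions work is replaced by a constructed `probe` function that reports which functions work for a given allowlist; the package names, addresses and the functions' dependencies are all constructed. The example also goes one step beyond the page: after the one-by-one pass it prunes any address whose removal breaks nothing, so a function that needs two destinations does not lose the first one (which changed nothing on its own) and a destination that was only waved through alongside a needed one is not kept. That pruning pass is this example's addition, not the patent's procedure.

```python
"""Added example (not the patent's or SmartProxy's own code): a model of the
http-tunnel-server allowlist and history and of the address-collection loop.
All addresses, package names and the probe are constructed."""
from collections import deque

HISTORY_SIZE = 1000  # the server keeps the last 1000 requests


class TunnelServerModel:
    """Allowlist of (destination, port) plus a bounded history of every request
    SmartProxy forwarded, with the verdict it received."""

    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)
        self.history = deque(maxlen=HISTORY_SIZE)

    def handle_request(self, dst_ip, dst_port, package):
        """Default deny: only allowlisted destination+port pairs are connected."""
        allowed = (dst_ip, dst_port) in self.allowlist
        self.history.append((dst_ip, dst_port, package, allowed))
        return allowed

    def rejected_addresses(self):
        """What the management interface shows: rejected destinations, unique, in first-seen order."""
        seen, out = set(), []
        for ip, port, _package, allowed in self.history:
            if not allowed and (ip, port) not in seen:
                seen.add((ip, port))
                out.append((ip, port))
        return out


def collect_access_addresses(server, probe):
    """Steps 1-4/1-5. `probe(allowlist)` stands in for operating the app and
    returns the frozenset of functions that work with that allowlist."""
    needed = []
    working = probe(server.allowlist)
    # Pass 1 (step 1-4): add each recorded destination in turn and watch the app.
    for addr in server.rejected_addresses():
        server.allowlist.add(addr)
        now = probe(server.allowlist)
        if now > working:          # a function became available: keep this address
            needed.append(addr)
            working = now
    # Pass 2 (added here, not in the patent): keep an address that changed nothing
    # on its own if removing it now breaks a function; drop everything else.
    for addr in server.rejected_addresses():
        if addr not in needed and probe(server.allowlist - {addr}) < working:
            needed.append(addr)
    server.allowlist = set(needed)   # step 1-5: only these go into the IP table
    return sorted(needed)


# Constructed stand-in for the application under test: the "map" function needs
# two destinations, "voice_input" needs one, and 192.0.2.99:80 is needed by nothing.
APP_NEEDS = {
    "map": {("203.0.113.10", 443), ("203.0.113.20", 443)},
    "voice_input": {("198.51.100.5", 443)},
}


def probe_app(allowlist):
    """Which constructed functions work when only `allowlist` is reachable."""
    return frozenset(f for f, deps in APP_NEEDS.items() if deps <= allowlist)


def run_collection():
    """Replay constructed SmartProxy traffic (all rejected by default), then collect."""
    server = TunnelServerModel()
    for ip, port in [("192.0.2.99", 80), ("203.0.113.10", 443),
                     ("198.51.100.5", 443), ("203.0.113.20", 443)]:
        server.handle_request(ip, port, "com.example.maps")
    return collect_access_addresses(server, probe_app)


if __name__ == "__main__":
    print(run_collection())  # the three needed destinations; 192.0.2.99:80 is left out
```

The history is a `deque(maxlen=1000)`, so once the bound is reached the oldest request is discarded; a collection run on a chatty application should therefore be done soon after the traffic is generated, before the entries of interest age out.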
As shown in fig. 3, step 1 specifically includes:
step 1-1, an extranet application on the mobile phone terminal initiates a request;
step 1-2, the SmartProxy application on the phone side intercepts all requests and sends them to the Http Tunnel Server on the PC side;
step 1-3, the Http Tunnel Server records the historical access records;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the extranet application's function is available is judged, and if it is, that request's Internet IP is taken as an Internet access address;
step 1-5, all Internet access addresses of the extranet application are collected and configured into the IP table on the data proxy server.
Further, step 6 specifically includes:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table (iptables) of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table resides on the front-end processor;
step 6-2, iptables redirects the IP packet to the corresponding listening port of the data proxy front-end processor, which performs policy matching;
step 6-3, once the front-end processor's policy has matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server on behalf of the access request; the extranet server responds to the request, and the response is returned to the mobile application along the established channel.
Specifically, the present invention configures the corresponding system or hardware according to the contents of table 2.
TABLE 2
[Table 2 appears on the original page only as an image (figure BDA0003074299200000051); its contents are not reproduced in the text.]
In conclusion, the invention can meet the test requirement of the user on the access of the external network without modifying the application and installing any software on the terminal, thereby simplifying the test work. In addition, the test method of the invention isolates the production environment, avoids virus infection and further ensures the safety and reliability in the test process.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (3)

1. A restricted extranet access testing method based on government and enterprise system services is characterized by comprising the following steps:
step 1, collecting all external Internet IPs accessed by the mobile applications that need external network access, then allocating and building an IP table on the data proxy server and configuring those Internet IPs into it; collecting the domain names used by those mobile applications and configuring a stub address for each domain name; each entry in the IP table has the attributes domain name, IP address, port, protocol, stub address and data proxy port;
step 2, the VPN client is started in tunnel mode and intercepts network packets according to the routing rule configured on the VPN gateway;
step 3, the mobile application initiates an internet connection, and the Android system requests resolution from the DNS server using the DNS address configured by the secure client;
step 4, the DNS server performs domain name resolution, looks up the stub address according to its configuration, and returns the stub address to the Android system;
step 5, the Android system initiates a connection to the stub address;
step 6, the VPN gateway forwards every IP packet addressed to a stub address to the data proxy server; the IP table on the data proxy server forwards the packet to the port the data proxy server listens on according to the configured forwarding rule, establishes a channel to the Internet IP and port configured in the IP table, and forwards the data;
step 7, the Internet server returns its output over the channel established in step 6, and the output is returned to the mobile application, completing the restricted extranet access test of the mobile application.
2. The method for testing restricted extranet access based on government-enterprise system services according to claim 1, wherein the step 1 comprises:
step 1-1, an extranet application on the mobile phone terminal initiates a request;
step 1-2, the SmartProxy application on the phone side intercepts all requests and sends them to the Http tunnel server on the PC side;
step 1-3, the Http tunnel server records a history of access records;
step 1-4, the Internet IP of each request is taken from the historical access records in turn and added to a white list one by one; whether the extranet application's function is available is judged, and if it is, that request's Internet IP is taken as an Internet access address;
step 1-5, all Internet access addresses of the extranet application are collected and configured into the IP table on the data proxy server.
3. The method for testing restricted extranet access based on government-enterprise system services according to claim 1, wherein the step 6 comprises:
step 6-1, the VPN gateway routes the IP packets addressed to the stub address to the IP table of the data proxy server; the data proxy server consists of a data proxy front-end processor and a data proxy back-end processor, and the IP table resides on the front-end processor;
step 6-2, the IP table redirects the IP packet to the corresponding listening port of the data proxy front-end processor, which performs policy matching;
step 6-3, once the front-end processor's policy has matched, the access request is forwarded to the data proxy back-end processor;
step 6-4, the data proxy back-end processor accesses the extranet server on behalf of the access request; the extranet server responds to the request, and the response is returned to the mobile application along the established channel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110548186.4A CN113381906B (en) 2021-05-19 2021-05-19 Restrictive external network access test method based on government and enterprise system business


Publications (2)

Publication Number Publication Date
CN113381906A true CN113381906A (en) 2021-09-10
CN113381906B CN113381906B (en) 2022-03-25

Family

ID=77571381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110548186.4A Active CN113381906B (en) 2021-05-19 2021-05-19 Restrictive external network access test method based on government and enterprise system business

Country Status (1)

Country Link
CN (1) CN113381906B (en)



Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5796953A (en) * 1996-06-21 1998-08-18 Mci Communications Corporation System having user terminal connecting to a remote test system via the internet for remotely testing communication network
CN1700682A (en) * 2004-05-21 2005-11-23 迈普(四川)通信技术有限公司 Virtual domain name resolution proxy method and system
CN101674268A (en) * 2009-09-25 2010-03-17 中兴通讯股份有限公司 Internet access control device and method and gateway thereof
WO2010145309A1 (en) * 2009-09-25 2010-12-23 中兴通讯股份有限公司 Internet access control apparatus, method and gateway thereof
US20110173339A1 (en) * 2010-01-14 2011-07-14 Sangfor Technologies Company Limited network service access method and access gateway equipment
WO2013135124A1 (en) * 2012-03-13 2013-09-19 华为技术有限公司 Discovery method, device and system for application-layer traffic optimization server
CN104410685A (en) * 2014-11-23 2015-03-11 国云科技股份有限公司 Method allowing extranet to gain access to web application through intranet
CN106101300A (en) * 2016-06-22 2016-11-09 东方有线网络有限公司 The method controlling to access self-built server by private domain name system
CN106790764A (en) * 2017-01-24 2017-05-31 广州捷轻信息技术有限公司 A kind of method and system based on outer net port locations IP address of internal network
CN109587135A (en) * 2018-12-04 2019-04-05 国网辽宁省电力有限公司大连供电公司 Service interaction plateform system based on tertiary-structure network
CN110602149A (en) * 2019-10-11 2019-12-20 北京字节跳动网络技术有限公司 External network access method, system, shunt server and internal network equipment
CN111092863A (en) * 2019-11-29 2020-05-01 视联动力信息技术股份有限公司 Method, client, server, device and medium for accessing internet website

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114115919A (en) * 2021-12-02 2022-03-01 四川虹美智能科技有限公司 Communication address switching system and method
CN114115919B (en) * 2021-12-02 2023-10-31 四川虹美智能科技有限公司 Communication address switching system and method
CN114095283A (en) * 2022-01-24 2022-02-25 天津市职业大学 Security gateway protection system access control method and system
CN114944992A (en) * 2022-07-26 2022-08-26 南京赛宁信息技术有限公司 Active defense gateway configuration detection method, device and system
CN114944992B (en) * 2022-07-26 2022-10-18 南京赛宁信息技术有限公司 Active defense gateway configuration detection method, device and system

Also Published As

Publication number Publication date
CN113381906B (en) 2022-03-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant