CN113472877A - Electric power data communication network system - Google Patents


Info

Publication number
CN113472877A
Authority
CN
China
Prior art keywords
dmz
unit
module
network
user terminal
Prior art date
Legal status
Pending
Application number
CN202110728495.XA
Other languages
Chinese (zh)
Inventor
陈琳
罗建国
林磊
徐惠
王婷婷
税洁
任婷
谢鸿燕
张询
黄媚
杨蕴琳
Current Assignee
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202110728495.XA
Publication of CN113472877A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/12  Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/02  Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272  Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a power data communication network system comprising an intranet module and an extranet module. The intranet module provides the services of an IDC unit to a user terminal that has passed the security verification of the extranet module, or to an intranet terminal. The extranet module performs security verification on a user terminal that requests connection to the intranet and connects the user terminal that passes security verification into the intranet module. The intranet module comprises a DMZ unit and an IDC unit; the DMZ unit and the IDC unit are isolated by a security isolation gateway, and when a user terminal that has passed security verification is connected into the intranet module, the DMZ unit can be connected with the IDC unit. The invention removes the restriction that the DMZ cannot reach the internal network, so that a portable intelligent service terminal in the external network zone can reach the DMZ zone through APN and VPN connections and access the background services of the IDC zone, thereby realizing functions such as electricity charge inquiry and payment, bill printing, and business expansion and change service transactions.

Description

Electric power data communication network system
Technical Field
The invention relates to the technical field of power data communication, in particular to a power data communication network system.
Background
For security reasons, a power grid company divides its network into different network domains, each with its own security policy. The portable intelligent service terminal supports high-speed networks such as 4G and WIFI and sits in the external network environment; to operate in external-network mode it mainly uses three network domains of the power grid: the public network zone, the DMZ (demilitarized zone) zone, and the IDC (Internet Data Center) zone. A specific port of the DMZ zone is opened to the public network, but from the DMZ zone the public network can only be reached for websites on the white list. Neither the external network nor the DMZ zone is allowed to access the IDC zone, whereas the IDC zone can access the DMZ zone. The power grid database may not be installed in the DMZ zone, only in the IDC zone, and some data interfaces for sensitive data can only be called from the IDC zone, so functions such as electricity charge inquiry and payment, bill printing, and business expansion and change service transactions cannot be realized. Therefore, a system is needed that removes the restriction on DMZ access to the internal network, so that the portable intelligent service terminal in the external network zone can reach the DMZ zone through APN and VPN connections and access the background services of the IDC zone, thereby realizing functions such as electricity charge inquiry and payment, bill printing, and business expansion and change transactions.
Disclosure of Invention
The invention aims to provide an electric power data communication network system that removes the restriction on DMZ access to the internal network, so that a portable intelligent service terminal in the external network zone can reach the DMZ zone through APN and VPN connections and access the background services of the IDC zone.
In one aspect, there is provided a power data communication network system, including:
the intranet module is used for providing services of the IDC unit for the user terminal or the intranet terminal which is subjected to the security verification of the extranet module;
the outer network module is used for carrying out security verification on the user terminal which requests to connect the inner network and connecting the user terminal which passes the security verification into the inner network module;
the internal network module comprises a DMZ unit and an IDC unit, the DMZ unit and the IDC unit are isolated through a safety isolation network gate, and when a user terminal passing safety verification is connected into the internal network module, the DMZ unit can be connected with the IDC unit.
Preferably, the extranet module is provided with a security firewall with VPN control, and is configured to perform user name validity authentication and authority validity authentication on a user terminal that requests connection to the intranet through the VPN, and to connect the authenticated user terminal into the intranet module.
Preferably, the DMZ unit is configured to filter the power grid service transaction request of the user terminal, and transmit the filtered power grid service transaction request to the server; and returning the processing result obtained from the server to the user terminal.
Preferably, the intranet module further includes a power grid service handling client, and the power grid service handling client is configured to obtain a power grid service handling request of the client terminal and send the power grid service handling request to the DMZ unit.
Preferably, the IDC unit includes a grid service handling server, and is configured to obtain the grid service handling request filtered by the DMZ unit, process the filtered self-service grid service handling request, and push the processing result to the DMZ unit.
Preferably, the DMZ unit further includes an extranet access agent module. The extranet access agent module comprises: an extranet access web component, used to filter static access out of the power grid service transaction request and send the filtered power grid service transaction request to the extranet access service handling front-end component; the extranet access service handling front-end component, used to assemble the filtered self-service power grid service handling requests into request objects, put the request objects into the DMZ data isolation area, obtain processing results from the DMZ data isolation area, and return result pages for the processing results to the power grid service handling client; and the DMZ data isolation area, used to isolate the data transmitted through the DMZ unit.
Preferably, the system further comprises a marketing center module, which communicates with the IDC unit through the DMZ unit and is used to handle the corresponding power grid service handling requests.
Preferably, the system further comprises a mobile application platform, which relays between the internal and external networks to provide a relay service for the service terminal, through which the data of the IDC unit is accessed.
In summary, the embodiment of the invention has the following beneficial effects:
the power data communication network system provided by the invention removes the restriction on DMZ access to the internal network, so that the portable intelligent service terminal in the external network zone can connect to the DMZ zone through APN and VPN and access the background services of the IDC zone, thereby realizing functions such as electricity charge inquiry and payment, bill printing, and business expansion and change service transactions. An internal/external network relay service is also realized, so that the service terminal can access the data in the IDC zone through the relay.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is within the scope of the present invention for those skilled in the art to obtain other drawings based on the drawings without inventive exercise.
Fig. 1 is a schematic diagram of an electric power data communication network system according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an extranet access agent module according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an embodiment of a power data communication network system according to the present invention. In this embodiment, the system comprises:
the intranet module, used to provide the services of the IDC unit to the user terminal that has passed the security verification of the extranet module, or to an intranet terminal; the intranet module comprises a DMZ unit and an IDC unit, the DMZ unit and the IDC unit are isolated by a security isolation gateway, and when a user terminal that has passed security verification is connected into the intranet module, the DMZ unit can be connected with the IDC unit. It can be understood that the power internal/external network security architecture comprises an external network zone (the extranet module) and an internal network zone (the intranet module); the internal network zone comprises a DMZ zone and an IDC zone; a security firewall with VPN control is placed between the external network zone and the DMZ zone, a user terminal in the external network zone can access the internal network zone through the VPN, and the DMZ zone and the IDC zone are isolated by a security isolation gateway; when an end user in the external network zone accesses the internal network through the VPN, authentication of both user name validity and authority validity must be carried out.
In a specific embodiment, the intranet module further includes a power grid service handling client, and the power grid service handling client is configured to obtain a power grid service handling request of the client terminal and send the power grid service handling request to the DMZ unit.
Specifically, the DMZ unit is configured to filter the power grid service transaction request acquired from the user terminal and transmit the filtered power grid service transaction request to the server, and to return the processing result obtained from the server to the user terminal. As shown in fig. 2, the DMZ unit further includes an extranet access agent module. The extranet access agent module comprises: an extranet access web component, used to filter static access out of the power grid service transaction request and send the filtered power grid service transaction request to the extranet access service handling front-end component; the extranet access service handling front-end component, used to assemble the filtered self-service power grid service handling requests into request objects, put the request objects into the DMZ data isolation area, obtain processing results from the DMZ data isolation area, and return result pages for the processing results to the power grid service handling client; and the DMZ data isolation area, used to isolate the data transmitted through the DMZ unit.
It can be understood that the extranet access web component filters static access in the power grid service transaction request, and sends the filtered power grid service transaction request to the extranet access service transaction front-end component; the extranet access service handling front-end component assembles the filtered self-service power grid service handling requests into request objects, and the request objects are placed in a DMZ data isolation area; the power grid service handling server side acquires the request object from the DMZ data isolation area, and pushes the processing result to the DMZ data isolation area after accessing the power grid service processing system according to the request object to obtain the processing result; the external network access service handling front-end component is used for acquiring a processing result from the DMZ data isolation area, forming a return page of the processing result and returning the return page of the processing result to the power grid service handling client; and the power grid business handling client displays the return page.
The IDC unit comprises a power grid service handling server, used to acquire the power grid service handling request filtered by the DMZ unit, process the filtered self-service power grid service handling request, and push the processing result to the DMZ unit. It can be understood that the grid service handling client acquires a grid service handling request and sends it to the DMZ zone; the power grid service transaction request is filtered in the DMZ zone; the power grid service handling server acquires the filtered request from the DMZ zone, accesses the power grid service processing system according to the filtered request to obtain a processing result, and pushes the processing result to the DMZ zone; the DMZ zone returns the processing result to the power grid service handling client; and the power grid service handling client displays the processing result.
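The request flow of figs. 1 and 2 (web component filters static access, front-end component assembles request objects into the DMZ data isolation area, IDC server pulls them and pushes results back), as an added example that is not part of the patent. All class names, the static-suffix list, the allowed service set and the sample database are constructed assumptions; the security-relevant property it models is that only the IDC side ever initiates contact with the isolation area.

```python
"""Added example (not from the patent): a minimal model of the DMZ data isolation
area. Hypothetical names throughout. The IDC side pulls from and pushes to the
isolation area; DMZ components only enqueue requests and read back results."""
from collections import deque
from dataclasses import dataclass
import itertools

# Static resources are answered in the DMZ and never forwarded (constructed list).
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".html")
# Service types the front-end component will assemble (the page's own use cases).
ALLOWED_SERVICES = {"charge_inquiry", "bill_print", "expansion_change"}


@dataclass
class RequestObject:
    request_id: int
    user: str
    service: str
    params: dict


class DmzDataIsolationArea:
    """Store-and-forward buffer: no code runs here, data only waits to be pulled."""
    def __init__(self):
        self._requests = deque()
        self._results = {}

    def put_request(self, req):            # DMZ side
        self._requests.append(req)

    def pull_request(self):                # IDC side only
        return self._requests.popleft() if self._requests else None

    def push_result(self, request_id, result):   # IDC side only
        self._results[request_id] = result

    def get_result(self, request_id):      # DMZ side
        return self._results.pop(request_id, None)


class ExtranetAccessWebComponent:
    """Drops static access; only business transaction requests go further."""
    def filter(self, raw):
        if raw["path"].lower().endswith(STATIC_SUFFIXES):
            return None
        return raw


class ExtranetAccessFrontEnd:
    def __init__(self, area):
        self.area = area
        self._ids = itertools.count(1)

    def submit(self, raw):
        svc = raw.get("service")
        if svc not in ALLOWED_SERVICES:    # unknown request types never reach the IDC
            raise ValueError(f"service not allowed through DMZ: {svc}")
        req = RequestObject(next(self._ids), raw["user"], svc, dict(raw.get("params", {})))
        self.area.put_request(req)
        return req.request_id

    def render(self, request_id):
        res = self.area.get_result(request_id)
        return None if res is None else f"<page>{res}</page>"


class GridServiceHandlingServer:
    """IDC side. Polls the isolation area; it is the only party touching the DB."""
    def __init__(self, area, db):
        self.area, self.db = area, db

    def process_pending(self):
        n = 0
        while (req := self.area.pull_request()) is not None:
            if req.service == "charge_inquiry":
                out = {"balance": self.db["balance"].get(req.params["account"])}
            elif req.service == "bill_print":
                out = {"bill": self.db["bills"].get(req.params["account"])}
            else:
                out = {"status": "queued"}
            self.area.push_result(req.request_id, out)
            n += 1
        return n


def is_forwardable(raw):
    """True when a raw request would pass both DMZ checks (constructed helper)."""
    return ExtranetAccessWebComponent().filter(raw) is not None and raw.get("service") in ALLOWED_SERVICES


def run_demo():
    db = {"balance": {"A001": 42.5}, "bills": {"A001": "BILL-2021-06"}}  # constructed
    area = DmzDataIsolationArea()
    web, front = ExtranetAccessWebComponent(), ExtranetAccessFrontEnd(area)
    server = GridServiceHandlingServer(area, db)
    assert web.filter({"path": "/app/logo.png", "user": "u1"}) is None  # static: dropped in DMZ
    raw = web.filter({"path": "/app/charge", "user": "u1", "service": "charge_inquiry",
                      "params": {"account": "A001"}})
    rid = front.submit(raw)
    before = front.render(rid)             # None: the IDC has not pulled yet
    processed = server.process_pending()
    return before, processed, front.render(rid)
```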
The extranet module is used to perform security verification on the user terminal that requests connection to the intranet and to connect the user terminal that passes security verification into the intranet module. It can be understood that, when an end user accesses the internal network through the VPN, authentication proceeds in two parts. User name validity authentication: on the basis of the user name and password, and exploiting the uniqueness of the user's personal communication number, the server side sends a dynamic password to the communication number of the authorized user each time the user logs in to the power grid application, so that the login identity of the user is authenticated a second time. Authority validity authentication: access authority is authorized and authenticated for different terminal users, including control of access to the core module through the dynamic password and access to the back end through dynamic password authentication.
In a specific embodiment, the extranet module is provided with a security firewall with VPN control, and is configured to perform user name validity authentication and authority validity authentication on a user terminal that requests connection to the intranet through the VPN, and to connect the authenticated user terminal into the intranet module.
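The two-part VPN login described above (password check, then a dynamic password sent to the user's registered communication number, then a per-module authority check), as an added example that is not part of the patent. The server class, user table, phone numbers and the in-memory "outbox" standing in for the SMS channel are constructed assumptions; the OTP is single-use and time-limited, which the text implies but does not spell out.

```python
"""Added example (not from the patent): two-step VPN login plus authority check.
Hypothetical names; the user table, numbers and OTP transport are constructed."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnAuthServer:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}      # name -> record
        self.outbox = {}     # phone -> last dynamic password "sent" (constructed transport)
        self._pending = {}   # name -> (otp, expires_at)
        self.sessions = {}   # token -> name

    def enroll(self, name, password, phone, modules):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw": _hash_pw(password, salt),
                            "phone": phone, "modules": frozenset(modules)}

    # Part 1: user name validity. The client never chooses where the dynamic
    # password goes; the number is taken from the server-side record.
    def begin_login(self, name, password):
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password, rec["salt"])):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[name] = (otp, self.now() + OTP_TTL_SECONDS)
        self.outbox[rec["phone"]] = otp
        return True

    # Part 1, second factor: the dynamic password is single-use and time-limited.
    def complete_login(self, name, otp):
        entry = self._pending.pop(name, None)   # popped even on failure: one try per challenge
        if entry is None:
            return None
        expected, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(expected, otp):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = name
        return token

    # Part 2: authority validity for a given module.
    def authorize(self, token, module):
        name = self.sessions.get(token)
        return name is not None and module in self.users[name]["modules"]


def run_demo():
    clock = [1000.0]                                   # controllable clock for the demo
    srv = VpnAuthServer(now=lambda: clock[0])
    srv.enroll("clerk01", "correct horse", "+86-000-0000",
               ["charge_inquiry", "bill_print"])        # constructed user record
    results = {}
    results["wrong_pw"] = srv.begin_login("clerk01", "wrong")
    assert srv.begin_login("clerk01", "correct horse")
    otp = srv.outbox["+86-000-0000"]                    # what the authorized number received
    results["bad_otp"] = srv.complete_login("clerk01", "000000" if otp != "000000" else "111111")
    assert srv.begin_login("clerk01", "correct horse")  # a failed OTP needs a fresh challenge
    otp = srv.outbox["+86-000-0000"]
    tok = srv.complete_login("clerk01", otp)
    results["replay"] = srv.complete_login("clerk01", otp)
    results["allowed"] = srv.authorize(tok, "bill_print")
    results["denied"] = srv.authorize(tok, "expansion_change")
    assert srv.begin_login("clerk01", "correct horse")
    clock[0] += OTP_TTL_SECONDS + 1                     # let the challenge expire
    results["expired"] = srv.complete_login("clerk01", srv.outbox["+86-000-0000"])
    return results
```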
The power data communication network system in this embodiment further includes a marketing center module, which exchanges data with the IDC unit through the DMZ unit, handles the corresponding power grid service handling requests, and completes functions such as electricity charge inquiry, bill data inquiry and business expansion and change service handling by means of the marketing center interface; and a mobile application platform, which relays between the internal and external networks to provide a relay service for the service terminal, through which the data of the IDC unit is accessed.
In summary, the embodiment of the invention has the following beneficial effects:
the power data communication network system removes the restriction on DMZ access to the internal network, so that the portable intelligent service terminal in the external network zone connects to the DMZ zone through APN and VPN and accesses the background services of the IDC zone, thereby realizing functions such as electricity charge inquiry and payment, bill printing, and business expansion and change service handling; and an internal/external network relay service is realized, so that the service terminal can access the data in the IDC zone through the relay.
The above disclosure is only for the purpose of illustrating preferred embodiments of the present invention, and it is therefore to be understood that the scope of the invention is not limited to these embodiments but is defined by the appended claims.

Claims (8)

1. A power data communication network system, comprising:
the intranet module is used for providing services of the IDC unit for the user terminal or the intranet terminal which is subjected to the security verification of the extranet module;
the outer network module is used for carrying out security verification on the user terminal which requests to connect the inner network and connecting the user terminal which passes the security verification into the inner network module;
the internal network module comprises a DMZ unit and an IDC unit, the DMZ unit and the IDC unit are isolated through a safety isolation network gate, and when a user terminal passing safety verification is connected into the internal network module, the DMZ unit can be connected with the IDC unit.
2. The system according to claim 1, wherein the extranet module is provided with a security firewall with VPN control, for performing user name validity authentication and authority validity authentication on a user terminal that requests connection to the intranet through the VPN and connecting the authenticated user terminal into the intranet module.
3. The system of claim 2, wherein the DMZ unit is configured to filter the grid service transaction request of the user terminal, and transmit the filtered grid service transaction request to the server; and returning the processing result obtained from the server to the user terminal.
4. The system of claim 3, wherein the intranet module further comprises a grid service transaction client, and the grid service transaction client is configured to obtain a grid service transaction request of the client terminal and send the grid service transaction request to the DMZ unit.
5. The system of claim 4, wherein the IDC unit comprises a grid service handling server for obtaining the grid service handling requests filtered by the DMZ unit, processing the filtered self-service grid service handling requests, and pushing the processing results to the DMZ unit.
6. The system of claim 5, wherein the DMZ unit further comprises an extranet access agent module; the extranet access agent module comprises: an extranet access web component, used to filter static access out of the power grid service transaction request and send the filtered power grid service transaction request to the extranet access service handling front-end component; the extranet access service handling front-end component, used to assemble the filtered self-service power grid service handling requests into request objects, put the request objects into the DMZ data isolation area, obtain processing results from the DMZ data isolation area, and return result pages for the processing results to the power grid service handling client; and the DMZ data isolation area, used to isolate the data transmitted through the DMZ unit.
7. The system of claim 6, further comprising a marketing center module, which communicates with the IDC unit through the DMZ unit and is used to handle the corresponding power grid service handling requests.
8. The system of claim 7, further comprising a mobile application platform, which relays between the internal and external networks to provide a relay service for the service terminal, through which the data of the IDC unit is accessed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110728495.XA CN113472877A (en) 2021-06-29 2021-06-29 Electric power data communication network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110728495.XA CN113472877A (en) 2021-06-29 2021-06-29 Electric power data communication network system

Publications (1)

Publication Number Publication Date
CN113472877A true CN113472877A (en) 2021-10-01

Family

ID=77873902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110728495.XA Pending CN113472877A (en) 2021-06-29 2021-06-29 Electric power data communication network system

Country Status (1)

Country Link
CN (1) CN113472877A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065485A (en) * 2014-07-04 2014-09-24 中国南方电网有限责任公司 Power grid dispatching mobile platform safety guaranteeing and controlling method
CN104301410A (en) * 2014-10-16 2015-01-21 浪潮软件集团有限公司 Self-service tax handling terminal design method for realizing internal and external network interconnection in client monitoring mode
CN104363165A (en) * 2014-11-14 2015-02-18 华东电网有限公司 Information interactive system under internal and external network isolation environment and data integrating method
CN105119986A (en) * 2015-08-12 2015-12-02 国家电网公司 Web reverse proxy method based on preconnect
CN107978104A (en) * 2017-11-27 2018-05-01 广东金赋科技股份有限公司 Tax handling system and tax handling method supporting intranet and extranet interconnection



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination