CN113645041A - Gateway breaking through safety inspection white list limiting method based on network safety emergency response - Google Patents
Publication number: CN113645041A (application number CN202110915607.2A)
Authority: CN (China)
Prior art keywords: message, gateway, server, detection platform, source
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/3247: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
- H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
- H04L63/12: Network security protocols applying verification of the received information
- H04L63/126: Network security protocols applying verification of the source of the received data
- H04L67/565: Provisioning of proxy services, with conversion or adaptation of application format or content
Abstract
The invention discloses a method, based on network security emergency response, by which a gateway breaks through the whitelist restriction of a security inspection platform. It comprises the following steps: the source gateway authenticates the source server, packages the source server's message and sends it to the security detection platform; the security detection platform performs security detection on the data message; the target gateway unpacks the message sent by the security detection platform and forwards it to the server that really provides the service; and a response message is returned. By extracting the logic for integrating the application gateway with the security detection platform, the data messages of the upstream application server flow through the gateway to the downstream security detection platform, so that the messages can still use the platform's message detection function while the source servers and the target servers being accessed can be scaled horizontally without being limited by the whitelist. This facilitates maintenance and expansion of the service and reduces upgrade cost and mutual interference between services.
Description
Technical Field
The invention relates to the technical field of network communication, and in particular to a method, based on network security emergency response, by which a gateway breaks through the whitelist restriction of a security check.
Background
At present, some security detection platforms impose a whitelist restriction on source and target addresses: they designate the network segment from which requests may be initiated and the target address that receives them, and they specify the format of the messages that pass through the platform. The traditional approach is to pile all services onto the server that holds a whitelisted IP, so that each service's own logic is coupled with the logic of integrating with the platform. The program code is then neither robust nor extensible, maintenance and expansion of the service are difficult, upgrade costs are high, and services interfere with one another.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a method, based on network security emergency response, by which a gateway breaks through the whitelist restriction of a security check, which effectively solves the problems described in the background.
The technical solution adopted by the invention is as follows:
the method by which a gateway breaks through the whitelist restriction of a security check, based on network security emergency response, comprises the following steps:
step S1: the source gateway authenticates the source server, packages the source server's message and sends it to the security detection platform. The source server generates a signature with the agreed signature algorithm and requests from the source gateway an identifier with a limited validity period; the source server writes the identifier into its message and sends the message to the source gateway; the source gateway verifies the identifier carried by the request message and, once it is verified, packages the message according to the message data standard of the security detection platform and sends it to the platform;
step S2: the security detection platform performs security detection on the data message, mainly checking whether the message is safe, and sends the checked message to the target gateway;
step S3: the target gateway unpacks the message sent by the security detection platform and sends it to the server that really provides the service: on receiving the message, the target gateway restores its format according to the agreed rule and sends the restored message to that server;
step S4: a response message is returned; when the target gateway receives the response of the resource server, the result is returned along the original link.
Further, in step S1, the signature generated by the source server is transmitted as the parameters required for the signature together with the signature, encrypted with the asymmetric public key.
Further, in step S1, the source gateway decrypts the source server's message with the asymmetric private key and returns the unique identifier if the decrypted result is consistent (the signature it recomputes matches the one received); otherwise the request must be sent again.
Further, in step S3, the target gateway receives the message from the security detection platform, unpacks it, removes the packaging added by the security detection platform, and extracts the resource server message destined for the server that really provides the service.
Further, in step S4, the whole process takes place as synchronous communication.
Compared with the prior art, the invention has the following beneficial effects:
the message detection function of the security detection platform can still be used, while the source servers and the target servers being accessed can be scaled horizontally without being limited by the whitelist; this facilitates maintenance and business expansion of the service and reduces upgrade cost and mutual interference between services.
Drawings
FIG. 1 is a flow chart of the operation steps of the present invention;
FIG. 2 is a schematic diagram of the internal working process of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in FIG. 1 and FIG. 2, the invention provides a method by which a gateway breaks through a security check whitelist, based on network security emergency response and aimed mainly at the network security "110" emergency response environment. It comprises the following steps:
step S1: the source gateway authenticates the source server, packages the source server's message and sends it to the security detection platform. The source server generates a signature with the agreed signature algorithm and requests from the source gateway an identity with a limited validity period; the signature is transmitted as the parameters required for the signature together with the signature, encrypted with the asymmetric public key. The source gateway decrypts the source server's message with the asymmetric private key and, if the decrypted result is consistent, returns the unique identity; otherwise the request must be made again. The source server then writes the identity into its message and sends the message to the source gateway; the source gateway verifies the identity carried by the request message and, after verification, packages the message according to the message data specification of the security detection platform and sends it to the platform;
step S2: the security detection platform performs security detection on the data message, mainly checking whether the message is safe, and sends the checked message to the target gateway;
step S3: the target gateway unpacks the message sent by the security detection platform and sends it to the server that really provides the service. On receiving the message from the platform, the target gateway unpacks it, removes the packaging added by the security detection platform, extracts the resource server message destined for the server that really provides the service, restores the message format according to the agreed rule, and sends the restored message to that server;
step S4: a response message is returned. The whole process takes place as synchronous communication: when the target gateway receives the response of the resource server, the result is returned along the original link.
Compared with the prior art, this solution extracts the logic for integrating the application gateway with the security detection platform, so that data messages from the upstream application server flow through the gateway to the downstream security detection platform. The platform's message detection function is still used, while the source servers and the target servers being accessed can be scaled horizontally without being limited by the whitelist.
A specific embodiment is as follows:
Because the security detection platform wraps messages in its own format and restricts the source address and the access destination address, a gateway server must be deployed in both the source address network segment and the destination address network segment. The gateway server in the source segment is called the source gateway and the gateway server in the destination segment is called the target gateway. Only the gateways' addresses then need to be on the platform's whitelist, so the whitelist identifies the gateways rather than the servers behind them; which servers may actually send traffic through the source gateway is decided by the source gateway's own authentication of the source server, which thereby becomes the effective access control.
First step: the source gateway authenticates the source server, packages the source server's message and sends it to the security detection platform. The operations at this stage are:
(1) the source server generates a signature for the service and encrypts the parameters required for the signature, together with the signature, with the asymmetric public key it holds;
(2) the source gateway decrypts the message data with the asymmetric private key, computes the signature with the same algorithm as the source server and, if the signatures match, returns a unique identity (hereinafter "token"); the token has a limited lifetime and must be requested again once it has expired;
(3) the source server caches the token, which reduces the network I/O and resource overhead of requesting tokens frequently;
(4) the source server writes the token into the Authorization field of the request header, writes the encoding format of the request body into the Content-Type field of the request header, and sends the message to the source gateway;
(5) the source gateway extracts the request line, request headers and request body of the source server's request message, writes them as JSON entries into the body of a new request message, packages that into the data packet format required by the security detection platform, and records a request log.
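The token issuance of operations (1) and (2) and the token check behind operations (4) and (5), written out as an added Go example; this is not code from the patent or from any product the patent describes. The patent names neither the signature algorithm, the asymmetric scheme nor the token format, so the example assumes HMAC-SHA256 over the sorted parameters with a per-service secret that the gateway also holds, RSA-OAEP for the public-key envelope, and a random 128-bit hex token with a fixed lifetime; the `service`, `ts` and `nonce` parameters and the secret are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// signParams is the "agreed signature algorithm", which the patent does not
// name. Assumed: HMAC-SHA256 over sorted "k=v&" pairs with a per-service secret.
func signParams(secret []byte, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	mac := hmac.New(sha256.New, secret)
	for _, k := range keys {
		fmt.Fprintf(mac, "%s=%s&", k, params[k])
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// TokenRequest is what the source server seals in operation (1).
type TokenRequest struct {
	Params    map[string]string `json:"params"`
	Signature string            `json:"signature"`
}

// Seal encrypts the token request with the gateway's public key. The patent
// says only "asymmetric"; RSA-OAEP/SHA-256 is assumed (plaintext must be short).
func Seal(pub *rsa.PublicKey, req TokenRequest) ([]byte, error) {
	plain, _ := json.Marshal(req) // a map[string]string always marshals
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// Gateway is the source gateway: key pair, per-service secrets, issued tokens.
type Gateway struct {
	priv    *rsa.PrivateKey
	secrets map[string][]byte
	tokens  map[string]time.Time // token -> expiry
	ttl     time.Duration
}

func NewGateway(secrets map[string][]byte, ttl time.Duration) *Gateway {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Gateway{priv: priv, secrets: secrets, tokens: map[string]time.Time{}, ttl: ttl}
}

// IssueToken is operation (2): decrypt, recompute the signature with the same
// algorithm, and only on a match hand out a random token with a limited lifetime.
func (g *Gateway) IssueToken(sealed []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, sealed, nil)
	if err != nil {
		return "", errors.New("cannot decrypt token request")
	}
	var req TokenRequest
	if err := json.Unmarshal(plain, &req); err != nil {
		return "", errors.New("malformed token request")
	}
	secret, ok := g.secrets[req.Params["service"]]
	if !ok || subtle.ConstantTimeCompare([]byte(signParams(secret, req.Params)), []byte(req.Signature)) != 1 {
		return "", errors.New("signature mismatch: request again")
	}
	raw := make([]byte, 16)
	rand.Read(raw) // 128 random bits: the token cannot be guessed
	tok := hex.EncodeToString(raw)
	g.tokens[tok] = time.Now().Add(g.ttl)
	return tok, nil
}

// Authorize is the check on each forwarded request (operations (4)-(5)): the
// Authorization header must carry an unexpired token this gateway issued.
func (g *Gateway) Authorize(authHeader string) error {
	exp, ok := g.tokens[strings.TrimPrefix(authHeader, "Bearer ")]
	if !ok || !time.Now().Before(exp) {
		return errors.New("token unknown or expired: request a new one")
	}
	return nil
}

func main() {
	secret := []byte("order-api-shared-secret") // constructed sample secret
	gw := NewGateway(map[string][]byte{"order-api": secret}, 5*time.Minute)
	params := map[string]string{"service": "order-api", "ts": "1690000000", "nonce": "7f3a"}
	sealed, _ := Seal(&gw.priv.PublicKey, TokenRequest{Params: params, Signature: signParams(secret, params)})
	tok, err := gw.IssueToken(sealed)
	fmt.Println("token:", tok, err, "authorize:", gw.Authorize("Bearer "+tok))
}
```

Two things the patent leaves open matter in practice. The sealed token request carries no freshness that the gateway checks, so the same ciphertext can be replayed to obtain a fresh token; binding `ts` and `nonce` to a short window and rejecting repeats closes that. And because the gateway's whitelisted address is what the detection platform trusts, the `secrets` table and this check are the only things deciding which servers may send traffic through the gateway, so those secrets need the same protection the whitelist itself had.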
Second step: the security detection platform performs security detection on the data message.
The security detection platform receives the source gateway's request message, performs security-layer detection and, if the detection succeeds, sends the result to the target gateway.
Third step: the target gateway unpacks the message sent by the security detection platform and sends it to the server that really provides the service. On receiving the message from the platform, the target gateway processes it as follows:
(1) unpack it, removing the packaging added by the security detection platform;
(2) extract from the data obtained in step (1) the resource server message that the source server wants delivered to the server that really provides the service;
(3) send the message obtained in step (2) and record a request log.
Fourth step: return the response message.
The whole process is synchronous communication: when the target gateway receives the response from the resource server that really provides the service, the response message is returned along the original link.
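The packaging of operation (5), the unpacking of the third step and the synchronous relay of the fourth step, as an added Go example that is not the patent's code. The platform's packet format is not published, so the `Envelope` and `Packet` JSON fields, the gateway names and the resource server address are assumptions, and the request built in `main` is constructed. The platform itself is left out of the chain: the target gateway's handler is fed the packet directly, as it would be after the platform's check succeeded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Envelope carries the original request line, headers and body as JSON
// fields (operation (5)); Packet is the platform wrapper around it. The
// platform's real field names are not published, so these are assumed.
type Envelope struct {
	Method  string              `json:"method"`
	URI     string              `json:"uri"`
	Headers map[string][]string `json:"headers"`
	Body    string              `json:"body"`
}
type Packet struct {
	Source, Target string   // assumed: the gateway identities the platform checks
	Payload        Envelope `json:"payload"`
}

// Pack (source gateway): wrap the request. Hop-by-hop headers and the
// gateway's own bearer token are not forwarded: the token proves the source
// server's identity to the source gateway only and has no business downstream.
func Pack(r *http.Request, source, target string) ([]byte, error) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	hdr := map[string][]string{}
	for k, v := range r.Header {
		switch k {
		case "Authorization", "Connection", "Transfer-Encoding", "Content-Length":
			continue
		}
		hdr[k] = v
	}
	env := Envelope{Method: r.Method, URI: r.URL.RequestURI(), Headers: hdr, Body: string(body)}
	return json.Marshal(Packet{Source: source, Target: target, Payload: env})
}

// Unpack (target gateway): strip the wrapper and rebuild the request for the
// server that really provides the service. The host comes from the gateway's
// own configuration; the envelope may only choose a path, so a forged packet
// cannot turn the gateway into an open proxy to other hosts.
func Unpack(packet []byte, realServer string) (*http.Request, error) {
	var p Packet
	if err := json.Unmarshal(packet, &p); err != nil {
		return nil, fmt.Errorf("bad platform packet: %w", err)
	}
	e := p.Payload
	if e.Method == "" || !strings.HasPrefix(e.URI, "/") {
		return nil, fmt.Errorf("request line rejected: %q %q", e.Method, e.URI)
	}
	req, err := http.NewRequest(e.Method, realServer+e.URI, strings.NewReader(e.Body))
	if err != nil {
		return nil, err
	}
	for k, v := range e.Headers {
		req.Header[k] = v
	}
	return req, nil
}

// TargetGateway unpacks, forwards synchronously and relays the real server's
// status and body back on the same connection (the fourth step).
func TargetGateway(realServer string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		packet, _ := io.ReadAll(r.Body)
		req, err := Unpack(packet, realServer)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

func main() {
	in, _ := http.NewRequest("POST", "http://source-gw/orders?id=42", strings.NewReader(`{"qty":1}`))
	in.Header.Set("Content-Type", "application/json")
	in.Header.Set("Authorization", "Bearer token-issued-by-source-gateway")
	packet, _ := Pack(in, "gw-src", "gw-dst")
	out, err := Unpack(packet, "http://orders.internal:8080")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n%s %s %s\n", packet, out.Method, out.URL, out.Header.Get("Content-Type"))
}
```

Two choices in the example go beyond what the patent states and are the checks a practitioner would want: the source gateway strips its own Authorization token before packaging, since that token authenticates the source server to the source gateway only, and the target gateway fixes the destination host from its own configuration and accepts only an absolute path from the envelope, so a packet that reaches the target gateway cannot make it fetch from an arbitrary host.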
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (5)
1. A method, based on network security emergency response, for a gateway to break through the whitelist restriction of a security check, characterized in that it comprises the following steps:
step S1: the source gateway authenticates the source server, packages the source server's message and sends it to the security detection platform; the source server generates a signature with the agreed signature algorithm and requests from the source gateway an identifier with a limited validity period; the source server writes the identifier into its message and sends the message to the source gateway; the source gateway verifies the identifier carried by the request message and, once it is verified, packages the message according to the message data standard of the security detection platform and sends it to the platform;
step S2: the security detection platform performs security detection on the data message, mainly checking whether the message is safe, and sends the checked message to the target gateway;
step S3: the target gateway unpacks the message sent by the security detection platform and sends it to the server that really provides the service; on receiving the message, the target gateway restores its format according to the agreed rule and sends the restored message to that server;
step S4: a response message is returned; when the target gateway receives the response of the resource server, the result is returned along the original link.
2. The method of claim 1, wherein in step S1 the signature generated by the source server is transmitted as the parameters required for the signature together with the signature, encrypted with the asymmetric public key.
3. The method of claim 1, wherein in step S1 the source gateway decrypts the source server's message with the asymmetric private key and returns the unique identifier if the decrypted result is consistent; otherwise the request must be sent again.
4. The method of claim 1, wherein in step S3 the target gateway receives the message from the security detection platform, unpacks it, removes the packaging added by the security detection platform, and extracts the resource server message destined for the server that really provides the service.
5. The method of claim 1, wherein in step S4 the whole process is performed as synchronous communication.
Application and publication
Application Number | Priority Date | Filing Date | Publication Number | Publication Date | Status |
---|---|---|---|---|---|
CN202110915607.2A | 2021-08-10 | 2021-08-10 | CN113645041A | 2021-11-12 | Pending |
Family ID: 78420552
Country status: CN (CN113645041A)
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102158409A | 2011-04-02 | 2011-08-17 | 杭州华三通信技术有限公司 | Retransmission control method for IP (Internet Protocol) message and equipment thereof |
CN109257357A | 2018-09-26 | 2019-01-22 | 杭州安恒信息技术股份有限公司 | Industry control network safety protecting method and device based on OPC service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |