CN113965395B - Method, system and device for safely accessing intranet in real time - Google Patents

Publication number: CN113965395B
Authority: CN (China)
Prior art keywords: file; transmitted; external network; client; network client
Legal status: Active
Application number: CN202111259983.7A
Other languages: Chinese (zh)
Other versions: CN113965395A (en)
Inventors: 冀博, 周建伟, 穆帅, 叶晓虎, 樊志甲
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Events: application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd; priority to CN202111259983.7A; publication of CN113965395A; application granted; publication of CN113965395B; legal status active

Classifications (CPC, all under H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L63/00 › H04L63/02 › H04L63/0227 Filtering policies › H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/00 › H04L63/08 ... for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications › H04L67/01 Protocols › H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/00 › H04L67/01 › H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention discloses a method, a system and a device for safely accessing an intranet in real time, which solve the technical problem that, in the prior art, the two sides of a gatekeeper cannot be guaranteed to complete file synchronization safely and in a timely manner. The method for safely accessing the intranet comprises the following steps: receiving a file to be transmitted and an access request sent by an external network client of a low security domain through the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP), where the access request comprises identity information of the external network client and related information about the file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system; verifying whether the identity information and the related information are legal, and obtaining a verification result; and determining, according to the verification result, whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system so that it can be uploaded to a file server in the high security domain.

Description

Method, system and device for safely accessing intranet in real time
Technical Field
The invention relates to the technical field of data exchange, in particular to a method, a system and a device for safely accessing an intranet in real time.
Background
With the development of informatization, for safety reasons, networks in many important fields are physically isolated and constructed so as to ensure the network safety in the core field.
By "physical isolation" is meant that networks of different security levels are never in direct physical connection; each network is an independent island of information, so that the information security of each network can be guaranteed. However, information then cannot be transmitted between the different networks, which brings many inconveniences to data exchange.
In the prior art, a gatekeeper (network gate) is generally arranged between networks of different security levels. The gatekeeper uses a solid-state switched read-write medium with multiple control functions, so that there is no physical connection, no logical connection and no communication protocol between the systems, no information exchange takes place according to any protocol, and data is only ferried in the form of files without a protocol. Data transmission between networks of different security levels requires that file servers be deployed between the two networks: a file request from the low security domain temporarily stores the file on the file server on the low security domain side, and the gatekeeper synchronizes the content of the file server in the low security domain to the file server in the high security domain in timed batches. However, this method relies on the timed synchronization of files by the gatekeeper, so its real-time performance is poor, and because the visitor is not verified, potential safety hazards remain.
In view of this, how to ensure that the two sides of the gatekeeper can complete file synchronization safely and in real time has become a technical problem to be solved urgently.
Disclosure of Invention
The invention provides a method, a system and a device for safely accessing an intranet in real time, which are used for solving the technical problem that the two sides of a gatekeeper cannot be ensured to safely and timely finish file synchronization in the prior art.
The first aspect of the present invention provides a method for safely accessing an intranet in real time, which includes:
receiving a file to be transmitted and an access request sent by an external network client of a low security domain through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP); the access request comprises the identity information of the external network client and the related information related to the file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system;
verifying whether the identity information and the related information are legal or not, and obtaining a verification result;
and according to the verification result, determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system so as to upload the file to a file server in a high security domain.
Optionally, before receiving the file to be transmitted and the access request sent by the extranet client in the low security domain through FTP and HTTP, the method further includes:
the user checking whether a file server in the high security domain may accept external access, and registering, according to the result of the check, those file servers in the high security domain that may accept external access into the gatekeeper system.
Optionally, verifying whether the identity information and the related information are legal or not, to obtain a verification result, including:
verifying whether the external network client is a legal user registered in the gatekeeper system according to the identity information of the external network client included in the access request;
when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises a file server resource name accessed by the external network client, a file name of the file to be transmitted and verification information of the file to be transmitted;
when the external network client is a registered legal user and the external network client can obtain the service of the file server according to the related information, determining that the verification result is legal access;
when the external network client is a registered legal user and the external network client is verified to be unable to obtain the service of the file server according to the related information, determining that the verification result is illegal access;
and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
Optionally, verifying whether the external network client can obtain the service of the file server according to the related information includes:
verifying whether a file server resource name to be accessed by an external network client is registered in the gatekeeper system or not in the related information, and whether the file server can provide service for the external network client or not;
when the resource name of the file server which is required to be accessed by the external network client is registered in the gateway system and the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information;
when the resource name of the file server which is required to be accessed by the external network client is registered in the gatekeeper system, the file server can provide service for the external network client, and the file to be transmitted is complete, determining that the related information related to the file to be transmitted in the access request passes verification;
and when the resource name of the file server which is required to be accessed by the external network client is illegal, and/or the file server can not provide service for the external network client, and/or the file to be transmitted is incomplete, determining that the related information related to the file to be transmitted in the access request is not verified.
Optionally, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information includes:
acquiring first verification information of a file to be transmitted from the external network unit according to the file name of the file to be transmitted;
verifying whether the first verification information is consistent with second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
Optionally, determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result includes:
when the verification result is illegal access, refusing to ferry the file to be transmitted to the intranet unit of the gatekeeper system, and sending error information to the extranet client;
and when the verification result is legal access, ferrying the file to be transmitted to the intranet unit of the gatekeeper system.
Optionally, sending error information to the external network client includes:
when the external network client is an unregistered illegal user, the error information is that the user is not registered;
when the resource name of the file server that the external network client requires to access is illegal and/or the external network client has no access right, the error information is that the user has no access right;
and when the verification information of the file to be transmitted by the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is erroneous.
In a second aspect, an embodiment of the present application provides a gatekeeper system, including:
the external network unit is used for receiving the access request and the file to be transmitted sent by the external network client of the low security network domain, verifying the security of the file to be transmitted, and sending the file to be transmitted that passes the security verification to the proprietary isolation exchange unit;
the proprietary isolation exchange unit is configured to perform the method according to the first aspect, so as to receive the file to be transmitted sent by the external network unit while isolating the internal network unit from the external network unit, and to ferry the file to be transmitted that passes the security verification to the internal network unit;
the intranet unit is used for receiving the file to be transmitted ferried by the proprietary isolation exchange unit and forwarding it to a file server in the high security intranet; the external network unit, the proprietary isolation exchange unit and the internal network unit are located in different networks isolated from each other.
In a third aspect, an embodiment of the present application provides a system for securely accessing an intranet in real time, including:
the low security domain client sends the file to be transmitted to a gatekeeper system by using a File Transfer Protocol (FTP), and sends the access request to the gatekeeper system by using an extended header field of a hypertext transfer protocol (HTTP);
the gatekeeper system is configured to receive the file to be transmitted and the access request sent by the low security domain client, and perform the method according to the first aspect, so as to ferry the file to be transmitted that passes security verification to a high security domain file server according to the access request while guaranteeing isolation of the low security domain and the high security domain;
the high security domain file server is configured to receive the file to be transmitted from the gatekeeper system and provide the service corresponding to the access request to the low security domain client; wherein the low security domain client and the high security domain file server are located in different networks that are isolated from each other.
In a fourth aspect, an embodiment of the present application provides an apparatus for securely accessing an intranet, including:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of the first aspect by executing the instructions stored in the memory.
The technical scheme in the embodiment of the invention has the following beneficial effects: when the intranet needs to be accessed safely, the gatekeeper system receives a file to be transmitted and an access request sent by an external network client of the low security domain through FTP and HTTP; the access request comprises identity information of the external network client and related information about the file to be transmitted, and the file to be transmitted is stored in the external network unit of the gatekeeper system; whether the identity information and the related information are legal is verified to obtain a verification result; and according to the verification result, it is determined whether to ferry the file to be transmitted to the intranet unit of the gatekeeper system so that it can be uploaded to a file server in the high security domain. In this way the identity of the visitor is securely verified, only legal users can access the file servers they are authorized for, verifying the related information of the file to be transmitted ensures the uniqueness of the uploaded file's content and prevents it from being tampered with, and safe, real-time synchronization of files between network domains of different security levels is achieved.
Drawings
Fig. 1 is a flowchart of a method for securely accessing an intranet in real time according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a system for securely accessing an intranet in real time according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of high security domain file servers registered with a gatekeeper system according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the correspondence between identity information and related information of an external network client as verified by a gatekeeper system according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a gatekeeper system according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of another gatekeeper system according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of another gatekeeper system according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a system for securely accessing an intranet in real time according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.
In the prior art, in order to complete data exchange between two networks of different security levels, a file server is generally deployed between the two networks: a file request from the low security domain temporarily stores the file on the file server on the low security domain side, and the gatekeeper synchronizes the content of the file server in the low security domain to the file server in the high security domain in timed batches. However, this exchange mode has poor real-time performance, cannot verify the identity of the visitor, cannot verify the file sent by the visitor, and therefore carries potential safety hazards.
Therefore, the invention provides a method, a system and a device for safely accessing an intranet in real time, which solve the technical problem that, in the prior art, the two sides of a gatekeeper cannot be guaranteed to complete file synchronization safely and in a timely manner.
The following describes the technical scheme provided by the embodiment of the application with reference to the attached drawings.
Referring to Fig. 1, the present invention provides a method for safely accessing an intranet in real time, which comprises the following steps:
S101, receiving a file to be transmitted and an access request sent by an extranet client in a low security domain through FTP and HTTP; the access request comprises identity information of the external network client and related information about the file to be transmitted, and the file to be transmitted is stored in the external network unit of the gatekeeper system;
S102, verifying whether the identity information and the related information are legal, and obtaining a verification result;
and S103, determining, according to the verification result, whether to ferry the file to be transmitted to the intranet unit of the gatekeeper system so that it can be uploaded to a file server in the high security domain.
For example, referring to Fig. 2, which is a schematic structural diagram of a system for real-time secure access to an intranet according to an embodiment of the present invention, Fig. 2 includes extranet clients 201 and 202 in the low security domain, a gatekeeper system 203, and a file server 204 in the high security domain. Suppose that extranet client 201 and extranet client 202 both need to request the services of file server 204.
The external network clients 201 and 202 upload their files to the gatekeeper system 203 in real time through the File Transfer Protocol (FTP), and send their access requests to the gatekeeper system 203 through the Hypertext Transfer Protocol (HTTP).
The gatekeeper system 203 verifies the access request sent by the external network client 201, which contains the identity information of the external network client 201 and the related information of the uploaded file to be transmitted. By comparing the access request with the external network clients registered in the gatekeeper system 203, the external network client 201 is determined to be an illegal user; by comparing the verification information of the file uploaded by the external network client 201 with the verification information in the access request, the integrity of the uploaded file is determined to have been damaged. The verification result thus obtained is that the access by the external network client 201 is illegal access.
The gatekeeper system 203 verifies the access request sent by the external network client 202, which contains the identity information of the external network client 202 and the related information of the uploaded file to be transmitted. In the verification, the external network client 202 is determined to be a legal user, the uploaded file is complete, and the client has the corresponding authority to access the target file server, so the verification result obtained is that the access by the external network client 202 is legal access.
According to the verification results, the gatekeeper system 203 declines to ferry the file uploaded by the external network client 201 to its internal network unit, and sends error information to the external network client 201;
the gatekeeper system 203 ferries the file uploaded by the extranet client 202 into its intranet unit for uploading to the file server 204 in the high security domain.
In the embodiment provided by the invention, when an external client needs to access the intranet, the gatekeeper system receives the file to be transmitted and the access request sent by the external network client in the low security domain through FTP and HTTP; the access request comprises identity information of the external network client and related information about the file to be transmitted, and the file to be transmitted is stored in the external network unit of the gatekeeper system; whether the identity information and the related information are legal is verified to obtain a verification result; and according to the verification result, it is determined whether to ferry the file to be transmitted to the intranet unit of the gatekeeper system so that it can be uploaded to a file server in the high security domain. In this way the identity of the visitor is securely verified, only legal users can access the file servers they are authorized for, verifying the related information of the file to be transmitted ensures the uniqueness of the uploaded file's content and prevents it from being tampered with, and safe, real-time synchronization of files between network domains of different security levels is achieved.
In one possible implementation, before receiving the file to be transmitted and the access request sent by the external network client of the low security domain through FTP and HTTP, the method further includes:
the user checking whether a file server in the high security domain may accept external access, and registering, according to the result of the check, those file servers in the high security domain that may accept external access into the gatekeeper system.
For example, referring to Fig. 3, which is a schematic structural diagram of high security domain file servers registered with a gatekeeper system according to an embodiment of the present invention, Fig. 3 includes file servers 301-303 and a gatekeeper system 304. Assume that the IP address of file server 301 is 192.168.0.1 and its FTP port is 01, the IP address of file server 302 is 192.168.0.2 and its FTP port is 02, the IP address of file server 303 is 192.168.0.3 and its FTP port is 03, and that file servers 301 and 303 have been verified and confirmed by the user as able to receive external access.
When the file servers 301 to 303 in the high security domain need to receive external access, the user performs an audit in advance to determine whether external access may be received. Here, file server 301 and file server 303 are confirmed as able to receive external access, so the IP addresses, FTP ports, user names and passwords of file servers 301 and 303 are registered in the gatekeeper system 304, and each obtains a corresponding file server resource name: the resource name corresponding to file server 301 is RES1, and the resource name corresponding to file server 303 is RES2. File server 302 does not pass the user audit, so it is not registered in the gatekeeper system 304 and is not visible to the extranet clients of the low security domain.
In the embodiment provided by the invention, a file server that is to receive external access must be audited and confirmed by the user; a confirmed file server is registered in the gatekeeper system, while an unconfirmed one is not registered and cannot receive external access. Thus each file server in the high security domain can be individually set to receive external access or not according to the user's requirements, and a file server that does not receive external access is invisible to the outside, so that the security of the file server is ensured.
In one possible implementation, verifying whether the identity information and the related information are legal and obtaining a verification result includes:
verifying, according to the identity information of the external network client included in the access request, whether the external network client is a legal user registered in the gatekeeper system; when the external network client is a registered legal user, verifying according to the related information whether the external network client can obtain the service of the file server, where the related information comprises the resource name of the file server accessed by the external network client, the file name of the file to be transmitted and the verification information of the file to be transmitted; when the external network client is a registered legal user and can obtain the service of the file server according to the related information, determining that the verification result is legal access; when the external network client is a registered legal user but is verified to be unable to obtain the service of the file server according to the related information, determining that the verification result is illegal access; and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
Verifying according to the related information whether the external network client can obtain the service of the file server comprises the following steps:
verifying whether the resource name of the file server that the external network client requires to access, as given in the related information, is registered in the gatekeeper system, and whether that file server can provide service to the external network client; when the resource name is registered in the gatekeeper system and the file server can provide service to the external network client, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information; when the resource name is registered in the gatekeeper system, the file server can provide service to the external network client, and the file to be transmitted is complete, determining that the related information about the file to be transmitted in the access request passes verification; and when the resource name of the file server that the external network client requires to access is illegal, and/or the file server cannot provide service to the external network client, and/or the file to be transmitted is incomplete, determining that the related information about the file to be transmitted in the access request does not pass verification.
Verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information comprises the following steps:
acquiring, according to the file name of the file to be transmitted, first verification information of the file to be transmitted from the external network unit; verifying whether the first verification information is consistent with the second verification information contained in the related information; if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete; and if they are inconsistent, determining that the file to be transmitted is incomplete.
For example, as shown in fig. 4, fig. 4 is a schematic diagram of a gateway system for verifying correspondence between identity information and related information of an external network client according to an embodiment of the present invention. The figure includes external network clients 401-405 and a gatekeeper system 406. Assuming that a file server 1 and a file server 3 are registered in the gatekeeper system, the file server 1 and the file server 3 can be accessed by a class-A authority, the IP address of the file server 1 is 192.168.0.1, the FTP port is port 1, the resource name of the file server is RES1, the IP address of the file server 3 is 192.168.0.3, the FTP port is port 3, the resource name of the file server is RES2, and the external network clients all use a one-way hash function SHA256 to acquire verification information of a file to be transmitted.
The external network clients 401-405 each upload a file to be transmitted and the corresponding access request to the gatekeeper system 406. The access request sent by the external network client 401 is {user name=932, file to be transmitted=file1, verification information=6114cef1bd066b1d63ebdb0fc961677931947287852ff3adc1eb5516bc63520, file server resource name=RES1, operation type=upload}; the access request sent by the external network client 402 is {user name=421, file to be transmitted=file2, verification information=df9128ecc2de700ac9e16a58f22ff891e4e6d083b3b70e59f951d8e5f77b7b52, file server resource name=RES1, operation type=upload}; the access request sent by the external network client 403 is {user name=47, file to be transmitted=file3, verification information=29ab0c96874aaa499ebc86bb3d85268b1eab6852fd7df007a9523dc0ecfdfbf2, file server resource name=RES3, operation type=upload}; the access request sent by the external network client 404 is {user name=549, file to be transmitted=file4, verification information=c678f0d2475a0b65708e629c078a1a025652e5abec6004151776ce138948d3db, file server resource name=RES2, operation type=upload}; the access request sent by the external network client 405 is {user name=481, file to be transmitted=file5, verification information=7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a, file server resource name=RES2, operation type=upload}.
After receiving the access request sent by the external network client 401, the gatekeeper system 406 verifies the identity information of the external network client 401. The user name of the external network client 401 is 932, which is not registered in the gatekeeper system 406, so the gatekeeper system 406 determines that the external network client 401 is an unregistered user and that the access request it sent is illegal access.
Gatekeeper system 406 verifies the identity information of the access request sent by extranet client 402 after it receives it. The user name 421 of the extranet client 402 is a legal user registered in the gatekeeper system 406, and the authority thereof is class B. When verifying whether the external network client 402 can obtain the service of the file server according to the related information, since the authority of the external network client 402 is level B and the required file server RES1 needs a level a authority to provide the service, it is determined that the external network client 402 does not have the access authority, and the transmitted access request is illegal access.
The gatekeeper system 406 verifies the identity information of the access request sent by the extranet client 403 after it receives it. The user name 47 of the external network client 403 is a legal user registered in the gatekeeper system 406, and its authority is class A. When verifying whether the external network client 403 can obtain the service of the file server according to the related information, the resource name of the file server to be accessed is RES3, which is not a file server registered in the gatekeeper system 406 and able to provide service to external network clients. Therefore, it is determined that the external network client 403 does not have access rights, and the transmitted access request is illegal access.
The gatekeeper system 406 verifies the identity information of the access request sent by the extranet client 404 after it receives it. The user name of the extranet client 404 is 549, which is a legal user registered in the gatekeeper system 406, and its authority is class A. When verifying whether the external network client 404 can obtain the service of the file server according to the related information, the resource name of the file server to be accessed is RES2, and the authority is class A, so the external network client 404 can receive the service of the file server 3 corresponding to RES2. When the file to be transmitted by the extranet client 404 is verified, the corresponding file is looked up in the extranet unit of the gatekeeper system 406 according to the file name (file 4) in the access request, and the one-way hash function SHA256 is used to calculate the first verification information, 69151d7b5df6df88a1859430bd8ebc31be23534f59a5e4bf4b7946d0cef2557; the second verification information obtained by the gatekeeper system 406 from the related information of the access request is c678f0d2475a0b65708e629c078a1a025652e5abec6004151776ce138948d3db. The two are inconsistent, so the integrity of file 4 has been compromised and file 4 is incomplete. Therefore, it is determined that the file to be transmitted uploaded by the external network client 404 is wrong, and the transmitted access request is illegal access.
The gatekeeper system 406 verifies the identity information of the access request sent by the extranet client 405 after it receives it. The user name of the extranet client 405 is 481, which is a legal user registered in the gatekeeper system 406, and its authority is class A. When verifying whether the external network client 405 can obtain the service of the file server according to the related information, the resource name of the file server to be accessed is RES2, and the authority is class A, so the external network client can receive the service of the file server 3 corresponding to RES2. When the file to be transmitted by the extranet client 405 is verified, the corresponding file is looked up in the extranet unit of the gatekeeper system 406 according to the file name (file 5) in the access request, and the one-way hash function SHA256 is used to calculate the first verification information, 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a; the second verification information obtained by the gatekeeper system 406 from the related information of the access request is 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a. The two are consistent, so file 5 is complete. Thus, the access request sent by the external network client 405 is determined to be legitimate access.
In practical application, the gatekeeper system and the external network client can verify the file to be transmitted with various one-way hash functions; the one-way hash function can be chosen from algorithms such as SHA-256, SHA-384 and SHA-512 according to the security requirement of the user.
In the embodiment provided by the invention, after receiving the file to be transmitted and the access request sent by the external network client, the gatekeeper system verifies the identity information and the authority information of the external network client and whether the uploaded file to be transmitted is complete, and only after confirming that the external network client is a legal user, that it accesses the file server legally and that the file to be transmitted is complete does the gatekeeper system provide the corresponding service to the external network client. Therefore, the high-security domain network is protected to the greatest extent, the possibility that the high-security domain is attacked over the network is reduced, access control is strengthened, the load on the high-security domain server is relieved as far as possible, and real-time, high-security file access requests between networks of different security domains are realized through the gatekeeper system.
In one possible implementation manner, determining whether to ferry a file to be transmitted to an intranet unit of a gatekeeper system according to a verification result includes:
when the verification result is illegal access, abandoning the ferrying of the file to be transmitted to the intranet unit of the gatekeeper system and sending error information to the extranet client; and when the verification result is legal access, ferrying the file to be transmitted to the intranet unit of the gatekeeper system.
Wherein sending the error information to the external network client comprises:
when the external network client is an unregistered illegal user, the error information is that the user is not registered; when the resource name of the file server requested by the external network client is illegal and/or the external network client does not have access rights, the error information is that the user does not have access rights; when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
Taking the example of fig. 4: the external network client 401 is an unregistered user, and the transmitted access request is illegal access; the external network client 402 does not have access rights, and the transmitted access request is illegal access; the external network client 403 does not have access rights, and the transmitted access request is illegal access; the file to be transmitted uploaded by the external network client 404 is wrong, and the transmitted access request is illegal access; the access request sent by the extranet client 405 is legitimate access.
The gatekeeper system 406 ferries the file to be transmitted (file 5) uploaded by the extranet client 405 to the intranet unit of the gatekeeper system 406.
The gatekeeper system 406 does not ferry the files to be transmitted uploaded by the external network clients 401-404 to the intranet unit of the gatekeeper system 406. It sends the error information "the user is not registered" to the external network client 401, the error information "the user does not have access rights" to the extranet clients 402 and 403, and the error information "file error to be transmitted" to the extranet client 404.
In the embodiment provided by the invention, the gatekeeper system ferries only the files to be transmitted uploaded by verified external network clients to the internal network unit, so the network security of the high-security domain network is ensured; and it sends corresponding error information to external network clients that do not pass verification, so that the user can correct the access request or the file to be transmitted and obtain the service.
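To make the verification sequence and the ferry decision above concrete, here is an added Python example; it is not the patent's or the applicant's code. It recreates the five requests of fig. 4 with constructed file contents (so the digests differ from the values quoted in the description), assumes a registry layout in which authority class A outranks class B and each resource name maps to the class it requires, and lets the one-way hash function be chosen as the text describes. The checks run in the order the text gives (identity, then resource registration and authority, then integrity), only a legal request's file is copied to the intranet unit, and every rejection carries one of the three error messages.

```python
"""Added example: a gatekeeper's sequential checks and ferry decision.
Registries, file contents and class ranking are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three error messages the description prescribes for rejected requests.
ERR_UNREGISTERED = "the user is not registered"
ERR_NO_RIGHTS = "the user does not have access rights"
ERR_FILE = "file error to be transmitted"

# Constructed registries (assumed layout). Authority class A outranks class B.
CLASS_RANK = {"A": 2, "B": 1}
USERS = {"421": "B", "47": "A", "549": "A", "481": "A"}   # username -> authority class
SERVERS = {"RES1": "A", "RES2": "A"}                       # resource name -> class required


@dataclass(frozen=True)
class AccessRequest:
    username: str
    filename: str
    verification: str        # second verification information: the client's digest
    resource: str
    operation: str = "upload"


@dataclass(frozen=True)
class Verdict:
    legal: bool
    error: Optional[str] = None


class Gatekeeper:
    def __init__(self, users, servers, extranet_files, algorithm="sha256"):
        self.users, self.servers = users, servers
        self.extranet = dict(extranet_files)   # extranet unit: filename -> stored bytes
        self.intranet: Dict[str, bytes] = {}   # intranet unit: only verified files land here
        self.algorithm = algorithm             # sha256 / sha384 / sha512 per security requirement
        self.hex_len = 2 * hashlib.new(algorithm).digest_size

    def first_verification(self, filename: str) -> str:
        """Recompute the digest over the copy actually held in the extranet unit."""
        return hashlib.new(self.algorithm, self.extranet[filename]).hexdigest()

    def verify(self, req: AccessRequest) -> Verdict:
        # Step 1: identity. An unknown username is an unregistered user.
        authority = self.users.get(req.username)
        if authority is None:
            return Verdict(False, ERR_UNREGISTERED)
        # Step 2: the resource must be registered and its required class not exceed the client's.
        required = self.servers.get(req.resource)
        if required is None or CLASS_RANK[authority] < CLASS_RANK[required]:
            return Verdict(False, ERR_NO_RIGHTS)
        # Step 3: integrity. Reject a missing file or a malformed digest before comparing;
        # compare_digest keeps the comparison itself constant-time.
        second = req.verification.lower()
        if (req.filename not in self.extranet or len(second) != self.hex_len
                or any(c not in "0123456789abcdef" for c in second)):
            return Verdict(False, ERR_FILE)
        if not hmac.compare_digest(self.first_verification(req.filename), second):
            return Verdict(False, ERR_FILE)
        return Verdict(True)

    def ferry(self, req: AccessRequest) -> Verdict:
        """Ferry only a legal request's file; otherwise leave it unferried and report the error."""
        verdict = self.verify(req)
        if verdict.legal:
            self.intranet[req.filename] = self.extranet[req.filename]
        return verdict


def run_figure4_scenario() -> Tuple[List[Verdict], List[str]]:
    """Constructed re-creation of the five clients of fig. 4; file contents are made up."""
    files = {f"file{i}": f"constructed contents of file{i}".encode() for i in range(1, 6)}
    gk = Gatekeeper(USERS, SERVERS, files)

    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    requests = [
        AccessRequest("932", "file1", digest(files["file1"]), "RES1"),   # 401: not registered
        AccessRequest("421", "file2", digest(files["file2"]), "RES1"),   # 402: class B, RES1 needs A
        AccessRequest("47", "file3", digest(files["file3"]), "RES3"),    # 403: RES3 not registered
        AccessRequest("549", "file4", digest(b"other bytes"), "RES2"),   # 404: digest mismatch
        AccessRequest("481", "file5", digest(files["file5"]), "RES2"),   # 405: legal
    ]
    verdicts = [gk.ferry(r) for r in requests]
    return verdicts, sorted(gk.intranet)


if __name__ == "__main__":
    for client, verdict in zip(range(401, 406), run_figure4_scenario()[0]):
        print(client, verdict)
```

Two details are worth keeping in any real implementation: the first verification information is recomputed over the bytes actually held in the extranet unit and never taken from the client, and the digest field is checked for length and character set before a constant-time comparison, so a malformed verification field is rejected as a file error rather than reaching the comparison.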
Based on the same inventive concept, the present invention provides a gatekeeper system, see fig. 5, comprising:
the file receiving module 501 is configured to receive a file to be transmitted and an access request sent by an external network client in a low security domain through the file transfer protocol FTP and the hypertext transfer protocol HTTP; the access request comprises identity information of the external network client and related information related to the file to be transmitted, and the file to be transmitted is stored in an external network unit of the gatekeeper system;
the security verification module 502 is configured to verify whether the identity information and the related information are legal, and obtain a verification result;
and the file ferrying module 503 is configured to determine whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the verification result, so as to upload the file to the file server in the high security domain.
In one possible implementation, the file receiving module 501 is further configured to:
allow the user to check whether a file server in the high security domain can accept external access, and to register the file servers in the high security domain that can accept external access into the gatekeeper system according to the result of the check.
In one possible implementation, the security verification module 502 is further configured to:
according to the identity information of the external network client included in the access request, verifying whether the external network client is a legal user registered in the gatekeeper system;
when the external network client is a registered legal user, verifying whether the external network client can obtain the service of the file server according to the related information; the related information comprises a file server resource name accessed by an external network client, a file name of a file to be transmitted and verification information of the file to be transmitted;
when the external network client is a registered legal user and the external network client can obtain the service of the file server according to the related information, determining that the verification result is legal access;
when the external network client is a registered legal user and the external network client is verified to be unable to obtain the service of the file server according to the related information, determining that the verification result is illegal access;
and when the external network client is an unregistered illegal user, determining that the verification result is illegal access.
In one possible implementation, the security verification module 502 is further configured to:
verifying whether the resource name of the file server which is required to be accessed by the external network client is registered in the gatekeeper system or not in the related information, and whether the file server can provide service for the external network client or not;
when the resource name of the file server requested by the external network client is registered in the gatekeeper system and the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name and verification information of the file to be transmitted in the related information;
when the resource name of the file server requested by the external network client is registered in the gatekeeper system, the file server can provide service for the external network client, and the file to be transmitted is complete, determining that the related information related to the file to be transmitted in the access request passes verification;
when the resource name of the file server which is required to be accessed by the external network client is illegal, and/or the file server cannot provide service for the external network client, and/or the file to be transmitted is incomplete, determining that the related information related to the file to be transmitted in the access request is not verified.
In one possible implementation, the security verification module 502 is further configured to:
According to the file name of the file to be transmitted, acquiring first verification information of the file to be transmitted from an external network unit;
verifying whether the first verification information is consistent with the second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
if the first verification information and the second verification information are inconsistent, determining that the file to be transmitted is incomplete.
In one possible implementation, the file ferry module 503 is further configured to:
when the verification result is illegal access, abandoning the ferrying of the file to be transmitted to the intranet unit of the gatekeeper system and sending error information to the extranet client;
and when the verification result is legal access, ferrying the file to be transmitted to an intranet unit of the gatekeeper system.
In one possible implementation, the file ferry module 503 is further configured to:
when the external network client is an unregistered illegal user, the error information is that the user is not registered;
when the resource name of the file server which is required to be accessed by the external network client is illegal and/or the external network client does not have access right, the error information is that the user does not have access right;
when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
Based on the same inventive concept, the present application provides a gatekeeper system, see fig. 6, comprising:
the external network unit 601 is configured to receive an access request and a file to be transmitted sent by an external network client of a low security network domain, verify security of the file to be transmitted, and send the file to be transmitted that passes the security verification to the proprietary isolation exchange unit 602;
the proprietary isolation exchange unit 602 is configured to perform the method for safely accessing the intranet in real time as described above, so as to receive the file to be transmitted sent by the external network unit 601 while isolating the intranet unit 603 from the external network unit 601, and ferry the file to be transmitted that passes the security verification to the intranet unit 603;
the intranet unit 603 is configured to receive the file to be transmitted ferried by the proprietary isolation exchange unit 602 and forward it to a file server in the high-security intranet; the external network unit 601, the proprietary isolation exchange unit 602 and the intranet unit 603 are located in different networks isolated from each other.
For example, as shown in fig. 7, fig. 7 is a schematic structural diagram of a gatekeeper system according to an embodiment of the present invention. The external network unit 601 includes an FTP module 6011, a web service module 6012, a security verification module 6013 and a file synchronization module 6014; the intranet unit 603 includes a monitoring module 6031, an information analysis module 6032 and an uploading module 6033.
After the external network client in the low security network domain sends the access request and the file to be transmitted to the external network unit 601 of the gatekeeper system, the FTP module 6011 receives the file to be transmitted sent by the external network client over FTP, and the web service module 6012 receives the access request sent by the external network client over HTTP. After the access request passes the verification of the security verification module 6013, the verified access request and the file to be transmitted are synchronized to the proprietary isolation exchange unit 602 through the file synchronization module 6014. The proprietary isolation exchange unit 602 ferries the synchronized file to the intranet unit 603. When the monitoring module 6031 in the intranet unit 603 detects that a new file to be transmitted exists, it calls the information analysis module 6032 to analyze the file to be transmitted. The uploading module 6033 then uploads the file to be transmitted to the corresponding file server in the high-security network domain according to the file server determined by the information analysis module 6032.
In the embodiment provided by the invention, after receiving the access request and the file to be transmitted sent by the external network client in the low-security network domain, the external network unit performs security verification and synchronizes the verified file to be transmitted to the proprietary isolation exchange unit. The proprietary isolation exchange unit ferries the file to be transmitted to the intranet unit. The intranet unit analyzes the file to be transmitted and uploads it to a file server in the high-security intranet. The network domains of different security levels are thereby kept isolated while the secure files to be transmitted are ferried into the high-security network domain.
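The access request of claim 7 travels in extended HTTP header fields, and the intranet unit must analyze what the synchronization module ferries before the upload module picks a target. The following added Python example, which is not part of the patent or the applicant's product, shows the input validation a web service module such as 6012 would apply to those header fields at the low-security boundary, and a minimal manifest exchange between a file synchronization module such as 6014 and an information analysis module such as 6032. The header names (X-Gatekeeper-*), the JSON manifest and the sample request are constructed assumptions; the digest value in the sample is the one the description quotes for client 405.

```python
"""Added example: strict parsing of an access request carried in extended HTTP
header fields, and the manifest handed from the extranet side to the intranet side.
Header names, manifest shape and the sample request are constructed assumptions."""
import json
import re
from typing import Dict

# Assumed header names -> access-request field (the page does not name the fields).
HEADER_FIELDS = {
    "x-gatekeeper-user": "username",
    "x-gatekeeper-file": "filename",
    "x-gatekeeper-digest": "verification",
    "x-gatekeeper-resource": "resource",
    "x-gatekeeper-operation": "operation",
}
# A plain name: starts alphanumeric, no path separators, no whitespace, bounded length.
TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
OPERATIONS = {"upload"}


class AccessRequestError(ValueError):
    """Raised for any access request or manifest that must be refused."""


def parse_access_request(raw: bytes) -> Dict[str, str]:
    """Web service module: extract the five fields from the header section and
    refuse anything absent, duplicated or malformed, so the verification stage
    only ever sees well-formed values."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        raise AccessRequestError("non-ASCII bytes in header section") from None
    lines = head.split("\r\n")
    if not lines[0].startswith("POST "):
        raise AccessRequestError("access request must be a POST")
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise AccessRequestError(f"malformed header line: {line!r}")
        key = HEADER_FIELDS.get(name.strip().lower())
        if key is None:
            continue                               # ordinary HTTP headers are ignored
        if key in fields:
            raise AccessRequestError(f"duplicate field {key}")
        fields[key] = value.strip()
    missing = set(HEADER_FIELDS.values()) - set(fields)
    if missing:
        raise AccessRequestError(f"missing fields: {sorted(missing)}")
    for key in ("username", "filename", "resource"):
        if not TOKEN.match(fields[key]):
            raise AccessRequestError(f"bad {key}: {fields[key]!r}")
    fields["verification"] = fields["verification"].lower()
    if not SHA256_HEX.match(fields["verification"]):
        raise AccessRequestError("verification information is not a SHA-256 hex digest")
    if fields["operation"] not in OPERATIONS:
        raise AccessRequestError(f"unsupported operation {fields['operation']!r}")
    return fields


def rejects(raw: bytes) -> bool:
    """True when parse_access_request refuses the request."""
    try:
        parse_access_request(raw)
    except AccessRequestError:
        return True
    return False


def build_manifest(fields: Dict[str, str], stored_digest: str) -> str:
    """File synchronization module: the manifest that travels with a verified file.
    It names the resource, never an address; the intranet side resolves it."""
    return json.dumps({"filename": fields["filename"], "resource": fields["resource"],
                       "operation": fields["operation"], "digest": stored_digest}, sort_keys=True)


def analyze_manifest(manifest: str, servers: Dict[str, str]) -> str:
    """Information analysis module: resolve the upload target from the intranet's own
    registry (resource name -> server address); unknown names are refused."""
    data = json.loads(manifest)
    if data.get("resource") not in servers or data.get("operation") not in OPERATIONS:
        raise AccessRequestError("manifest names an unknown resource or operation")
    if not SHA256_HEX.match(str(data.get("digest", ""))):
        raise AccessRequestError("manifest digest is malformed")
    return servers[data["resource"]]


# Constructed sample request modelled on client 405 of fig. 4.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: gatekeeper.example\r\n"
    b"X-Gatekeeper-User: 481\r\n"
    b"X-Gatekeeper-File: file5\r\n"
    b"X-Gatekeeper-Digest: 7802a05037ebec5311ad2dc630cb0d84e1b900c6b705a1c704bd43d2b47b719a\r\n"
    b"X-Gatekeeper-Resource: RES2\r\n"
    b"X-Gatekeeper-Operation: upload\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    parsed = parse_access_request(SAMPLE_REQUEST)
    manifest = build_manifest(parsed, parsed["verification"])
    print(parsed)
    print(analyze_manifest(manifest, {"RES2": "192.168.0.3"}))
```

The parser treats the five fields as untrusted input: the file name is restricted to a plain token so it can never be interpreted as a path inside the extranet unit, the digest must already look like a SHA-256 value before the integrity check runs, and the manifest passed across the isolation boundary carries only a resource name that the intranet side resolves from its own registry.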
Based on the same inventive concept, the present application provides a system for safely accessing an intranet, referring to fig. 8, the system for safely accessing the intranet in real time includes:
the low security domain client 801 is configured to send a file to be transmitted and an access request to the gatekeeper system 802 through a file transfer protocol FTP and a hypertext transfer protocol HTTP;
the gatekeeper system 802 is configured to receive a file to be transmitted and an access request sent by the low security domain client 801, and perform the method for securely accessing an intranet as described above, so as to ferry the file to be transmitted that passes security verification to the high security domain file server according to the access request while guaranteeing isolation of the low security domain and the high security domain;
a high security domain file server 803 for receiving a file to be transmitted from the gatekeeper system 802 and providing a service corresponding to the access request to the low security domain client 801; wherein the low security domain client 801 and the high security domain file server 803 are located in different networks that are isolated from each other.
The low security domain client 801 is specifically configured to:
sending the file to be transmitted to the gatekeeper system using the file transfer protocol FTP;
the access request is sent to the gatekeeper system using the hypertext transfer protocol HTTP.
Based on the same inventive concept, an embodiment of the present invention provides a device for safely accessing an intranet in real time, where the device for safely accessing the intranet may be an electronic device such as a personal computer, and the device may include:
at least one processor, the processor is configured to implement the steps of the method for securely accessing an intranet according to the embodiment of the present application when executing the computer program stored in the memory.
Alternatively, the processor may be a central processing unit, an application specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program.
Optionally, the device for safely accessing the intranet further includes a memory connected to the at least one processor, where the memory may include a read only memory (ROM), a random access memory (RAM) and a disk memory. The memory stores the data required by the processor when running, i.e. instructions executable by the at least one processor, and the at least one processor performs the method shown in fig. 1 by executing the instructions stored in the memory. The number of memories is one or more.
The embodiment of the application further provides a computer storage medium, wherein the computer storage medium stores computer instructions, and when the computer instructions run on a computer, the computer is caused to perform the steps of the method for safely accessing an intranet in real time as above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (8)

1. A method for securely accessing an intranet in real time, applied to a gatekeeper system arranged between networks with different security levels, the method comprising:
receiving a file to be transmitted and an access request respectively sent by an extranet client in a low security domain through a File Transfer Protocol (FTP) and a hypertext transfer protocol (HTTP); the access request comprises identity information of the external network client and related information related to the file to be transmitted, the file to be transmitted is stored in an external network unit of the gatekeeper system, and the related information comprises a file server resource name of a file server accessed by the external network client, a file name of the file to be transmitted and verification information;
according to the identity information, verifying whether the external network client is a legal user registered in the gatekeeper system; when the external network client is the registered legal user, sequentially verifying whether the resource name of the file server is registered in the gatekeeper system, whether the file server can provide service for the external network client, verifying the integrity of the file to be transmitted according to the file name of the file to be transmitted and verification information, if each content in the sequential verification passes verification, determining that the related information passes verification, and the external network client can obtain the service of the file server, and if any content in the sequential verification does not pass verification, determining that the related information does not pass verification, and the external network client cannot obtain the service of the file server;
and determining, according to whether the extranet client can obtain the service of the file server, whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system so as to upload the file to the file server in a high security domain.
2. The method of claim 1, wherein prior to receiving the file to be transferred and the access request sent by the extranet client of the low security domain via file transfer protocol FTP and hypertext transfer protocol HTTP, further comprising:
and the user checks whether the file server in the high security domain can accept external access, and registers the file server in the high security domain which can receive external access into the gatekeeper system according to the result of the checking.
3. The method of claim 1, wherein verifying the integrity of the file to be transmitted based on the file name of the file to be transmitted and verification information comprises:
acquiring first verification information of a file to be transmitted from the external network unit according to the file name of the file to be transmitted;
verifying whether the first verification information is consistent with second verification information in the related information;
if the first verification information is consistent with the second verification information, determining that the file to be transmitted is complete;
and if the first verification information is inconsistent with the second verification information, determining that the file to be transmitted is incomplete.
4. The method of claim 1, wherein determining whether to ferry the file to be transmitted to an intranet unit of the gatekeeper system according to the authentication result of the identity information and whether the extranet client can obtain the service of the file server according to the related information comprises:
when the external network client is an unregistered illegal user, or the external network client is a registered legal user but cannot obtain the service of the file server, abandoning the ferrying of the file to be transmitted to the intranet unit of the gatekeeper system and sending error information to the external network client;
and when the external network client is a registered legal user and the external network client can obtain the service of the file server, ferrying the file to be transmitted to an intranet unit of the gatekeeper system.
5. The method of claim 4, wherein sending error information to the extranet client comprises:
when the external network client is an unregistered illegal user, the error information is that the user is not registered;
when the resource name of the file server requested by the external network client is illegal and/or the external network client does not have access rights, the error information is that the user does not have access rights;
when the verification information of the file to be transmitted of the external network client is inconsistent with the verification information in the related information, the error information is that the file to be transmitted is wrong.
6. A gatekeeper system comprising:
the external network unit is used for receiving the access request and the file to be transmitted sent by the external network client of the low-security network domain, verifying the security of the file to be transmitted, and sending the file to be transmitted which passes the security verification to the proprietary isolation exchange unit;
the proprietary isolation exchange unit is configured to perform the method according to any one of claims 1 to 5, so as to receive the file to be transmitted sent by the external network unit while isolating the internal network unit from the external network unit, and to ferry the file to be transmitted that passes the security verification to the internal network unit;
the intranet unit is used for receiving the file to be transmitted ferried by the proprietary isolation exchange unit and forwarding it to a file server in a high-security intranet; the external network unit, the proprietary isolation exchange unit and the internal network unit are located in different networks isolated from each other.
7. A system for securely accessing an intranet in real time, comprising:
the low security domain client is used for sending the file to be transmitted to the gatekeeper system by using a File Transfer Protocol (FTP), and sending the access request to the gatekeeper system by using an extended header field of a hypertext transfer protocol (HTTP);
the gatekeeper system is configured to receive the file to be transmitted and the access request sent by the low security domain client, and perform the method according to any one of claims 1 to 5, so as to ferry the file to be transmitted that passes security verification to a high security domain file server according to the access request while guaranteeing isolation between the low security domain and the high security domain;
the high security domain file server is configured to receive the file to be transmitted from the gatekeeper system and provide a service corresponding to the access request to the low security domain client; wherein the low security domain client and the high security domain file server are located in different networks that are isolated from each other.
8. An apparatus for securely accessing an intranet, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any of claims 1-5 by executing the instructions stored in the memory.
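As an added example that is not part of the patent or of the applicant's own code, the following Python sketches the verification order that claims 4 and 5 recite, reading the related information from HTTP extended header fields as claim 7 states. The header names, the user registry, the access-control table and the file bytes are constructed assumptions, and SHA-256 is assumed as the file verification information because the claims do not name an algorithm.

```python
"""Added example (not the patent's own code): the check order of claims 4
and 5, applied to an access request carried in HTTP extended header fields
(claim 7). Header names, registry, ACL and file contents are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed extended header field names; the patent does not name them.
H_USER = "X-Gap-User"
H_RESOURCE = "X-Gap-Resource"
H_FILE_SHA256 = "X-Gap-File-Sha256"

# Error information strings follow the three cases listed in claim 5.
ERR_UNREGISTERED = "user not registered"
ERR_NO_ACCESS = "user does not have access right"
ERR_FILE = "file to be transmitted is erroneous"


@dataclass(frozen=True)
class Decision:
    ferry: bool                  # True: hand the file on to the intranet unit
    error: Optional[str] = None  # error information returned to the client


def parse_access_request(headers: Dict[str, str]) -> Dict[str, str]:
    """Extract the related information from the extended header fields.
    Field names are matched case-insensitively, as HTTP field names are."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "user": lowered.get(H_USER.lower(), ""),
        "resource": lowered.get(H_RESOURCE.lower(), ""),
        "sha256": lowered.get(H_FILE_SHA256.lower(), "").strip().lower(),
    }


def verify(headers: Dict[str, str], file_bytes: bytes,
           registry: Set[str], acl: Dict[str, Set[str]]) -> Decision:
    """Return ferry=True only when all three checks of claims 4/5 pass."""
    info = parse_access_request(headers)
    # 1. Registration check (claim 5, first case).
    if info["user"] not in registry:
        return Decision(False, ERR_UNREGISTERED)
    # 2. Resource name legality and access right (claim 5, second case);
    #    a resource name absent from the ACL is treated as illegal.
    allowed = acl.get(info["resource"])
    if allowed is None or info["user"] not in allowed:
        return Decision(False, ERR_NO_ACCESS)
    # 3. Verification information of the file must match the related
    #    information (claim 5, third case); constant-time comparison.
    digest = hashlib.sha256(file_bytes).hexdigest()
    if not info["sha256"] or not hmac.compare_digest(digest, info["sha256"]):
        return Decision(False, ERR_FILE)
    return Decision(True)


# Constructed sample data.
REGISTRY = {"alice", "bob"}
ACL = {"reports": {"alice"}, "archive": {"alice", "bob"}}
SAMPLE_FILE = b"quarterly report v3\n"
GOOD_SHA = hashlib.sha256(SAMPLE_FILE).hexdigest()


def demo() -> Dict[str, Decision]:
    """Run one request per outcome the claims describe."""
    cases = {
        "ok": ({H_USER: "alice", H_RESOURCE: "reports",
                H_FILE_SHA256: GOOD_SHA}, SAMPLE_FILE),
        "unregistered": ({H_USER: "mallory", H_RESOURCE: "reports",
                          H_FILE_SHA256: GOOD_SHA}, SAMPLE_FILE),
        "no_access": ({H_USER: "bob", H_RESOURCE: "reports",
                       H_FILE_SHA256: GOOD_SHA}, SAMPLE_FILE),
        "bad_resource": ({H_USER: "alice", H_RESOURCE: "unknown-share",
                          H_FILE_SHA256: GOOD_SHA}, SAMPLE_FILE),
        "tampered": ({H_USER: "alice", H_RESOURCE: "reports",
                      H_FILE_SHA256: GOOD_SHA}, SAMPLE_FILE + b"x"),
    }
    return {name: verify(h, f, REGISTRY, ACL) for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} ferry={decision.ferry} error={decision.error}")
```

The checks run in the order the claims list them and stop at the first failure, so a request that is both unregistered and carries a wrong digest is reported only as unregistered; the file digest is compared in constant time so that the error path does not leak how much of the expected value matched.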
CN202111259983.7A 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time Active CN113965395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111259983.7A CN113965395B (en) 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111259983.7A CN113965395B (en) 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time

Publications (2)

Publication Number Publication Date
CN113965395A CN113965395A (en) 2022-01-21
CN113965395B true CN113965395B (en) 2024-02-09

Family

ID=79467824

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111259983.7A Active CN113965395B (en) 2021-10-28 2021-10-28 Method, system and device for safely accessing intranet in real time

Country Status (1)

Country Link
CN (1) CN113965395B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710333A (en) * 2022-03-23 2022-07-05 未鲲(上海)科技服务有限公司 Data transmission and verification method, system, computer equipment and storage medium
CN117240618B (en) * 2023-11-13 2024-03-01 中国联合网络通信集团有限公司 Household cloud box access method, device, equipment and storage medium

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004206670A (en) * 2002-10-30 2004-07-22 Nippon Telegr & Teleph Corp <Ntt> Use right management system, method, and device with mechanism therefor
CN102208982A (en) * 2011-04-28 2011-10-05 广州汇智通信技术有限公司 Isolation gateway
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
CN104573914A (en) * 2014-12-05 2015-04-29 国家电网公司 Gateway measurement acquisition and operation maintenance management system and application thereof
CN105656883A (en) * 2015-12-25 2016-06-08 冶金自动化研究设计院 Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device
CN106060003A (en) * 2016-05-09 2016-10-26 北京航天数控系统有限公司 Network boundary unidirectional isolated transmission device
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP
CN206272653U (en) * 2016-12-07 2017-06-20 常州华龙通信科技股份有限公司 A kind of one-way isolation shutter
CN109120651A (en) * 2018-11-07 2019-01-01 成都华栖云科技有限公司 A kind of realization method and system improving teaching network file transmission fluency
CN109309730A (en) * 2018-10-31 2019-02-05 北京国信宏数科技有限责任公司 A kind of believable document transmission method and system
CN110620791A (en) * 2019-10-10 2019-12-27 江苏亨通工控安全研究院有限公司 Industrial safety data ferrying system with early warning function
CN110933025A (en) * 2019-10-21 2020-03-27 武汉神库小匠科技有限公司 Multi-source heterogeneous data cross-domain synchronous shared storage method, device, equipment and medium
CN111641650A (en) * 2020-05-29 2020-09-08 中京天裕科技(北京)有限公司 Industrial data unidirectional import system and method
CN111740993A (en) * 2020-06-18 2020-10-02 河南优易信息技术有限公司 Internal and external network safety data exchange method
CN112346758A (en) * 2020-10-09 2021-02-09 北京国电通网络技术有限公司 Digital infrastructure service updating platform, updating method and electronic equipment
CN112448957A (en) * 2020-11-27 2021-03-05 成都新希望金融信息有限公司 Network isolation method, device, system, server and readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160261576A1 (en) * 2015-03-05 2016-09-08 M-Files Oy Method, an apparatus, a computer program product and a server for secure access to an information management system
US9762563B2 (en) * 2015-10-14 2017-09-12 FullArmor Corporation Resource access system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Information security strategy for the Nanjing Radio and Television Group converged-media publishing platform; 杨旸; 吴永生; 电视工程 (Video Engineering) (01); pp. 54-56 *

Also Published As

Publication number Publication date
CN113965395A (en) 2022-01-21

Similar Documents

Publication Publication Date Title
EP3443519B1 (en) System of security using blockchain protocol
EP1997271B1 (en) Intersystem single sign-on
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
CN113965395B (en) Method, system and device for safely accessing intranet in real time
US11184336B2 (en) Public key pinning for private networks
JP7309880B2 (en) Timestamp-based authentication including redirection
CN104363207A (en) Multi-factor security enhancement authorization and authentication method
KR101631635B1 (en) Method, device, and system for identity authentication
CN111800378A (en) Login authentication method, device, system and storage medium
CN111131216A (en) File encryption and decryption method and device
JP2007280393A (en) Device and method for controlling computer login
CN115277168B (en) Method, device and system for accessing server
CN115242546A (en) Industrial control system access control method based on zero trust architecture
CN113678131A (en) Protecting online applications and web pages using blockchains
US20230246816A1 (en) Zero trust authentication
WO2022177876A1 (en) Zero trust authentication
CN112738005A (en) Access processing method, device, system, first authentication server and storage medium
CN114978677A (en) Asset access control method, device, electronic equipment and computer readable medium
CN113901428A (en) Login method and device of multi-tenant system
KR20180034199A (en) Unified login method and system based on single sign on service
CN112822217A (en) Server access method, device, equipment and storage medium
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
US20230319530A1 (en) Communication control method and communication device
KR102609368B1 (en) System for controlling network access and method of the same
KR102583604B1 (en) System for controlling data flow based on logical connection identification and method of the same

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant