CN114157466A - System and method for realizing safe cross-network access under network partition - Google Patents


Info

Publication number: CN114157466A
Authority: CN (China)
Prior art keywords: internal, machine, external, signal, terminal device
Legal status: Pending
Application number: CN202111414375.9A
Other languages: Chinese (zh)
Inventor: 刘小明
Current assignee: Chengdu Pupei Technology Co ltd
Original assignee: Chengdu Pupei Technology Co ltd
Application filed by Chengdu Pupei Technology Co ltd
Priority to CN202111414375.9A
Publication of CN114157466A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/451 Execution arrangements for user interfaces
    • G06F 9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Abstract

The invention discloses a system and a method for secure cross-network access under network isolation. The system comprises a remote terminal device, an internal/external network secure access device and an operated terminal device. The secure access device comprises an external machine, an internal machine, an internal/external machine cooperation module and a channel management module; the external and internal machines are connected only through a minimal signal set channel, and the cooperation module and the channel management module reside in the external machine. The secure access device separates the extranet from the intranet: the external machine communicates with the remote terminal device over the Internet, the internal machine communicates with the operated terminal device over the intranet, and the two machines are joined only by the minimal signal set channel. A signal filtering unit on that channel discards every signal other than keyboard signals, mouse signals and desktop video signals, so that only desktop video passes from the internal machine to the external machine and only keyboard and mouse signals pass in the opposite direction. Secure cross-network remote operation is thereby achieved while the two networks remain isolated.

Description

System and method for realizing safe cross-network access under network partition
Technical Field
The invention belongs to the technical field of network security, relates to the security of communication between an intranet and an extranet, and in particular relates to a system and a method for secure cross-network access under network isolation.
Background
Remote operation and control of computers and digital devices is an important tool for business collaboration and system maintenance in the information age.
As information technology has been applied throughout social and economic activity, the operation of enterprises has come to depend on internal information network systems. To maintain the equipment and systems they have supplied to an owner quickly and economically, equipment and system manufacturers access the owner's business network directly over the Internet and operate the equipment and systems remotely. These internal networks run large numbers of critical devices and computers and hold large amounts of data concerning national security, public safety and personal privacy. Remote networked operation therefore exposes equipment and system owners to serious risks of network attack, data leakage and unauthorized remote control.
To date there is no good solution for preventing leakage of internal information during remote networked operation. In recent years in particular, data theft and network attacks carried out through remote network connections have occurred and caused great harm to the state and to society. The root cause of the insecurity is the "networking" itself: a network connection is established between the remote terminal operated by the vendor and the devices and computers on the owner's internal network. Over that connection, attacks and malware can reach the internal network directly, and vendors or criminals can steal data or perform unauthorized control without the enterprise being aware of it.
How to achieve cross-network desktop operation while guaranteeing that the networks remain isolated, preserving the convenience of remote operation while protecting data security and network security to the greatest extent during remote operation, is therefore an important problem awaiting a solution.
Disclosure of Invention
The invention aims to solve the above technical problems in the prior art and provides a system for secure cross-network access under network isolation.
The invention also aims to provide a method for secure cross-network access under network isolation.
The above objects are achieved by the following technical solutions.
The invention provides a system for secure cross-network access under network isolation, which comprises a remote terminal device, an internal/external network secure access device and an operated terminal device;
the secure access device comprises an external machine, an internal machine, an internal/external machine cooperation module and a channel management module. The external machine and the internal machine are connected through a minimal signal set channel, which is a signal channel formed by one or more physical channels, or by one or more virtual channels divided on a single physical channel according to a defined standard. The external machine communicates with the remote terminal device over the Internet; the cooperation module in the external machine selects an idle signal channel through the channel management module and sends the received keyboard and/or mouse signals to the internal machine over it. According to the received keyboard and/or mouse signals, the internal machine establishes a communication connection with the operated terminal device over the internal network and sends the desktop video signal of the operated terminal device back to the external machine through the corresponding signal channel; the external machine forwards that desktop video signal to the remote terminal device over the Internet. The signal channel carrying keyboard and/or mouse signals may be the same as, or different from, the signal channel carrying desktop video signals.
In the above system, the physical channel is implemented with a USB data cable, optical fibre, twisted pair or a similar medium commonly used in the art. The keyboard, mouse and desktop video signals do not use any network physical-layer, link-layer or network-layer protocol, and the physical channel attaches to the internal and external machines through a USB or optical-fibre interface, so that neither machine can configure it as a network interface. Note that such media are themselves bidirectional; the one-way property of each channel in this system comes from the signal filtering unit described next, not from the cable.
A signal filtering unit is arranged on the minimal signal set channel. It inspects every signal packet transmitted: among packets sent by the external machine, everything except mouse or keyboard signals is blocked, and among packets sent by the internal machine, everything except desktop video signals is blocked. In this way the external machine can send only keyboard and mouse signals to the internal machine, and the internal machine can send only desktop video signals to the external machine. The signal filtering unit may be a single-chip microcontroller, an FPGA device, a programmable network card or the like.
In the above system, the remote terminal device, the external machine and the internal machine are all computers, and the operating systems of the external and internal machines may be Windows or UNIX. The operated terminal device may be a computer, production equipment, inspection equipment, monitoring equipment or the like.
In the above system, the remote terminal device connects to the external machine of the secure access device by VPN, P2P or other means. There may be more than one remote terminal device, and each may log in to the external machine with a conventional RDP-based remote desktop client (for example the Windows Remote Desktop client). To further improve access security, an SMS verification code may be added to the login to the external machine, so that only the user holding the designated mobile phone number can access the corresponding external machine.
In the system, the external machine is provided with the internal/external machine cooperation module and the channel management module.
In one implementation, the external machine runs a remote desktop host program corresponding to the remote terminal device. In another implementation, the external machine communicates with several remote terminal devices at the same time; in that case it is provided with two or more virtual desktop instances supporting two or more virtual desktops. A virtual desktop instance receives and stores keyboard signals, mouse signals and desktop video data. Either all virtual desktop instances of the external machine belong to one external machine operating system, which decides which instance is in use, or each virtual desktop instance has its own external machine virtual operating system.
The channel management module manages the signal channels of the minimal signal set and finds an idle signal channel when a send request is received. The cooperation module uses the signal channel found by the channel management module as a dedicated channel to forward keyboard and/or mouse signals received from the remote terminal device to the internal machine, and forwards desktop video signals arriving over the minimal signal set channel to the remote terminal device over the Internet through the remote desktop program.
In one implementation, the internal machine runs a remote operation program or designated application software for operating and controlling the operated terminal device. In another implementation, the internal machine communicates with several operated terminal devices at the same time; in that case it is provided with two or more virtual desktop instances supporting two or more virtual desktops. Either all virtual desktop instances belong to one internal machine operating system, which decides which instance is in use, or each instance has its own internal machine virtual operating system; the internal operating system or virtual operating system runs the remote operation program or designated application software that controls the operated terminal device. The internal machine operating system or virtual operating system is further provided with a resource access control module, which offers only the remote operation programs or designated application software that the operator of the remote terminal device is authorized to use. The remote operation program may be a conventional RDP-based remote desktop client (such as the Windows Remote Desktop client), an SSH terminal, an SQL client or the like, and the operated terminal device is accessed through it. The internal operating system or virtual operating system is also provided with a conversion module that converts the access result returned by the operated terminal device into a desktop video signal.
The invention further provides a method for secure cross-network access under network isolation, covering the following two cases:
In the first case, the secure access device serves a single remote terminal device accessing a single operated terminal device. The system described above operates according to the following steps:
S1. The remote terminal device sends a login request for the external machine to the external machine of the secure access device over the Internet. After a successful login, the external machine sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module.
S2. The cooperation module sends the keyboard and/or mouse signals of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel. After a successful login, the internal machine sends the corresponding desktop video signal to the external machine through the dedicated channel, and the external machine forwards it to the remote terminal device.
S3. The cooperation module sends the keyboard and/or mouse signals of the operated-terminal-device start request received from the remote terminal device to the internal machine through the minimal signal set channel. When the received signals satisfy the start conditions, the internal machine starts the remote operation program or designated application software that controls the operated terminal device and establishes the communication connection between the internal machine and the operated terminal device.
S4. The cooperation module sends the keyboard and/or mouse signals of the operated-terminal-device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel, and the internal machine accesses the operated terminal device through the remote operation program or designated application software according to those signals.
The access result returned by the operated terminal device is converted into a desktop video signal by the conversion module on the internal machine and sent to the external machine through the minimal signal set channel; the external machine forwards the desktop video signal to the remote terminal device.
Further, in steps S2, S3 and S4 the signal filtering unit on the minimal signal set channel filters out every signal other than the keyboard and/or mouse signals of the internal machine login request, the operated-terminal-device start request or the operated-terminal-device access instruction, and the desktop video signal sent by the internal machine to the external machine, thereby ensuring data security and network security during the remote operation.
In the second case, the secure access device serves several remote terminal devices accessing different operated terminal devices at the same time. The system described above operates according to the following steps:
S1'. The remote terminal device sends a login request for the external machine to the external machine of the secure access device over the Internet. After a successful login, the external machine opens a virtual desktop instance, sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module.
S2'. The cooperation module sends the keyboard and/or mouse signals of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel. After a successful login, the internal machine opens a virtual desktop instance and sends the corresponding desktop video signal to the external machine through the dedicated channel, and the external machine forwards it to the remote terminal device.
S3'. The cooperation module sends the keyboard and/or mouse signals of the operated-terminal-device start request received from the remote terminal device to the internal machine through the minimal signal set channel. When the received signals satisfy the start conditions, the remote operation program or designated application software installed in the internal machine operating system or virtual operating system is started and the communication connection between the internal machine and the operated terminal device is established.
S4'. The cooperation module sends the keyboard and/or mouse signals of the operated-terminal-device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel, and the internal machine operating system or virtual operating system accesses the operated terminal device through the remote operation program or designated application software according to those signals.
The access result returned by the operated terminal device is converted into a desktop video signal by the conversion module in the internal machine operating system or virtual operating system and sent to the external machine through the minimal signal set channel; the external machine forwards the desktop video signal to the remote terminal device.
Further, in steps S2', S3' and S4' the signal filtering unit on the minimal signal set channel filters out every signal other than the keyboard and/or mouse signals of the internal machine login request, the operated-terminal-device start request or the operated-terminal-device access instruction, and the desktop video signal sent by the internal machine to the external machine, thereby ensuring data security and network security during the remote operation.
The system and method for secure cross-network access under network isolation have the following beneficial effects:
(1) The secure access device separates the extranet from the intranet. Its external machine connects to the remote terminal device over the Internet, its internal machine connects to the operated terminal device over the intranet, and the two machines are connected only by a minimal signal set channel formed from a physical channel. The signal filtering unit on that channel discards every signal other than keyboard, mouse and desktop video signals, so only desktop video passes in one direction between the internal and external machines and only mouse and keyboard signals pass in the other. Secure cross-network remote operation is thus achieved while the networks remain isolated: the convenience of remote operation is preserved, and data security and network security during the remote operation are protected to the greatest extent.
(2) The internal machine is used as a jump host, so that a session logged in to the internal machine operating system from the external machine can operate the terminal devices networked with the internal machine.
(3) A resource access control system on the internal machine sets, for the different users that log in to the internal machine, the access rights to the software systems on the operated terminal devices networked with the intranet (such as remote operation programs, stored data systems, designated clients, equipment maintenance software, browsers and the like).
(4) The signal filtering unit encrypts and checks the signals transmitted over the minimal signal set channel, so that only desktop video signals of the internal machine are passed to the external machine and only keyboard and/or mouse signals from the external machine are passed to the internal machine.
Drawings
Fig. 1 is a schematic structural diagram of the system for secure cross-network access under network isolation provided in Embodiment 1.
Fig. 2 is a schematic diagram of the principle of the minimal signal set channel.
Fig. 3 is a schematic structural diagram of the system for secure cross-network access under network isolation provided in Embodiment 3.
Fig. 4 is a schematic block diagram of the intranet/extranet secure access device in Embodiment 3.
Detailed Description
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of the invention.
Example 1
The system for secure cross-network access under network isolation provided by this embodiment is shown in Fig. 1. It comprises a remote terminal device, an internal/external network secure access device and an operated terminal device.
The secure access device comprises an external machine and an internal machine connected through a minimal signal set channel. The external machine communicates with the remote terminal device over the Internet; the internal machine communicates with the operated terminal device through a switch.
The remote terminal device, the external machine and the internal machine are computers, and their operating systems may be Windows or UNIX. The operated terminal device may be a computer, production equipment, monitoring equipment or the like.
The remote terminal device connects to the external machine by VPN, P2P or other means, and accesses it through an RDP-based remote desktop client (such as the Windows Remote Desktop client) on the remote terminal device and the corresponding remote desktop host on the external machine. To further improve access security, an SMS verification code may be added to the login to the external machine, so that only the user holding the designated mobile phone number can access the corresponding external machine.
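The SMS verification code mentioned here, and in the same terms in the disclosure above, is only a second factor if the phone number is taken from the server-side record for the account and the code is short-lived and single-use. The following Python is an added example written for this page, not code from the patent or from Chengdu Pupei; the six-digit code, the 120-second lifetime, the three-attempt limit and the send_sms callback are assumptions.

```python
"""SMS verification code as a second factor for logging in to the external machine.

Added example for this page, not code from the patent or from Chengdu
Pupei. The six-digit code, the 120 s lifetime, the three-attempt limit
and the send_sms callback are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class PendingCode:
    code: str
    phone: str
    expires_at: float
    attempts_left: int


class SmsSecondFactor:
    def __init__(self, registered_phones: Dict[str, str],
                 send_sms: Callable[[str, str], None],
                 lifetime_s: float = 120.0, max_attempts: int = 3,
                 now: Callable[[], float] = time.time):
        # username -> phone number on file. The binding lives server-side;
        # the login request never gets to choose where the code is sent.
        self.registered = dict(registered_phones)
        self.send_sms = send_sms
        self.lifetime_s = lifetime_s
        self.max_attempts = max_attempts
        self.now = now
        self.pending: Dict[str, PendingCode] = {}

    def start(self, username: str) -> bool:
        """Issue a fresh code to the registered phone; False if the user has none."""
        phone = self.registered.get(username)
        if phone is None:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.randint
        self.pending[username] = PendingCode(
            code, phone, self.now() + self.lifetime_s, self.max_attempts)
        self.send_sms(phone, code)
        return True

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once per issued code, within its lifetime and attempt budget."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[username]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code.encode(), str(submitted).encode())
        if ok or entry.attempts_left <= 0:
            # Single use on success; burn the code after too many wrong guesses
            # so a six-digit space cannot be brute-forced within the lifetime.
            del self.pending[username]
        return ok
```

The constant-time comparison and the attempt budget matter because a six-digit code has only a million values: without the budget, an attacker holding a stolen external-machine password could enumerate the code within the lifetime.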
As shown in Fig. 2, the minimal signal set channel is a signal channel formed by two physical channels, or by two virtual channels divided on one physical channel according to a defined standard: one signal channel carries keyboard/mouse signals one way from the external machine to the internal machine, and the other carries desktop video signals one way from the internal machine to the external machine. In this embodiment the physical channel is a USB data cable commonly used in the art; optical fibre or twisted pair may be used instead. The keyboard, mouse and desktop video signals use no network physical-layer, link-layer or network-layer protocol, and the physical channel attaches to the internal and external machines through USB interfaces (or optical-fibre interfaces), so that neither machine can configure it as a network interface.
A signal filtering unit is arranged on the physical channel forming the minimal signal set channel. In this embodiment a single-chip microcontroller serves as the filtering unit; an FPGA device, a programmable network card or the like may also be used. The unit inspects and filters every signal packet transmitted: among packets sent by the external machine, everything except mouse or keyboard signals is blocked, and among packets sent by the internal machine, everything except desktop video signals is blocked. The external machine can thus send only keyboard and mouse signals to the internal machine, and the internal machine can send only desktop video signals to the external machine. The signals transmitted on the minimal signal set channel may further be encrypted to increase the security of the transmission.
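The filtering rule in this paragraph, and in the signal filtering unit of the disclosure above, is the security core of the design, so here is an added example (written for this page, not code from the patent or from Chengdu Pupei) of a direction-aware filter in Python. The frame layout (type, sequence number, length, payload, authentication tag), the type codes, the fixed HID report sizes, the 64 KiB video frame cap and the HMAC key shared by the two machines and the filter are all assumptions made for the example; the patent only says that the unit blocks everything except keyboard/mouse packets in one direction and desktop video packets in the other, and that the signals may be encrypted. The example authenticates each frame before trusting its header, enforces the per-direction type policy and size limits, and rejects replayed frames.

```python
"""Direction-aware packet filter for the minimal signal set channel.

Added example for this page; not code from the patent or from Chengdu
Pupei. Frame layout, type codes, report sizes and the shared HMAC key
are assumptions made for the example.
"""
import hashlib
import hmac
import struct

# Constructed frame layout (assumption):
#   type(1) | seq(4) | len(2) | payload | tag(16)
# tag = first 16 bytes of HMAC-SHA256(key, type|seq|len|payload)
HEADER = struct.Struct(">BIH")
TAG_LEN = 16

TYPE_KEYBOARD = 0x01
TYPE_MOUSE = 0x02
TYPE_VIDEO = 0x03

OUTER_TO_INNER = "outer->inner"   # operator input towards the intranet
INNER_TO_OUTER = "inner->outer"   # desktop video back towards the Internet

# Which packet types may cross the channel in each direction.
POLICY = {
    OUTER_TO_INNER: {TYPE_KEYBOARD, TYPE_MOUSE},
    INNER_TO_OUTER: {TYPE_VIDEO},
}
# Payload size bounds per type (assumed: 8-byte HID boot keyboard report,
# 4-byte mouse report, video frames of at most 64 KiB per packet).
SIZE_LIMITS = {
    TYPE_KEYBOARD: (8, 8),
    TYPE_MOUSE: (4, 4),
    TYPE_VIDEO: (1, 65535),
}


def build_packet(key: bytes, ptype: int, seq: int, payload: bytes) -> bytes:
    """Frame a payload as the sending machine would."""
    body = HEADER.pack(ptype, seq, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SignalFilter:
    """Models the single-chip filtering unit guarding one direction of the channel."""

    def __init__(self, key: bytes, direction: str):
        self.key = key
        self.direction = direction
        self.last_seq = -1         # highest sequence number admitted so far
        self.dropped = []          # (reason, raw frame) kept for audit

    def check(self, raw: bytes):
        """Return (type, payload) for an admitted frame, or None if it is dropped."""
        reason = self.reject_reason(raw)
        if reason is not None:
            self.dropped.append((reason, raw))
            return None
        ptype, seq, _ = HEADER.unpack_from(raw)
        self.last_seq = seq
        return ptype, raw[HEADER.size:-TAG_LEN]

    def reject_reason(self, raw: bytes):
        if len(raw) < HEADER.size + TAG_LEN:
            return "truncated"
        ptype, seq, length = HEADER.unpack_from(raw)
        if len(raw) != HEADER.size + length + TAG_LEN:
            return "length mismatch"
        # Authenticate before acting on anything in the header.
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad tag"
        if ptype not in POLICY[self.direction]:
            return "type not allowed in this direction"
        lo, hi = SIZE_LIMITS[ptype]
        if not lo <= length <= hi:
            return "payload size out of range"
        if seq <= self.last_seq:
            return "replay or reordering"
        return None


if __name__ == "__main__":
    k = bytes(32)                       # demo key only
    to_inner = SignalFilter(k, OUTER_TO_INNER)
    print(to_inner.check(build_packet(k, TYPE_KEYBOARD, 1, bytes(8))))
    to_inner.check(build_packet(k, TYPE_VIDEO, 2, b"\x00" * 100))
    print(to_inner.dropped[-1][0])
```

A filter built this way drops a frame for exactly one recorded reason, which is what an operator needs when a vendor session stops working: a "type not allowed in this direction" entry on the outer-to-inner filter means something on the external machine tried to push more than keystrokes and mouse movement into the intranet. Checking the tag before the policy keeps the policy decision from being driven by an unauthenticated header, and a microcontroller implementation would hold the key in the chip rather than on either machine.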
The external machine is provided with the internal/external machine cooperation module and the channel management module. The channel management module manages the signal channels of the minimal signal set and finds an idle signal channel when a send request is received. The cooperation module uses the channel found by the channel management module as a dedicated channel to forward keyboard and/or mouse signals received from the remote terminal device to the internal machine, and forwards desktop video signals arriving over the minimal signal set channel to the remote terminal device over the Internet through the remote operation program.
The internal machine accesses the operated terminal device through an RDP-based remote desktop client (such as the Windows Remote Desktop client) on the internal machine and the corresponding host on the operated terminal device; access may equally be implemented with other remote operation programs such as an SSH terminal or an SQL client, or with the application software supplied with the operated terminal device itself. The internal machine is further provided with a resource access control module, which offers only the remote desktop client, remote operation program or designated application software that the operator of the remote terminal device is authorized to use, and with a conversion module that converts the access result returned by the operated terminal device into a desktop video signal.
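The channel management and cooperation modules described here (and in the same terms in the disclosure above) are easy to get subtly wrong, because a session that cannot find an idle channel must be refused rather than doubled up on a channel another operator is already using. The following Python is an added example written for this page, not code from the patent or from Chengdu Pupei; the fixed pairing of one keyboard/mouse channel with one desktop video channel per session, the channel numbering and the exception raised on exhaustion are assumptions.

```python
"""Channel management for the minimal signal set channel.

Added example for this page; it is not code from the patent or from
Chengdu Pupei. The layout of virtual channels in keyboard/mouse + video
pairs, the channel ids and the refusal when no channel is idle are
assumptions.
"""
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUTER_TO_INNER = "outer->inner"   # keyboard/mouse reports
INNER_TO_OUTER = "inner->outer"   # desktop video frames


@dataclass
class VirtualChannel:
    chan_id: int
    direction: str                  # fixed at layout time, never changed per session
    session: Optional[str] = None   # owning session id, None when idle

    @property
    def idle(self) -> bool:
        return self.session is None


class ChannelManager:
    """Tracks which virtual channels on the physical link are idle.

    Each session gets one dedicated channel per direction, so two remote
    operators never share a channel and one session's video is never
    carried on another session's channel.
    """

    def __init__(self, n_pairs: int):
        self.channels: List[VirtualChannel] = []
        for i in range(n_pairs):
            # Assumption: even ids carry keyboard/mouse outer->inner,
            # odd ids carry desktop video inner->outer.
            self.channels.append(VirtualChannel(2 * i, OUTER_TO_INNER))
            self.channels.append(VirtualChannel(2 * i + 1, INNER_TO_OUTER))
        self._lock = threading.Lock()

    def find_idle(self, direction: str) -> Optional[VirtualChannel]:
        for ch in self.channels:
            if ch.direction == direction and ch.idle:
                return ch
        return None

    def allocate_pair(self, session_id: str) -> Tuple[int, int]:
        """Reserve one idle channel in each direction for the session."""
        with self._lock:
            km = self.find_idle(OUTER_TO_INNER)
            video = self.find_idle(INNER_TO_OUTER)
            if km is None or video is None:
                # Fail closed: never fall back to a channel that is in use.
                raise RuntimeError("no idle channel pair available")
            km.session = session_id
            video.session = session_id
            return km.chan_id, video.chan_id

    def release(self, session_id: str) -> int:
        """Return every channel held by the session to the idle pool."""
        with self._lock:
            freed = 0
            for ch in self.channels:
                if ch.session == session_id:
                    ch.session = None
                    freed += 1
            return freed

    def idle_count(self) -> int:
        return sum(1 for ch in self.channels if ch.idle)


class CooperationModule:
    """Binds each remote-desktop session on the external machine to its channel pair."""

    def __init__(self, manager: ChannelManager):
        self.manager = manager
        self.sessions: Dict[str, Tuple[int, int]] = {}

    def open_session(self, session_id: str) -> Tuple[int, int]:
        pair = self.manager.allocate_pair(session_id)
        self.sessions[session_id] = pair
        return pair

    def channel_for_input(self, session_id: str) -> int:
        """Channel on which this session's keyboard/mouse reports go to the internal machine."""
        return self.sessions[session_id][0]

    def channel_for_video(self, session_id: str) -> int:
        """Channel on which this session expects desktop video from the internal machine."""
        return self.sessions[session_id][1]

    def close_session(self, session_id: str) -> int:
        self.sessions.pop(session_id)
        return self.manager.release(session_id)
```

With two channel pairs, a third concurrent session is refused until one of the first two logs out and its pair is released; the channel direction is a property of the channel layout, not of the session, so a released channel can only ever be reused for the same kind of traffic.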
Example 2
This embodiment provides a method for realizing secure cross-network access under network isolation, implemented with the secure cross-network access system of Example 1 according to the following steps:
S1, the remote terminal device sends an external machine login request to the external machine of the internal/external network security access device through the Internet; after successful login, the external machine sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module.
The login request contains an external machine user name and password. When the user name and password received by the external machine are legitimate, the external machine operating system completes the login, the external machine sends the corresponding desktop video signal to the remote terminal device, and the internal/external machine cooperation module is started.
S2, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel; after successful login, the internal machine sends the corresponding desktop video signal to the external machine through the dedicated channel, and the external machine forwards the received desktop video signal to the remote terminal device through the Internet.
The remote terminal device sends the keyboard or/and mouse signal of the internal machine login request (comprising a user name and password) to the external machine through the Internet. The internal/external machine cooperation module of the external machine selects, through the channel management module, one idle signal channel of the minimal signal set channel as the dedicated mouse/keyboard signal channel (another signal channel serves as the dedicated desktop video signal channel) and sends the desktop login request keyboard or/and mouse signal to the internal machine over it. When the internal machine user name and password received by the internal machine are legitimate, the internal machine operating system completes the login. The internal machine sends the corresponding desktop video signal to the external machine through the dedicated desktop video signal channel of the minimal signal set channel, and the external machine forwards it to the remote terminal device.
S3, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device start request received from the remote terminal device to the internal machine through the minimal signal set channel; when the keyboard or/and mouse signal of the operated terminal device start request received by the internal machine meets the requirement, the internal machine starts the remote operation program or designated application software for controlling the operated terminal device and establishes a communication connection between the internal machine and the operated terminal device.
The operated terminal device start request is used to establish the communication connection between the internal machine and the operated terminal device. The operated terminal device can be a computer, or production equipment, inspection equipment, monitoring equipment and the like. When the operated terminal device is a computer, the connection between the internal machine and the operated terminal device can be established through a remote desktop access tool based on the RDP remote desktop protocol, an SSH remote terminal tool, an SQL terminal tool or another remote operation program. When the operated terminal device is production, inspection or monitoring equipment, the internal machine establishes the connection through the software provided with that equipment.
Thus the remote terminal device sends the keyboard or/and mouse signal of the operated terminal device start request to the external machine through the Internet; the internal/external machine cooperation module of the external machine sends the received start request to the internal machine over the dedicated keyboard/mouse signal channel of the minimal signal set channel; and the internal machine starts the remote operation program or the corresponding configured software according to the received start request, establishing the communication connection between the internal machine and the operated terminal device.
Furthermore, to protect the data of the operated terminal device and prevent erroneous or malicious operation of it by an operator at the remote terminal device, usage permissions can be set in the resource access control module of the internal machine according to the user corresponding to the internal machine user name, so that the user can operate only one or some specific application programs.
S4, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel, and the internal machine accesses the operated terminal device through the remote operation program or designated application software according to that signal.
After the communication connection between the internal machine and the operated terminal device is established, the remote terminal device accesses the operated terminal device through the internal/external machine security access device formed by the internal machine and the external machine. The remote terminal device sends the keyboard or/and mouse signal of the operated terminal device access instruction to the external machine through the Internet; the internal/external machine cooperation module of the external machine sends the received access instruction to the internal machine over the dedicated keyboard/mouse signal channel of the minimal signal set channel; the internal machine forwards the access instruction to the operated terminal device through the internal network; and the operated terminal device executes the operation according to the access instruction. The access result fed back by the operated terminal device is converted into a desktop video signal by the conversion module in the internal machine operating system and sent to the external machine through the minimal signal set channel, and the external machine forwards the received desktop video signal to the remote terminal device.
Further, the signal filtering unit on the minimal signal set channel filters out all signals other than the keyboard or/and mouse signals of the internal machine login request, the operated terminal device start request and the operated terminal device access instruction in steps S2, S3 and S4, and the desktop video signal sent by the internal machine to the external machine, so as to ensure data security and network security during remote operation.
Example 3
The system for realizing secure cross-network access under network isolation provided by this embodiment is shown in Fig. 3. It comprises a remote terminal device, an internal/external network security access device and an operated terminal device.
As shown in Fig. 4, the internal/external network security access device comprises an external machine and an internal machine connected through a minimal signal set channel. The external machine is communicatively connected to the remote terminal device through the Internet; the internal machine is communicatively connected to the operated terminal device through a switch.
The remote terminal device, the external machine and the internal machine are computers whose operating systems can be Windows or UNIX. The operated terminal device can be a computer, production equipment, monitoring equipment and the like.
The remote terminal device is communicatively connected to the external machine through a VPN, P2P or other means, and accesses the external machine through a remote desktop access tool based on the RDP remote desktop protocol (such as the Windows Remote Desktop client). To further improve access security, an SMS verification code can be required when the remote terminal device logs in to the external machine, so that only a user holding the designated mobile phone number can access the corresponding external machine.
The minimal signal set channel is a signal channel formed by two or more physical channels, or by two or more virtual channels divided from one physical channel according to a set standard; one and the same signal channel can carry the keyboard or/and mouse signals sent by the external machine to the internal machine and the desktop video signals sent by the internal machine to the external machine. In this embodiment the physical channel is a USB data cable commonly used in the art; an optical fiber or a twisted pair may be used instead. The keyboard signal, mouse signal and desktop video signal use no network physical-layer, access-layer or network-layer protocol, and the physical channel is connected to the internal machine and the external machine through USB interfaces, so that neither machine's side of the channel can be configured as a network interface; the USB interface may be replaced by an optical fiber interface.
A signal filtering unit is arranged on the physical channel forming the minimal signal set channel. In this embodiment a single-chip microcontroller serves as the filtering unit; an FPGA device, a programmable network card or the like may also be used. The signal filtering unit inspects and filters every transmitted signal packet: packets sent by the external machine other than mouse or keyboard signals, and packets sent by the internal machine other than desktop video signals, are blocked. The signal filtering unit thus ensures that the external machine can transmit only keyboard and mouse signals to the internal machine and that the internal machine can transmit only desktop video signals to the external machine. Further, the signals transmitted on the minimal signal set channel can be encrypted to increase transmission security.
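The filtering rule described above, as an added example that is not part of the patent or the applicant's product: a direction-aware, default-deny filter for the minimal signal set channel, written in Python as a model of what the microcontroller or FPGA filtering unit would enforce. The frame layout (a type byte, a two-byte length, the payload), the HID boot-protocol report checks and the sample frames are all assumptions; the patent does not specify a wire format. Note what such a filter does and does not give: it constrains the channel to keyboard/mouse reports in one direction and desktop video in the other, but it cannot judge what the operator types or what the desktop shows, which is why the resource access control module on the internal machine is still needed.

```python
"""Direction-aware packet filter for the minimal signal set channel.

Added example, not the patent's own code. Frame layout is an assumption:
1-byte type, 2-byte big-endian payload length, payload. Toward the internal
machine only keyboard/mouse frames pass; toward the external machine only
desktop video frames pass. Everything else, including malformed frames, is
dropped (default deny).
"""
from dataclasses import dataclass
from enum import Enum
import struct

TYPE_KEYBOARD = 0x01   # HID boot-protocol keyboard report, 8 bytes (assumed encoding)
TYPE_MOUSE = 0x02      # HID boot-protocol mouse report, 3 or 4 bytes (assumed encoding)
TYPE_VIDEO = 0x10      # desktop video slice, opaque payload (assumed encoding)
MAX_VIDEO_PAYLOAD = 0xFFFF


class Direction(Enum):
    TO_INTERNAL = "external->internal"
    TO_EXTERNAL = "internal->external"


# The whole security argument of the channel is this allow-list.
ALLOWED = {
    Direction.TO_INTERNAL: {TYPE_KEYBOARD, TYPE_MOUSE},
    Direction.TO_EXTERNAL: {TYPE_VIDEO},
}


@dataclass(frozen=True)
class Frame:
    ftype: int
    payload: bytes


def encode_frame(ftype: int, payload: bytes) -> bytes:
    return struct.pack(">BH", ftype, len(payload)) + payload


def parse_frame(raw: bytes) -> Frame:
    """Strict parse: header present and declared length equals actual length."""
    if len(raw) < 3:
        raise ValueError("short frame")
    ftype, length = struct.unpack(">BH", raw[:3])
    payload = raw[3:]
    if len(payload) != length:
        raise ValueError("length mismatch")
    return Frame(ftype, payload)


def _valid_keyboard(p: bytes) -> bool:
    # modifiers, reserved byte (must be 0), six key codes (HID usage ids <= 0xE7)
    return len(p) == 8 and p[1] == 0 and all(k <= 0xE7 for k in p[2:])


def _valid_mouse(p: bytes) -> bool:
    # buttons (only the low 3 bits may be set), dx, dy, optional wheel
    return len(p) in (3, 4) and p[0] & ~0x07 == 0


def _valid_video(p: bytes) -> bool:
    return 0 < len(p) <= MAX_VIDEO_PAYLOAD


VALIDATORS = {TYPE_KEYBOARD: _valid_keyboard, TYPE_MOUSE: _valid_mouse, TYPE_VIDEO: _valid_video}


def filter_frame(raw: bytes, direction: Direction) -> tuple[bool, str]:
    """Return (passed, reason). Anything not explicitly valid is dropped."""
    try:
        frame = parse_frame(raw)
    except ValueError as e:
        return False, f"malformed: {e}"
    if frame.ftype not in ALLOWED[direction]:
        return False, f"type 0x{frame.ftype:02x} not allowed {direction.value}"
    if not VALIDATORS[frame.ftype](frame.payload):
        return False, f"invalid payload for type 0x{frame.ftype:02x}"
    return True, "ok"


# Constructed sample traffic (not captured from any real device).
SAMPLES = [
    (encode_frame(TYPE_KEYBOARD, bytes([0x02, 0, 0x04, 0, 0, 0, 0, 0])), Direction.TO_INTERNAL),  # Shift+A
    (encode_frame(TYPE_MOUSE, bytes([0x01, 0x05, 0xFB])), Direction.TO_INTERNAL),                # left click + move
    (encode_frame(TYPE_VIDEO, b"\x00" * 1024), Direction.TO_EXTERNAL),                          # video slice out
    (encode_frame(TYPE_VIDEO, b"\x00" * 16), Direction.TO_INTERNAL),                            # video into intranet: drop
    (encode_frame(TYPE_KEYBOARD, bytes([0x02, 0, 0x04, 0, 0, 0, 0, 0])), Direction.TO_EXTERNAL), # keystrokes out: drop
    (encode_frame(0x20, b"GET / HTTP/1.1\r\n"), Direction.TO_INTERNAL),                         # unknown type: drop
    (b"\x01\x00\x08" + b"\x00" * 4, Direction.TO_INTERNAL),                                      # truncated: drop
    (encode_frame(TYPE_MOUSE, bytes([0xFF, 0x00, 0x00])), Direction.TO_INTERNAL),               # reserved bits set: drop
]


def run_samples() -> list[bool]:
    return [filter_frame(raw, d)[0] for raw, d in SAMPLES]


if __name__ == "__main__":
    for (raw, d), ok in zip(SAMPLES, run_samples()):
        print(f"{d.value:20} {raw[:3].hex():8} {'PASS' if ok else 'DROP'}  {filter_frame(raw, d)[1]}")
```

The validators are deliberately stricter than "is the type byte right": a frame whose declared length disagrees with what arrived, or a mouse report with reserved button bits set, is dropped rather than repaired, because the filtering unit is the only point where the internal network can refuse a malformed input.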
As shown in Fig. 4, the external machine is provided with two or more virtual desktop instances and can therefore support two or more virtual desktops, so that it can communicate with several remote terminal devices at the same time. All virtual desktop instances correspond to one external machine operating system. When the external machine receives a login request from a remote terminal device, it can start any idle virtual desktop instance and open a virtual desktop.
The external machine is provided with an internal/external machine cooperation module and a channel management module. The channel management module manages the signal channels of the minimal signal set: on receiving a sending request it finds an idle signal channel and uses it as the dedicated channel for transmitting the keyboard/mouse signals and the desktop video signal corresponding to the started virtual desktop instance. The internal/external machine cooperation module transmits the keyboard or/and mouse signal received from the remote terminal device to the internal machine over the signal channel found by the channel management module, and transmits the desktop video signal arriving over the minimal signal set channel to the remote terminal device through the Internet by means of the remote operation program.
As shown in Fig. 4, the internal machine is provided with two or more virtual desktop instances and can support two or more virtual desktops, so that the internal machine can communicate with several operated terminal devices at the same time. A virtual operating system corresponding to each virtual desktop instance is installed in the internal machine.
Each internal machine virtual operating system accesses the operated terminal device through a remote desktop access tool based on the RDP remote desktop protocol (such as the Windows Remote Desktop client); the access can also be realized through other remote operation programs such as an SSH remote terminal tool or an SQL terminal tool, or through application software provided by the operated terminal device itself. Furthermore, each internal machine virtual operating system is provided with a resource access control module, which provides a usable remote desktop access tool, remote operation program or designated application software according to the authority of the remote terminal device operator, and with a conversion module, which converts the access result fed back by the operated terminal device into a desktop video signal.
Example 4
This embodiment provides a method for realizing secure cross-network access under network isolation, implemented with the secure cross-network access system of Example 3 according to the following steps:
S1', the remote terminal device sends an external machine login request to the external machine of the internal/external network security access device through the Internet; after successful login, the external machine opens a virtual desktop instance, sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module.
The login request contains an external machine user name and password. When the user name and password received by the external machine are legitimate, the external machine operating system completes the login and starts an external machine virtual desktop instance. The external machine sends the corresponding desktop video signal to the remote terminal device and at the same time starts the corresponding internal/external machine cooperation module.
S2', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel; after successful login, the internal machine opens a virtual desktop instance and the corresponding virtual operating system and sends the corresponding desktop video signal to the external machine through the dedicated channel; the external machine forwards the received desktop video signal to the remote terminal device.
The remote terminal device sends the keyboard or/and mouse signal of the internal machine login request (comprising a user name and password) to the external machine through the Internet. The internal/external machine cooperation module of the external machine selects, through the channel management module, one idle signal channel of the minimal signal set channel as the dedicated channel of the virtual desktop instance (carrying both the keyboard/mouse signals sent by the external machine to the internal machine and the desktop video signals sent by the internal machine to the external machine) and sends the desktop login request keyboard or/and mouse signal to the internal machine over it. When the internal machine user name and password received by the internal machine are legitimate, the internal machine operating system completes the login and starts an internal machine virtual desktop instance and the corresponding internal machine virtual operating system. The internal machine sends the corresponding desktop video signal to the external machine through the dedicated channel of the minimal signal set channel, and the external machine forwards it to the remote terminal device.
S3', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device start request received from the remote terminal device to the internal machine through the minimal signal set channel; when the keyboard or/and mouse signal of the operated terminal device start request received by the internal machine meets the requirement, the internal machine starts the remote operation program or designated application software installed in its virtual operating system and establishes the communication connection between the internal machine and the operated terminal device.
The operated terminal device start request is used to establish the communication connection between the internal machine and the operated terminal device. The operated terminal device can be a computer, or production equipment, inspection equipment, monitoring equipment and the like. When the operated terminal device is a computer, the connection between the internal machine and the operated terminal device can be established through a remote desktop access tool based on the RDP remote desktop protocol, an SSH remote terminal tool, an SQL terminal tool or another remote operation program. When the operated terminal device is production, inspection or monitoring equipment, the internal machine establishes the connection through the software provided with that equipment.
Thus the remote terminal device sends the keyboard or/and mouse signal of the operated terminal device start request to the external machine through the Internet; the internal/external machine cooperation module of the external machine sends the received start request to the internal machine over the dedicated channel of the minimal signal set channel; and the internal machine virtual operating system starts a remote desktop access tool, an SSH remote terminal tool, an SQL terminal tool or the corresponding configured software according to the received start request, establishing the communication connection between the internal machine and the operated terminal device.
Furthermore, to protect the data of the operated terminal device and prevent erroneous or malicious operation of it by an operator at the remote terminal device, usage permissions can be set in the resource access control module of the internal machine virtual operating system according to the user corresponding to the internal machine user name, so that the user can operate only one or some specific application programs.
S4', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel; the internal machine virtual operating system accesses the operated terminal device through the remote operation program or designated application software according to that signal.
After the communication connection between the internal machine and the operated terminal device is established, the remote terminal device accesses the operated terminal device through the internal/external machine security access device formed by the internal machine and the external machine. The remote terminal device sends the keyboard or/and mouse signal of the operated terminal device access instruction to the external machine through the Internet; the internal/external machine cooperation module of the external machine sends the received access instruction to the internal machine over the dedicated channel of the minimal signal set channel; the corresponding internal machine virtual operating system forwards the access instruction to the operated terminal device through the internal network; and the operated terminal device executes the operation according to the access instruction. The access result fed back by the operated terminal device is converted into a desktop video signal by the conversion module in the internal machine virtual operating system and sent to the external machine through the minimal signal set channel, and the external machine forwards the received desktop video signal to the remote terminal device.
Further, the signal filtering unit on the minimal signal set channel filters out all signals other than the keyboard or/and mouse signals of the internal machine login request, the operated terminal device start request and the operated terminal device access instruction in steps S2', S3' and S4', and the desktop video signal sent by the internal machine to the external machine, so as to ensure data security and network security during remote operation.
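One way to model the external machine's cooperation module for the procedures of Example 2 (steps S1 to S4) and Example 4 (steps S1' to S4'), as an added example and not the patent's own code: the channel management module hands one idle channel of the minimal signal set to each session, the broker enforces the step order (internal login before a start request, a start request before access instructions), and a start request is honoured only when the resource access control table on the internal machine permits that user the requested tool and target. The channel count, the credential table, the user names and the (tool, target) allowlist are assumptions constructed for the example; in the real system the internal machine's operating system checks the credentials, not a dictionary.

```python
"""Session broker modelling the external machine's cooperation module.

Added example, not the patent's own code. Channel count, credentials,
user names and the access-control table are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Stage(Enum):
    EXTERNAL_LOGGED_IN = auto()   # after S1 / S1'
    INTERNAL_LOGGED_IN = auto()   # after S2 / S2'
    CONNECTED = auto()            # after S3 / S3'


class ChannelManager:
    """Channel management module: tracks idle channels of the minimal signal set."""
    def __init__(self, channel_count: int):
        self._idle = list(range(channel_count))
        self._in_use: dict = {}

    def acquire(self, session_id: str) -> int:
        if not self._idle:
            raise RuntimeError("no idle channel on the minimal signal set")
        ch = self._idle.pop(0)
        self._in_use[ch] = session_id
        return ch

    def release(self, ch: int) -> None:
        self._in_use.pop(ch)
        self._idle.append(ch)

    def idle_count(self) -> int:
        return len(self._idle)


# Resource access control table on the internal machine (assumed contents):
# internal user name -> set of (tool, target) pairs that user may start.
ACCESS_CONTROL = {
    "opr_line1": {("rdp", "10.0.0.21"), ("plc_console", "10.0.0.50")},
    "dba": {("sql", "10.0.0.30")},
}


@dataclass
class Session:
    session_id: str
    channel: int
    stage: Stage
    internal_user: Optional[str] = None
    tool: Optional[tuple] = None


class Broker:
    def __init__(self, channels: ChannelManager, internal_credentials: dict):
        self.channels = channels
        self._creds = internal_credentials   # stands in for the internal OS login check
        self.sessions: dict = {}

    def external_login(self, session_id: str) -> Session:
        """S1': external OS login done; allocate a channel for this desktop instance."""
        s = Session(session_id, self.channels.acquire(session_id), Stage.EXTERNAL_LOGGED_IN)
        self.sessions[session_id] = s
        return s

    def internal_login(self, session_id: str, user: str, password: str) -> bool:
        """S2': login keystrokes are forwarded; the internal machine accepts or rejects."""
        s = self.sessions[session_id]
        if s.stage is not Stage.EXTERNAL_LOGGED_IN or self._creds.get(user) != password:
            return False
        s.internal_user, s.stage = user, Stage.INTERNAL_LOGGED_IN
        return True

    def start_request(self, session_id: str, tool: str, target: str) -> bool:
        """S3': start a remote operation program only if the user may use (tool, target)."""
        s = self.sessions[session_id]
        if s.stage is not Stage.INTERNAL_LOGGED_IN:
            return False
        if (tool, target) not in ACCESS_CONTROL.get(s.internal_user, set()):
            return False   # request does not 'meet the requirement': nothing is started
        s.tool, s.stage = (tool, target), Stage.CONNECTED
        return True

    def access_instruction(self, session_id: str, km_signal: bytes) -> bool:
        """S4': forward a keyboard/mouse signal only over an established connection."""
        s = self.sessions[session_id]
        return s.stage is Stage.CONNECTED and len(km_signal) > 0

    def close(self, session_id: str) -> None:
        self.channels.release(self.sessions.pop(session_id).channel)


def demo() -> dict:
    """One correct session plus the refusals a practitioner would want to see."""
    broker = Broker(ChannelManager(2), {"opr_line1": "pw1", "dba": "pw2"})
    good = broker.external_login("sess-A")
    out = {
        "channel": good.channel,
        "login_wrong_pw": broker.internal_login("sess-A", "opr_line1", "bad"),
        "login_ok": broker.internal_login("sess-A", "opr_line1", "pw1"),
        "start_forbidden": broker.start_request("sess-A", "sql", "10.0.0.30"),  # not in allowlist
        "start_ok": broker.start_request("sess-A", "rdp", "10.0.0.21"),
        "instr_ok": broker.access_instruction("sess-A", bytes([0, 0, 0x04, 0, 0, 0, 0, 0])),
    }
    broker.external_login("sess-B")                      # second desktop instance, second channel
    out["instr_before_start"] = broker.access_instruction("sess-B", b"\x01")
    try:
        broker.external_login("sess-C")                  # no third channel exists
        out["third_channel"] = True
    except RuntimeError:
        out["third_channel"] = False
    broker.close("sess-A")
    out["idle_after_close"] = broker.channels.idle_count()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The point of the stage check is that the external machine never forwards an access instruction for a session that has not passed the internal login and an admitted start request, so a compromised remote terminal gains nothing by skipping steps; the allowlist is what limits a legitimately logged-in user to "one or some" programs, as the description requires.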
Those of ordinary skill in the art will appreciate that the embodiments described herein are intended to help the reader understand the principles of the invention and that the invention is not limited to the specifically described embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from its spirit, and such changes and combinations fall within the scope of the invention.

Claims (10)

1. A secure cross-network access system for realizing network isolation, characterized by comprising a remote terminal device, an internal/external network security access device and an operated terminal device;
the internal/external network security access device comprises an external machine and an internal machine, the external machine being provided with an internal/external machine cooperation module and a channel management module; the external machine and the internal machine are connected through a minimal signal set channel, which is a signal channel formed by one or more physical channels, or by one or more virtual channels divided on one physical channel according to a set standard; the external machine is communicatively connected to the remote terminal device through the Internet, and the internal/external machine cooperation module in the external machine selects an idle signal channel through the channel management module and sends the received keyboard or/and mouse signals to the internal machine; the internal machine establishes a communication connection with the operated terminal device through the internal network according to the received keyboard or/and mouse signals and sends the desktop video signal of the operated terminal device to the external machine through the corresponding signal channel, and the external machine sends the desktop video signal of the operated terminal device to the remote terminal device through the Internet.
2. The system according to claim 1, characterized in that a signal filtering unit is arranged on the minimal signal set channel.
3. The system according to claim 1 or 2, characterized in that the external machine is provided with two or more virtual desktop instances and the internal machine is provided with two or more virtual desktop instances.
4. The system according to claim 3, characterized in that all virtual desktop instances of the internal machine correspond to one internal machine operating system, or each virtual desktop instance corresponds to one internal machine virtual operating system.
5. The system according to claim 4, characterized in that the internal machine operating system or virtual operating system is further provided with a resource access control module for providing a remote operation program or designated application software according to the authority of the remote terminal device operator.
6. The system according to claim 4, characterized in that the internal machine operating system or virtual operating system is further provided with a conversion module for converting the access result fed back by the operated terminal device into a desktop video signal.
7. A method for realizing secure cross-network access under network isolation, characterized in that the system for realizing secure cross-network access under network isolation of claim 1 or 2 is used and the following steps are performed:
S1, the remote terminal device sends an external machine login request to the external machine of the internal/external network security access device through the Internet; after successful login, the external machine sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module;
S2, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel; after successful login, the internal machine sends the corresponding desktop video signal to the external machine through the dedicated channel, and the external machine forwards the received desktop video signal to the remote terminal device;
S3, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device start request received from the remote terminal device to the internal machine through the minimal signal set channel; when the keyboard or/and mouse signal of the operated terminal device start request received by the internal machine meets the requirement, the internal machine starts the remote operation program or designated application software for controlling the operated terminal device and establishes the communication connection between the internal machine and the operated terminal device;
S4, the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel, and the internal machine accesses the operated terminal device through the remote operation program or designated application software according to that signal.
8. The method according to claim 7, characterized in that the signal filtering unit on the minimal signal set channel filters out all signals other than the keyboard or/and mouse signals of the internal machine login request, the operated terminal device start request and the operated terminal device access instruction in steps S2, S3 and S4, and the desktop video signal sent by the internal machine to the external machine.
9. A method for realizing secure cross-network access under network isolation, characterized in that the system for realizing secure cross-network access under network isolation of any one of claims 3 to 6 is used and the following steps are performed:
S1', the remote terminal device sends an external machine login request to the external machine of the internal/external network security access device through the Internet; after successful login, the external machine opens a virtual desktop instance, sends the corresponding desktop video signal to the remote terminal device and starts the internal/external machine cooperation module;
S2', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the internal machine desktop login request received from the remote terminal device to the internal machine through the minimal signal set channel; after successful login, the internal machine opens a virtual desktop instance and sends the corresponding desktop video signal to the external machine through the dedicated channel, and the external machine forwards the received desktop video signal to the remote terminal device;
S3', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device start request received from the remote terminal device to the internal machine through the minimal signal set channel; when the keyboard or/and mouse signal of the operated terminal device start request received by the internal machine meets the requirement, the internal machine starts the remote operation program or designated application software installed in the internal machine operating system or virtual operating system and establishes the communication connection between the internal machine and the operated terminal device;
S4', the internal/external machine cooperation module sends the keyboard or/and mouse signal of the operated terminal device access instruction received from the remote terminal device to the internal machine through the minimal signal set channel, and the internal machine operating system or virtual operating system accesses the operated terminal device through the remote operation program or designated application software according to that signal.
10. The method according to claim 9, characterized in that the signal filtering unit on the minimal signal set channel filters out all signals other than the keyboard or/and mouse signals of the internal machine login request, the operated terminal device start request and the operated terminal device access instruction in steps S2', S3' and S4', and the desktop video signal sent by the internal machine to the external machine.
Bibliographic data

Application number: CN202111414375.9A
Priority date and filing date: 2021-11-25
Publication: CN114157466A, published 2022-03-08
Family ID: 80457677
Country: CN
Legal status: Pending

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115189916A * | 2022-06-10 | 2022-10-14 | 中国司法大数据研究院有限公司 | Method and device for one-stop display of application system under cross-isolation network

Citations (10)

Publication number | Priority date | Publication date | Assignee | Title
CN101790090A * | 2010-01-28 | 2010-07-28 | 北京华纬讯电信技术有限公司 | Remote desktop monitor and control system and method
US20150150129A1 * | 2013-11-26 | 2015-05-28 | At&T Intellectual Property I, L.P. | Methods, systems, and computer program products for protecting a communication network against internet enabled cyber attacks through use of screen replication from controlled internet access points
US20170201491A1 * | 2016-01-12 | 2017-07-13 | Jens Schmidt | Method and system for controlling remote session on computer systems using a virtual channel
CN108809975A * | 2018-06-07 | 2018-11-13 | 北京网迅科技有限公司杭州分公司 | A kind of tertiary-structure network system and the method for realizing tertiary-structure network
US20190138324A1 * | 2017-11-09 | 2019-05-09 | Vmware, Inc. | Network Isolation in Virtual Desktop Infrastructure
CN111131152A * | 2019-11-15 | 2020-05-08 | 苏州浪潮智能科技有限公司 | Automatic verification method and system for cross-platform remote login protection system
CN111475867A * | 2020-04-03 | 2020-07-31 | 刘小明 | General safety cooperation system
CN112261083A * | 2020-09-21 | 2021-01-22 | 广州汽车集团股份有限公司 | Remote control method and system and virtual machine server
CN214337937U * | 2021-04-12 | 2021-10-01 | 成都普沛科技有限公司 | Safety remote network system for realizing communication of internal and external network system under public network-free IP
CN214380971U * | 2021-04-12 | 2021-10-08 | 成都普沛科技有限公司 | Internal internet system under network isolation condition

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
田强; 刘宝旭; 章翔陵: "A secure anti-leakage system based on virtual applications" (一种基于虚拟应用的安全防泄漏系统), 信息安全与通信保密 (Information Security and Communications Privacy), no. 07 *
聂哲: "Design and implementation of a remote collaborative communication platform based on P2P technology" (基于P2P技术的远程协同通信平台的设计与实现), 计算机应用与软件 (Computer Applications and Software), no. 08 *

Similar Documents

Publication Publication Date Title
US20210392122A1 (en) Network connection automation
US9240977B2 (en) Techniques for protecting mobile applications
US10193848B2 (en) System and related method for management of devices of a network system via social media interfaces
CN111193698A (en) Data processing method, device, terminal and storage medium
KR20160072391A (en) the Integrated Access Security Management for Smart Work Environment and method thereof
CN111277607A (en) Communication tunnel module, application monitoring module and mobile terminal security access system
US7788704B2 (en) Method and system for secure connection of peripheral device to processing device
CN114157466A (en) System and method for realizing safe cross-network access under network partition
CN103036883A (en) Secure communication method and system of secure server
CN114095184A (en) Data transmission system and transmission method thereof
JP2008004110A (en) Device management system
US20210120418A1 (en) Network access control system
KR100777537B1 (en) platform system for management dispersed network systems and dispersion management method
JPH09325927A (en) Remote network management system
CN115189959A (en) Account login and access management method based on master-slave account
CN115001804B (en) Bypass access control system, method and storage medium applied to field station
CN213906707U (en) Switch safety certification system
CN115242460B (en) Cloud platform security architecture system and implementation method thereof
WO2024066059A1 (en) Industrial internet security system and method based on sdp and edge computing
CN117596237B (en) Mobile terminal-based server remote control system and method
CN111064589B (en) Simple configuration method of UNP client
CN106330885A (en) Cloud terminal system and method for enforcing security
CN116248302A (en) SSL VPN communication tunnel module, application monitoring module and mobile terminal safety access system
KR20240048158A (en) Method and system for controlling federation policy based on zta for enterprise wireless network infrastructure
CN117336703A (en) Ad hoc network emergency communication system and method based on Beidou

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination