CN114499989A - Security device management method and device - Google Patents

Security device management method and device

Info

Publication number
CN114499989A
Authority
CN
China
Prior art keywords
security
management
security device
reverse proxy
message
Prior art date
Legal status
Granted
Application number
CN202111651814.8A
Other languages
Chinese (zh)
Other versions
CN114499989B (en)
Inventor
杜佳浩
Current Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Original Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a security device management method and device. The method, applied to a management device, includes: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol; and sending a configuration message to each security device over the reverse proxy tunnel, where the configuration message is used to configure the security device. The security device management method provided by the invention realizes centralized management of the security devices by the management device and improves the security of security device management.

Description

Security device management method and device

Technical field

The present invention relates to the field of computer technology, and in particular to a security device management method and device.

Background

In a large network (such as an enterprise intranet), different local area networks serve different purposes, so many border security devices such as firewalls are deployed in different areas. However, because of the firewall's own security settings (such as its ACL configuration), the firewall's management port is not reachable from the management device. The firewalls can therefore only be configured one by one and cannot be managed centrally through the management device.

Summary of the invention

The present invention provides a security device management method and device to overcome the defect in the prior art that security devices cannot be managed uniformly, and to realize centralized management of security devices.

In a first aspect, the present invention provides a security device management method, applied to a management device, comprising:

receiving device registration information sent by one or more security devices;

establishing a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol;

sending a configuration message to each of the security devices over the reverse proxy tunnel, where the configuration message is used to configure the security device.

Optionally, receiving device registration information sent by one or more security devices comprises:

receiving a first authentication message sent by each security device, where the first authentication message includes the SSL certificate information of the security device;

sending a first authentication response message to each security device, where the first authentication response message includes the SSL certificate information of the management device;

receiving a registration message sent by each security device, where the registration message includes the device information of the security device;

determining a listening port based on the device information, where the listening port is bound one-to-one to the security device corresponding to the device information, so that the corresponding security device listens for messages from the management device on that listening port.

Optionally, establishing a reverse proxy tunnel with each of the security devices comprises:

sending a registration response message to each security device, where the registration response message includes the port information of the listening port;

receiving a tunnel establishment request message sent by each security device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.

Optionally, the method further comprises:

receiving a public key sent by each security device, where the public key is used by the management device to encrypt and decrypt transmission data, the transmission data being the data transmitted between the security device and the management device.

Optionally, before sending the configuration message to each security device, the method further comprises:

sending a second authentication message to each security device, where the second authentication message is used by the security device to authenticate the management device's device management authority, the management authority being pre-allocated by the security device.

Optionally, the sending of the configuration message is implemented based on the django-http-proxy open source library.

In a second aspect, the present invention also provides a security device management method, applied to a security device, comprising:

sending device registration information to a management device;

establishing a reverse proxy tunnel with the management device, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol;

receiving, over the reverse proxy tunnel, a configuration message sent by the management device, where the configuration message is used to configure the security device.

Optionally, sending device registration information to the management device comprises:

sending a first authentication message to the management device, where the first authentication message includes the SSL certificate information of the security device;

receiving a first authentication response message sent by the management device, where the first authentication response message includes the SSL certificate information of the management device;

sending a registration message to the management device, where the registration message includes the device information of the security device.

Optionally, establishing a reverse proxy tunnel with the management device comprises:

receiving a registration response message sent by the management device, where the registration response message includes the port information of a listening port, the listening port being determined by the management device based on the device information and bound one-to-one to the security device corresponding to the device information, so that the corresponding security device listens for messages from the management device on that listening port;

sending a tunnel establishment request message to the management device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.

Optionally, the method further comprises:

sending a public key to the management device, where the public key is used by the management device to encrypt and decrypt transmission data, the transmission data being the data transmitted between the security device and the management device.

Optionally, before receiving the configuration message sent by the management device, the method further comprises:

receiving a second authentication message sent by the management device;

authenticating the device management authority of the management device based on the second authentication message, the management authority being pre-allocated by the security device.

In a third aspect, the present invention also provides a security device management apparatus, applied to a management device, comprising:

a first receiving module, configured to receive device registration information sent by one or more security devices;

a first tunnel establishment module, configured to establish a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol;

a first sending module, configured to send a configuration message to each of the security devices over the reverse proxy tunnel, where the configuration message is used to configure the security device.

In a fourth aspect, the present invention also provides a security device management apparatus, applied to a security device, comprising:

a second sending module, configured to send device registration information to a management device;

a second tunnel establishment module, configured to establish a reverse proxy tunnel with the management device, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol;

a second receiving module, configured to receive, over the reverse proxy tunnel, a configuration message sent by the management device, where the configuration message is used to configure the security device.

In a fifth aspect, the present invention also provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the security device management method of the first aspect or the steps of the security device management method of the second aspect.

In a sixth aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the security device management method of the first aspect or the steps of the security device management method of the second aspect.

In a seventh aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the security device management method of the first aspect or the steps of the security device management method of the second aspect.

In the security device management method provided by the embodiments of the present invention, the reverse proxy tunnel allows the management device to actively send messages to the security devices, which in turn makes centralized management of the security devices through the management device possible. Because the reverse proxy tunnel is established at the active request of the security device, the security device's management port is not exposed, which preserves security; and because the reverse proxy tunnel is established based on the SSH protocol, which effectively prevents information leakage during management, the security of security device management is improved. In addition, the device registration in the embodiments of the present invention meets the business need to register extension devices according to the requirements of the network organization, so that the management device can centrally control not only firewall devices but also border security devices such as probes, VPNs and sub-security devices.

Description of drawings

In order to explain the technical solutions of the present invention or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic flowchart of a reverse proxy provided by the present invention;

Fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present invention;

Fig. 3 is the first schematic flowchart of the security device management method provided by an embodiment of the present invention;

Fig. 4 is the second schematic flowchart of the security device management method provided by an embodiment of the present invention;

Fig. 5 is the third schematic flowchart of the security device management method provided by an embodiment of the present invention;

Fig. 6 is a schematic diagram of the reverse proxy of the security device management method provided by an embodiment of the present invention;

Fig. 7 is the first schematic structural diagram of the security device management apparatus provided by an embodiment of the present invention;

Fig. 8 is the second schematic structural diagram of the security device management apparatus provided by an embodiment of the present invention;

Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention;

Fig. 10 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of the present invention.

The technical terms involved in the present invention are introduced below:

Reverse proxy: a proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the results obtained from those servers to the client on the Internet that requested the connection; to the outside, the proxy server therefore appears to be a server itself. Fig. 1 is a schematic flowchart of the reverse proxy provided by the present invention. As shown in Fig. 1, a proxy server (which may also be called a reverse proxy server) receives the requests of users (user device A, user device B and user device C) and distributes them to the proxied servers (server A, server B and server C), so that different users can obtain the same service by sending requests to the reverse proxy server.

SSH (Secure Shell): SSH is a security protocol built on the application layer. SSH is a comparatively reliable security protocol designed for remote login sessions and other network services.

ACL (Access Control List): an access control technique based on packet filtering; it filters the packets on an interface according to configured conditions and either allows them through or discards them.

Fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present invention. As shown in Fig. 2, it illustrates a common deployment of management devices and security devices: the security devices and the management device all belong to subnets, but because of security settings (such as the firewall's ACL settings) the security device's management port is not reachable from the management device, whereas the security device can discover the management device over the network. In this scenario, conventional reverse proxy technology cannot meet the need for the management device to manage the security devices, so the embodiments of the present invention provide a security device management method to implement centralized management of security devices by a management device.

The security device management method provided by the embodiments of the present invention is described below with reference to Figs. 3 to 6.

Fig. 3 is the first schematic flowchart of the security device management method provided by an embodiment of the present invention. As shown in Fig. 3, the security device management method provided by the embodiment of the present invention is applied to a management device and comprises:

Step 110: receiving device registration information sent by one or more security devices;

Specifically, a security device is a border device used in the security field, also called a border security protection device, such as a firewall, a probe, a VPN or a sub-management device. For example, in a large network system the firewall may send device registration information to a sub-management device, and the sub-management device may send device registration information to the management device, forming multi-level management. The device registration information is used to bring the security device under the centralized management of the management device.

For example, the management device establishes an underlying communication channel with the security device based on the SSL protocol, and receives the device registration information sent by one or more security devices through this underlying communication channel.

Step 120: establishing a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is actively requested by the security device based on the SSH protocol;

Specifically, the reverse proxy tunnel is used for communication between the management device and the security device. It is an SSH tunnel established at the active request of the security device; it can be bound to a port of the management device, and that bound port is monitored so that when data sent through the port (such as an HTTP request message) is detected, the data is forwarded to the security device.

Step 130: sending a configuration message to each of the security devices over the reverse proxy tunnel, where the configuration message is used to configure the security device.

Specifically, the configuration message includes configuration information (such as a security policy), which is used to configure the security device. The configuration information may be obtained by the management device from the user's input on the management device, or from a user configuration message sent to the management device by a user device, the user configuration message being generated from the user's input on the user device and including the configuration information.

In the security device management method provided by the embodiments of the present invention, the reverse proxy tunnel allows the management device to actively send messages to the one or more registered security devices, realizing centralized management of the security devices by the management device. Because the reverse proxy tunnel is established at the active request of the security device, the security device's management port is not exposed, so it cannot be intruded upon by other devices, which improves security; and because the reverse proxy tunnel is established based on the SSH protocol, which effectively prevents information leakage during management, the security of security device management is improved. In addition, the device registration in the embodiments of the present invention meets the business need to register extension devices according to the requirements of the network organization, so that the management device can centrally control not only firewall devices but also border security devices such as probes, VPNs and sub-security devices.

Possible implementations of the above steps in specific embodiments are described further below.

Step 110: receiving device registration information sent by one or more security devices.

Optionally, receiving device registration information sent by one or more security devices comprises:

Step 111: receiving a first authentication message sent by each security device, where the first authentication message includes the SSL certificate information of the security device;

Step 112: sending a first authentication response message to each security device, where the first authentication response message includes the SSL certificate information of the management device;

It should be understood that before the reverse proxy tunnel is established, the management device cannot learn the security device's port and therefore cannot actively send messages to it. The management device can, however, open a communication port to receive messages that the security device sends on its own initiative and reply to them with response messages, thereby achieving passive message transfer; this is the underlying communication channel that the management device establishes with the security device based on the SSL protocol, as described in step 110. For example, the security device may learn the management device's open port from user input, establish a one-way communication connection with the management device, and send communication messages to it.

Regarding the SSL certificate information of the security device and of the management device: an SSL certificate is a digital certificate configured on a server, also called an SSL server certificate, which provides server identity authentication and encryption of transmitted data. In this step, bidirectional SSL certificate exchange is used to authenticate the identities of the security device and the management device to each other.

Step 113: receiving a registration message sent by each security device, where the registration message includes the device information of the security device;

Specifically, the device information may include the device name and the like.

Optionally, the management device receives heartbeat information sent by the security device that contains information about the security device itself (it may also be called a heartbeat packet or heartbeat message; the name is not limited in this embodiment).

Step 114: determining a listening port based on the device information, where the listening port is bound one-to-one to the security device corresponding to the device information, so that the corresponding security device listens for messages from the management device on that listening port.

Specifically, the management device allocates a listening port to the security device based on the device information and a port negotiation technique: it picks an idle secure port of its own as the listening port for that security device, and the listening port is bound to the security device. The listening port is used to send the management device's messages to the security device. For example, port 8888 is used as the listening port bound to security device 001.

Step 120: establish a reverse proxy tunnel with each security device, the reverse proxy tunnel being one whose establishment is actively requested by the security device based on the SSH protocol.

Optionally, establishing a reverse proxy tunnel with each security device includes:

Step 121: send a registration response message to each security device, the registration response message including the port information of the listening port;

Specifically, in response to the registration message sent by the security device, a registration response message is sent to the security device carrying the port information (for example, the port number) of the listening port determined in step 114. For example, after receiving the registration message from security device 001, a registration response message is sent to security device 001 that includes the port number of listening port 8888.

Step 122: receive a tunnel establishment request message sent by each security device, and establish the reverse proxy tunnel based on the tunnel establishment request message and the listening port.

Specifically, a tunnel establishment request message sent by the security device is received; the security device sends this message to the management device on its own initiative after receiving the port information of the listening port. For example, the tunnel establishment request message may include the following: the device information of the security device; the port number of the corresponding listening port; and the management device information. The security device allocates a management port for establishing the reverse proxy tunnel and communicating with the management device, but to improve security the security device's management port is not exposed. Once the reverse proxy tunnel is established, all data sent via the listening port is delivered to the security device through the reverse proxy tunnel. For example, security device 001 can listen on port 8888 through the reverse proxy tunnel and obtain the data that the management device sends via port 8888.

Optionally, the method further includes:

receiving a public key sent by each security device, the public key being used by the management device to encrypt and decrypt transmission data, where the transmission data is the data transmitted between the security device and the management device.

Specifically, the public key and the private key correspond one-to-one, and both are generated by the security device. Having the management device manage the security device's public key enables public-key login, that is, the security device can log in to the management device (establish an SSH connection) without entering a password.

Step 130: send a configuration message to each security device through the reverse proxy tunnel, the configuration message being used to configure the security device.

Optionally, before sending the configuration message to each security device, the method further includes:

Step 1301: send a second authentication message to each security device; the second authentication message is used by the security device to authenticate the management device's device management authority, and that management authority is pre-assigned by the security device.

Specifically, the security device assigns the management device an account that holds management authority. When establishing an HTTP connection with the security device, the management device must authenticate with the account assigned by the security device, and only then can it manage the security device. It will be understood that HTTP requests are used to configure the security device and that these HTTP requests can be carried through the reverse proxy tunnel.

The security device management method provided by this embodiment of the present invention adopts a role-based authority authentication mechanism that prevents servers other than the management device from reaching the security device's management port, thereby improving the security of security device management.

Optionally, the sending of the configuration message is implemented using the django-http-proxy open-source library.

The django-http-proxy open-source library can proxy requests from a Django server to other servers. Its request-forwarding function is used to forward HTTP requests, and return their responses, within the reverse proxy tunnel. For example, the management device sends configuration information to the security device in an HTTP request; with django-http-proxy, the HTTP request is forwarded from the management device to the security device, and the security device's response to the HTTP request is returned.

Optionally, the method further includes: the management device receives a disconnection message sent by the security device.

FIG. 4 is a second schematic flowchart of the security device management method provided by an embodiment of the present invention. As shown in FIG. 4, the security device management method provided by this embodiment, applied to a security device, includes:

Step 210: send device registration information to the management device;

Step 220: establish a reverse proxy tunnel with the management device, the reverse proxy tunnel being one whose establishment is actively requested by the security device based on the SSH protocol;

Step 230: receive, through the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

For a description of the security device, the management device and the reverse proxy tunnel, see the description of FIG. 3, which is not repeated here.

In the security device management method provided by this embodiment, the security device actively requests the management device to establish a reverse proxy tunnel, which gives the management device centralized management of the security device. Because the tunnel is established at the security device's own request, the reverse proxy tunnel does not expose the security device's management port, so the management port cannot be intruded upon by other devices and security is improved. Moreover, the reverse proxy tunnel is established over the SSH protocol, which effectively prevents information leakage during the management process and further improves the security of security device management. In addition, the device registration in this embodiment lets extended devices be registered according to the business needs of the network organization, so that border security devices such as firewalls, probes, VPNs and subordinate security devices can all initiate device registration with the management device and be managed centrally.

Possible implementations of the above steps in specific embodiments are further described below.

Step 210: send device registration information to the management device.

Optionally, sending device registration information to the management device includes:

sending a first authentication message to the management device, the first authentication message including the SSL certificate information of the security device;

receiving a first authentication response message sent by the management device, the first authentication response message including the SSL certificate information of the management device;

sending a registration message to the management device, the registration message including the device information of the security device.

For a description of the SSL certificate and the registration message, see the description of FIG. 3, which is not repeated here.

Step 220: establish a reverse proxy tunnel with the management device, the reverse proxy tunnel being one whose establishment is actively requested by the security device based on the SSH protocol.

Optionally, establishing a reverse proxy tunnel with the management device includes:

Step 221: receive a registration response message sent by the management device, the registration response message including the port information of a listening port; the listening port is determined by the management device based on the device information, is bound one-to-one to the security device corresponding to that device information, and is used by the corresponding security device to listen for messages from the management device;

Step 222: send a tunnel establishment request message to the management device, and establish the reverse proxy tunnel based on the tunnel establishment request message and the listening port.

For example, a registration response message sent by the management device is received, containing port number 8888 of the listening port that the management device assigned to security device 001; the management port of security device 001 is port 3000 (it will be understood that management port 3000 is unknown to every device other than security device 001), and it is used for communicating with the management device. Security device 001 then initiates the tunnel establishment request to the management device from its management port 3000: SSH binds listening port 8888 on the management device side and binds the port from which the request message was sent (that is, management port 3000) on the security device side, and the security device listens for data on port 8888 through the reverse proxy tunnel, so that data sent via port 8888 is forwarded to the security device. Because data is forwarded to the security device's request-sending port by listening in this way, the management device does not need to address messages to the security device in the command form "local address; local port; target address; target port". A reverse proxy tunnel is thus established, and the security device and the management device can communicate, without the security device's management port being exposed.
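As an added example, not code from the patent, the following in-memory model walks through the port negotiation and reverse-proxy tunnel establishment exchange of steps 113-122 (management side) and steps 221-222 (security device side) with the page's values 001, 8888 and 3000. The message field names, the management device identifier and the listening-port pool are assumptions; the SSH transport itself is simulated.

```python
"""Model of the registration / port-negotiation / tunnel-establishment exchange.
Added example with assumed names; the real tunnel is an SSH reverse proxy."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MGMT_INFO = "mgmt-01"   # assumed value carried as "management device information"


@dataclass
class Binding:
    """One-to-one binding between a registered device and its listening port."""
    device_info: str
    listen_port: int
    tunnel_up: bool = False


class ManagementDevice:
    def __init__(self, free_ports: List[int]) -> None:
        self.free_ports = list(free_ports)          # idle secure ports (assumed pool)
        self.authenticated: set = set()
        self.bindings: Dict[str, Binding] = {}

    def first_auth(self, device_info: str, cert_valid: bool) -> bool:
        """Steps 111/112: mutual SSL certificate exchange. cert_valid stands in for
        the certificate validation itself, which is outside this model."""
        if cert_valid:
            self.authenticated.add(device_info)
        return cert_valid

    def register(self, msg: dict) -> dict:
        """Steps 113/114/121: bind exactly one free port to an authenticated device."""
        dev = msg.get("device_info")
        if dev not in self.authenticated:
            return {"ok": False, "reason": "device not authenticated"}
        if dev in self.bindings:                    # re-registration keeps its port
            return {"ok": True, "listen_port": self.bindings[dev].listen_port}
        if not self.free_ports:
            return {"ok": False, "reason": "no idle secure port"}
        port = self.free_ports.pop(0)   # page says random; first-free keeps this deterministic
        self.bindings[dev] = Binding(dev, port)
        return {"ok": True, "listen_port": port}

    def tunnel_request(self, msg: dict) -> dict:
        """Step 122: the tunnel is accepted only if device info, listening port and
        management device info all match the existing binding."""
        b = self.bindings.get(msg.get("device_info"))
        if b is None or msg.get("listen_port") != b.listen_port \
                or msg.get("mgmt_info") != MGMT_INFO:
            return {"ok": False, "reason": "binding mismatch"}
        b.tunnel_up = True
        return {"ok": True}

    def send_config(self, device_info: str, config: dict) -> Optional[dict]:
        """Step 130: write to the bound listening port; None if no tunnel is up."""
        b = self.bindings.get(device_info)
        if b is None or not b.tunnel_up:
            return None
        return {"listen_port": b.listen_port, "config": config}

    def disconnect(self, device_info: str) -> None:
        """Disconnection message: drop the binding and return the port to the pool."""
        b = self.bindings.pop(device_info, None)
        if b is not None:
            self.free_ports.append(b.listen_port)
            self.authenticated.discard(device_info)


class SecurityDevice:
    """Device side: the management port stays private; only the tunnel reaches it."""
    def __init__(self, device_info: str, mgmt_port: int) -> None:
        self.device_info = device_info
        self._mgmt_port = mgmt_port                 # never placed in any message
        self.listen_port: Optional[int] = None
        self.received: List[dict] = []

    def enrol(self, mgmt: ManagementDevice, cert_valid: bool = True) -> bool:
        """Steps 210-222 in order: certificate auth, register, request the tunnel."""
        if not mgmt.first_auth(self.device_info, cert_valid):
            return False
        resp = mgmt.register({"device_info": self.device_info})
        if not resp["ok"]:
            return False
        self.listen_port = resp["listen_port"]
        req = {"device_info": self.device_info,
               "listen_port": self.listen_port, "mgmt_info": MGMT_INFO}
        return mgmt.tunnel_request(req)["ok"]

    def receive_via_tunnel(self, mgmt: ManagementDevice, config: dict) -> bool:
        """Simulated tunnel: what the management device writes to the bound listening
        port arrives on the device's private management port."""
        frame = mgmt.send_config(self.device_info, config)
        if frame is None or frame["listen_port"] != self.listen_port:
            return False
        self.received.append({"port": self._mgmt_port, **frame})
        return True
```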

Optionally, the method further includes:

sending a public key to the management device, the public key being used by the management device to encrypt and decrypt transmission data, where the transmission data is the data transmitted between the security device and the management device.

Specifically, the security device generates its own public and private key pair with ssh-keygen. The public key is public and may be sent to other parties. Public and private keys correspond one-to-one: every private key has exactly one corresponding public key, and vice versa. For example, the security device sends the public key to the management device over the one-way communication connection described in step 112. With the management device managing the security device's public key, public-key login can be implemented: the security device requests an SSH connection to the management device, and the management device sends it a random string; the security device encrypts the random string with its own private key and sends it back to the management device; the management device decrypts the received string with the public key, and if the result is correct it lets the security device log in, otherwise it refuses. Public-key login removes the need to enter a password on every login to the management device (that is, every SSH connection), which makes security device management more convenient, and the asymmetric public/private key encryption also improves its security.
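The challenge-response login just described, as an added example that is not code from the patent: the security device signs the management device's random string with its private key and the management device checks it with the stored public key. It uses textbook RSA on small constructed primes so it runs offline; the toy key is not secure, a real deployment uses ssh-keygen keys and the SSH publickey method. Function names, the key parameters and the 32-byte challenge size are assumptions.

```python
"""Challenge-response public-key login, modelled with toy RSA (constructed, insecure parameters)."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def toy_keypair(p: int = 1000003, q: int = 999983, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    """Security-device side, standing in for ssh-keygen. Demonstration-sized primes only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # d is the unique inverse of e: one private key per public key
    return (n, e), (n, d)


def _digest(challenge: bytes, n: int) -> int:
    """Hash the random string and reduce it so it is a valid RSA input."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign_challenge(priv: PrivKey, challenge: bytes) -> int:
    """Security device: 'encrypt' the random string with the private key (a signature)."""
    n, d = priv
    return pow(_digest(challenge, n), d, n)


class ManagementDevice:
    """Stores each security device's public key and runs the login check."""

    def __init__(self) -> None:
        self.public_keys: Dict[str, PubKey] = {}
        self.pending: Dict[str, bytes] = {}   # at most one outstanding challenge per device

    def register_public_key(self, device_info: str, pub: PubKey) -> None:
        self.public_keys[device_info] = pub

    def issue_challenge(self, device_info: str) -> Optional[bytes]:
        """SSH connection request: answer with a fresh random string, or None if the
        device has no public key on file."""
        if device_info not in self.public_keys:
            return None
        challenge = secrets.token_bytes(32)
        self.pending[device_info] = challenge
        return challenge

    def verify_login(self, device_info: str, response: int) -> bool:
        """Decrypt the response with the stored public key and compare it with the
        challenge. The challenge is consumed on every attempt, so a captured
        response cannot be replayed and an answer to an old challenge is refused."""
        challenge = self.pending.pop(device_info, None)
        pub = self.public_keys.get(device_info)
        if challenge is None or pub is None:
            return False
        n, e = pub
        return pow(response, e, n) == _digest(challenge, n)
```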

Step 230: receive, through the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

Optionally, before receiving the configuration message sent by the management device, the method further includes:

receiving a second authentication message sent by the management device;

authenticating the management device's device management authority based on the second authentication message, the management authority being pre-assigned by the security device.

For a description of device management authority authentication, see the description of FIG. 3, which is not repeated here.

The security device management method provided by this embodiment of the present invention adopts a role-based authority authentication mechanism that prevents servers other than the management device from reaching the security device's management port, thereby improving the security of security device management.

Optionally, the security device establishes an underlying communication channel with the management device based on the SSL protocol, and sends the device registration information to the management device through this underlying communication channel.

Optionally, the method further includes: the security device sends the management device heartbeat information containing information about the security device itself (it may also be called a heartbeat packet or a heartbeat message; the name is not limited in this embodiment), the heartbeat information being sent by the security device over the underlying communication channel.

Optionally, the method further includes: the security device sends a disconnection message to the management device, the disconnection message instructing the management device to disconnect.

In the security device management method provided by this embodiment, by having the security device send a disconnection message to the management device, the security device can actively ask the management device to disconnect in scenarios where it detects that the current connection is unstable or insecure, which further improves the security of security device management.

FIG. 5 is a third schematic flowchart of the security device management method provided by an embodiment of the present invention. As shown in FIG. 5, the security device management method provided by this embodiment includes device registration, tunnel establishment and reverse proxying.

Specifically, for the security of the reverse proxy tunnel, SSL certificate exchange is used during device registration to authenticate the management device and the security device to each other. In addition, port negotiation is used when allocating a tunnel port to the security device: the management device randomly assigns the security device a listening port from among its idle secure ports, and that port is bound to the security device.

During tunnel establishment, given the particular deployment scenario of the security devices and the management device, the security device's public key is managed on the management device, the listening port negotiated in the previous step is sent to the security device, and the security device actively establishes the reverse proxy tunnel to the management device. This step preserves the security device's autonomy and security and avoids the risk of exposing its port.

The last step is the reverse proxy process. To prevent services other than the management device from reaching the security device's management port, a role-based authority authentication mechanism is adopted: the security device assigns the management device an account with management authority, and when establishing an HTTP connection with the security device the management device must authenticate with that account before it can manage the security device. The forwarding of HTTP requests and the return of their responses within the reverse proxy tunnel are implemented with the django-http-proxy open-source library, which can proxy requests from a Django service to other servers; it carries the management device's HTTP requests to the security device and maintains the session information for each login of the management device to the security device.

The security device management method provided by this embodiment implements a reverse proxy from the management device to the security device's management port under the security-rule restrictions of an intranet scenario, meeting the need for more convenient centralized management of border security devices such as firewalls. This embodiment uses SSH to build a secure, reliable and highly extensible reverse proxy framework. For security, the tunnel encryption provided by SSH is combined with device registration, port negotiation and management authority authentication to achieve secure management from the management device to the security device. In addition, device authentication, data transmission and similar capabilities are layered on top of the SSH reverse proxy, giving the reverse proxy strong extensibility.

FIG. 6 is a schematic diagram of the reverse proxy in the security device management method provided by an embodiment of the present invention. As shown in FIG. 6, in this method a user device sends a security device configuration message to the management device, and the management device forwards the configuration message to the security device, so that the user device can manage security devices centrally.

The security device management method provided by this embodiment: first, uses reverse proxy technology so that a single management device can manage security devices deployed in different areas in a unified, centralized way, which greatly improves the convenience of deploying firewalls; second, for security devices such as firewalls, devices in different subnets are subject to ACL (access control list) restrictions, and the SSH reverse proxy provides strong intranet traversal capability while preserving security; third, improves security, because the data tunnel established by the SSH reverse proxy is an encrypted tunnel and SSH automatically encrypts and decrypts all network data between the SSH client and server; fourth, adds extensibility, because the reverse proxy framework can be extended according to each network's own business needs, such as device authentication, so that the management device can centrally manage not only firewalls but also probes, VPNs, the management device itself and similar border security devices.

The security device management apparatus provided by the present invention is described below; the apparatus described below and the method described above may be referred to in correspondence with each other.

FIG. 7 is a schematic structural diagram of a security device management apparatus provided by an embodiment of the present invention. As shown in FIG. 7, this embodiment provides a security device management apparatus, applied to a management device, which includes a first receiving module 710, a first tunnel establishment module 720 and a first sending module 730;

the first receiving module 710 is configured to receive device registration information sent by one or more security devices;

Optionally, the first receiving module 710 can maintain a persistent connection between the security device and the management device; for example, it maintains the underlying communication channel between the security device and the management device over an SSL connection. The first receiving module 710 is configured to receive device registration information sent by one or more security devices. It is further configured to receive device information sent by the security device; for example, through the first receiving module 710 the management device receives heartbeat information sent by the security device that contains information about the security device itself (it may also be called a heartbeat packet or a heartbeat message; the name is not limited in this embodiment). The first receiving module 710 is further configured to receive the security device's disconnection message. Optionally, it is further configured to manage the session channel between a successfully registered security device and the management device, and to establish, maintain and clean up the communication connection between the security device and the management device.

the first tunnel establishment module 720 is configured to establish a reverse proxy tunnel with each security device, the reverse proxy tunnel being one whose establishment is actively requested by the security device based on the SSH protocol;

the first sending module 730 is configured to send a configuration message to each security device through the reverse proxy tunnel, the configuration message being used to configure the security device.

It should be noted that the apparatus provided by this embodiment of the present invention can carry out all the method steps of the method embodiment above and achieves the same technical effect; the parts and beneficial effects that are the same as in the method embodiment are not described again here.

FIG. 8 is a schematic structural diagram of a security device management apparatus provided by an embodiment of the present invention. As shown in FIG. 8, this embodiment provides a security device management apparatus, applied to a security device, which includes a second sending module 810, a second tunnel establishment module 820 and a second receiving module 830;

the second sending module 810 is configured to send device registration information to the management device;

the second tunnel establishment module 820 is configured to establish a reverse proxy tunnel with the management device, the reverse proxy tunnel being one whose establishment is actively requested by the security device based on the SSH protocol;

the second receiving module 830 is configured to receive, through the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

It should be noted that the apparatus provided by this embodiment of the present invention can carry out all the method steps of the method embodiment above and achieves the same technical effect; the parts and beneficial effects that are the same as in the method embodiment are not described again here.

图9示例了一种电子设备的实体结构示意图,如图9所示,该电子设备可以包括:处理器(processor)910、通信接口(Communications Interface)920、存储器(memory)930和通信总线940,其中,处理器910,通信接口920,存储器930通过通信总线940完成相互间的通信。处理器910可以调用存储器930中的逻辑指令,以执行一种安全设备管理方法,该方法应用于管理设备,包括:接收一个或多个安全设备发送的设备注册信息;与每个所述安全设备建立反向代理隧道,所述反向代理隧道是由所述安全设备基于SSH协议主动请求建立的;基于所述反向代理隧道向每个所述安全设备发送配置消息,所述配置消息用于配置所述安全设备。FIG. 9 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 9 , the electronic device may include: a processor (processor) 910, a communication interface (Communications Interface) 920, a memory (memory) 930, and a communication bus 940, The processor 910 , the communication interface 920 , and the memory 930 communicate with each other through the communication bus 940 . The processor 910 may invoke logic instructions in the memory 930 to execute a method for managing a security device, the method being applied to managing devices, comprising: receiving device registration information sent by one or more security devices; communicating with each of the security devices Establish a reverse proxy tunnel, the reverse proxy tunnel is actively requested by the security device based on the SSH protocol; send a configuration message to each of the security devices based on the reverse proxy tunnel, and the configuration message is used for Configure the security device.

此外,上述的存储器930中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。In addition, the above-mentioned logic instructions in the memory 930 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

FIG. 10 shows a schematic of the physical structure of an electronic device. As shown in FIG. 10, the electronic device may include a processor 1010, a communications interface 1020, a memory 1030 and a communication bus 1040, where the processor 1010, the communications interface 1020 and the memory 1030 communicate with one another over the communication bus 1040. The processor 1010 may invoke logic instructions in the memory 1030 to execute a security device management method applied to a security device, comprising: sending device registration information to a management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and receiving, over the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

In addition, the logic instructions in the memory 1030 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or a part of the solution, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

In another aspect, the present invention further provides a computer program product comprising a computer program, which may be stored in a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer is able to carry out the security device management method provided by the methods above, applied to a management device and comprising: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each security device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and sending a configuration message to each security device over the reverse proxy tunnel, the configuration message being used to configure the security device.

The present invention further provides a computer program product comprising a computer program, which may be stored in a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer is able to carry out the security device management method provided by the methods above, applied to a security device and comprising: sending device registration information to a management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and receiving, over the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the security device management method provided by the methods above, applied to a management device and comprising: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each security device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and sending a configuration message to each security device over the reverse proxy tunnel, the configuration message being used to configure the security device.

The present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the security device management method provided by the methods above, applied to a security device and comprising: sending device registration information to a management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and receiving, over the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.

From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment may be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the technical solution above in essence, or the part of it that contributes over the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.

Finally, it should be noted that the embodiments above serve only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A security device management method, characterized in that it is applied to a management device and comprises:
receiving device registration information sent by one or more security devices;
establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and
sending a configuration message to each of the security devices over the reverse proxy tunnel, the configuration message being used to configure the security device.

2. The security device management method of claim 1, characterized in that receiving device registration information sent by one or more security devices comprises:
receiving a first authentication message sent by each security device, the first authentication message comprising SSL certificate information of the security device;
sending a first authentication response message to each security device, the first authentication response message comprising SSL certificate information of the management device;
receiving a registration message sent by each security device, the registration message comprising device information of the security device; and
determining a listening port on the basis of the device information, the listening port being bound one-to-one to the security device corresponding to the device information and used by that security device to listen for messages from the management device.

3. The security device management method of claim 2, characterized in that establishing a reverse proxy tunnel with each security device comprises:
sending a registration response message to each security device, the registration response message comprising port information of the listening port; and
receiving a tunnel establishment request message sent by each security device, and establishing the reverse proxy tunnel on the basis of the tunnel establishment request message and the listening port.

4. The security device management method of claim 3, characterized in that the method further comprises:
receiving a public key sent by each security device, the public key being used by the management device to encrypt and decrypt transmitted data, the transmitted data being data transmitted between the security device and the management device.

5. The security device management method of claim 1, characterized in that, before sending a configuration message to each security device, the method further comprises:
sending a second authentication message to each security device, the second authentication message being used by the security device to authenticate the device management authority of the management device, the management authority being pre-allocated by the security device.

6. The security device management method of claim 1, characterized in that the configuration message is sent using the django-http-proxy open-source library.

7. A security device management method, characterized in that it is applied to a security device and comprises:
sending device registration information to a management device;
establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and
receiving, over the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

8. The security device management method of claim 7, characterized in that sending device registration information to the management device comprises:
sending a first authentication message to the management device, the first authentication message comprising SSL certificate information of the security device;
receiving a first authentication response message sent by the management device, the first authentication response message comprising SSL certificate information of the management device; and
sending a registration message to the management device, the registration message comprising device information of the security device.

9. The security device management method of claim 8, characterized in that establishing a reverse proxy tunnel with the management device comprises:
receiving a registration response message sent by the management device, the registration response message comprising port information of a listening port, the listening port being determined by the management device on the basis of the device information, bound one-to-one to the security device corresponding to the device information, and used by that security device to listen for messages from the management device; and
sending a tunnel establishment request message to the management device, and establishing the reverse proxy tunnel on the basis of the tunnel establishment request message and the listening port.

10. The security device management method of claim 9, characterized in that the method further comprises:
sending a public key to the management device, the public key being used by the management device to encrypt and decrypt transmitted data, the transmitted data being data transmitted between the security device and the management device.

11. The security device management method of claim 7, characterized in that, before receiving the configuration message sent by the management device, the method further comprises:
receiving a second authentication message sent by the management device; and
authenticating the device management authority of the management device on the basis of the second authentication message, the management authority being pre-allocated by the security device.

12. A security device management apparatus, characterized in that it is applied to a management device and comprises:
a first receiving module, configured to receive device registration information sent by one or more security devices;
a first tunnel establishment module, configured to establish a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and
a first sending module, configured to send a configuration message to each of the security devices over the reverse proxy tunnel, the configuration message being used to configure the security device.

13. A security device management apparatus, characterized in that it is applied to a security device and comprises:
a second sending module, configured to send device registration information to a management device;
a second tunnel establishment module, configured to establish a reverse proxy tunnel with the management device, the reverse proxy tunnel being actively requested by the security device on the basis of the SSH protocol; and
a second receiving module, configured to receive, over the reverse proxy tunnel, a configuration message sent by the management device, the configuration message being used to configure the security device.

14. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the security device management method of any one of claims 1 to 6, or the steps of the security device management method of any one of claims 7 to 11.

15. A non-transitory computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the security device management method of any one of claims 1 to 6, or the steps of the security device management method of any one of claims 7 to 11.

16. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the security device management method of any one of claims 1 to 6, or the steps of the security device management method of any one of claims 7 to 11.
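The registration and tunnel sequence of claims 1 to 11, modelled as an added example in Python; this is editor-written code, not code from the patent or from the applicant. The message field names, the listening-port pool, the SSH login name `tunnel`, the device's local management port and the token carried in the second authentication message are all assumptions; the patent specifies none of them. The `authorized_keys` line is likewise an assumption: it is one way an OpenSSH-based deployment could hold the device public key of claims 4 and 10 so that the key can open nothing except a reverse listener on the port bound to that device (the `permitlisten` option needs OpenSSH 7.8 or later). The management side allocates ports one-to-one as in claim 2, the device side initiates the tunnel as in claims 3 and 9, and configuration is refused from a manager the device never authorised, as in claim 11.

```python
# Added example, not code from the patent: a minimal model of the enrollment
# flow in claims 1-11. Field names, the port pool, the "tunnel" SSH login and
# the management token are assumptions the patent does not make.
from dataclasses import dataclass, field


@dataclass
class ManagementDevice:
    host: str
    cert_fingerprint: str            # its own SSL certificate information (claim 2)
    trusted_device_certs: set        # device certificates accepted at registration
    manager_token: str               # carried in the second authentication message
    port_range: tuple = (20000, 20100)   # assumed pool of per-device listening ports
    registry: dict = field(default_factory=dict)        # device_id -> listening port
    authorized_keys: list = field(default_factory=list)

    def handle_first_auth(self, msg):
        # Claim 2: verify the device's certificate, then answer with our own.
        if msg["cert"] not in self.trusted_device_certs:
            raise PermissionError(f"unknown device certificate {msg['cert']}")
        return {"type": "auth_response", "cert": self.cert_fingerprint}

    def handle_register(self, msg):
        # Claim 2: bind exactly one listening port to this device; a device that
        # registers again gets the port it already holds.
        device_id = msg["device_info"]["device_id"]
        if device_id not in self.registry:
            used = set(self.registry.values())
            free = [p for p in range(*self.port_range) if p not in used]
            if not free:
                raise RuntimeError("no free listening port")
            self.registry[device_id] = free[0]
        return {"type": "register_response", "port": self.registry[device_id]}

    def handle_public_key(self, device_id, pubkey):
        # Claim 4: keep the device's public key. Assumption: as an OpenSSH
        # authorized_keys entry that permits nothing but a reverse listener
        # on the port bound to this device (permitlisten needs OpenSSH 7.8+).
        port = self.registry[device_id]
        line = f'restrict,port-forwarding,permitlisten="{port}" {pubkey} {device_id}'
        self.authorized_keys.append(line)
        return line

    def second_auth(self):
        # Claim 5: prove management authority before any configuration is sent.
        return {"type": "auth2", "token": self.manager_token}

    def send_config(self, device_id, config):
        # Claim 1: the configuration is written to the local end of the reverse
        # tunnel; sshd carries it to the device's own management port.
        port = self.registry[device_id]
        return {"url": f"http://127.0.0.1:{port}/config", "body": config}


@dataclass
class SecurityDevice:
    device_id: str
    cert_fingerprint: str
    pubkey: str
    expected_mgmt_cert: str
    allowed_manager_tokens: set      # claim 11: authority pre-allocated by the device
    local_mgmt_port: int = 8443      # assumed port of the device's management service
    applied: list = field(default_factory=list)

    def first_auth(self):
        return {"type": "auth", "cert": self.cert_fingerprint}

    def check_management(self, resp):
        # Claim 8: the device checks the management device's certificate as well.
        if resp["cert"] != self.expected_mgmt_cert:
            raise PermissionError("management device certificate mismatch")

    def register(self):
        return {"type": "register", "device_info": {"device_id": self.device_id}}

    def tunnel_command(self, mgmt_host, port):
        # Claim 9: the device itself opens the SSH reverse tunnel, so nothing
        # has to be reachable inbound on the device's side.
        forward = f"127.0.0.1:{port}:127.0.0.1:{self.local_mgmt_port}"
        return ["ssh", "-N", "-R", forward, f"tunnel@{mgmt_host}"]

    def receive_config(self, auth2, config_msg):
        # Claim 11: refuse configuration from a manager never granted authority.
        if auth2["token"] not in self.allowed_manager_tokens:
            raise PermissionError("management authority not granted")
        self.applied.append(config_msg["body"])
        return config_msg["body"]


def enroll(mgmt, dev):
    """Run the registration exchange; return the ssh command the device would run."""
    dev.check_management(mgmt.handle_first_auth(dev.first_auth()))
    port = mgmt.handle_register(dev.register())["port"]
    mgmt.handle_public_key(dev.device_id, dev.pubkey)
    return dev.tunnel_command(mgmt.host, port)
```

Once the tunnel is up, transport confidentiality comes from SSH itself; in an OpenSSH deployment the registered key's practical role is to authenticate the device, and the `restrict`/`permitlisten` options are where the one-to-one port binding of claim 2 is enforced rather than merely recorded. Without them, any enrolled device key could request a listener on another device's port.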
CN202111651814.8A 2021-12-30 2021-12-30 Safety equipment management method and device Active CN114499989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111651814.8A CN114499989B (en) 2021-12-30 2021-12-30 Safety equipment management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111651814.8A CN114499989B (en) 2021-12-30 2021-12-30 Safety equipment management method and device

Publications (2)

Publication Number Publication Date
CN114499989A true CN114499989A (en) 2022-05-13
CN114499989B CN114499989B (en) 2024-07-26

Family

ID=81508124

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111651814.8A Active CN114499989B (en) 2021-12-30 2021-12-30 Safety equipment management method and device

Country Status (1)

Country Link
CN (1) CN114499989B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726652A (en) * 2022-05-20 2022-07-08 北京网藤科技有限公司 Security equipment management method and system based on L7 proxy
CN115037525A (en) * 2022-05-18 2022-09-09 深圳奇迹智慧网络有限公司 Multi-connection dynamic security shell protocol reverse proxy system and method
CN118018604A (en) * 2024-04-09 2024-05-10 创意信息技术股份有限公司 A cloud-edge integrated reverse proxy method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003021464A2 (en) * 2001-09-05 2003-03-13 Rubenstein, Allen, I. Secure remote access between peers
CN102333075A (en) * 2010-06-30 2012-01-25 Juniper Networks Multi-service VPN network client for mobile devices with dynamic failover
CN108965256A (en) * 2018-06-15 2018-12-07 四川斐讯全智信息技术有限公司 System and method for remotely managing an embedded device based on an SSH reverse tunnel
CN111711659A (en) * 2020-05-22 2020-09-25 北京天维信通科技有限公司 Method and device for remotely managing terminal, equipment and storage medium thereof
CN111901304A (en) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Registration method and device of mobile security equipment, storage medium and electronic device
CN113259344A (en) * 2021-05-11 2021-08-13 商汤国际私人有限公司 Remote access method and device, electronic equipment and storage medium


Also Published As

Publication number Publication date
CN114499989B (en) 2024-07-26

Similar Documents

Publication Publication Date Title
US11432347B2 (en) Peer to peer networking and sharing systems and methods
CN114499989B (en) Safety equipment management method and device
US10609152B2 (en) Creation of remote direct access path via internet to firewalled device using multi-site session forwarding
US8607301B2 (en) Deploying group VPNS and security groups over an end-to-end enterprise network
US7739728B1 (en) End-to-end IP security
KR101093902B1 (en) Method and system for managing access authentication for user in local management domain when user accesses IP network
JP2022550356A (en) Methods, systems, and computer-readable media for providing multi-tenant software-defined wide area network (SD-WAN) nodes
US7941549B2 (en) Protocol exchange and policy enforcement for a terminal server session
JP2023514736A (en) Method and system for secure communication
US11088996B1 (en) Secure network protocol and transit system to protect communications deliverability and attribution
EP1942629A1 (en) Method and system for object-based multi-level security in a service oriented architecture
JP2005518117A (en) How to initiate a connection through a firewall and NAT
CN107231336A Access control method and device for LAN intranet resources, and gateway device
RU2008146517A (en) POLICY MANAGED ACCOUNT DEPARTMENT FOR UNIFIED NETWORK REGISTRATION AND SECURE ACCESS TO NETWORK RESOURCES
AU2006268313A1 (en) Unified architecture for remote network access
CN102255920A (en) Method and device for sending VPN (Virtual Private Network) configuration information
CN114995214A (en) Method, system, device, equipment and storage medium for remotely accessing application
JP2014510480A (en) Network communication system and method
WO2019120160A1 (en) Method and device for data storage, and distributed storage system
CN111064742A (en) A method, device and related equipment for realizing intranet access based on network proxy
WO2014001871A1 (en) System and method for facilitating communication between multiple networks
WO2020029793A1 (en) Internet access behavior management system, device and method
CN114928459A (en) Connection method and computer readable medium for private communication architecture
US20200287868A1 (en) Systems and methods for in-band remote management
TWI836974B (en) Private and secure chat connection mechanism for use in a private communication architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Country or region before: China

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant