CN114584523A - Safety link sinking method - Google Patents

Info

Publication number: CN114584523A
Application number: CN202210257482.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张斌
Current assignee: Individual
Original assignee: Individual
Priority date: 2022-03-16
Filing date: 2022-03-16
Publication date: 2022-06-03
Prior art keywords: link, internal node, client, secure, server

Classifications

    • H04L 67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications (H04L 67/00 Network arrangements or protocols for supporting network services or applications)
    • H04L 47/825: Admission control; resource allocation; miscellaneous aspects involving tunnels, e.g. MPLS (H04L 47/00 Traffic control in data switching networks)
    • H04L 69/161: Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields (H04L 69/00 Network arrangements, protocols or services independent of the application payload)

Abstract

The invention discloses a secure link sinking method in the technical field of remote links. The method comprises the following steps: starting a public network server to receive and listen for link requests from an intranet and from remote clients; performing authority verification and pairing and, once the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end, using source IP spoofing; and establishing the link between the intranet and the remote client by relying on a secure connection exchange verification mechanism. The invention provides TCP- or UDP-based remote access through a secure tunnel that is efficient, secure and stable and meets the secure access requirements of a zero trust framework, thereby giving enterprises efficient and stable remote working capability while guaranteeing information security. The ability to support remote work securely, conveniently and efficiently on a zero trust basis is particularly important where the office convenience of an information-based organisation must not be reduced and no regional distinction is required.

Description

Safety link sinking method
Technical Field
The invention belongs to the technical field of remote link, and particularly relates to a safe link sinking method.
Background
Zero trust completely overturns the assumption of the traditional security model, namely that everything inside the organisation's network should be trusted. In fact, once inside the network, users (including threat actors and malicious insiders) are free to move laterally, access and even expose data outside their rights, which is obviously a major hole. Zero trust network access holds that nothing entering or leaving the network can be trusted; it creates a new, data-centred boundary and protects the data through strong identity verification. Against the background of the current global epidemic, remote working has become increasingly urgent; at the same time a brand-new working mode has been adopted and cross-regional cooperation requirements keep growing. With the continuous development of informatisation, the working mode of the new digital era brings further requirements: in addition to the original joint-office needs of multiple subsidiaries, far more remote joint-office requirements arise under the rapid iteration of today's economic, civil, social and personal applications.
Existing remote assistance or office software has many obvious shortcomings, which also restrict the development of remote office software. First is security: data leakage is easy. Second, convenience is insufficient: most remote assistance tools are based on a windowed interactive mode, in which the operator establishes a remote-desktop-like link through software on their own computer and then performs remote operation by operating a host, which is very inconvenient and greatly reduces efficiency. Finally, performance is low and unstable: the existing remote mode usually needs a public network server for docking, and the subsequent operation link must be maintained through a cloud server, which also makes the fluency and performance stability of remote operation insufficient.
Disclosure of Invention
The invention aims to provide a secure link sinking method that solves the obvious defects of existing remote assistance or office software, defects that also limit the development of teleworking software: first, security issues that make data leakage easy; second, insufficient convenience, since most remote assistance tools are based on a windowed interactive mode in which the operator establishes a remote-desktop-like link through software on their own computer and then performs remote operation by operating a host, causing much inconvenience and loss of efficiency; and finally, low and unstable performance, since the existing remote mode usually needs a public network server for docking while the subsequent operation link must be maintained through a cloud server, which causes the technical problems of insufficient fluency and performance stability of remote operation.
In order to achieve the purpose, the invention is realized by the following technical scheme:
a secure link sinking method comprising the steps of:
starting a public network server to receive and listen for link requests from an intranet and from remote clients;
carrying out authority verification and pairing, and, after the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end, using source IP spoofing;
establishing the link between the intranet and the remote client by relying on a secure connection exchange verification mechanism, and obtaining from the server, through keep-alive interaction while the link is being established, a verification random code corresponding to the link;
and implementing a bidirectional verification mechanism by verifying the random code, and establishing a secure tunnel using an encryption technique.
Optionally, after the public network server is started, it uses a listening service to run an internal node query service and a client link request service; in the internal node query service, the internal nodes perform link queries periodically and cyclically.
Optionally, when a client initiates a link request to an internal node, the server receives the client's link request and performs user authentication; if the link request is authenticated successfully, the server queries according to the request whether the internal node to be linked is online, and after finding an online and connectable internal node it confirms the link authority between the user and the internal node and, after verification, sends a link application instruction to both ends.
Optionally, after receiving the instruction, the client fills in the link with the internal node IP as the destination IP according to the information carried by the instruction and sends the link, while the server sends a link-receiving application to the internal node.
Optionally, after receiving the information about the incoming link application, the internal node replies to the client; on receiving the reply, the client completes establishment of the link between itself and the internal node, completing the sinking of the link from the public network service proxy mode to a point-to-point direct link, and extracts dynamic verification information from the two previously received server messages to perform trusted two-way verification.
Optionally, after the verification succeeds, a secure tunnel is established on top of the established connection using a selectable encryption algorithm.
The embodiment of the invention has the following beneficial effects:
the embodiment of the invention provides TCP- or UDP-based remote access through a secure tunnel that is efficient, secure and stable and meets the secure access requirements of a zero trust architecture, thereby giving enterprises efficient and stable remote office capability while guaranteeing information security; it supports remote work securely, conveniently and efficiently on a zero trust basis without reducing the office convenience of an information-based organisation and without requiring any regional distinction, which greatly promotes the efficient office business of enterprises and helps them advance related business more quickly.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above-described advantages at the same time.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic diagram of tunnel establishment according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a setup method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating steps of a process according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
To keep the following description of the embodiments of the present invention clear and concise, detailed descriptions of known functions and known components have been omitted.
Referring to fig. 1-3, in the present embodiment, a method for sinking a secure link is provided, which includes the following steps:
starting a public network server to receive and listen for link requests between an internal network and a remote client;
carrying out authority verification and pairing, and, after the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end, using source IP spoofing;
establishing the link between the intranet and the remote client by relying on a secure connection exchange verification mechanism, and obtaining from the server, through keep-alive interaction while the link is being established, a verification random code corresponding to the link;
and implementing a bidirectional verification mechanism by verifying the random code, and establishing a secure tunnel using an encryption technique.
One aspect of the embodiment works as follows: the public network server first receives and listens for intranet and remote client link requests and carries out authority verification and pairing; once the pairing is confirmed it sends to both ends link applications simulated as coming from the opposite end, using source IP spoofing; the link between the intranet and the remote client is then established by relying on a secure connection exchange verification mechanism, and while the connection is being established each end obtains from the server, through keep-alive interaction, the verification random code corresponding to the link; the random code is used to realise a bidirectional verification mechanism; and finally a secure tunnel is established using an encryption technique, giving a remote client computer and an intranet node the ability to establish a secure link tunnel.
TCP- or UDP-based remote access is provided through the secure tunnel, and the system is at the same time efficient, secure and stable and meets the secure access requirements of a zero trust architecture, so that enterprises obtain efficient and stable teleworking capability while information security is guaranteed. Being able to support remote work securely, conveniently and efficiently on a zero trust basis, without reducing the office convenience of an information-based organisation and without requiring any regional distinction, is particularly important; it greatly promotes the efficient office business of enterprises and helps them advance related business more quickly.
As shown in fig. 3, after the public network server is started it uses a listening service to run an internal node query service and a client link request service. In the internal node query service, the internal nodes query for links periodically and cyclically. When a client initiates a link request to an internal node, the server receives the client's link request and performs user authentication. If the link request is authenticated successfully, the server queries according to the request whether the internal node to be linked is online. After finding an online and connectable internal node, the server confirms the link authority between the user and the internal node and, after verification, sends a link application instruction to both ends. After receiving the instruction, the client fills in the link with the internal node IP (a pseudo IP) as the destination IP according to the information carried by the instruction and sends the link, while the server sends a link-receiving application to the internal node. After receiving the information about the incoming link application, the internal node replies to the client, and on receiving the reply the client completes establishment of the link between itself and the internal node. This completes the sinking of the link from the public network service proxy mode to a point-to-point direct link, and the two ends extract dynamic verification information from the two server messages received earlier to perform trusted two-way verification.
After the connection is verified successfully, a secure tunnel is established on top of it using a selectable encryption algorithm (SSL or the like; the SSL encryption avoids the server proxy mode and removes the possibility of data being hijacked in transit, which provides the security capability). Through the tunnel the client obtains remote, efficient, convenient, secure and direct access to content applications. Unlike the single-tunnel mode of a VPN, each connection is established as an independent tunnel, and through it the remote computer can communicate securely with the intranet, which realises the remote access. Because the mode works at the TCP and UDP protocol layer it is transparent to the application layer, so the remote computer can access intranet applications directly without opening a separate window or being paired with an intranet computer; the way the remote computer accesses intranet applications is exactly the same as access from inside the intranet, which greatly improves convenience. Because of the secure link sinking mode, interaction after the link is established is point-to-point and does not depend on the public network server, so performance is not affected by it (the public network server is only responsible for pairing the link endpoints and confirming link authority); stability and performance are greatly improved, and the interaction response is essentially no different from that inside the intranet.
The above embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein.
In the description of the present invention, it is to be understood that the orientation or positional relationship indicated by the orientation words such as "front, rear, upper, lower, left, right", "lateral, vertical, horizontal" and "top, bottom", etc. are usually based on the orientation or positional relationship shown in the drawings, and are only for convenience of description and simplicity of description, and in the case of not making a reverse description, these orientation words do not indicate and imply that the device or element being referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore, should not be considered as limiting the scope of the present invention; the terms "inner and outer" refer to the inner and outer relative to the profile of the respective component itself.

Claims (10)

1. A secure link sinking method, comprising the steps of:
starting a public network server to receive and listen for link requests from an intranet and from remote clients;
carrying out authority verification and pairing, and, after the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end, using source IP spoofing;
establishing the link between the intranet and the remote client by relying on a secure connection exchange verification mechanism, and obtaining from the server, through keep-alive interaction while the link is being established, a verification random code corresponding to the link;
and implementing a bidirectional verification mechanism by verifying the random code, and establishing a secure tunnel using an encryption technique.
2. The secure link sinking method as claimed in claim 1, wherein after the public network server is started it uses a listening service to run an internal node query service and a client link request service.
3. The secure link sinking method as claimed in claim 2, wherein in the internal node query service the internal nodes perform link queries periodically and cyclically.
4. The secure link sinking method as claimed in claim 3, wherein when a client initiates a link request to an internal node, the server receives the client's link request and performs user authentication.
5. The secure link sinking method as claimed in claim 4, wherein, after confirming that the link request is authenticated successfully, the server queries according to the request whether the internal node to be linked is online.
6. The secure link sinking method as claimed in claim 5, wherein after finding an online and connectable internal node the link authority between the user and the internal node is confirmed, and after verification the server sends a link application instruction to both ends.
7. The secure link sinking method as claimed in claim 6, wherein after receiving the instruction the client fills in the link with the internal node IP as the destination IP according to the information carried by the instruction and sends the link, and the server sends a link-receiving application to the internal node.
8. The secure link sinking method as claimed in claim 7, wherein after receiving the information about the incoming link application the internal node replies to the client, and the client completes establishment of the link between itself and the internal node after receiving the reply.
9. The secure link sinking method as claimed in claim 8, wherein the sinking of the link from the public network service proxy mode to a point-to-point direct link is completed, and trusted bidirectional authentication is performed based on dynamic authentication information extracted from the two previously received server messages.
10. The secure link sinking method as claimed in claim 9, wherein after the authentication succeeds a secure tunnel is established on top of the established connection using a selectable encryption algorithm.
CN202210257482.3A 2022-03-16 2022-03-16 Safety link sinking method Pending CN114584523A (en)

Publications (1)

Publication Number Publication Date
CN114584523A true CN114584523A (en) 2022-06-03
