CN114584523B - Safe link sinking method - Google Patents

Info

Publication number: CN114584523B
Authority: CN (China)
Prior art keywords: link, internal node, secure, client, remote
Legal status: Active
Application number: CN202210257482.3A
Other languages: Chinese (zh)
Other versions: CN114584523A (en)
Inventor: 张斌
Current Assignee: Individual
Original Assignee: Individual
Filing date: 2022-03-16
Publication date: 2024-06-28
Application filed by Individual
Priority to CN202210257482.3A
Publication of CN114584523A
Application granted
Publication of CN114584523B

Abstract

The invention discloses a secure link sinking method and relates to the technical field of remote links. The method comprises the following steps: starting a public network server to receive and monitor link requests from an intranet and from a remote client; performing authority verification and pairing, and, once the pairing is confirmed, sending to both ends a link application that is simulated as coming from the opposite end by means of source IP spoofing; and establishing the link between the intranet and the remote client by relying on a secure connection exchange verification mechanism. The method realizes TCP- or UDP-based remote access through a secure tunnel that is efficient, secure and stable and conforms to the secure access capability of a zero-trust architecture, thereby providing enterprises with efficient and stable remote office capability while information security is ensured. The capability to support remote, convenient and efficient work on a zero-trust security basis, without reducing office convenience or requiring regional distinctions for informatized operations, is particularly important.

Description

Safe link sinking method
Technical Field
The invention belongs to the technical field of remote links, and particularly relates to a safe link sinking method.
Background
Zero trust thoroughly subverts the assumption of the traditional security model that everything inside an organization's network should be trusted. In practice, once inside the network, users (including threat actors and malicious insiders) are free to move laterally and to access or even disclose any data beyond their rights, which is obviously a major vulnerability. Zero-trust network access holds that no content entering or leaving the network can be trusted; a brand-new, data-centric boundary should be created, and the data protected through hardening and verification technology.
Remote office work has become increasingly urgent under the current global epidemic situation. At the same time, with this brand-new working mode, the demand for cross-region collaboration keeps growing, and the continuing development of informatization construction places further requirements on the working mode of the new digital age: in addition to the joint office requirements of the former multi-site company, the present high-speed iteration of mass economic, civilian, social and personal applications brings more requirements for remote joint office work.
Existing remote assistance software or office software has a number of obvious defects, and these defects also limit the development of remote office software. First, security: data leakage occurs easily. Second, convenience is insufficient: most remote assistance tools are based on a window-type interaction mode, in which operators use software on their own computers to establish a remote-desktop-like link and then perform remote operation by operating the host, which is inconvenient and greatly reduces efficiency. Finally, performance is low and unstable: the existing remote mode usually requires a public network server for docking, and the subsequent operational link must be maintained through a cloud server, so the smoothness and performance stability of remote operation are also insufficient.
Disclosure of Invention
The invention aims to provide a secure link sinking method that solves the technical problems of the existing remote assistance or office software described above: the security problem that data leakage occurs easily; the insufficient convenience of the window-type interaction mode, in which operators establish a remote-desktop-like link through software on their own computer and perform remote operation by operating the host, causing considerable inconvenience and greatly reducing efficiency; and the low and unstable performance of the existing remote mode, which usually requires a public network server for docking and maintenance of the subsequent operational link through a cloud server, resulting in poor smoothness and performance stability of remote operation.
In order to achieve the purpose, the invention is realized by the following technical scheme:
A secure link sinking method, comprising the steps of:
Starting a public network server to receive and monitor link requests from an intranet and from a remote client;
performing authority verification and pairing, and, once the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end by means of source IP spoofing;
establishing the link between the intranet and the far-end client by relying on a secure connection exchange verification mechanism, while at the same time obtaining from the server side, through keep-alive interaction, a verification random code corresponding to the link;
and realizing a two-way verification mechanism by verifying the random code, and establishing a secure tunnel according to an encryption technology.
Optionally, after the public network server is started, it uses a monitoring service to run an internal node query service and a client link request monitoring service; the internal node query service handles the link queries that each internal node performs periodically in a loop.
Optionally, when a client initiates a link request to an internal node, the server receives the client's link request and performs user confirmation. For a link request whose confirmation succeeds, the server queries, according to the request, whether the internal node to be linked is online; after finding the online and connectable internal node, it confirms the link authority of the user and of the internal node, and after verification the server sends a link application instruction to both ends.
Optionally, after receiving the instruction, the client fills in the link request with the IP of the internal node as the destination IP, according to the information carried by the instruction, and sends it to the internal node, while the server sends the link application to the internal node.
Optionally, the internal node, after receiving the link application, sends reply information to the client; after receiving the reply, the client completes the establishment of the link between the client and the internal node, completing the sinking of the link from the public network service proxy mode to a point-to-point direct link, and extracts dynamic verification information from the two previously received server contents to carry out trusted bidirectional verification.
Optionally, after verification succeeds, a secure tunnel is established on the basis of the established connection using an optional encryption algorithm.
The embodiment of the invention has the following beneficial effects:
According to the embodiment of the invention, TCP- or UDP-based remote access is realized through the secure tunnel, and this secure access is efficient, secure and stable and meets the secure access capability of a zero-trust architecture. Enterprises are thus provided with efficient and stable remote office capability on the premise that information security is ensured. The capability to support remote, convenient and efficient work on a zero-trust security basis, without reducing office convenience or requiring regional distinctions for informatized operations, is particularly important; it greatly promotes efficient office services for enterprises and helps them advance related business more quickly.
Of course, it is not necessary for any one product to practice the invention to achieve all of the advantages set forth above at the same time.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a schematic diagram of a tunnel establishment operation according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the link establishment method of an embodiment of the present invention;
FIG. 3 is a flowchart illustrating steps of an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.
In order to keep the following description of the embodiments of the present invention clear and concise, the detailed description of known functions and known components has been omitted.
Referring to fig. 1-3, in this embodiment, a method for sinking a secure link is provided, which includes the following steps:
Starting a public network server to receive and monitor link requests from an intranet and from a remote client;
performing authority verification and pairing, and, once the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end by means of source IP spoofing;
establishing the link between the intranet and the far-end client by relying on a secure connection exchange verification mechanism, while at the same time obtaining from the server side, through keep-alive interaction, a verification random code corresponding to the link;
and realizing a two-way verification mechanism by verifying the random code, and establishing a secure tunnel according to an encryption technology.
In one aspect, the embodiment is applied as follows. A public network server receives and monitors link requests from an intranet and from a remote client and performs authority verification and pairing. Once the pairing is confirmed, it sends to both ends a link application simulated as coming from the opposite end by means of source IP spoofing. Link establishment between the intranet and the remote client then relies on a secure connection exchange verification mechanism; while the connection is being established, a verification random code corresponding to the link is obtained from the server through keep-alive interaction, and a two-way verification mechanism is realized by verifying the random code. Finally, a secure tunnel is established according to an encryption technology, giving a remote client computer the capability to establish a secure link tunnel to an intranet node.
TCP- or UDP-based remote access is realized through the secure tunnel, and this secure access is efficient, secure and stable and meets the secure access capability of a zero-trust architecture, so that enterprises are provided with efficient and stable remote office capability on the premise that information security is ensured. The capability to support remote, convenient and efficient work on a zero-trust security basis, without reducing office convenience or requiring regional distinctions for informatized operations, is particularly important; it greatly promotes efficient office services for enterprises and helps them advance related business faster.
As shown in fig. 3, after the public network server is started in this embodiment, it uses a monitoring service to run an internal node query service and a client link request monitoring service. The internal node query service handles the link queries that internal nodes perform in timed loops. When a client initiates a link request to an internal node, the server receives the client's link request and performs user authentication. Once the link request is confirmed, the server queries, according to the request, whether the internal node to be linked is online. After an online and connectable internal node is found, the link authority of the user and of the internal node is confirmed, and after verification the server sends a link application instruction to both ends. After receiving the instruction, the client fills in the link with the internal node's IP (the pseudo IP) as the target IP, according to the information carried by the instruction, and transmits it, while the server transmits the link application to the internal node. After receiving the link application, the internal node sends reply information to the client, and on receiving the reply the client completes the establishment of the link between itself and the internal node. This completes the sinking of the link from the public network service proxy mode to a point-to-point direct link; the two ends then extract dynamic verification information from the two previously received server contents and perform trusted bidirectional verification.
After verification succeeds, a secure tunnel is established over the established connection using an optional encryption algorithm (SSL and the like; SSL encryption avoids the server proxy mode and the possibility of data being hijacked in the middle, which is how the security capability is achieved). Through the tunnel the client obtains remote, efficient, convenient, secure and direct-connection access to the content application. Unlike the single-tunnel mode of a VPN, each connection is established with its own independent tunnel, and through that tunnel a remote computer can communicate securely with the intranet and thus achieve remote access. Because the mode operates at the TCP and UDP protocol layers, it is transparent to the application layer: the remote computer accesses the intranet application directly, without opening a separate window and without the cooperation of an intranet computer, so that the remote computer's usage is completely consistent with the way the application is accessed from inside the intranet, which greatly improves convenience. Interaction after the secure link is established takes place in a point-to-point direct mode that does not depend on the public network server, so service performance is not affected by the public network server.
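The exchange described in the optional steps above and in the fig. 3 description, as an added simulation that is not code from the patent: a public network server records online internal nodes from their periodic queries, confirms the user and the link authority, pairs the two ends and issues the per-link verification random code to both, and the two endpoints verify each other with that code before the tunnel would be opened. The source IP spoofing of the link application is represented only by the peer address carried in each instruction; the allow-list policy store, the message formats and the HMAC-based proof of the random code are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RendezvousServer:
    """Public network server: tracks online internal nodes, confirms the user, checks
    link authority, pairs the two ends and gives both the same per-link random code."""
    permissions: dict                                   # user -> set of node ids (assumed policy store)
    online_nodes: dict = field(default_factory=dict)    # node_id -> node IP, refreshed by polling

    def node_poll(self, node_id: str, node_ip: str) -> None:
        """Internal node's periodic link query; marks the node online and connectable."""
        self.online_nodes[node_id] = node_ip

    def client_link_request(self, user: str, client_ip: str, node_id: str):
        """User confirmation, online check, then link-authority check. On success returns
        the link application instruction for (client, node); otherwise None."""
        if user not in self.permissions:            # user confirmation failed
            return None
        if node_id not in self.online_nodes:        # node not online / not connectable
            return None
        if node_id not in self.permissions[user]:   # user has no link authority for this node
            return None
        link_id = secrets.token_hex(4)
        code = secrets.token_hex(16)                # verification random code for this link
        to_client = {"link_id": link_id, "peer_ip": self.online_nodes[node_id], "code": code}
        to_node = {"link_id": link_id, "peer_ip": client_ip, "code": code}
        return to_client, to_node


class Endpoint:
    """One end of the sunk link (client or internal node). Proves knowledge of the random
    code with an HMAC bound to its role and the link id, so a peer cannot simply reflect
    the other side's proof and a peer that never got the code from the server fails."""

    def __init__(self, role: str, instruction: dict):
        self.role = role
        self.link_id = instruction["link_id"]
        self.peer_ip = instruction["peer_ip"]
        self._code = instruction["code"].encode()

    def _mac(self, role: str) -> str:
        msg = f"{role}:{self.link_id}".encode()
        return hmac.new(self._code, msg, hashlib.sha256).hexdigest()

    def proof(self) -> str:
        return self._mac(self.role)

    def verify_peer(self, peer_role: str, peer_proof: str) -> bool:
        return hmac.compare_digest(self._mac(peer_role), peer_proof)


def establish_link(server: RendezvousServer, user: str, client_ip: str, node_id: str) -> bool:
    """Runs the whole exchange. True only if the pairing is authorised, each end was told
    the other's address, and both ends verify each other's proof of the random code
    (the encrypted tunnel would then be opened on the direct connection)."""
    instructions = server.client_link_request(user, client_ip, node_id)
    if instructions is None:
        return False
    client = Endpoint("client", instructions[0])
    node = Endpoint("node", instructions[1])
    if client.peer_ip != server.online_nodes[node_id] or node.peer_ip != client_ip:
        return False
    # Client connects to the node and presents its proof; the node replies with its own.
    return node.verify_peer("client", client.proof()) and client.verify_peer("node", node.proof())


def unpaired_peer_rejected(server: RendezvousServer, user: str, client_ip: str, node_id: str) -> bool:
    """A party that learns the instruction (link id, addresses) but not the code issued by
    the server cannot pass the node's check, which is what the random code is for."""
    to_client, to_node = server.client_link_request(user, client_ip, node_id)
    node = Endpoint("node", to_node)
    stranger = Endpoint("client", dict(to_client, code=secrets.token_hex(16)))  # guessed code
    return not node.verify_peer("client", stranger.proof())
```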
The above embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein.
In the description of the present invention, it should be understood that the orientations or positional relationships indicated by orientation terms such as "front, rear, upper, lower, left, right", "lateral, vertical, horizontal" and "top, bottom" are generally based on the orientations or positional relationships shown in the drawings, merely to facilitate and simplify the description of the present invention; these terms do not indicate or imply that the apparatus or elements referred to must have a specific orientation or be constructed and operated in a specific orientation, and thus should not be construed as limiting the scope of protection of the present invention. The orientation words "inner" and "outer" refer to inner and outer relative to the contour of the respective component itself.

Claims (10)

1. A secure link sinking method, comprising the steps of:
starting a public network server to receive and monitor link requests from an intranet and from a remote client;
performing authority verification and pairing, and, once the pairing is confirmed, sending to both ends a link application simulated as coming from the opposite end by means of source IP spoofing;
establishing the link between the intranet and the far-end client by relying on a secure connection exchange verification mechanism, while obtaining from the server side, through keep-alive interaction, a verification random code corresponding to the link;
realizing a two-way verification mechanism by verifying the random code, and establishing a secure tunnel according to an encryption technology;
wherein the client realizes remote and direct-connection access to the content application through the secure tunnel; unlike the single-tunnel mode of a VPN, each connection is established with an independent tunnel, through which the remote computer achieves secure communication with the intranet and thereby remote access; the mode operates at the TCP and UDP protocol layers and is transparent to the application layer, so that the remote computer accesses the intranet application directly without opening a separate window or requiring the cooperation of an intranet computer, and its usage is completely consistent with intranet application access from inside the intranet; and interaction after the link is established is direct point-to-point interaction that does not depend on the public network server, so that service performance is not affected by the public network server.
2. The method of claim 1, wherein after the public network server is started, it uses a listening service to run an internal node query service and a client link request monitoring service.
3. The method of claim 2, wherein the internal node query service handles link queries performed by internal nodes in timed loops.
4. The method of claim 3, wherein when a client initiates a link request to an internal node, the server accepts the client's link request and performs user authentication.
5. The method of claim 4, wherein for a link request whose confirmation succeeds, the server queries, according to the request, whether the internal node to be linked is online.
6. The method of claim 5, wherein after an online and connectable internal node is found, the link authority of the user and of the internal node is confirmed, and after verification the server sends a link application command to both ends.
7. The method of claim 6, wherein after receiving the instruction, the client fills in the link request with the IP of the internal node as the destination IP, according to the information carried by the instruction, and sends the link request to the internal node, and the server also sends the link request to the internal node.
8. The method of claim 7, wherein the internal node, after receiving the link request message, sends a response message to the client, and the client completes the establishment of the link between the client and the internal node after receiving the response message.
9. The method of claim 8, wherein the sinking of the link from the public service network proxy to the point-to-point direct link is thereby completed, and dynamic authentication information is extracted from the two previously received server contents for trusted two-way authentication.
10. The method of claim 9, wherein after verification succeeds, the secure tunnel is established on the basis of the established connection using an optional encryption algorithm.

Priority Applications (1)

Application Number: CN202210257482.3A
Priority Date / Filing Date: 2022-03-16
Title: Safe link sinking method
Status: Active (CN114584523B)

Publications (2)

Publication Number Publication Date
CN114584523A (en) 2022-06-03
CN114584523B (en) 2024-06-28

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101854313A (en) * 2009-09-27 2010-10-06 济南维优科技开发有限公司 Remote access gateway surpassing NAT based on P2P-VPN technology


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant