CN114726574A - Security isolation protection system and security isolation protection method - Google Patents

Security isolation protection system and security isolation protection method

Publication number: CN114726574A
Application number: CN202210190510.4A
Priority: CN202210190510.4A
Authority: CN (China)
Prior art keywords: message, data, encrypted, user, processing unit
Legal status: Withdrawn (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 杨亚平
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The application provides a security isolation protection system and a security isolation protection method, and relates to the technical field of data processing. The inner end processing unit performs a security check on a first packet received from the intranet and, after the packet passes the check, encrypts the first data carried in the packet; it encapsulates the resulting first encrypted data according to a set first packet encapsulation protocol to obtain a first encrypted packet and sends the first encrypted packet to a data control unit. The data control unit forwards the received first encrypted packet to the outer end processing unit. The outer end processing unit parses the first encrypted data out of the received first encrypted packet according to the same first packet encapsulation protocol, decrypts the first data from it, re-encapsulates the decrypted first data according to the encapsulation protocol of the original first packet to obtain a first encapsulated packet, and sends that packet to the external network.

Description

Security isolation protection system and security isolation protection method
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a security isolation protection system and a security isolation protection method.
Background
With the continued development of e-government, more and more information must be exchanged between the internal and external networks of government departments, financial institutions, enterprises and public institutions, the medical sector and commercial organizations; resources are shared more and more frequently, dependence on important data service and data application systems grows daily, and database security and data security have become a general concern. Traditional security isolation and information exchange systems are widely deployed because they offer reliable transmission and safe exchange of information. However, they cannot prevent damage to or leakage of the data while it is in transit or after the transfer has completed, and they lack a strict examination of information security. Security-graded protective measures must therefore accompany any information exchange between internal and external networks.
At present, a dedicated protocol channel and a dedicated transmission protocol are used between the isolated networks to carry data transmission and information exchange between the intranet and the extranet. The direction of transfer is fixed by the direction of the channel (intranet to extranet, or extranet to intranet), so the two networks are never directly connected, and protocol decapsulation and re-assembly then shield network threats below the session layer and enforce access control on the exchanged data. Such security isolation and exchange schemes, however, concentrate on the transfer between the isolated networks; the important information or data itself receives no security guarantee, so tampering with and leakage of the data during transmission cannot be ruled out.
How to protect important information or data within a security isolation network, and thereby improve the security of data during transmission, is therefore a technical problem worth solving.
Disclosure of Invention
In view of this, the present application provides a security isolation protection system and a security isolation protection method, so as to protect important information or data in a security isolation network and improve the security of data in a data transmission process.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, a security isolation protection system is provided, comprising an inner end processing unit connected to the intranet and an outer end processing unit connected to the extranet, the inner end processing unit and the outer end processing unit interacting through a data control unit, wherein:
the inner end processing unit is configured to perform a security check on a first packet received from the intranet and, after the first packet passes the check, to encrypt the first data in the first packet; to encapsulate the resulting first encrypted data according to a set first packet encapsulation protocol to obtain a first encrypted packet; and to send the first encrypted packet to the data control unit;
the data control unit is configured to receive the first encrypted packet and send it to the outer end processing unit;
the outer end processing unit is configured to parse the first encrypted data from the received first encrypted packet according to the set first packet encapsulation protocol; to decrypt the first data from the first encrypted data and encapsulate the decrypted first data according to the packet encapsulation protocol of the first packet to obtain a first encapsulated packet; and to send the first encapsulated packet to the external network.
According to a second aspect of the present application, a security isolation protection method is provided, applied to an inner end processing unit connected to an intranet, the method comprising:
performing a security check on a first packet received from the intranet;
after the check is passed, encrypting the first data in the first packet;
and encapsulating the resulting first encrypted data according to a set first packet encapsulation protocol to obtain a first encrypted packet, and sending the first encrypted packet towards the external network.
According to a third aspect of the present application, a security isolation protection method is provided, applied to an outer end processing unit connected to an external network, the method comprising:
receiving a first encrypted packet, the first encrypted packet having been obtained by encrypting the first data in a first packet received from the intranet, after that packet passed a security check, and encapsulating the encrypted data according to a set first packet encapsulation protocol;
parsing the first encrypted data from the first encrypted packet according to the set first packet encapsulation protocol;
decrypting the first data from the first encrypted data;
encapsulating the decrypted first data according to the packet encapsulation protocol of the first packet to obtain a first encapsulated packet;
and sending the first encapsulated packet to the external network.
According to a fourth aspect of the present application, an electronic device is provided, comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the computer program causing the processor to perform the method provided by the first aspect of the embodiments of the present application.
According to a fifth aspect of the present application, a machine-readable storage medium is provided storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are as follows:
the inner end processing unit can perform a security check on a first packet received from the intranet, encrypt the data in the packet once the check passes, encapsulate the first encrypted data and send the resulting first encrypted packet to the outer end processing unit through the data control unit; the outer end processing unit, on receiving the first encrypted packet, can parse the first encrypted data out of it, decrypt it to obtain the first data, and encapsulate the first data with the packet encapsulation protocol of the first packet, thereby restoring a first encapsulated packet in the same format as the first packet and sending it to the extranet. Important information and data within the security isolation network are thereby protected, and the security and accuracy of the data during transmission are improved.
Drawings
Fig. 1 is a schematic structural diagram of a security isolation protection system provided in an embodiment of the present application;
Fig. 2 is the first interaction flow diagram of the inner end processing unit, the data control unit and the outer end processing unit provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of another security isolation protection system provided by an embodiment of the present application;
Fig. 4 is the second interaction flow diagram of the inner end processing unit, the data control unit and the outer end processing unit according to an embodiment of the present application;
Fig. 5 is an example diagram of user roles provided by an embodiment of the application;
Fig. 6 is a schematic flowchart of a security isolation protection method according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of another security isolation protection method provided in an embodiment of the present application;
Fig. 8 is a schematic hardware structure diagram of an electronic device implementing a security isolation protection method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, like numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third and so on may be used herein to describe various information, such information should not be limited by these terms; they are used only to distinguish one kind of information from another. For example, first information may also be called second information and, similarly, second information may also be called first information without departing from the scope of the present application. Depending on the context, the word "if" as used herein may be read as "upon", "when" or "in response to determining".
The following describes the security isolation protection system and the security isolation protection method provided in the present application in detail.
Referring to Fig. 1, which is an architecture diagram of the security isolation protection system provided in the present application, the system may include an inner end processing unit connected to the intranet and an outer end processing unit connected to the extranet, the two units interacting through a data control unit. A system built in this way can be used for data transmission and information interaction between isolated networks. The interaction among the inner end processing unit, the outer end processing unit and the data control unit is shown in Fig. 2 and may include the following steps:
S201: the inner end processing unit performs a security check on a first packet received from the intranet and, after the first packet passes the check, encrypts the first data in the first packet.
In this step, the inner end processing unit is connected to the intranet (the inner end network) and pre-processes traffic from the intranet before passing it on towards the outer end processing unit. Specifically, on receiving a first packet from the intranet it performs a security check to identify whether the packet presents a security risk, so as to shield network attacks and unauthorized access. Once the first packet has passed the check, that is, once it has been determined to present no risk, the inner end processing unit parses the first data out of the first packet and encrypts it.
Specifically, the inner end processing unit may first strip the protocol headers from the first packet, for example the network protocol headers defined by TCP/IP, obtain from those headers the valid information on which the security check operates, and run the security check on that information.
Optionally, the inner end processing unit performs the security check on the first packet according to a pre-configured security policy.
Specifically, a security policy matches particular packets by specifying filter conditions such as source IP address, destination IP address, protocol, port, user and time period, and handles a matching packet according to the policy's preset action; a packet that matches no policy is discarded. A policy in which no filter condition is configured matches all packets. On this principle the inner end processing unit checks the first packet against its built-in security policy rules to shield network attacks and unauthorized access.
It should be noted that when the first packet fails the check it may be discarded and the event logged. To this end the inner end processing unit may further include an inner end log auditing module that records every packet discarded in the inner end processing unit, forming a log for display so that the user can review it. The inner end log auditing module also records the security policy, intrusion check, policy filtering and access control rules applied in the inner end processing unit and the decisions they produced, forming a complete log that is displayed to the user to facilitate tracking and locating of events.
On this basis, to ensure the security and reliability of data transmission between the intranet and the extranet across the security isolation network, the inner end processing unit encrypts the first data in the first packet once the security check of the valid information has passed. The application names, without limitation, an encryption method it calls the symmetric encryption algorithm ABE, and states that this increases the confidentiality and integrity of the data; it further asserts that the ABE algorithm is a mature implementation that is secure, practical and fast and has little effect on transmission delay, so that real-time transfer from the intranet to the extranet is not affected by its use. Two points deserve care when reading this: ABE normally denotes attribute-based encryption, a public-key scheme, so its description here as symmetric is the application's own; and encryption by itself does not provide integrity, so a message authentication code or an authenticated encryption mode is needed if tampering with the encrypted data in transit is to be detected.
Optionally, as shown in Fig. 3, the inner end processing unit has built into it an inner end proxy service module, an inner end security policy module, an inner end network protocol stripping module, an inner end data deep analysis module and an inner end data encryption module. The inner end proxy service module receives the first packet from the intranet and passes it to the inner end security policy module, which checks it, in particular against the built-in security policy. When the first packet passes, the inner end security policy module passes it to the inner end network protocol stripping module, which strips the network protocol headers from the first packet, obtains from them the valid information used for the security check, and sends that valid information together with the first data (the payload) to the inner end data deep analysis module. That module identifies and processes the valid information to confirm whether it carries a network attack or other security risk; when it does not, the inner end data deep analysis module hands the first data to the inner end data encryption module, which encrypts it so that the information cannot be leaked or damaged during its transfer from the intranet to the extranet and the requirements for confidentiality, security and integrity of the data are met.
Optionally, referring again to Fig. 3, the inner end processing unit further includes an inner end policy management module that manages the security policies, business rules and so on within the inner end processing unit. With this module an authorized user can modify the data checking and filtering rules, so that when the inner end security policy module performs a security check it fetches the latest security policy from the inner end policy management module and checks the valid information in the first packet against it; this keeps the security policy current and hence the security check effective.
It should be noted that the first packet may be a data packet or a service packet; the application does not limit this.
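As an added illustration of the security policy semantics described for step S201 (first matching rule decides, a condition left empty is a wildcard so a rule with no conditions matches everything, a packet that matches no policy is discarded, and every drop is logged), the following Python example, which is not part of the application and not H3C code, evaluates constructed packets against hypothetical rules. The Packet and Rule layouts, the rule names and addresses and the audit line format are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Valid information stripped from a packet's network header (constructed layout)."""
    src: str
    dst: str
    proto: str
    dport: int
    user: str
    seen_at: time          # time of day, for time-period conditions


@dataclass(frozen=True)
class Rule:
    """One security-policy rule. A condition left as None is a wildcard, so a
    rule with no conditions at all matches every packet, as the text states."""
    name: str
    action: str                                  # "permit" or "deny"
    src: Optional[str] = None                    # CIDR
    dst: Optional[str] = None                    # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    user: Optional[str] = None
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.user is not None and self.user != p.user:
            return False
        if self.window is not None and not (self.window[0] <= p.seen_at <= self.window[1]):
            return False
        return True


class PolicyEngine:
    """First-match evaluation with default deny; every drop is appended to the
    audit list, standing in for the inner end log auditing module."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.audit: List[str] = []

    def check(self, p: Packet) -> Tuple[bool, str]:
        for r in self.rules:
            if r.matches(p):
                if r.action != "permit":
                    self.audit.append(f"DROP rule={r.name} {p.proto} {p.src}->{p.dst}:{p.dport} user={p.user}")
                return r.action == "permit", r.name
        self.audit.append(f"DROP rule=<none> {p.proto} {p.src}->{p.dst}:{p.dport} user={p.user}")
        return False, "<default-deny>"


# Hypothetical policy: two permit rules with filters, one explicit deny, nothing else.
RULES = [
    Rule("web-office-hours", "permit", src="10.10.0.0/16", dst="203.0.113.0/24",
         proto="tcp", dport=443, user="web_user", window=(time(8, 0), time(18, 0))),
    Rule("db-sync", "permit", src="10.20.5.0/24", dst="203.0.113.10/32", proto="tcp", dport=5432),
    Rule("block-ftp", "deny", proto="tcp", dport=21),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("10.10.4.7", "203.0.113.20", "tcp", 443, "web_user", time(9, 30)),   # inside window: permit
    Packet("10.10.4.7", "203.0.113.20", "tcp", 443, "web_user", time(22, 15)),  # outside window: no match
    Packet("10.20.5.9", "203.0.113.10", "tcp", 5432, "db_user", time(3, 0)),   # permit
    Packet("10.10.4.7", "203.0.113.20", "tcp", 21, "ftp_user", time(9, 0)),    # explicit deny
    Packet("10.99.1.1", "203.0.113.20", "udp", 53, "dns_user", time(9, 0)),    # no rule: default deny
]


def run_demo() -> Tuple[List[Tuple[bool, str]], List[str]]:
    engine = PolicyEngine(RULES)
    return [engine.check(p) for p in SAMPLE_PACKETS], engine.audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    for p, (ok, rule) in zip(SAMPLE_PACKETS, decisions):
        print("PERMIT" if ok else "DROP  ", rule, p.proto, p.src, "->", p.dst, p.dport)
    print("\n".join(audit))
```

The second sample packet is instructive: it would be permitted during office hours, but outside the window it matches nothing and falls through to the default deny, which is where the text's "discard if no policy matches" rule does its work.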
S202: the inner end processing unit encapsulates the first encrypted data according to the set first packet encapsulation protocol to obtain a first encrypted packet.
In this step, so that the first encrypted data can be carried across to the external network, the inner end processing unit encapsulates the first encrypted data according to a first packet encapsulation protocol negotiated with the outer end processing unit, obtaining the first encrypted packet.
It should be noted that, as also shown in Fig. 3, the inner end processing unit further includes an inner end dedicated protocol encapsulation module. The inner end data encryption module passes the first encrypted data it has produced to the inner end dedicated protocol encapsulation module, which encapsulates it using the set first packet encapsulation protocol to obtain the first encrypted packet.
Optionally, the first packet encapsulation protocol may be, but is not limited to, a dedicated protocol such as a customized non-standard communication protocol.
S203: the inner end processing unit sends the first encrypted packet to the data control unit.
In this step, a first dedicated channel is provided between the inner end processing unit and the data control unit, and the inner end processing unit sends the first encrypted packet to the data control unit over that channel.
Specifically, when the inner end processing unit comprises the modules shown in Fig. 3, it is the inner end dedicated protocol encapsulation module that sends the first encrypted packet to the data control unit over the first dedicated channel.
It should be noted that the first dedicated channel may be, but is not limited to, a channel carrying protocols such as TCP, UDP, HTTP or FTP, and may be configured according to the actual situation.
S204: the data control unit receives the first encrypted packet and sends it to the outer end processing unit.
In this step, after receiving the first encrypted packet the data control unit forwards it to the outer end processing unit in a ferry manner.
It should be noted that the data control unit generally interacts with the outer end processing unit over a second dedicated channel, over which it forwards the first encrypted packet. Because the outer end processing unit is connected to the extranet, the intranet's data thereby reaches the extranet securely.
It should be noted that the second dedicated channel may be, but is not limited to, a channel carrying protocols such as TCP, UDP, HTTP or FTP, and may be configured according to the actual situation.
S205: the outer end processing unit parses the first encrypted data from the received first encrypted packet according to the set first packet encapsulation protocol.
In this step, so that the first data can be delivered accurately to the external network, the outer end processing unit, on receiving the first encrypted packet, parses the first encrypted data out of it according to the first packet encapsulation protocol.
It should be noted that the inner end processing unit and the outer end processing unit may negotiate the packet encapsulation protocol in advance and then encapsulate and decapsulate according to the negotiated protocol.
Optionally, as may also be seen in Fig. 3, the outer end processing unit includes an outer end dedicated protocol parsing module, which obtains the first encrypted packet and parses it according to the first packet encapsulation protocol to recover the first encrypted data.
S206: the outer end processing unit decrypts the first data from the first encrypted data and encapsulates the decrypted first data according to the packet encapsulation protocol of the first packet to obtain a first encapsulated packet.
In this step, the first encrypted data has been delivered securely to the outer end processing unit connected to the extranet. If the data reaching the extranet were still encrypted, devices in the extranet could not recover the first data, since they share neither the decryption algorithm nor the key; the outer end processing unit therefore decrypts the first encrypted data to obtain the first data. Specifically, the outer end processing unit may decrypt the first encrypted data with the ABE decryption algorithm corresponding to the encryption applied at the inner end. After decryption, so that the first data is sent to the extranet in the format in which the intranet sent it, the outer end processing unit encapsulates the first data according to the packet encapsulation protocol of the first packet, obtaining a first encapsulated packet whose format is identical to that of the first packet. Note that the encryption consequently protects only the segment between the inner end and outer end processing units, that is, the ferry path through the data control unit; the first encapsulated packet handed to the extranet is plaintext, just as the first packet was on the intranet.
It should be noted that the outer end processing unit and the inner end processing unit may have the matching decryption and encryption algorithms (and the keys they need) built in beforehand for the subsequent decryption and encryption of data.
Optionally, referring to Fig. 3, the outer end processing unit further includes an outer end data decryption module and an outer end protocol restoration module. The outer end dedicated protocol parsing module passes the parsed first encrypted data to the outer end data decryption module, which recovers the first data using the decryption algorithm corresponding to the encryption algorithm executed by the inner end data encryption module and passes the decrypted first data to the outer end protocol restoration module; that module encapsulates the first data in the packet encapsulation format corresponding to the first packet, obtaining the first encapsulated packet.
S207: the outer end processing unit sends the first encapsulated packet to the extranet.
In this step, once the outer end processing unit has encapsulated the first data according to the packet encapsulation protocol of the first packet to obtain the first encapsulated packet, that packet can be regarded as restored, because its format is the same as that of the first packet, and it can therefore be sent to the extranet.
Optionally, referring to Fig. 3, the outer end processing unit further includes an outer end proxy service module; the outer end protocol restoration module passes the first encapsulated packet to the outer end proxy service module, which sends it to the extranet. In this way the intranet's data reaches the extranet securely and accurately.
By implementing the security isolation protection method shown in Fig. 2, the inner end processing unit performs a security check on a first packet received from the intranet, encrypts the data in the packet after the check passes, encapsulates the first encrypted data and sends the resulting first encrypted packet to the outer end processing unit through the data control unit; the outer end processing unit parses the first encrypted data out of the first encrypted packet, decrypts it to obtain the first data, and encapsulates the first data using the packet encapsulation protocol of the first packet, restoring a first encapsulated packet in the same format as the first packet, which it sends to the extranet. Important information and data within the security isolation network are thereby protected, and the security and accuracy of the data during transmission are improved.
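The following added Python example, not taken from the application and not H3C code, walks the whole S201 to S207 path for one constructed packet: header stripping and policy check at the inner end, encryption of the payload, encapsulation in a hypothetical dedicated frame, ferrying by a data control unit that holds no key, then decapsulation, integrity verification, decryption and restoration of the original packet format at the outer end. Because the application names only ABE and specifies no concrete cipher, the example substitutes an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which also lets it show a frame tampered with on the ferry path being rejected. The packet header layout, the frame format with its SIPX magic value, the out-of-band key sharing and the permit-TCP/443 policy are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Dict, Tuple

# The "first packet" as it arrives from the intranet: a constructed fixed-layout
# network header (src, dst, proto, sport, dport, payload length) followed by the
# payload, which plays the role of the "first data".
HDR = struct.Struct("!4s4sBHHH")

def build_first_packet(src: bytes, dst: bytes, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    return HDR.pack(src, dst, proto, sport, dport, len(payload)) + payload

def strip_protocol(pkt: bytes) -> Tuple[bytes, Dict[str, object], bytes]:
    """Protocol stripping: split the header (valid information for the check) from the payload."""
    hdr = pkt[:HDR.size]
    src, dst, proto, sport, dport, length = HDR.unpack(hdr)
    payload = pkt[HDR.size:HDR.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return hdr, {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}, payload

# Stand-in symmetric cipher (not the ABE the text names): an HMAC-SHA256 counter-mode
# keystream for confidentiality plus an HMAC-SHA256 tag (encrypt-then-MAC) so that any
# tampering with the ferried frame is detected. Keys are assumed to be shared out of
# band by the inner and outer end units; the data control unit never holds them.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def encrypt(enc_key: bytes, mac_key: bytes, aad: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def decrypt(enc_key: bytes, mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: frame rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# The set "first packet encapsulation protocol": a hypothetical non-standard frame.
MAGIC = b"SIPX"
FRAME = struct.Struct("!4sBH16sH")   # magic, version, header length, nonce, ciphertext length

def encapsulate(hdr: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    return FRAME.pack(MAGIC, 1, len(hdr), nonce, len(ct)) + hdr + ct + tag

def decapsulate(frame: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    magic, version, hlen, nonce, clen = FRAME.unpack(frame[:FRAME.size])
    if magic != MAGIC or version != 1:
        raise ValueError("not a dedicated-protocol frame")
    pos = FRAME.size
    hdr, pos = frame[pos:pos + hlen], pos + hlen
    ct, pos = frame[pos:pos + clen], pos + clen
    tag = frame[pos:pos + 32]
    if len(hdr) != hlen or len(ct) != clen or len(tag) != 32:
        raise ValueError("truncated frame")
    return hdr, nonce, ct, tag

def inner_end(pkt: bytes, policy: Callable[[Dict[str, object]], bool], enc_key: bytes, mac_key: bytes) -> bytes:
    hdr, info, payload = strip_protocol(pkt)                   # S201: strip and check ...
    if not policy(info):
        raise PermissionError("security check failed: packet dropped and logged")
    nonce, ct, tag = encrypt(enc_key, mac_key, hdr, payload)   # ... then encrypt; header bound as AAD
    return encapsulate(hdr, nonce, ct, tag)                    # S202: dedicated-protocol frame

def data_control_unit(frame: bytes) -> bytes:
    """S203/S204: ferry the opaque frame; this unit sees no plaintext and holds no key."""
    if frame[:4] != MAGIC:
        raise ValueError("data control unit ferries dedicated-protocol frames only")
    return bytes(frame)

def outer_end(frame: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    hdr, nonce, ct, tag = decapsulate(frame)                           # S205
    payload = decrypt(enc_key, mac_key, hdr, nonce, ct, tag)           # S206: verify and decrypt ...
    src, dst, proto, sport, dport, _ = HDR.unpack(hdr)
    return build_first_packet(src, dst, proto, sport, dport, payload)  # ... and restore the original format (S207 sends it)

def only_https(info: Dict[str, object]) -> bool:
    """Hypothetical built-in policy: permit TCP/443 only."""
    return info["proto"] == 6 and info["dport"] == 443

ENC_KEY, MAC_KEY = secrets.token_bytes(32), secrets.token_bytes(32)
SAMPLE = build_first_packet(bytes([10, 10, 4, 7]), bytes([203, 0, 113, 20]), 6, 51234, 443,
                            b"GET /report HTTP/1.1\r\nHost: example.test\r\n\r\n")

def run_pipeline(pkt: bytes, tamper: bool = False) -> bytes:
    frame = data_control_unit(inner_end(pkt, only_https, ENC_KEY, MAC_KEY))
    if tamper:                                   # flip one ciphertext bit on the ferry path
        i = FRAME.size + HDR.size
        frame = frame[:i] + bytes([frame[i] ^ 0x80]) + frame[i + 1:]
    return outer_end(frame, ENC_KEY, MAC_KEY)
```

Binding the stripped header into the tag as associated data means the outer end restores exactly the header the inner end checked; a frame whose header or ciphertext was altered in the ferry path fails `decrypt` before any plaintext is produced, which is the property plain encryption alone would not give.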
Based on any of the foregoing embodiments, in this embodiment, when the first packet is a data access packet, the first data includes user data of a user; the inner end processing module is further configured to parse the user data from the first data, identify the user data, and determine a user role of the user; and controlling the access authority of the user to access the intranet according to the determined user role.
Specifically, in order to implement data access control, a user role function is introduced to implement different degrees of data access control based on different user roles, and further implement fine-grained access control of the user roles.
Specifically, the user roles may include, but are not limited to, a system user role, a business user role, a temporary user role, and the like. The system user role is a system user of the security isolation system itself, and may be, but is not limited to, a system administrator, a system operator, a system auditor, and the like, as shown in fig. 5. The business user role is a user added according to business access requirements, and may be, but is not limited to, a user of a Web application, a user of a database application, a user of an FTP application, and the like, as shown in fig. 5. The temporary user role is a user role provided for external personnel or set up for a special group. One user role is equivalent to one user group, and different user permissions, data operation permissions and data access ranges can be customized for different user roles, so that excessive consumption of device resources when there are many users is avoided, the complexity of user management is reduced, and management efficiency is improved.
It should be noted that fig. 5 is only an illustration of the user role, and does not limit the user role.
On this basis, after receiving the first data, the outer-end processing unit may identify the user data in the first data, further identify the user data to determine the user role of the user, and then control the subsequent data access rights of the user according to the user role, where the data access rights may be, but are not limited to, at least one of a data operation right and a data access range. Therefore, access rights are controlled per user role, user management efficiency is improved, and a low-privilege user cannot obtain important, high-privilege data.
Optionally, after the outer-end agent module in the outer-end processing unit obtains the first encapsulation message, the outer-end agent module may analyze the first data from the first encapsulation message because the first encapsulation message corresponds to the first message, identify the user data from the first data, determine a user role, and control the access permission of the user according to the determined user role.
Based on any of the above embodiments, in this embodiment, when the first packet is a service packet, the first data includes a post attribute of the user; the external end processing module is further configured to analyze the post attribute from the first data; and controlling the service processing authority of the user according to the post attribute.
Specifically, in order to implement control of service processing, a function of post attributes is introduced to implement different degrees of service processing permission control based on different post attributes, and further implement fine-grained access control of service processing based on the post attributes. And by introducing the post attributes, the service processing of the corresponding post attributes is realized based on different service requirements.
Specifically, in this embodiment, the data authority is separated from the service authority, the role of the user determines the data authority of the user, and the position where the user is located determines the type of the application service that the user can access, so as to improve flexibility and security of service access. Based on the principle, the method can self-define service access rules on two levels of data and service at an external processing unit, and carry out fine-grained service access control based on different service requirements, wherein the service accessible by a user is restricted by a rule set in a rule engine, different rule sets correspond to different post attributes, and each post attribute and the attribute of the rule comprise: client address, post, application class, protocol class and priority, etc. On this basis, after the post attribute is analyzed from the first data in the first encapsulation message by the external-end processing unit, the post attribute can be used for matching with the corresponding accessible service rule engine, and further the application service accessible by the user is confirmed, so that the purpose of controlling the service processing of the user is achieved.
Optionally, the external-end processing unit further includes an external-end access control module, please refer to fig. 3. On this basis, after the outer end agent module analyzes the first data from the first encapsulation message, the outer end agent module can send the first data to the outer end access control module, so that the outer end access control module can analyze the post attribute of the user from the first data, and then control the service processing authority of the user according to the post attribute. Thereby achieving flexibility and security of service access.
Optionally, based on any of the above embodiments, in this embodiment, the inner-end processing unit and the outer-end processing unit may further execute an interaction flow shown in fig. 4, and may include the following steps:
S401, the outer-end processing unit receives a second message from the outer network, and encrypts the second message after it passes the check.
In this step, the outer-end processing unit is connected to the outer network (outer-end network) and preprocesses traffic data from the outer network before transmitting it to the inner-end processing unit. Specifically, after receiving the second message from the outer network, the outer-end processing unit performs a security check on the second message to identify whether the second message carries a security risk, thereby shielding the intranet from network attacks and unauthorized access. After the second message passes the security check, that is, when it is determined that the second message carries no security risk, the outer-end processing unit may parse the second data from the second message and encrypt the parsed second data.
Specifically, the outer-end processing unit may perform protocol stripping on the second packet, for example, strip a network protocol header from the second packet according to the TCP/IP protocol, obtain valid information for security check from the network protocol header, and perform security check on the valid information.
Optionally, the outer-end processing unit may perform security check on the second packet according to the following method: and the outer end processing unit carries out security check on the second message according to a pre-configured security policy.
Specifically, the security policy is to match a specific message by specifying filtering conditions such as a source IP address, a destination IP address, a protocol, a port, a user, a time period, and the like, and process the message according to a preset policy action; and if the message does not match any strategy, discarding the message. When the filtering condition is not configured in the security policy, the policy will match all messages. Based on the above principle, the external processing unit may perform security inspection on the second packet according to the built-in security policy rule to shield network attack and unauthorized access.
It should be noted that when the second message fails the check, it may be discarded and logged. In addition, the outer-end processing unit records the rules and events of the security policy, intrusion check, policy filtering and access control within the unit, forming a complete log that is displayed to the user so that the user can track and locate events. Specifically, the outer-end processing unit in this embodiment may further include an outer-end log auditing module, which records messages discarded in the outer-end processing unit as a log for the user to view, and which also records the security policy, intrusion check, policy filtering and access control rules and events in the outer-end processing unit to form the complete log shown to the user.
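The security policy matching described above (optional filter conditions per policy, a policy with no conditions matching everything, discard and log when no policy matches), as an added example that is not the patent's own code; the policy fields, sample policies and sample messages are constructed for the example.

```python
"""Added example: a security-policy matcher of the kind described above.
Each policy lists optional filter conditions (source IP, destination IP,
protocol, port, user, time period) and a policy action. A message is matched
against the policies in order, the first matching policy's action applies,
and a message that matches no policy is discarded and logged. A policy with
no conditions configured matches every message."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Message:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    user: Optional[str]
    at: time  # time of day at which the message was received


@dataclass
class Policy:
    name: str
    action: str  # "permit" or "discard" (constructed action names)
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    user: Optional[str] = None
    period: Optional[Tuple[time, time]] = None  # inclusive start/end, same day

    def matches(self, m: Message) -> bool:
        """Every configured condition must hold; an unconfigured one is ignored."""
        if self.src_net is not None and ip_address(m.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(m.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and self.protocol != m.protocol:
            return False
        if self.dst_port is not None and self.dst_port != m.dst_port:
            return False
        if self.user is not None and self.user != m.user:
            return False
        if self.period is not None and not (self.period[0] <= m.at <= self.period[1]):
            return False
        return True


@dataclass
class PolicyEngine:
    policies: List[Policy]
    log: List[str] = field(default_factory=list)  # audit log of discarded messages

    def check(self, m: Message) -> bool:
        """Return True if the message passes; log and return False when it is discarded."""
        for p in self.policies:
            if p.matches(m):
                if p.action == "permit":
                    return True
                self.log.append(f"discard by policy {p.name}: {m.src_ip}->{m.dst_ip}:{m.dst_port}/{m.protocol}")
                return False
        # no policy matched: discard by default and record the event
        self.log.append(f"discard (no matching policy): {m.src_ip}->{m.dst_ip}:{m.dst_port}/{m.protocol}")
        return False


# Constructed sample policy set: office hours web access, a blocked host, and an
# audit-only catch-all for one user that carries no other condition.
SAMPLE_POLICIES = [
    Policy("block-bad-host", "discard", src_net="203.0.113.7/32"),
    Policy("web-office-hours", "permit", dst_net="10.0.0.0/8", protocol="tcp",
           dst_port=443, period=(time(8, 0), time(18, 0))),
    Policy("auditor-any", "permit", user="auditor"),
]


def run_sample() -> Tuple[List[bool], List[str]]:
    """Evaluate constructed sample messages; returns the verdicts and the audit log."""
    engine = PolicyEngine(SAMPLE_POLICIES)
    samples = [
        Message("198.51.100.4", "10.1.2.3", "tcp", 443, None, time(9, 30)),   # permitted
        Message("198.51.100.4", "10.1.2.3", "tcp", 443, None, time(22, 0)),   # outside period
        Message("203.0.113.7", "10.1.2.3", "tcp", 443, None, time(9, 30)),    # blocked host
        Message("198.51.100.9", "10.9.9.9", "udp", 53, "auditor", time(3, 0)),  # user-only policy
    ]
    return [engine.check(m) for m in samples], engine.log
```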
On this basis, in order to ensure the security and reliability of data transmission between the outer network and the inner network in the security isolation network, when the security check of the valid information passes, the outer-end processing unit encrypts the second data (which may be understood as application layer data) in the second message. Specifically, but not exclusively, the ABE encryption method may be used to encrypt the second data, thereby increasing the confidentiality and integrity of the data. In addition, because the implementation of the ABE encryption algorithm is mature, and compared with other encryption algorithms it has high security, strong practicability, high calculation speed and a low effect on transmission delay, adopting the ABE encryption algorithm does not affect the real-time performance of data transmission from the outer network to the inner network.
Optionally, an external end proxy service module, an external end security policy module, an external end network protocol stripping module, an external end data depth analysis module, and an external end data encryption module are built in the external end processing unit, as also shown in fig. 3. The external-end proxy service module is used for receiving a second message from an external network, then sending the second message to the external-end security policy module, and performing security check on the second message by the external-end security policy module, specifically, performing security check on the second message by using a built-in security policy; after the second message passes the inspection, the outer-end security policy module sends the second message passing the inspection to the outer-end network protocol stripping module, so that the outer-end network protocol stripping module strips the network protocol packet header from the second message and obtains effective information for security inspection from the network protocol packet header; sending the effective information and second data (load data) in the second message to an outer-end data deep analysis module so that the outer-end data deep analysis module identifies and processes the effective information to confirm whether the effective information has network attack or potential safety hazard; when the valid information does not have network attack and/or potential safety hazard, the outer-end data deep analysis module sends the second data to the outer-end data encryption module, and the outer-end data encryption module encrypts the second data, so that the information is prevented from being leaked and damaged in the transmission process from the outer network to the inner network, and the transmission requirements of confidentiality, safety and integrity of the data information are met.
Optionally, the external-end processing unit further includes an external-end policy management module, please refer to fig. 3. The outer-end policy management module is used for managing security policies, business rules and the like in the outer-end processing unit. By arranging the outer-end strategy management module, an authorized user can use the outer-end strategy management module to modify data checking and filtering rules, so that when the outer-end safety strategy module carries out safety checking, the latest safety strategy can be obtained from the outer-end strategy management module, and then the safety checking is carried out on the effective information in the second message according to the latest safety strategy, thereby ensuring the timeliness of the safety strategy and further ensuring the effectiveness of the safety checking. In addition, the business rules in the external end processing unit can be set in the external end security policy management module, on this basis, when the external end access control module performs the business authority control, the rules can be obtained from the external end security policy management module, and then the business processing authority of the user can be confirmed according to the user post.
It should be noted that the second message may be a data message or a service message, which is not limited in this application.
S402, the outer end processing unit packages the encrypted second encrypted data according to a set second message package protocol to obtain a second encrypted message.
In this step, in order to ensure that the second encrypted data is transmitted to the intranet, the outer-end processing unit performs encapsulation processing on the second encrypted data according to a second message encapsulation protocol negotiated with the inner-end processing unit, so as to obtain a second encrypted message.
It should be noted that the outer-end processing unit further includes an outer-end dedicated protocol encapsulation module, as also shown in fig. 3. On this basis, the outer-end data encryption module sends the second encrypted data to the outer-end dedicated protocol encapsulation module, and the outer-end dedicated protocol encapsulation module encapsulates the second encrypted data using the set second message encapsulation protocol, thereby obtaining the second encrypted message.
Optionally, the second message encapsulation protocol may be, but is not limited to, a dedicated protocol, such as a customized non-standard communication protocol.
And S403, the external end processing unit sends the second encrypted message to the data control unit.
In this step, a second dedicated channel is provided between the external processing unit and the data control unit, and on this basis, the external processing unit may send a second encrypted message to the data control unit through the second dedicated channel.
Specifically, when the outer-end processing unit includes the modules shown in fig. 3, the outer-end dedicated protocol encapsulation module sends the second encrypted message to the data control unit through the second dedicated channel.
It should be noted that the second dedicated channel may be, but is not limited to, a channel supporting protocols such as TCP, UDP, HTTP, FTP, and the like, and may be configured according to actual situations.
S404, the data control unit receives the second encrypted message and forwards the second encrypted message to the inner end processing unit.
In this step, after receiving the second encrypted message, the data control unit may forward the second encrypted message to the inner end processing unit in a ferry manner. Specifically, the data control unit may send the second encrypted message to the inner-end processing unit through a first dedicated channel between the data control unit and the inner-end processing unit.
S405, the inner end processing unit analyzes the second encrypted data from the received second encrypted message according to the set second message encapsulation protocol.
In this step, in order to accurately send the second data to the intranet, the inner-end processing unit may parse the second encrypted data from the second encrypted message according to the second message encapsulation protocol after receiving the second encrypted message.
It should be noted that the outer-end processing unit and the inner-end processing unit may negotiate a packet encapsulation protocol in advance, and then may perform corresponding operations according to the negotiated encapsulation protocol when performing data encapsulation or decapsulation.
Optionally, the inner-end processing unit includes an inner-end dedicated protocol parsing module, which may also be shown in fig. 3. On the basis, the inner end special protocol analysis module can obtain the second encrypted message, and then the second encrypted message is analyzed according to the second message encapsulation protocol, so that the second encrypted data can be analyzed.
S406, the inner-end processing unit decrypts the second data from the second encrypted data, and encapsulates the decrypted second data according to the message encapsulation protocol of the second message to obtain a second encapsulated message.
In this step, since the second encrypted data is securely sent to the internal processing unit connected to the intranet, if the data reaching the intranet is encrypted, the device in the intranet may not be able to decrypt the second data from the second encrypted data because the decryption algorithm is unknown, and therefore the internal processing unit needs to decrypt the second encrypted data to decrypt the second data. Specifically, the inner-end processing unit may perform decryption processing of the second encrypted data using the ABE decryption algorithm, thereby decrypting the second data. After the second data is decrypted, in order to enable the second data to be sent to the internal network according to the format sent by the external network, the internal end processing unit encapsulates the second data according to the message encapsulation protocol corresponding to the second message, so that a second encapsulation message with the message format identical to that of the second message can be obtained.
It should be noted that, the internal end processing unit and the external end processing unit may have decryption and encryption algorithms and the like built therein in advance for subsequent data decryption/encryption processing.
Optionally, the inner-end processing unit further includes an inner-end data decryption module and an inner-end protocol restoration module, please refer to fig. 3. On this basis, the inner-end dedicated protocol parsing module sends the parsed second encrypted data to the inner-end data decryption module; the inner-end data decryption module decrypts the second data from the second encrypted data using the decryption algorithm corresponding to the encryption algorithm executed by the outer-end data encryption module, and sends the decrypted second data to the inner-end protocol restoration module; the inner-end protocol restoration module then encapsulates the second data using the message encapsulation format corresponding to the second message, thereby obtaining the second encapsulated message.
And S407, the inner end processing unit sends the second encapsulation message to the intranet.
In this step, after the inner end processing unit encapsulates the second data according to the packet encapsulation protocol corresponding to the second packet to obtain the second encapsulated packet, the second encapsulated packet can be understood as being restored because the packet formats of the second encapsulated packet and the second packet are the same, so that the second encapsulated packet can be sent to the intranet.
Optionally, the inner-end processing unit further includes an inner-end proxy service module, please refer to fig. 3. On this basis, the inner-end protocol restoration module can send the second encapsulated message to the inner-end proxy service module, so that the inner-end proxy service module sends the second encapsulated message to the intranet. In this way, data from the outer network reaches the intranet safely and accurately.
By implementing the security isolation protection method shown in fig. 4, the outer-end processing unit performs a security check on the second message received from the outer network, encrypts the data in the second message after the check is passed, encapsulates the second encrypted data, and sends the resulting second encrypted message to the inner-end processing unit through the data control unit. After receiving the second encrypted message, the inner-end processing unit parses the second encrypted data from it, decrypts the second encrypted data to obtain the second data, and encapsulates the second data using the message encapsulation protocol corresponding to the second message, thereby restoring a second encapsulated message with the same format as the second message, which is then sent to the inner network. Therefore, important information or data in the security isolation network is protected, and the security and accuracy of the data during transmission are improved.
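The outer-end to inner-end flow of steps S401 to S407 (protocol stripping, payload encryption, dedicated-protocol encapsulation, parsing, decryption and restoration of the original message format), as an added runnable model that is not the patent's own code. The frame layout, the protocol-id table, the magic value and the keys are constructed here, and the cipher is a hash-keystream stand-in for the ABE scheme named in the text, not an ABE implementation.

```python
"""Added example: a model of the dedicated-protocol encapsulation flow above.
Frame layout (constructed): magic | version | original protocol id | length |
encrypted payload | HMAC tag. The inner end rejects frames whose magic,
length or tag do not check out before decrypting anything."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MAGIC = b"ISOL"          # constructed marker of the non-standard dedicated protocol
VERSION = 1
PROTO_IDS = {"TCP": 1, "UDP": 2, "HTTP": 3, "FTP": 4}  # constructed id table
PROTO_NAMES = {v: k for k, v in PROTO_IDS.items()}
HEADER = struct.Struct("!4sBBI")  # magic, version, original protocol id, payload length
NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class Message:
    """A message in its original network format, reduced to protocol name plus payload."""
    protocol: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ABE encryption step: fresh nonce plus hash keystream XOR."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def encapsulate(mac_key: bytes, proto_id: int, encrypted: bytes) -> bytes:
    """S402: wrap the encrypted data in the dedicated protocol with an integrity tag."""
    header = HEADER.pack(MAGIC, VERSION, proto_id, len(encrypted))
    tag = hmac.new(mac_key, header + encrypted, hashlib.sha256).digest()
    return header + encrypted + tag


def decapsulate(mac_key: bytes, frame: bytes):
    """S405: parse the encrypted data out of a dedicated-protocol frame, or raise ValueError."""
    if len(frame) < HEADER.size + TAG_LEN:
        raise ValueError("frame too short")
    magic, version, proto_id, length = HEADER.unpack_from(frame)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a dedicated-protocol frame")
    body_end = HEADER.size + length
    if len(frame) != body_end + TAG_LEN:
        raise ValueError("length field does not match frame size")
    encrypted, tag = frame[HEADER.size:body_end], frame[body_end:]
    expected = hmac.new(mac_key, frame[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return proto_id, encrypted


def outer_end_send(enc_key: bytes, mac_key: bytes, msg: Message) -> bytes:
    """S401/S402 after the security check has passed: strip protocol, encrypt, encapsulate."""
    return encapsulate(mac_key, PROTO_IDS[msg.protocol], toy_encrypt(enc_key, msg.payload))


def inner_end_receive(enc_key: bytes, mac_key: bytes, frame: bytes) -> Message:
    """S405/S406: parse, decrypt, and restore the message to its original format."""
    proto_id, encrypted = decapsulate(mac_key, frame)
    return Message(PROTO_NAMES[proto_id], toy_decrypt(enc_key, encrypted))


def frame_accepted(enc_key: bytes, mac_key: bytes, frame: bytes) -> bool:
    """True if the inner end accepts the frame, False if it rejects it."""
    try:
        inner_end_receive(enc_key, mac_key, frame)
        return True
    except ValueError:
        return False


def tampered(frame: bytes, offset: int) -> bytes:
    """Flip one bit of a frame, to model corruption on the second dedicated channel."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)
```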
Optionally, when the second packet is a data access packet, the second data includes user data of a user; the inner end processing module is further configured to parse the user data from the second data, identify the user data, and determine a user role of the user; and controlling the access authority of the user to access the intranet according to the determined user role.
Specifically, for the description of the user roles, refer to the description of the user roles given above for the outer-end processing unit, which is not repeated here. On this basis, after receiving the second data, the inner-end processing unit may identify the user data in the second data, further identify the user data to determine the user role of the user, and then control the subsequent data access rights of the user according to the user role, where the data access rights may be, but are not limited to, at least one of a data operation right and a data access range. Therefore, access rights are controlled per user role, user management efficiency is improved, and a low-privilege user cannot obtain important, high-privilege data.
Optionally, after the inner-end agent module in the inner-end processing unit obtains the second encapsulated message, the inner-end agent module may analyze the second data from the second encapsulated message because the second encapsulated message corresponds to the second message, identify the user data from the second data, determine a user role, and control the access authority of the user according to the determined user role.
Based on any of the above embodiments, in this embodiment, when the second packet is a service packet, the second data includes a post attribute of the user; the inner end processing module is further configured to analyze the post attribute from the second data; and controlling the service processing authority of the user according to the post attribute.
Specifically, in order to control service processing, a post attribute function is introduced into the inner-end processing module, so that different degrees of service processing permission control are applied based on different post attributes, thereby implementing fine-grained access control of service processing based on the post attributes. By introducing post attributes, service processing matching the corresponding post attribute is implemented for different service requirements.
Specifically, in this embodiment, the data permission is separated from the service permission, the role of the user determines the data permission of the user, and the position where the user is located determines the type of the application service that the user can access, so as to improve the flexibility and security of service access. Based on the principle, the method can self-define service access rules on two levels of data and service at an inner end processing unit, and carry out fine-grained service access control based on different service requirements, wherein the service accessible by a user is restricted by a rule set in a rule engine, different rule sets correspond to different post attributes, and each post attribute and the attribute of the rule comprise: client address, post, application class, protocol class and priority, etc. On the basis, after the post attribute is analyzed from the second data in the second encapsulation message by the inner end processing unit, the post attribute can be used for matching with the corresponding accessible service rule engine, and further the accessible application service of the user is confirmed, so that the purpose of controlling the service processing of the user is achieved.
Optionally, the inner-end processing unit further includes an inner-end access control module, please refer to fig. 3. On the basis, after the inner end agent module analyzes the second data from the second encapsulation message, the second data can be sent to the inner end access control module, so that the inner end access control module can analyze the post attribute of the user from the second data and then control the service processing authority of the user according to the post attribute. Flexibility and security of service access is thereby achieved.
In addition, the service rules in the inner end processing unit can be set in the inner end security policy management module, on the basis, when the inner end access control module performs service authority control, the rules can be obtained from the inner end security policy management module, and then the service processing authority of the user is confirmed according to the user post.
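The two-level control described for both the outer-end processing unit above and the inner-end processing unit here (the user role fixing the data permission, the post attribute selecting a rule set in a rule engine whose rules carry client address, post, application class, protocol class and priority), as one added example that is not the patent's own code; the role names, rule contents, addresses and the highest-priority-wins resolution are constructed for the example.

```python
"""Added example: role-based data permission plus post-attribute service rules.
data_access_allowed() answers the data-level question from the user role;
accessible_services() answers the service-level question by matching the
user's post and client address against the rule set and letting the
highest-priority matching rule per application class decide."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Role -> (allowed data operations, accessible data ranges); constructed values
ROLE_DATA_PERMISSIONS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "system_administrator": ({"read", "write", "delete"}, {"system", "business", "public"}),
    "system_auditor": ({"read"}, {"system", "business", "public"}),
    "web_user": ({"read", "write"}, {"business", "public"}),
    "temporary": ({"read"}, {"public"}),
}


@dataclass(frozen=True)
class ServiceRule:
    client_net: str   # client address range the rule applies to
    post: str         # post attribute the rule belongs to
    app_class: str    # application class, e.g. Web, DB, FTP
    proto_class: str  # protocol class of the service
    priority: int     # higher wins when several rules cover the same app class
    allow: bool


# Constructed rule set: finance clerks get web access from the office network,
# database access only from one subnet, and operations engineers get FTP anywhere.
RULES: List[ServiceRule] = [
    ServiceRule("10.0.0.0/8", "finance_clerk", "Web", "HTTP", 10, True),
    ServiceRule("10.0.0.0/8", "finance_clerk", "DB", "TCP", 10, False),
    ServiceRule("10.1.0.0/16", "finance_clerk", "DB", "TCP", 20, True),
    ServiceRule("0.0.0.0/0", "ops_engineer", "FTP", "FTP", 5, True),
]


def data_access_allowed(role: str, operation: str, data_range: str) -> bool:
    """Data level: an unknown role has no permission at all."""
    if role not in ROLE_DATA_PERMISSIONS:
        return False
    operations, ranges = ROLE_DATA_PERMISSIONS[role]
    return operation in operations and data_range in ranges


def accessible_services(rules: List[ServiceRule], post: str, client_ip: str) -> Set[str]:
    """Service level: application classes the post may use from this client address."""
    addr = ip_address(client_ip)
    best: Dict[str, ServiceRule] = {}
    for r in rules:
        if r.post != post or addr not in ip_network(r.client_net):
            continue
        current = best.get(r.app_class)
        if current is None or r.priority > current.priority:
            best[r.app_class] = r
    return {app for app, r in best.items() if r.allow}


def authorize(role: str, post: str, client_ip: str,
              operation: str, data_range: str, app_class: str) -> bool:
    """Both levels must pass: data permission from the role, service from the post."""
    return (data_access_allowed(role, operation, data_range)
            and app_class in accessible_services(RULES, post, client_ip))
```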
Based on the same inventive concept, this embodiment further provides a security isolation protection method for an inner-end processing unit connected to the intranet, where the inner-end processing unit is trusted by the intranet and may be an electronic device that executes the security isolation protection method; when the inner-end processing unit executes the method, it may follow the flow shown in fig. 6, which includes the following steps:
S601, performing a security check on a first message received from the intranet.
S602, after the check is passed, the first data in the first message is encrypted.
S603, packaging the encrypted first encrypted data according to a set first message packaging protocol to obtain a first encrypted message and sending the first encrypted message to an external network.
It should be noted that, the processing procedure of the inner end processing unit in executing steps S601 to S603 may refer to the above-mentioned related description of the inner end processing unit in fig. 2, and is not described in detail here.
Optionally, the method for protecting security isolation provided in this embodiment may further include the following steps: receiving a second encrypted message, wherein the second encrypted message is obtained by encrypting second data in a second message received by an external network and packaging the second data according to a set second message packaging protocol after the security check of the second message is passed; analyzing the second encrypted data from the received second encrypted message according to the set second message encapsulation protocol; parsing the second data from the second encrypted data; packaging the decrypted second data according to the message packaging protocol of the second message to obtain a second packaged message; and sending the second encapsulation message to the intranet.
Specifically, the implementation process of this embodiment may refer to the relevant implementation process of the inner-end processing unit in fig. 4, and is not described in detail here.
Optionally, when the inner end processing unit performs security check on the first packet received from the intranet, the following process may be performed: and carrying out security check on the first message according to a pre-configured security policy.
Specifically, the processing procedure of the inner end processing unit checking the first packet may refer to the relevant description of the inner end processing unit on step S201 in fig. 2, and is not described in detail here.
It should be noted that when the first message fails the check, it may be discarded and logged. On this basis, the inner-end processing unit also records the rules and events of the security policy, intrusion check, policy filtering and access control within the inner-end processing unit, forming a complete log that is displayed to the user so that the user can track and locate events.
Optionally, based on any one of the foregoing embodiments, in this embodiment, when the second packet is a data access packet, the second data includes user data of a user; on this basis, the safety isolation protection method provided by this embodiment further includes: analyzing the user data from the second data; identifying the user data and confirming the user role of the user; and controlling the access authority of the user to access the intranet according to the determined user role.
Specifically, the implementation of the above process may refer to the description process of the inner end processing unit involved in the embodiment shown in fig. 4, and is not described in detail here.
Optionally, based on any one of the foregoing embodiments, in this embodiment, when the second packet is a service packet, the second data includes a post attribute of a user; on this basis, the security isolation protection method provided by this embodiment further includes: parsing the post attribute from the second data; and controlling the service processing authority of the user according to the post attribute.
Specifically, the implementation of the above process may refer to the description process of the inner end processing unit involved in the embodiment shown in fig. 4, and is not described in detail here.
By implementing the flow shown in fig. 6, the inner-end processing unit performs a security check on the first message received from the intranet, encrypts the data in the first message after the check is passed, encapsulates the first encrypted data, and sends the resulting first encrypted message outward through the data control unit, so that important information or data in the security isolation network is protected and the security and accuracy of the data during transmission are improved.
Based on the same inventive concept, this embodiment further provides a security isolation protection method for an outer-end processing unit connected to the outer network, where the outer-end processing unit is trusted with respect to the outer network and may be an electronic device that executes the security isolation protection method; when the outer-end processing unit executes the method, it may follow the flow shown in fig. 7, which includes the following steps:
S701, receiving a first encrypted message, where the first encrypted message is obtained, after the security check of a first message received from the intranet has passed, by encrypting the first data in the first message and encapsulating the encrypted data according to a set first message encapsulation protocol.
S702, the first encrypted data is analyzed from the first encrypted message according to the set first message encapsulation protocol.
S703, decrypting the first data from the first encrypted data.
S704, packaging the decrypted first data according to the message packaging protocol of the first message to obtain a first packaged message.
S705, the first encapsulation message is sent to the external network.
It should be noted that, when the outer-end processing unit executes the processing procedures of steps S701 to S705, reference may be made to the above-mentioned related description of the outer-end processing unit in fig. 2, and a detailed description thereof is omitted here.
By implementing the method shown in fig. 7, the inner-end processing network performs security check on the first message received from the intranet, encrypts data in the first message after the check is passed, then packages the first encrypted data, and sends the first encrypted message to the outer-end processing unit through the data control unit, and the outer-end processing unit can parse the first encrypted data from the first encrypted message after receiving the first encrypted message, then decrypts the first encrypted data to obtain the first data, and packages the first data by using a message packaging protocol corresponding to the first message, so as to restore the first packaged message with the same format as the first message, and send the first packaged message to the extranet. Therefore, the protection of important information or data in the security isolation network is realized, and the security and the accuracy of the data in the data transmission process are improved.
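Both ends of the exchange described above (the inner-end flow of fig. 6 and steps S701 to S705 of the outer end), as an added example in Python that is not part of the patent text. The wire formats, the contents of the pre-configured policy, the shared key and the HMAC-SHA256 counter-mode cipher standing in for a real AEAD are all assumptions of this example.

```python
import hashlib, hmac, logging, secrets, struct

log = logging.getLogger("isolation")

# Constructed wire formats (assumptions, not taken from the patent):
#   first message (intranet format):   4-byte app id | u32 payload length | payload (= "first data")
#   first encrypted message (channel): b"SIP1" | 4-byte app id | 16-byte nonce | u32 length | ciphertext | 32-byte tag
CHANNEL_MAGIC = b"SIP1"
NONCE_LEN, TAG_LEN = 16, 32
HEADER_LEN = len(CHANNEL_MAGIC) + 4 + NONCE_LEN + 4

# Pre-configured security policy (constructed): permitted app protocols, size limit, forbidden byte patterns.
POLICY = {"allowed_app_ids": {b"HTTP", b"DBQ1"}, "max_payload": 4096, "deny_patterns": [b"../", b"\x00"]}


def parse_first_message(msg):
    """Split an intranet-format message into (app_id, payload); None if malformed."""
    if len(msg) < 8:
        return None
    app_id, length = msg[:4], struct.unpack(">I", msg[4:8])[0]
    return (app_id, msg[8:]) if len(msg) - 8 == length else None


def build_first_message(app_id, payload):
    """Encapsulate a payload in the intranet-side message format."""
    return app_id + struct.pack(">I", len(payload)) + payload


def security_check(app_id, payload, policy=POLICY):
    """Apply the pre-configured security policy to a parsed first message; deny by default."""
    if app_id not in policy["allowed_app_ids"] or len(payload) > policy["max_payload"]:
        return False
    return not any(pattern in payload for pattern in policy["deny_patterns"])


def _subkeys(master_key):
    """Derive separate encryption and MAC keys from the one key shared by both ends."""
    return tuple(hmac.new(master_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))


def _xor_keystream(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real AEAD such as AES-GCM."""
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def inner_end_process(first_message, master_key):
    """Inner end: security check, encrypt the first data, encapsulate per the set channel protocol."""
    parsed = parse_first_message(first_message)
    if parsed is None or not security_check(*parsed):
        log.warning("first message discarded by security check: %r", first_message[:12])
        return None  # discarded and logged, never forwarded
    app_id, first_data = parsed
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message so the keystream is never reused
    ciphertext = _xor_keystream(enc_key, nonce, first_data)
    header = CHANNEL_MAGIC + app_id + nonce + struct.pack(">I", len(ciphertext))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC, header included
    return header + ciphertext + tag


def outer_end_process(msg, master_key):
    """Outer end (S701-S705): parse the channel encapsulation, verify, decrypt, restore the original format."""
    if len(msg) < HEADER_LEN + TAG_LEN or not msg.startswith(CHANNEL_MAGIC):
        return None
    header, ciphertext, tag = msg[:HEADER_LEN], msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
    app_id, nonce = header[4:8], header[8:8 + NONCE_LEN]
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if struct.unpack(">I", header[-4:])[0] != len(ciphertext) or not hmac.compare_digest(tag, expected):
        log.warning("channel message failed integrity check, discarded")
        return None  # never decrypt data that did not authenticate
    first_data = _xor_keystream(enc_key, nonce, ciphertext)
    return build_first_message(app_id, first_data)  # first encapsulated message, same format as the first message
```

A message that fails the policy at the inner end, or whose tag does not verify at the outer end, is dropped and logged rather than forwarded, which is the behaviour the text expects from both units.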
Optionally, the security isolation protection method provided in this embodiment may further include the following steps: receiving a second message from the extranet; after the second message passes the check, encrypting the second data in the second message; encapsulating the encrypted second encrypted data according to a set second message encapsulation protocol to obtain a second encrypted message; and sending the second encrypted message to the data control unit.
Specifically, the implementation process of this embodiment may refer to the relevant implementation process of the outer-end processing unit in fig. 4, and is not described in detail here.
Optionally, the outer-end processing unit may check the second message according to the following method: performing a security check on the second message according to a pre-configured security policy.
Specifically, the processing procedure by which the outer-end processing unit checks the second message may refer to the related description of step S401 in fig. 4, and is not described in detail here.
It is noted that when the second message fails the check, the second message may be discarded and logged. In addition, the outer-end processing unit also records the security policy, intrusion check, policy filtering and access control rules applied within it, together with their hits, so as to form a complete log that is displayed to the user, which facilitates tracking and locating by the user.
Optionally, when the first message is a data access message, the first data includes user data of a user; on this basis, the security isolation protection method provided by this embodiment further includes: parsing the user data from the first data; identifying the user data and determining the user role of the user; and controlling the access authority of the user to access the intranet according to the determined user role.
Specifically, the implementation of the above process may refer to the description of the outer-end processing unit in the embodiment shown in fig. 2, and is not described in detail here.
Optionally, based on any one of the embodiments, when the first message is a service message, the first data includes a position attribute of a user; on this basis, the security isolation protection method provided by this embodiment further includes: parsing the position attribute from the first data; and controlling the service processing authority of the user according to the position attribute.
Specifically, the implementation of the above process may refer to the description of the outer-end processing unit in the embodiment shown in fig. 2, and is not described in detail here.
Based on the same inventive concept, the embodiment of the application provides an electronic device, which can be a device connected with an intranet in a security isolation protection system or a device connected with an extranet in the security isolation protection system. As shown in fig. 8, the electronic device includes a processor 801 and a machine-readable storage medium 802, where the machine-readable storage medium 802 stores a computer program capable of being executed by the processor 801, and the processor 801 is caused by the computer program to execute the security isolation protection method provided in any embodiment of the present application. In addition, the electronic device further comprises a communication interface 803 and a communication bus 804, wherein the processor 801, the communication interface 803 and the machine-readable storage medium 802 are communicated with each other through the communication bus 804.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM), a DDR SRAM (Double Data Synchronous Random Access Memory), and a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the embodiment of the present application provides a machine-readable storage medium, which stores a computer program, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the security isolation protection method provided by the embodiment of the present application.
For the embodiments of the electronic device and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and actions of each unit/module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (16)

1. A security isolation protection system, comprising: an inner-end processing unit connected to an intranet and an outer-end processing unit connected to an extranet, where the inner-end processing unit and the outer-end processing unit interact through a data control unit, wherein:
the inner-end processing unit is used for performing a security check on a first message received from the intranet, and, after the first message passes the check, encrypting first data in the first message; encapsulating the encrypted first encrypted data according to a set first message encapsulation protocol to obtain a first encrypted message; and sending the first encrypted message to the data control unit;
the data control unit is used for receiving the first encrypted message and sending the first encrypted message to the outer-end processing unit;
the outer-end processing unit is configured to parse the first encrypted data from the received first encrypted message according to the set first message encapsulation protocol; decrypt the first data from the first encrypted data, and encapsulate the decrypted first data according to a message encapsulation protocol of the first message to obtain a first encapsulated message; and send the first encapsulated message to the extranet.
2. The system of claim 1,
wherein the outer-end processing unit is further configured to receive a second message from the extranet, and, after the second message passes the check, encrypt second data in the second message; encapsulate the encrypted second encrypted data according to a set second message encapsulation protocol to obtain a second encrypted message; and send the second encrypted message to the data control unit;
the data control unit is further configured to receive the second encrypted message and forward the second encrypted message to the inner-end processing unit;
the inner-end processing unit is further configured to parse the second encrypted data from the received second encrypted message according to the set second message encapsulation protocol; decrypt the second data from the second encrypted data, and encapsulate the decrypted second data according to a message encapsulation protocol of the second message to obtain a second encapsulated message; and send the second encapsulated message to the intranet.
3. The system of claim 1 or 2, wherein the inner-end processing unit interacts with the data control unit through a first dedicated channel; and the outer-end processing unit interacts with the data control unit through a second dedicated channel.
4. The system of claim 2,
wherein the inner-end processing unit is specifically configured to perform the security check on the first message according to a pre-configured security policy;
and/or,
the outer-end processing unit is further configured to perform the security check on the second message according to a pre-configured security policy.
5. The system of claim 1, wherein when the first message is a data access message, the first data comprises user data of a user;
the outer-end processing unit is further configured to parse the user data from the first data, identify the user data, and determine a user role of the user; and control the access authority of the user to access the intranet according to the determined user role.
6. The system according to claim 1, wherein when the first message is a service message, the first data includes a position attribute of a user;
the outer-end processing unit is further configured to parse the position attribute from the first data; and control the service processing authority of the user according to the position attribute.
7. The system of claim 2, wherein when the second message is a data access message, the second data comprises user data of a user;
the inner-end processing unit is further configured to parse the user data from the second data, identify the user data, and determine a user role of the user; and control the access authority of the user to access the intranet according to the determined user role.
8. The system according to claim 2, wherein when the second message is a service message, the second data includes a position attribute of a user;
the inner-end processing unit is further configured to parse the position attribute from the second data; and control the service processing authority of the user according to the position attribute.
9. A security isolation protection method, applied to an inner-end processing unit connected to an intranet, comprising the following steps:
performing a security check on a first message received from the intranet;
after the check is passed, encrypting the first data in the first message;
and encapsulating the encrypted first encrypted data according to a set first message encapsulation protocol to obtain a first encrypted message, and sending the first encrypted message to an external network.
10. The method of claim 9, further comprising:
receiving a second encrypted message, wherein the second encrypted message is obtained by encrypting second data in a second message received from an external network and encapsulating the encrypted data according to a set second message encapsulation protocol after the second message has passed the security check;
parsing the second encrypted data from the received second encrypted message according to the set second message encapsulation protocol;
decrypting the second data from the second encrypted data;
encapsulating the decrypted second data according to the message encapsulation protocol of the second message to obtain a second encapsulated message;
and sending the second encapsulated message to the intranet.
11. The method of claim 10, wherein when the second message is a data access message, the second data comprises user data of a user; the method further comprises the following steps:
parsing the user data from the second data;
identifying the user data and determining the user role of the user;
and controlling the access authority of the user to access the intranet according to the determined user role.
12. The method according to claim 10, wherein when the second message is a service message, the second data includes a position attribute of a user; the method further comprises:
parsing the position attribute from the second data;
and controlling the service processing authority of the user according to the position attribute.
13. A security isolation protection method, applied to an outer-end processing unit connected to an external network, comprising the following steps:
receiving a first encrypted message, wherein the first encrypted message is obtained by encrypting first data in a first message and encapsulating the encrypted data according to a set first message encapsulation protocol after the first message received from an intranet has passed the security check;
parsing the first encrypted data from the first encrypted message according to the set first message encapsulation protocol;
decrypting the first data from the first encrypted data;
encapsulating the decrypted first data according to the message encapsulation protocol of the first message to obtain a first encapsulated message;
and sending the first encapsulated message to the external network.
14. The method of claim 13, further comprising:
receiving a second message from the external network;
after the second message passes the check, encrypting second data in the second message;
encapsulating the encrypted second encrypted data according to a set second message encapsulation protocol to obtain a second encrypted message;
and sending the second encrypted message to the data control unit.
15. The method of claim 13, wherein when the first message is a data access message, the first data comprises user data of a user; the method further comprises the following steps:
parsing the user data from the first data;
identifying the user data and determining the user role of the user;
and controlling the access authority of the user to access the intranet according to the determined user role.
16. The method according to claim 13, wherein when the first message is a service message, the first data includes a position attribute of a user; the method further comprises the following steps:
parsing the position attribute from the first data;
and controlling the service processing authority of the user according to the position attribute.
CN202210190510.4A 2022-02-28 2022-02-28 Safety isolation protection system and safety isolation protection method Withdrawn CN114726574A (en)
Publications (1)

Publication Number Publication Date
CN114726574A 2022-07-08