CN114726652A - Security equipment management method and system based on L7 proxy - Google Patents


Info

Publication number
CN114726652A
Authority
CN
China
Prior art keywords
management platform
reverse proxy
security
request
public key
Legal status
Granted
Application number
CN202210546417.2A
Other languages
Chinese (zh)
Other versions
CN114726652B (en)
Inventor
任帅
靳涛
于慧超
石永杰
Current Assignee
Beijing Wangteng Technology Co ltd
Original Assignee
Beijing Wangteng Technology Co ltd

Classifications

    • H04L63/0442 Network security providing a confidential data exchange among entities, wherein the payload is protected and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0236 Filtering policies: filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/083 Authentication of entities using passwords
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Controlling access to devices or network resources
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/2895 Intermediate processing functionally located close to the data provider application, e.g. reverse proxies
    • Y02D30/00 Reducing energy consumption in communication networks

Abstract

The invention relates to a security device management method and system based on an L7 proxy. The method comprises the following steps: the security device starts an SSDP service, searches for a specified feature code with the Search method, and thereby discovers the target security management platform server; once the security management platform server is found, the security device initiates an authentication and registration request and obtains a public key after registration succeeds; the security management platform periodically checks the health state of the security device; the security device starts an HTTP reverse proxy service, which decrypts, parses and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform. By supporting custom plug-in extensions, the security device management method and system based on an L7 proxy can adapt to and remain compatible with different device applications, avoiding the secondary development of the proxy program and the application that compatibility problems would otherwise cause.

Description

Security equipment management method and system based on L7 proxy
Technical Field
The invention relates to the technical field of network security device management, and in particular to a security device management method and system based on an L7 proxy.
Background
To protect key information in their production processes, modern enterprises usually deploy network security devices such as firewalls, gatekeepers, security audit systems and host guards. As the security estate grows, the difficulty of maintaining a large number of devices increases sharply; centralized management and control has become a practical requirement of enterprises, and products such as security management platforms have emerged to meet it.
However, conventional security management platforms have many shortcomings. When a controlled device is brought under management, the device side must not only implement the networking needed to receive instructions from the platform, but also port its control instructions to the platform side. Because controlled devices come from different manufacturers and are built in different development languages and architectures, the traditional approach suffers from high implementation difficulty, long construction periods, poor extensibility and a limited set of supported devices. To avoid every controlled device having to implement its own set of semantics for communicating with the security management platform, a unified, language-independent and framework-independent communication layer is needed, so that developers can concentrate on the business logic, engineering time is saved, and robust, complete products are delivered more efficiently.
Disclosure of Invention
The security device management method based on an L7 proxy provided by the present invention can solve the technical problems described above.
The technical scheme for solving these problems is as follows.
In a first aspect, the present invention provides a security device management method based on an L7 proxy, comprising the following steps:
S1: the security device starts an SSDP service, searches for the specified feature code with the Search method, and discovers the target security management platform server;
S2: after the security management platform server is found, the security device initiates an authentication and registration request and obtains a public key after registration succeeds;
S3: the security device starts a health monitoring service so that the security management platform can periodically check the health state of the security device;
S4: the security device starts an HTTP reverse proxy service, takes over the traffic from the security management platform, decrypts, parses and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
In some embodiments, step S2 further comprises:
S21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends the package to the security management platform for verification; if verification passes, a public key is returned;
S22: the security device encrypts the device information with the public key and asks the security management platform to verify it again; after this verification passes, registration success is returned;
S23: the security device adds the IP address of the security management platform to its trusted hosts, stores the public key, enters the online state, and is ready to receive and process instructions from the security management platform.
In some embodiments, the following operations are performed before the security device starts the HTTP reverse proxy service in step S4:
the security device loads the plug-in resource package, interprets the plug-in source code with the yaegi interpreter, and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
In some embodiments, step S4 further comprises the following steps:
S41: creating a reverse proxy processor;
S42: the security device starts an HTTP service and registers a forward route pointing to the reverse proxy processor;
S43: adding middleware to the forward route, where the middleware runs before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, step S43, in which the middleware runs before the forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response, further comprises:
S431: before the forward-routed request enters the reverse proxy processor, checking the IP address of the requesting client; if the requesting IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting the request with the public key according to the encryption type field in the request header, writing the decrypted data into the request body, and handing the request to the reverse proxy processor for processing;
S432: after the reverse proxy processor returns data, encrypting the data with the public key according to the encryption type and returning it to the security management platform.
In a second aspect, the present invention provides a security device management system based on an L7 proxy, comprising:
a server searching module, used to start an SSDP service, search for the specified feature code with the Search method, and discover the target security management platform server;
an authentication and registration module, used to have the security device initiate an authentication and registration request after the security management platform server is found, and obtain a public key after registration succeeds;
a health monitoring module, used to start a health monitoring service so that the security management platform can periodically check the health state of the security device;
and a reverse proxy module, used to start an HTTP reverse proxy service, take over the traffic from the security management platform, decrypt, parse and authenticate each HTTP request, forward it to the security device, encrypt the response message with the public key, and return the encrypted message to the security management platform.
In some embodiments, the authentication and registration module comprises:
a request verification submodule, used to send a request to the security management platform to obtain a verification code, then package the device information together with the verification code and send the package to the security management platform for verification, a public key being returned if verification passes;
a registration submodule, used to encrypt the device information with the public key and ask the security management platform to verify it again, registration success being returned after verification passes;
and a state maintaining submodule, used to have the security device add the IP address of the security management platform to its trusted hosts, store the public key, enter the online state, and prepare to receive and process instructions from the security management platform.
In some embodiments, the system further comprises:
a plug-in configuration module, used to have the security device load the plug-in resource package, interpret the plug-in source code with the yaegi interpreter, and load all plug-ins into a hook bus managed by the plug-in manager.
In some embodiments, the reverse proxy module comprises:
a processor creating submodule, used to create a reverse proxy processor;
an HTTP service submodule, used to start the HTTP service and register a forward route pointing to the reverse proxy processor;
and a middleware submodule, used to add middleware to the forward route, the middleware running before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, the middleware submodule comprises:
a verification processing unit, used to check the IP address of the requesting client before the forward-routed request enters the reverse proxy processor, to intercept the request and return an error message if the requesting IP address is not a trusted host, and otherwise to decrypt the request with the public key according to the encryption type field in the request header, write the decrypted data into the request body and hand the request to the reverse proxy processor for processing;
and an encryption unit, used to encrypt the data with the public key according to the encryption type after the reverse proxy processor returns data, and to return the encrypted data to the security management platform.
The beneficial effects of this application are as follows:
the application provides a security device management method and system based on an L7 proxy, which abstract the communication between the platform and the controlled device into a single layer. Service discovery, authentication and authorization, health monitoring, traffic control, plug-in extension and similar functions are implemented in this layer, which runs as a lightweight proxy service independent of the device application, is deployed alongside the device application, takes over the traffic from the platform, and completes communication requests between the platform and the device indirectly through proxied communication. Support for custom plug-in extensions provides adaptation to and compatibility with different device applications, avoiding the secondary development of the proxy program and the application that compatibility problems would otherwise cause.
Drawings
Fig. 1 is a flowchart of the security device management method based on an L7 proxy according to the present application;
Fig. 2 is a sub-flowchart of step S2 of the present application;
Fig. 3 is a sub-flowchart of step S4 of the present application;
Fig. 4 is a sub-flowchart of step S43 of the present application;
Fig. 5 is a flowchart of the security device authentication of the present application;
Fig. 6 is a flowchart of the reverse proxy of the present application.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
In order that the above objects, features and advantages of the present application can be more clearly understood, the present disclosure will be further described in detail with reference to the accompanying drawings and examples. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. The specific embodiments described herein are merely illustrative of the disclosure and are not limiting of the application. All other embodiments that can be derived by one of ordinary skill in the art from the description of the embodiments are intended to be within the scope of the present disclosure.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
Fig. 1 is a flowchart of the security device management method based on an L7 proxy according to the present application.
With reference to Fig. 1, a security device management method based on an L7 proxy comprises the following steps:
S1: the security device starts an SSDP service, searches for the specified feature code with the Search method, and discovers the target security management platform server.
Specifically, the method runs as an independent program alongside the main service of the target security device. The program first starts an SSDP (Simple Service Discovery Protocol) service and searches, with the Search method, for a specified feature code (that is, the feature code corresponding to the security management platform) in order to locate the security management platform server.
S2: after the security management platform server is found, the security device initiates an authentication and registration request and obtains a public key after registration succeeds.
In some embodiments, with reference to Fig. 2 and Fig. 5, step S2 further comprises:
S21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends the package to the security management platform for verification; if verification passes, a public key is returned;
S22: the security device encrypts the device information with the public key and asks the security management platform to verify it again; after this verification passes, registration success is returned;
S23: the security device adds the IP address of the security management platform to its trusted hosts, stores the public key, enters the online state, and is ready to receive and process instructions from the security management platform.
Specifically, after discovering the security management platform, the program sends a request to the platform to obtain a verification code, then packages the device information of the security device (including the device's unique identifier, MAC address, IP address and the like) together with the verification code and sends the package to the security management platform for verification. If the platform's verification passes, the platform returns a public key. The program encrypts the security device information with the public key and asks the platform side to verify it again; after this verification passes, the platform returns that registration has succeeded.
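The S21 to S23 exchange with both sides modelled, as an added Go example that is not the patent's implementation: it assumes RSA-OAEP as the public-key scheme (the text only says "public key"), treats the verification code as single use, and uses type and method names of its own. The platform only accepts the second, encrypted submission if it decrypts under the platform's private key to exactly the device information that was packaged with the verification code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// DeviceInfo is the identity bundle the text says the device submits (unique identifier, MAC, IP).
type DeviceInfo struct {
	ID  string `json:"id"`
	MAC string `json:"mac"`
	IP  string `json:"ip"`
}

// Platform models the security management platform side; names are this example's, not the page's.
type Platform struct {
	priv    *rsa.PrivateKey
	codes   map[string]bool       // outstanding verification codes
	pending map[string]DeviceInfo // passed S21, awaiting S22, keyed by device ID
}

func NewPlatform() (*Platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Platform{priv: priv, codes: map[string]bool{}, pending: map[string]DeviceInfo{}}, nil
}

// IssueCode answers the device's first request in S21 with a fresh random code.
func (p *Platform) IssueCode() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	p.codes[code] = true
	return code, nil
}

// Verify checks the packaged device info and code (S21) and returns the public key; single use is this example's choice.
func (p *Platform) Verify(info DeviceInfo, code string) (*rsa.PublicKey, error) {
	if !p.codes[code] {
		return nil, errors.New("unknown or already used verification code")
	}
	delete(p.codes, code)
	p.pending[info.ID] = info
	return &p.priv.PublicKey, nil
}

// Register is the second verification (S22): decrypt with the private key and require a match with the S21 submission.
func (p *Platform) Register(id string, ciphertext []byte) error {
	want, ok := p.pending[id]
	if !ok {
		return errors.New("device has not passed verification")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
	if err != nil {
		return errors.New("ciphertext was not encrypted to the platform key")
	}
	var got DeviceInfo
	if json.Unmarshal(plain, &got) != nil || got != want {
		return errors.New("device info mismatch")
	}
	delete(p.pending, id)
	return nil
}

// Device models the proxy side; Enroll runs S21 to S23 and leaves it holding the platform key, trusted host and online state.
type Device struct {
	Info        DeviceInfo
	PlatformKey *rsa.PublicKey
	TrustedHost string
	Online      bool
}

func (d *Device) Enroll(p *Platform, platformIP string) error {
	code, err := p.IssueCode()
	if err != nil {
		return err
	}
	pub, err := p.Verify(d.Info, code)
	if err != nil {
		return err
	}
	blob, _ := json.Marshal(d.Info)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, blob, nil)
	if err != nil {
		return err
	}
	if err := p.Register(d.Info.ID, ct); err != nil {
		return err
	}
	d.PlatformKey, d.TrustedHost, d.Online = pub, platformIP, true
	return nil
}
```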
S3: the security device starts a health monitoring service so that the security management platform can periodically check the health state of the security device.
Specifically, the program starts the health monitoring service so that the security management platform periodically probes the health state of the security device, and a time threshold is preset. For example, the application may set the probe period to 2 seconds and the time threshold to 5 seconds: if the health state is not returned normally within the threshold (that is, within 5 seconds), the device enters the offline state, in which it cannot receive platform-side instructions until the platform detects its health state again.
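The offline rule of this paragraph as an added Go example (not the patent's code), using the page's 2-second probe period and 5-second threshold; the monitor takes an injectable clock so a timeline can be replayed without sleeping, and the type and method names are this example's assumptions.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// HealthMonitor implements the rule above: the platform probes periodically (2 s on the
// page); if no probe succeeds within offlineAfter (5 s on the page) the device drops
// offline and refuses platform instructions until a probe succeeds again.
type HealthMonitor struct {
	mu           sync.Mutex
	now          func() time.Time // injectable clock so the logic is testable without sleeping
	offlineAfter time.Duration
	lastHealthy  time.Time
	online       bool
}

// NewHealthMonitor starts online, as the device has just completed registration (S23).
func NewHealthMonitor(offlineAfter time.Duration, now func() time.Time) *HealthMonitor {
	return &HealthMonitor{now: now, offlineAfter: offlineAfter, lastHealthy: now(), online: true}
}

// RecordProbe is called whenever the platform's periodic health check succeeds.
func (h *HealthMonitor) RecordProbe() {
	h.mu.Lock()
	defer h.mu.Unlock()
	h.lastHealthy, h.online = h.now(), true
}

// Online re-evaluates the state lazily against the threshold.
func (h *HealthMonitor) Online() bool {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.online && h.now().Sub(h.lastHealthy) > h.offlineAfter {
		h.online = false
	}
	return h.online
}

// Accept gates a platform instruction on the online state.
func (h *HealthMonitor) Accept(instruction string) error {
	if !h.Online() {
		return fmt.Errorf("device offline: refusing instruction %q", instruction)
	}
	return nil
}

// Event is one point on a constructed timeline: a successful probe, or a plain state query.
type Event struct {
	At    time.Duration
	Probe bool
}

// Timeline replays the events against a fake clock and returns the online state after each one.
func Timeline(events []Event, offlineAfter time.Duration) []bool {
	base := time.Unix(0, 0)
	cur := base
	h := NewHealthMonitor(offlineAfter, func() time.Time { return cur })
	out := make([]bool, 0, len(events))
	for _, e := range events {
		cur = base.Add(e.At)
		if e.Probe {
			h.RecordProbe()
		}
		out = append(out, h.Online())
	}
	return out
}

func main() {
	s := time.Second
	// Constructed timeline: probes at 0, 2 and 4 s, then silence until a probe at 10 s.
	events := []Event{{0, true}, {2 * s, true}, {4 * s, true}, {5 * s, false}, {9 * s, false}, {9500 * time.Millisecond, false}, {10 * s, true}}
	fmt.Println(Timeline(events, 5*s)) // [true true true true true false true]
}
```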
S4: the security device starts an HTTP reverse proxy service, takes over the traffic from the security management platform, decrypts, parses and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
In some embodiments, before the security device starts the HTTP reverse proxy service in step S4, the following operations are performed:
the security device loads the plug-in resource package, interprets the plug-in source code with the yaegi interpreter, and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
Specifically, when the program starts, it loads the custom plug-in resource package file specified in its configuration; the resource package is source code written in the Go language. The program parses the manifest file and the source code files in the plug-in package into structured data and persists that data to the database. It then runs the initialization process of the plug-in manager, which first initializes the built-in plug-ins (default functions compiled together with the program) and then interprets the source code of the custom plug-ins with the yaegi interpreter; after interpretation, yaegi exposes the functions defined in the source code directly to the program as functions with the same structure, and a custom plug-in can override a built-in plug-in of the same name. All plug-ins are loaded into the hook bus, which is managed by the plug-in manager; when a hook is triggered, the plug-in manager looks up the corresponding hook functions in the hook bus and constructs a worker coroutine to execute them.
In some embodiments, with reference to Fig. 3 and Fig. 6, step S4 further comprises the following steps:
S41: creating a reverse proxy processor.
Specifically, the program creates a reverse proxy processor, which works as follows: it receives a request from upstream, processes the request header, obtains the downstream data through the connection pool (initializing the pool if none exists), writes the downstream data into a buffer, deletes the Connection message header, copies the response header data returned from downstream into the upstream response header, periodically copies data from the buffer into the response object, and flushes the buffer. In addition, a hook is added to the processor so that requests are preprocessed by built-in or custom plug-ins.
S42: the security device starts an HTTP service and registers a forward route pointing to the reverse proxy processor;
S43: adding middleware to the forward route, where the middleware runs before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, with reference to Fig. 4, step S43, in which the middleware runs before the forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response, further comprises:
S431: before the forward-routed request enters the reverse proxy processor, checking the IP address of the requesting client; if the requesting IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting the request with the public key according to the encryption type field in the request header, writing the decrypted data into the request body, and handing the request to the reverse proxy processor for processing;
S432: after the reverse proxy processor returns data, encrypting the data with the public key according to the encryption type and returning it to the security management platform.
Specifically, the program starts the HTTP service and registers a forward route to the reverse proxy processor created in step S41; the forward route can handle the various request methods, including GET, POST, PUT and DELETE. Middleware is added to the forward route; it runs before a request enters the processor and after the processor returns a response, which amounts to a pre-step and a post-step around the processor. In the pre-step, the IP address of the requesting client is checked: if it is not the trusted host (the security management platform registered in step S23), the request is intercepted and an error message is returned; if the check passes, the public key stored in step S23 is used for decryption according to the encryption type field in the request header, and the decrypted data is written into the request body and handed to the reverse proxy processor. After the proxy processor has processed the request and returned data, the post-step encrypts the data with the public key according to the encryption type and returns the encrypted data upstream, that is, to the security management platform, which completes the security device management process.
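The pre-step and post-step of S43 around the reverse proxy processor of S41, as an added Go example that is not the patent's own code: the trusted-host check, decryption selected by the encryption-type header, forwarding through net/http/httputil, and encryption of the reply. It assumes the header name X-Encryption-Type and stands in AES-GCM under a shared key for the page's key material, because the text names the same public key for both decrypting requests and encrypting replies without specifying the scheme; type and function names are this example's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const encHeader = "X-Encryption-Type" // header name is an assumption; the text only says "encryption type field"

// seal/unseal frame an AEAD as nonce||ciphertext||tag. AES-GCM under a shared key is a
// constructed stand-in for the page's key material, not the public-key scheme it names.
func seal(aead cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

func unseal(aead cipher.AEAD, ct []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], nil) // fails on any tampering
	}
	return nil, io.ErrUnexpectedEOF // shorter than a nonce
}

// Proxy holds what S23 leaves behind (trusted platform host, key material) and wraps the S41 processor with the S43 middleware.
type Proxy struct {
	TrustedHost string
	Ciphers     map[string]cipher.AEAD // keyed by encryption type
	rp          *httputil.ReverseProxy
}

func NewProxy(trustedHost string, ciphers map[string]cipher.AEAD, backend *url.URL) *Proxy {
	p := &Proxy{TrustedHost: trustedHost, Ciphers: ciphers, rp: httputil.NewSingleHostReverseProxy(backend)}
	// Post-step (S432): encrypt the reply before it returns to the platform. ReverseProxy
	// itself already strips hop-by-hop headers such as Connection on both legs.
	p.rp.ModifyResponse = func(resp *http.Response) error {
		body, err := io.ReadAll(resp.Body)
		if err == nil { // the outbound request kept the inbound encryption-type header
			body, err = seal(p.Ciphers[resp.Request.Header.Get(encHeader)], body)
		}
		if err != nil {
			return err // ReverseProxy answers the platform with 502 in that case
		}
		resp.Body, resp.ContentLength = io.NopCloser(bytes.NewReader(body)), int64(len(body))
		resp.Header.Del("Content-Length") // length changed; let the server re-frame the body
		return nil
	}
	return p
}

// ServeHTTP is the pre-step (S431): refuse any client but the registered platform, then decrypt per encryption type.
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err != nil || host != p.TrustedHost {
		http.Error(w, "untrusted client", http.StatusForbidden)
		return
	}
	aead, ok := p.Ciphers[r.Header.Get(encHeader)]
	body, err := io.ReadAll(r.Body)
	if ok && err == nil {
		body, err = unseal(aead, body)
	}
	if !ok || err != nil {
		http.Error(w, "unsupported encryption type or undecryptable body", http.StatusBadRequest)
		return
	}
	r.Body, r.ContentLength = io.NopCloser(bytes.NewReader(body)), int64(len(body))
	p.rp.ServeHTTP(w, r) // processor: forward the plaintext request to the device application
}

// Demo wires a constructed backend (echoes the body in upper case) behind the proxy, drives one request and returns status plus decrypted reply.
func Demo(remoteAddr, encType string, plaintext []byte) (int, []byte, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		w.Write(bytes.ToUpper(b))
	}))
	defer backend.Close()
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32)) // constructed 256-bit key, not real material
	aead, _ := cipher.NewGCM(block)
	target, _ := url.Parse(backend.URL)
	p := NewProxy("192.0.2.1", map[string]cipher.AEAD{"aes-gcm": aead}, target)
	ct, _ := seal(aead, plaintext) // only fails if the system RNG does
	req := httptest.NewRequest(http.MethodPost, "http://device.local/api/status", bytes.NewReader(ct))
	req.RemoteAddr = remoteAddr
	req.Header.Set(encHeader, encType)
	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, req)
	pt, err := unseal(aead, rec.Body.Bytes()) // an error page is not decryptable, so err is set then
	return rec.Code, pt, err
}
```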
The second aspect of the present invention also provides a security device management system based on an L7 proxy, comprising:
a server searching module, used to start an SSDP service, search for the specified feature code with the Search method, and discover the target security management platform server;
an authentication and registration module, used to have the security device initiate an authentication and registration request after the security management platform server is found, and obtain a public key after registration succeeds;
a health monitoring module, used to start a health monitoring service so that the security management platform can periodically check the health state of the security device;
and a reverse proxy module, used to start an HTTP reverse proxy service, take over the traffic from the security management platform, decrypt, parse and authenticate each HTTP request, forward it to the security device, encrypt the response message with the public key, and return the encrypted message to the security management platform.
In some embodiments, the authentication and registration module comprises:
a request verification submodule, used to send a request to the security management platform to obtain a verification code, then package the device information together with the verification code and send the package to the security management platform for verification, a public key being returned if verification passes;
a registration submodule, used to encrypt the device information with the public key and ask the security management platform to verify it again, registration success being returned after verification passes;
and a state maintaining submodule, used to have the security device add the IP address of the security management platform to its trusted hosts, store the public key, enter the online state, and prepare to receive and process instructions from the security management platform.
In some embodiments, the security device management system based on an L7 proxy further comprises:
a plug-in configuration module, used to have the security device load the plug-in resource package, interpret the plug-in source code with the yaegi interpreter, and load all plug-ins into a hook bus managed by the plug-in manager.
In some embodiments, the reverse proxy module comprises:
a processor creating submodule, used to create a reverse proxy processor;
an HTTP service submodule, used to start the HTTP service and register a forward route pointing to the reverse proxy processor;
and a middleware submodule, used to add middleware to the forward route, the middleware running before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, the middleware submodule comprises:
a verification processing unit, used to check the IP address of the requesting client before the forward-routed request enters the reverse proxy processor, to intercept the request and return an error message if the requesting IP address is not a trusted host, and otherwise to decrypt the request with the public key according to the encryption type field in the request header, write the decrypted data into the request body and hand the request to the reverse proxy processor for processing;
and an encryption unit, used to encrypt the data with the public key according to the encryption type after the reverse proxy processor returns data, and to return the encrypted data to the security management platform.
It will be understood by those skilled in the art that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments.
Those skilled in the art will appreciate that the description of each embodiment has a respective emphasis, and reference may be made to the related description of other embodiments for those parts of an embodiment that are not described in detail.
Although the embodiments of the present application have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the application, and such modifications and variations fall within the specific embodiments of the present invention as defined in the appended claims. The scope of the present invention is not limited thereto: any person skilled in the art can readily conceive of equivalent modifications and substitutions within the technical scope of the present disclosure, and these are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A security device management method based on an L7 proxy, characterized by comprising the following steps:
s1: the security equipment starts SSDP service, searches the appointed feature code by a Search method and detects a target security management platform server;
s2: after the security management platform server is searched, the security device initiates an authentication and registration request, and acquires a public key after the registration is successful;
s3: the safety equipment starts health monitoring service for the safety management platform to regularly check the health state of the safety equipment;
s4: the security device starts an Http reverse proxy service, takes over the traffic from the security management platform, decrypts, parses and authenticates the Http request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
2. The L7 proxy-based security device management method of claim 1, wherein the step S2 further comprises:
s21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends the package to the security management platform for verification, and if the verification passes, a public key is returned;
s22: the security device encrypts the device information with the public key and requests the security management platform to verify it again, and registration success is returned after the verification passes;
s23: the security device adds the IP address of the security management platform to the trusted hosts, stores the public key, enters the online state at this point, and is ready to receive and process instructions from the security management platform.
3. The L7 proxy-based security device management method of claim 2, wherein in step S4, before the security device starts the Http reverse proxy service, the following operation is performed:
the security device loads the plug-in resource package, then interprets the plug-in source code with the yaegi interpreter and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
4. The L7 proxy-based security device management method of claim 3, wherein the step S4 further comprises the steps of:
s41: creating a reverse proxy processor;
s42: the security device starts an Http service, and registers forward routing to point to the reverse proxy processor;
s43: and adding middleware in the forward route, wherein the middleware works before the forward route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
5. The L7 proxy-based security device management method of claim 4, wherein the step S43 "the middleware works before the forward routing request enters the reverse proxy processor and after the reverse proxy processor returns a response" further comprises:
s431: before the forward routing request enters the reverse proxy processor, checking the IP address of the requesting client; if the requesting IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting with the public key according to the encryption type field in the request header, writing the decrypted data into the request body, and handing the request to the reverse proxy processor for processing;
s432: and after the reverse proxy processor returns data, the data is encrypted by using the public key according to the encryption type and returned to the security management platform.
6. An L7 proxy-based security device management system, comprising:
the server searching module is used for starting SSDP service, searching the specified feature code by a Search method and detecting a target security management platform server;
the authentication registration module is used for initiating an authentication and registration request by the security equipment after the security management platform server is searched, and acquiring a public key after the registration is successful;
the health monitoring module is used for starting health monitoring service for the safety management platform to regularly check the health state of the safety equipment;
and the reverse proxy module is used for starting an Http reverse proxy service, taking over the traffic from the security management platform, decrypting, parsing and authenticating the Http request, forwarding it to the security device, encrypting the response message with the public key, and returning the encrypted message to the security management platform.
7. The L7 proxy-based security device management system of claim 6, wherein the authentication registration module comprises:
the request verification submodule is used for sending a request to the security management platform to acquire a verification code, then packaging the equipment information and the verification code and sending the packaged equipment information and the verification code to the security management platform for verification, and if the verification is passed, returning a public key;
the registration submodule is used for encrypting the equipment information by using the public key and then requesting the security management platform to verify again, and returning registration success after verification is passed;
and the state maintaining submodule is used for making the security device add the IP address of the security management platform to the trusted hosts, store the public key, enter the online state at this point, and prepare to receive and process instructions from the security management platform.
8. The L7 proxy-based security device management system of claim 7, further comprising:
a plug-in configuration module, used for making the security device load the plug-in resource package, interpret the plug-in source code with the yaegi interpreter and load all plug-ins into a hook bus, where the hook bus is managed by the plug-in manager.
9. The L7 proxy-based security device management system of claim 8, wherein the reverse proxy module comprises:
the processor creating submodule is used for creating a reverse proxy processor;
the Http service sub-module is used for starting Http service, and registering forward routing to point to the reverse proxy processor;
and the middleware sub-module is used for adding middleware into a forward route, and the middleware works before the forward route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
10. The L7 proxy-based security device management system of claim 9, wherein the middleware submodule comprises:
the verification processing unit is used for checking the IP address of the requesting client before the forward routing request enters the reverse proxy processor; if the requesting IP address is not a trusted host, the request is intercepted and an error message is returned; if the check passes, the public key is used for decryption according to the encryption type field in the request header, and the decrypted data is written into the request body and processed by the reverse proxy processor;
and the encryption unit is used for encrypting the data by using the public key according to the encryption type after the reverse proxy processor returns the data, and returning the data to the security management platform.
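Claim 2 (and the authentication registration module of claim 7) describes registration in three steps: a verification code is fetched, device information is packaged with it and verified, the public key comes back, the device information is re-verified encrypted under that key, and the device then records the platform as a trusted host and goes online. The Go example below is added for illustration and is not the patent's or the applicant's code. It models both sides in one process, with direct method calls standing in for the HTTP round trips; the names (Platform, Device, DeviceInfo, IssueCode, Verify, Register), RSA-OAEP as the public-key encryption, a one-shot verification code that expires after five minutes, and the rule that the information encrypted in S22 must match what S21 verified are all assumptions the patent does not state. The device record used as input is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// DeviceInfo is the constructed device record packaged in S21 and S22.
type DeviceInfo struct {
	ID   string `json:"id"`
	Addr string `json:"addr"`
}

// Platform is the management-platform side of claim 2. Assumed policy (not in the
// patent): a code is one-shot, expires after five minutes, and S22 must repeat the
// device info that S21 verified.
type Platform struct {
	priv    *rsa.PrivateKey
	codes   map[string]time.Time  // verification code -> expiry
	pending map[string]DeviceInfo // device ID -> info verified in S21
}

func NewPlatform(priv *rsa.PrivateKey) *Platform {
	return &Platform{priv: priv, codes: map[string]time.Time{}, pending: map[string]DeviceInfo{}}
}

// IssueCode is the first half of S21: the device asks for a verification code.
func (p *Platform) IssueCode() string {
	b := make([]byte, 16)
	rand.Read(b) // never fails as of Go 1.24; earlier versions fail only without an OS RNG
	code := hex.EncodeToString(b)
	p.codes[code] = time.Now().Add(5 * time.Minute)
	return code
}

// Verify is the second half of S21: check info and code, consume the code so it
// cannot be replayed, and hand back the platform public key.
func (p *Platform) Verify(info DeviceInfo, code string) (*rsa.PublicKey, error) {
	exp, ok := p.codes[code]
	delete(p.codes, code)
	if !ok || time.Now().After(exp) || info.ID == "" {
		return nil, errors.New("verification failed: bad, expired or reused code")
	}
	p.pending[info.ID] = info
	return &p.priv.PublicKey, nil
}

// Register is S22: decrypt the device info with the private key and accept it
// only if it matches the record verified in S21.
func (p *Platform) Register(ct []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
	if err != nil {
		return err
	}
	var info DeviceInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return err
	}
	if want, ok := p.pending[info.ID]; !ok || want != info {
		return errors.New("device info does not match the verified record")
	}
	delete(p.pending, info.ID)
	return nil
}

// Device is the security device; PlatformPub, TrustedHosts and Online are the state S23 leaves behind.
type Device struct {
	Info         DeviceInfo
	PlatformPub  *rsa.PublicKey
	TrustedHosts map[string]bool
	Online       bool
}

// Register runs S21-S23 against a platform reached at platformIP; method calls stand in for HTTP.
func (d *Device) Register(p *Platform, platformIP string) error {
	code := p.IssueCode()
	pub, err := p.Verify(d.Info, code) // S21: info + code out, public key back
	if err != nil {
		return err
	}
	infoJSON, _ := json.Marshal(d.Info) // cannot fail for this struct
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, infoJSON, nil)
	if err != nil {
		return err
	}
	if err := p.Register(ct); err != nil { // S22: info encrypted under the key
		return err
	}
	// S23: trust the platform address, keep its key and go online.
	d.PlatformPub = pub
	d.TrustedHosts = map[string]bool{platformIP: true}
	d.Online = true
	return nil
}
```

The two checks a reviewer would look for sit in `Platform.Verify` and `Platform.Register`: the code is deleted on first use, so a captured code cannot be replayed, and S22 succeeds only for a device identity that passed S21, so the public key handed out at S21 cannot be used to register a different identity. The model is single-threaded; a handler serving many devices concurrently would guard the two maps with a mutex.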
CN202210546417.2A 2022-05-20 2022-05-20 Security equipment management method and system based on L7 proxy Active CN114726652B (en)

Publications (2)

Publication Number Publication Date
CN114726652A true CN114726652A (en) 2022-07-08
CN114726652B CN114726652B (en) 2022-08-30

Family

ID=82231476

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180270066A1 (en) * 2015-09-25 2018-09-20 Genetec Inc. Secure enrolment of security device for communication with security server
CN110138779A (en) * 2019-05-16 2019-08-16 全知科技(杭州)有限责任公司 A kind of Hadoop platform security control method based on multi-protocols reverse proxy
CN111193720A (en) * 2019-12-16 2020-05-22 中国电子科技集团公司第三十研究所 Trust service adaptation method based on security agent
CN111770092A (en) * 2020-06-29 2020-10-13 华中科技大学 Numerical control system network security architecture and secure communication method and system
CN114499989A (en) * 2021-12-30 2022-05-13 奇安信科技集团股份有限公司 Security device management method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant