CN114726652A - Security equipment management method and system based on L7 proxy - Google Patents
Security equipment management method and system based on L7 proxy
- Publication number: CN114726652A
- Application number: CN202210546417.2A
- Authority: CN (China)
- Prior art keywords: management platform, reverse proxy, security, request, public key
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/2895—Intermediate processing functionally located close to the data provider application, e.g. reverse proxies
- Y02D30/00—Reducing energy consumption in communication networks
Abstract
The invention relates to a security device management method and system based on an L7 proxy. The method comprises the following steps: the security device starts an SSDP service, searches for the specified feature code by a Search method, and detects the target security management platform server; after the security management platform server is found, the security device initiates an authentication and registration request and acquires a public key once registration succeeds; the security management platform regularly checks the health state of the security device; the security device starts an HTTP reverse proxy service that decrypts, analyzes and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform. By supporting custom plug-in extensions, the method and system can adapt to and remain compatible with different device application programs, avoiding the secondary development of the proxy program and the application program that compatibility problems would otherwise require.
Description
Technical Field
The invention relates to the technical field of network security device management, in particular to a security device management method and system based on an L7 proxy.
Background
To protect key information in the production process, modern enterprises usually deploy network security devices such as firewalls, gatekeepers, security audit systems and host guards. As the security estate grows, maintaining a large number of devices becomes sharply more difficult, centralized management and control becomes a practical requirement of enterprises, and products such as security management platforms have emerged to meet it.
However, conventional security management platforms have many shortcomings. When a controlled device is brought under management, the device side must not only implement the networking needed to receive instructions from the platform, but the control instructions must also be migrated to the platform side. Because controlled devices come from different manufacturers and differ in development language and architecture, the traditional approach leads to high implementation difficulty, long construction periods, poor extensibility and a limited range of supported devices. To avoid every controlled device having to implement its own set of semantics for communicating with the security management platform, a unified, language-independent and framework-independent communication layer is needed, so that development staff can concentrate on the business logic, engineering time is saved, and robust, complete products are delivered more efficiently.
Disclosure of Invention
The L7-proxy-based security device management method of the present application addresses the technical problems described above.
The technical solution is as follows:
In a first aspect, the present invention provides a security device management method based on an L7 proxy, comprising the following steps:
S1: the security device starts an SSDP service, searches for the specified feature code by a Search method, and detects the target security management platform server;
S2: after the security management platform server is found, the security device initiates an authentication and registration request, and acquires a public key once registration succeeds;
S3: the security device starts a health monitoring service so that the security management platform can regularly check the health state of the security device;
S4: the security device starts an HTTP reverse proxy service, takes over the traffic from the security management platform, decrypts, analyzes and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
In some embodiments, step S2 further includes:
S21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends the package to the security management platform for verification; if the verification passes, a public key is returned;
S22: the security device encrypts the device information with the public key and requests the security management platform to verify it again; once this verification passes, registration success is returned;
S23: the security device adds the IP address of the security management platform to its trusted hosts, stores the public key, enters the online state, and is ready to receive and process instructions from the security management platform.
In some embodiments, the following operations are performed before the security device starts the HTTP reverse proxy service in step S4:
the security device loads the plug-in resource package, interprets the plug-in source code with the yaegi interpreter, and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
In some embodiments, step S4 further includes the steps of:
S41: creating a reverse proxy processor;
S42: the security device starts an HTTP service and registers a forward route pointing to the reverse proxy processor;
S43: adding middleware to the forward route, where the middleware works before a forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, step S43, in which the middleware works before the forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response, further includes:
S431: before the forward-route request enters the reverse proxy processor, checking the IP address of the requesting client; if the requesting IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting the data with the public key according to the encryption type field in the request header, writing the decrypted data into the request body, and handing it to the reverse proxy processor for processing;
S432: after the reverse proxy processor returns data, encrypting the data with the public key according to the encryption type and returning it to the security management platform.
In a second aspect, the present invention provides an L7 proxy-based security device management system, including:
a server searching module, used to start an SSDP service, search for the specified feature code by a Search method, and detect the target security management platform server;
an authentication registration module, used by the security device to initiate an authentication and registration request after the security management platform server is found, and to acquire a public key once registration succeeds;
a health monitoring module, used to start a health monitoring service so that the security management platform can regularly check the health state of the security device;
and a reverse proxy module, used to start an HTTP reverse proxy service, take over the traffic from the security management platform, decrypt, analyze and authenticate each HTTP request, forward it to the security device, encrypt the response message with the public key, and return the encrypted message to the security management platform.
In some embodiments, the authentication registration module comprises:
a request verification submodule, used to send a request to the security management platform to obtain a verification code, then package the device information together with the verification code and send the package to the security management platform for verification, a public key being returned if the verification passes;
a registration submodule, used to encrypt the device information with the public key and request the security management platform to verify it again, registration success being returned once the verification passes;
and a state maintaining submodule, used to make the security device add the IP address of the security management platform to its trusted hosts, store the public key, enter the online state, and prepare to receive and process instructions from the security management platform.
In some embodiments, the system further comprises:
a plug-in configuration module, used to make the security device load the plug-in resource package, interpret the plug-in source code with the yaegi interpreter, and load all plug-ins into a hook bus managed by the plug-in manager.
In some embodiments, the reverse proxy module comprises:
a processor creating submodule, used to create a reverse proxy processor;
an HTTP service submodule, used to start the HTTP service and register a forward route pointing to the reverse proxy processor;
and a middleware submodule, used to add middleware to the forward route, the middleware working before a forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, the middleware submodule comprises:
a verification processing unit, used to check the IP address of the requesting client before the forward-route request enters the reverse proxy processor and, if the requesting IP address is not a trusted host, to intercept the request and return an error message; if the check passes, to decrypt the data with the public key according to the encryption type field in the request header, write the decrypted data into the request body, and hand it to the reverse proxy processor for processing;
and an encryption unit, used to encrypt the data with the public key according to the encryption type after the reverse proxy processor returns the data, and to return the encrypted data to the security management platform.
The beneficial effects of this application are as follows:
the application provides a security device management method and system based on an L7 proxy, which abstract the communication between the platform and the controlled device into a single layer. Service discovery, authentication and authorization, health monitoring, traffic control, plug-in extension and similar functions are realized in that layer, which acts as a lightweight proxy service independent of the device application program; it is deployed alongside the device application program, takes over the traffic from the platform, and indirectly completes the communication requests between platform and device through proxied communication. Support for custom plug-in extensions allows it to adapt to and remain compatible with different device application programs, avoiding the secondary development of the proxy program and the application program that compatibility problems would otherwise require.
Drawings
Fig. 1 is a flowchart of the security device management method based on an L7 proxy according to the present application;
Fig. 2 is a sub-flowchart of step S2 of the present application;
Fig. 3 is a sub-flowchart of step S4 of the present application;
Fig. 4 is a sub-flowchart of step S43 of the present application;
Fig. 5 is a flowchart of the security device authentication of the present application;
Fig. 6 is a flowchart of the reverse proxy of the present application.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
In order that the above objects, features and advantages of the present application can be more clearly understood, the present disclosure will be further described in detail with reference to the accompanying drawings and examples. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. The specific embodiments described herein are merely illustrative of the disclosure and are not limiting of the application. All other embodiments that can be derived by one of ordinary skill in the art from the description of the embodiments are intended to be within the scope of the present disclosure.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
Fig. 1 is a flowchart of the security device management method based on an L7 proxy according to the present application.
A security device management method based on an L7 proxy, which, with reference to Fig. 1, includes the following steps:
S1: the security device starts an SSDP service, searches for the specified feature code by a Search method, and detects the target security management platform server.
Specifically, the method runs as an independent program alongside the main service of the target security device. The program first runs an SSDP (Simple Service Discovery Protocol) service and searches, by the Search method, for the specified feature code (i.e. the feature code corresponding to the security management platform) in order to locate the security management platform server.
S2: after the security management platform server is found, the security device initiates an authentication and registration request, and acquires a public key once registration succeeds.
In some embodiments, with reference to Fig. 2 and Fig. 5, step S2 further includes:
S21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends the package to the security management platform for verification; if the verification passes, a public key is returned;
S22: the security device encrypts the device information with the public key and requests the security management platform to verify it again; once this verification passes, registration success is returned;
S23: the security device adds the IP address of the security management platform to its trusted hosts, stores the public key, enters the online state, and is ready to receive and process instructions from the security management platform.
Specifically, after detecting the security management platform, the program sends a request to the security management platform to obtain a verification code. It then packages the device information of the security device (which includes the device's unique identifier, MAC address, IP address and similar fields) together with the verification code and sends the package to the security management platform for verification. If the security management platform's verification passes, it returns a public key; the program encrypts the security device information with this public key and requests the platform side to verify it again, and once that verification passes the platform returns that registration has succeeded.
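The two-stage check of S21 and S22 described above, as an added example in Go that is not part of the patent or of any vendor's code: the platform side issues a single-use verification code, binds the device information submitted with it, returns its public key, and then accepts registration only if the information decrypted from the public-key-encrypted message matches what that code bound. RSA-OAEP, the JSON packaging of the device information and all identifiers are assumptions; the device-side state of S23 (trusted host, stored key) is not modelled here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
)

// DeviceInfo carries the fields the patent names for step S2: unique identifier, MAC and IP address.
type DeviceInfo struct {
	ID  string `json:"id"`
	MAC string `json:"mac"`
	IP  string `json:"ip"`
}

// Platform models the security management platform side in-process; RSA-OAEP stands in for the unspecified public-key scheme (an assumption).
type Platform struct {
	priv       *rsa.PrivateKey
	pending    map[string]*DeviceInfo // verification code -> info bound to it in S21 (nil until then)
	Registered map[string]DeviceInfo  // devices that completed S22, by ID
}

func NewPlatform() (*Platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Platform{priv: priv, pending: map[string]*DeviceInfo{}, Registered: map[string]DeviceInfo{}}, nil
}

// IssueCode answers the first request of S21 with a fresh, single-use verification code.
func (p *Platform) IssueCode() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	p.pending[code] = nil
	return code, nil
}

// VerifyCode answers the second request of S21: a valid, unused code binds the submitted info and returns the platform public key (PEM).
func (p *Platform) VerifyCode(code string, info DeviceInfo) ([]byte, error) {
	bound, ok := p.pending[code]
	if !ok || bound != nil {
		return nil, errors.New("verification code unknown or already used")
	}
	p.pending[code] = &info
	der, err := x509.MarshalPKIXPublicKey(&p.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Register is S22: decrypt the info sent under the public key and require it to match what the code bound in S21.
func (p *Platform) Register(code string, ciphertext []byte) error {
	bound := p.pending[code]
	if bound == nil {
		return errors.New("no device info bound to this code")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
	if err != nil {
		return err
	}
	var info DeviceInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return err
	}
	if info != *bound {
		return errors.New("device info does not match the first verification")
	}
	delete(p.pending, code) // the code is consumed by a successful registration
	p.Registered[info.ID] = info
	return nil
}

// EncryptInfo is the device side of S22: package the device info and encrypt it with the received public key.
func EncryptInfo(pubPEM []byte, info DeviceInfo) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, errors.New("public key is not PEM")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	payload, _ := json.Marshal(info) // cannot fail for a struct of strings
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, payload, nil)
}
```

Binding the device information to the code in S21 is what makes the second verification in S22 meaningful: a party holding only the code, or only the public key, cannot complete registration for a different device identity.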
S3: the security device starts a health monitoring service so that the security management platform can regularly check the health state of the security device.
Specifically, the program starts the health monitoring service so that the security management platform periodically probes the health state of the security device, with a preset time threshold. For example, the application may set the probe period to 2 seconds and the time threshold to 5 seconds; if a normal health state is not returned within the threshold (i.e. within 5 seconds), the security device enters the offline state, in which it cannot receive platform-side instructions until the platform detects its health state again.
S4: the security device starts an HTTP reverse proxy service, takes over the traffic from the security management platform, decrypts, analyzes and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
In some embodiments, before "the security device starts the HTTP reverse proxy service" in step S4, the following operations are performed:
the security device loads the plug-in resource package, interprets the plug-in source code with the yaegi interpreter, and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
Specifically, when the program starts, it loads the custom plug-in resource package file specified in its configuration; the resource package is source code written in the Go (golang) language. The program parses the manifest file and the source code files in the plug-in package into structured data and persists that data to the database. It then runs the initialization process of the plug-in manager, which first initializes the built-in plug-ins (default functions compiled together with the program) and then interprets the source code of the custom plug-ins with the yaegi interpreter; after interpretation, yaegi exposes the functions defined in the source code directly to the program as functions with the same structure, and a custom plug-in can override a built-in plug-in of the same name. All plug-ins are loaded into the hook bus, which is managed by the plug-in manager; when a hook is triggered, the plug-in manager looks up the corresponding hook functions in the hook bus and constructs a worker coroutine to execute them.
In some embodiments, with reference to Fig. 3 and Fig. 6, step S4 further includes the following steps:
S41: creating a reverse proxy processor.
Specifically, the program creates a reverse proxy processor, which works as follows: it receives a request from upstream, processes the request header, obtains downstream data through a connection pool (initialized if no pool exists yet), writes the downstream data into a buffer, deletes the Connection message header, copies the response header data returned from downstream into the upstream response header, periodically copies the data from the buffer into the response object, and flushes the buffer. In addition, a hook program is added to the processor so that requests are preprocessed by built-in or custom plug-ins.
S42: the security device starts an HTTP service and registers a forward route pointing to the reverse proxy processor;
S43: adding middleware to the forward route, where the middleware works before a forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, with reference to Fig. 4, step S43, in which the middleware works before the forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response, further includes:
S431: before the forward-route request enters the reverse proxy processor, checking the IP address of the requesting client; if the requesting IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting the data with the public key according to the encryption type field in the request header, writing the decrypted data into the request body, and handing it to the reverse proxy processor for processing;
S432: after the reverse proxy processor returns data, encrypting the data with the public key according to the encryption type and returning it to the security management platform.
Specifically, the program starts the HTTP service and registers a forward route to the reverse proxy processor created in step S41; the forward route can handle the various request methods, including GET, POST, PUT and DELETE. Middleware is added to the forward route; it works before a request enters the processor and after the processor returns a response, which amounts to a pre-step and a post-step around the processor. In the pre-step, the IP address of the requesting client is checked: if it is not the trusted host (the security management platform registered in step S23), the request is intercepted and an error message is returned; if the check passes, the public key stored in step S23 is used to decrypt the data according to the encryption type field in the request header, and the decrypted data is written into the request body and processed by the reverse proxy processor. After the proxy processor processes the request and returns data, the post-step encrypts that data with the public key according to the encryption type and returns the encrypted data upstream, i.e. to the security management platform, which completes the whole security device management process.
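The forward route with its pre-step and post-step (S42, S43, S431, S432), as an added example in Go built on net/http/httputil; it is not the patent's or any vendor's code. The header name X-Enc-Type, the encryption type value aes-gcm, and the use of a symmetric AES-GCM key in place of the patent's "public key" are assumptions made so that the flow runs offline; the trusted host is the single registered platform address of S23.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// EncTypeHeader is an assumed name; the patent only speaks of "the encryption type field in the request header".
const EncTypeHeader = "X-Enc-Type"
// Agent holds the device-side state left by S23: the trusted platform host and the stored key (an AES-GCM key stands in for the patent's "public key", an assumption).
type Agent struct {
	trusted string // IP address of the registered security management platform
	aead    cipher.AEAD
}

// NewAgent binds the trusted platform address and the key material.
func NewAgent(key []byte, trustedHost string) (*Agent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Agent{trusted: trustedHost, aead: aead}, nil
}

// Seal produces nonce || ciphertext for the "aes-gcm" encryption type.
func (a *Agent) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.aead.Seal(nonce, nonce, plain, nil), nil
}

// Open reverses Seal and rejects truncated or tampered messages.
func (a *Agent) Open(msg []byte) ([]byte, error) {
	n := a.aead.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return a.aead.Open(nil, msg[:n], msg[n:], nil)
}

// Handler is the forward route of S42/S43: a reverse proxy to the device application at downstream, wrapped in the pre-step (S431) and post-step (S432).
func (a *Agent) Handler(downstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(downstream)
	proxy.ModifyResponse = func(resp *http.Response) error {
		if resp.Request.Header.Get(EncTypeHeader) != "aes-gcm" {
			return nil // unencrypted request, unencrypted response
		}
		body, err := io.ReadAll(resp.Body)
		if err != nil {
			return err
		}
		resp.Body.Close()
		sealed, err := a.Seal(body)
		if err != nil {
			return err
		}
		resp.Body = io.NopCloser(bytes.NewReader(sealed))
		resp.ContentLength = int64(len(sealed))
		resp.Header.Set("Content-Length", fmt.Sprint(len(sealed)))
		return nil
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Pre-step: intercept anything that is not the registered platform host.
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || host != a.trusted {
			http.Error(w, "client is not a trusted host", http.StatusForbidden)
			return
		}
		if r.Header.Get(EncTypeHeader) == "aes-gcm" { // only this encryption type is modelled
			enc, err := io.ReadAll(r.Body)
			if err != nil {
				http.Error(w, "unreadable body", http.StatusBadRequest)
				return
			}
			plain, err := a.Open(enc)
			if err != nil {
				http.Error(w, "decryption failed", http.StatusBadRequest)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(plain)) // decrypted data becomes the request body
			r.ContentLength = int64(len(plain))
		}
		proxy.ServeHTTP(w, r)
	})
}
```

Because the trusted-host check and the decryption both run before proxy.ServeHTTP, an untrusted client or a tampered ciphertext never reaches the device application, which is the property the middleware is meant to give.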
The second aspect of the present invention also provides a security device management system based on an L7 proxy, including:
a server searching module, used to start an SSDP service, search for the specified feature code by a Search method, and detect the target security management platform server;
an authentication registration module, used by the security device to initiate an authentication and registration request after the security management platform server is found, and to acquire a public key once registration succeeds;
a health monitoring module, used to start a health monitoring service so that the security management platform can regularly check the health state of the security device;
and a reverse proxy module, used to start an HTTP reverse proxy service, take over the traffic from the security management platform, decrypt, analyze and authenticate each HTTP request, forward it to the security device, encrypt the response message with the public key, and return the encrypted message to the security management platform.
In some embodiments, the authentication registration module comprises:
a request verification submodule, used to send a request to the security management platform to obtain a verification code, then package the device information together with the verification code and send the package to the security management platform for verification, a public key being returned if the verification passes;
a registration submodule, used to encrypt the device information with the public key and request the security management platform to verify it again, registration success being returned once the verification passes;
and a state maintaining submodule, used to make the security device add the IP address of the security management platform to its trusted hosts, store the public key, enter the online state, and prepare to receive and process instructions from the security management platform.
In some embodiments, the L7 proxy-based security device management system further comprises:
a plug-in configuration module, used to make the security device load the plug-in resource package, interpret the plug-in source code with the yaegi interpreter, and load all plug-ins into a hook bus managed by the plug-in manager.
In some embodiments, the reverse proxy module comprises:
a processor creating submodule, used to create a reverse proxy processor;
an HTTP service submodule, used to start the HTTP service and register a forward route pointing to the reverse proxy processor;
and a middleware submodule, used to add middleware to the forward route, the middleware working before a forward-route request enters the reverse proxy processor and after the reverse proxy processor returns a response.
In some embodiments, the middleware submodule comprises:
a verification processing unit, used to check the IP address of the requesting client before the forward-route request enters the reverse proxy processor and, if the requesting IP address is not a trusted host, to intercept the request and return an error message; if the check passes, to decrypt the data with the public key according to the encryption type field in the request header, write the decrypted data into the request body, and hand it to the reverse proxy processor for processing;
and an encryption unit, used to encrypt the data with the public key according to the encryption type after the reverse proxy processor returns the data, and to return the encrypted data to the security management platform.
It will be understood by those skilled in the art that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments.
Those skilled in the art will appreciate that the description of each embodiment has a respective emphasis, and reference may be made to the related description of other embodiments for those parts of an embodiment that are not described in detail.
Although the embodiments of the present application have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the application, and such modifications and variations fall within the scope of the present invention as defined by the appended claims; any equivalent modification or substitution that a person skilled in the art can readily conceive within the technical scope of this disclosure is likewise intended to be covered. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A security device management method based on an L7 proxy, characterized by comprising the following steps:
S1: the security device starts an SSDP service, searches for the specified feature code with a Search request, and discovers the target security management platform server;
S2: once the security management platform server is found, the security device initiates an authentication and registration request and obtains a public key after successful registration;
S3: the security device starts a health monitoring service so that the security management platform can check the health state of the security device periodically;
S4: the security device starts an HTTP reverse proxy service that takes over traffic from the security management platform, decrypts, parses and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns it to the security management platform.
2. The L7 proxy-based security device management method according to claim 1, wherein step S2 further comprises:
S21: the security device sends a request to the security management platform to obtain a verification code, then packages the device information together with the verification code and sends them to the security management platform for verification; if verification passes, a public key is returned;
S22: the security device encrypts the device information with the public key and asks the security management platform to verify it again; after verification passes, registration success is returned;
S23: the security device adds the IP address of the security management platform to its trusted hosts, stores the public key, enters the online state, and is ready to receive and process instructions from the security management platform.
3. The L7 proxy-based security device management method according to claim 2, wherein in step S4, before the security device starts the HTTP reverse proxy service, the following operations are performed:
the security device loads the plug-in resource package, then interprets the plug-in source code with the yaegi interpreter and loads all plug-ins into the hook bus, which is managed by the plug-in manager.
4. The L7 proxy-based security device management method according to claim 3, wherein step S4 further comprises the following steps:
S41: creating a reverse proxy processor;
S42: the security device starts an HTTP service and registers a forward route pointing to the reverse proxy processor;
S43: adding middleware to the forward route, the middleware working before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
5. The L7 proxy-based security device management method according to claim 4, wherein in step S43 "the middleware working before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response" further comprises:
S431: before the forward-routed request enters the reverse proxy processor, checking the source IP address of the requesting client; if that IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting with the public key according to the encryption-type field in the request header, writing the decrypted data into the request body, and handing the request to the reverse proxy processor;
S432: after the reverse proxy processor returns data, encrypting the data with the public key according to the encryption type and returning it to the security management platform.
6. An L7 proxy-based security device management system, comprising:
a server search module for starting an SSDP service, searching for the specified feature code with a Search request, and discovering the target security management platform server;
an authentication registration module for having the security device initiate an authentication and registration request once the security management platform server is found, and obtain a public key after successful registration;
a health monitoring module for starting a health monitoring service so that the security management platform can check the health state of the security device periodically;
and a reverse proxy module for starting an HTTP reverse proxy service that takes over traffic from the security management platform, decrypts, parses and authenticates each HTTP request, forwards it to the security device, encrypts the response message with the public key, and returns the encrypted message to the security management platform.
7. The L7 proxy-based security device management system according to claim 6, wherein the authentication registration module comprises:
a request verification submodule for sending a request to the security management platform to obtain a verification code, then packaging the device information together with the verification code and sending them to the security management platform for verification; if verification passes, a public key is returned;
a registration submodule for encrypting the device information with the public key and asking the security management platform to verify it again, registration success being returned after verification passes;
and a state maintenance submodule for having the security device add the IP address of the security management platform to its trusted hosts, store the public key, enter the online state, and prepare to receive and process instructions from the security management platform.
8. The L7 proxy-based security device management system according to claim 7, further comprising:
a plug-in configuration module for having the security device load the plug-in resource package, then interpret the plug-in source code with the yaegi interpreter and load all plug-ins into a hook bus, the hook bus being managed by the plug-in manager.
9. The L7 proxy-based security device management system according to claim 8, wherein the reverse proxy module comprises:
a processor creation submodule for creating a reverse proxy processor;
an HTTP service submodule for starting an HTTP service and registering a forward route pointing to the reverse proxy processor;
and a middleware submodule for adding middleware to the forward route, the middleware working before a forward-routed request enters the reverse proxy processor and after the reverse proxy processor returns a response.
10. The L7 proxy-based security device management system according to claim 9, wherein the middleware submodule comprises:
a verification processing unit for checking the source IP address of the requesting client before the forward-routed request enters the reverse proxy processor; if that IP address is not a trusted host, intercepting the request and returning an error message; if the check passes, decrypting with the public key according to the encryption-type field in the request header, writing the decrypted data into the request body, and handing the request to the reverse proxy processor;
and an encryption unit for encrypting the data returned by the reverse proxy processor with the public key according to the encryption type and returning it to the security management platform.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210546417.2A CN114726652B (en) | 2022-05-20 | 2022-05-20 | Security equipment management method and system based on L7 proxy |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210546417.2A CN114726652B (en) | 2022-05-20 | 2022-05-20 | Security equipment management method and system based on L7 proxy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114726652A (en) | 2022-07-08 |
CN114726652B (en) | 2022-08-30 |
Family
ID=82231476
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210546417.2A Active CN114726652B (en) | 2022-05-20 | 2022-05-20 | Security equipment management method and system based on L7 proxy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114726652B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180270066A1 (en) * | 2015-09-25 | 2018-09-20 | Genetec Inc. | Secure enrolment of security device for communication with security server |
CN110138779A (en) * | 2019-05-16 | 2019-08-16 | 全知科技(杭州)有限责任公司 | A kind of Hadoop platform security control method based on multi-protocols reverse proxy |
CN111193720A (en) * | 2019-12-16 | 2020-05-22 | 中国电子科技集团公司第三十研究所 | Trust service adaptation method based on security agent |
CN111770092A (en) * | 2020-06-29 | 2020-10-13 | 华中科技大学 | Numerical control system network security architecture and secure communication method and system |
CN114499989A (en) * | 2021-12-30 | 2022-05-13 | 奇安信科技集团股份有限公司 | Security device management method and device |
Also Published As
Publication number | Publication date |
---|---|
CN114726652B (en) | 2022-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111541785B (en) | | Block chain data processing method and device based on cloud computing |
US11088903B2 (en) | | Hybrid cloud network configuration management |
JP5635978B2 (en) | | Authenticated database connection for applications without human intervention |
KR102429633B1 (en) | | Automatic login method and device between multiple websites |
US8417964B2 (en) | | Software module management device and program |
CN110009494B (en) | | Method and device for monitoring transaction content in block chain |
US20180020008A1 (en) | | Secure asynchronous communications |
US20230259386A1 (en) | | Data processing method based on container engine and related device |
CN102638454A (en) | | Plug-in type SSO (single sign-on) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol |
WO2013086968A1 (en) | | Method, device and system for network security protection |
US11663318B2 (en) | | Decentralized password vault |
CN110826049B (en) | | Single sign-on implementation system based on intelligent enterprise portal |
US20230261882A1 (en) | | Image Management Method and Apparatus |
CN114125027A (en) | | Communication establishing method and device, electronic equipment and storage medium |
CN110830493B (en) | | Single sign-on implementation method based on intelligent enterprise portal |
CN114726652B (en) | | Security equipment management method and system based on L7 proxy |
US20100250607A1 (en) | | Personal information management apparatus and personal information management method |
US20150082026A1 (en) | | Systems and methods for locking an application to device without storing device information on server |
CN115423273A (en) | | Enterprise heterogeneous system integration method, device, equipment and storage medium |
CN114861144A (en) | | Data authority processing method based on block chain |
KR102632546B1 (en) | | Method and system for transferring software artifacts from a source network to a target network |
CN114553570B (en) | | Method, device, electronic equipment and storage medium for generating token |
CN116405573B (en) | | Service-oriented architecture based system, communication method and computer program product |
CN115334150B (en) | | Data forwarding method, device, system, electronic equipment and medium |
CN112311771B (en) | | Method for managing user access equipment, management equipment and network equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||