CN114826754B - Communication method and system between different networks, storage medium and electronic device - Google Patents

Communication method and system between different networks, storage medium and electronic device

Info

Publication number: CN114826754B
Other versions: CN114826754A
Application number: CN202210488217.6A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 周正文, 郭一鸣
Original and current assignee: China Everbright Bank Co Ltd
Legal status: Active (granted)
Prior art keywords: network, access request, protocol, relay server, server

Classifications (CPC, H04L: transmission of digital information)

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/0281 Proxies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Authentication of entities using passwords
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a communication method and system between different networks, a storage medium and an electronic device. The method comprises the following steps: when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, parsing the protocol inference result to obtain a request inference result, where the network security of the first network is lower than that of the second network and the network communication link is a communication link established by the second relay server to the first relay server; when the request inference result indicates that the first access request is legal, determining a second server matching the first access request according to protocol configuration information; and establishing a service link between the network communication link and the second server to complete the communication link for the first client to access the second server. This solves the problem of low security of cross-network data transmission in the related art and achieves the effect of improving the security of cross-network data transmission.

Description

Communication method and system between different networks, storage medium and electronic device
Technical Field
The embodiment of the invention relates to the technical field of computer security, in particular to a communication method and system between different networks, a storage medium and an electronic device.
Background
With the development of the internet, internet finance has become a major trend, and banks integrate financial services into many scenarios of social life through cooperation with service providers across industries. When data such as financial files are transmitted across networks, the security of that transmission must be ensured.
To secure data transmitted across networks, a network structure based on security isolation is generally adopted: a file transmission platform is established for the banking system together with an isolation zone. As shown in fig. 1, a banking network (hereinafter NET-1), an isolation zone (NET-2), the internet (NET-3) and a cooperation service network (NET-4) are arranged in sequence from the banking intranet to the cooperation service network, forming a four-layer network structure. To implement communication routing in the isolation zone, Nginx is typically deployed there as an application communication relay. On top of this four-layer structure there are two docking modes between the banking network and the cooperation service network, and each mode has a sending process and a receiving process:
In the first mode, the banking network provides the transmission server:
(1) File sending process
1. The cooperation service network installs a dedicated transmission client provided by the banking network, installs a certificate issued by the banking network, encrypts sensitive data with techniques such as digital envelopes, and accesses the DMZ isolation zone from the internet through HTTPS, SFTP or other secure protocol channels;
2. after the data enter the DMZ isolation zone, they must pass through the Nginx of the DMZ, which forwards them to the file transmission platform of the banking network by reverse proxy;
3. the file transmission platform of the banking network distributes the data to each application system, and each application system decrypts the data through the encryption system.
(2) File receiving process
1. Each application system of the banking network uses digital envelope technology, connects to the encryption system, encrypts the data, and distributes the encrypted sensitive data to the file transmission platform;
2. the cooperation service network, using the dedicated transmission client provided by the banking network with the bank-issued certificate installed, accesses the Nginx of the DMZ isolation zone from the internet through HTTPS, SFTP or other secure protocol channels and is connected to the file transmission platform of the banking network through the Nginx reverse proxy;
3. the cooperation service network downloads the data from the file transmission platform and decrypts them.
In the second mode, the partner provides the transmission server:
(1) File sending process
1. Each application system of the banking network uses digital envelope technology, connects to the encryption system, encrypts the data, and distributes the encrypted sensitive data to the file transmission platform;
2. the file transmission platform uses a client or standard protocol provided by the cooperation service network and connects to the Nginx of the DMZ isolation zone; the Nginx is connected to the file transmission platform through a reverse proxy and sends the data to the cooperation service network;
3. the cooperation service network decrypts the received data using software-based encryption techniques.
(2) File receiving process
1. The file transmission platform uses a client or standard protocol provided by the cooperation service network and connects to the Nginx of the DMZ isolation zone; the Nginx is connected to the file transmission platform through a reverse proxy and fetches the data for the file transmission platform;
2. after virus scanning, the file transmission platform transmits the fetched data to each application system of the banking network.
In these data transmission flows, service endpoint information between sensitive networks is generally configured in the zone with the lower security level, so it is easy to leak, and a leaked endpoint allows an attacker to bypass the application and attack the server directly; data transmission therefore carries a potential security risk.
Disclosure of Invention
The embodiment of the invention provides a communication method and system between different networks, a storage medium and an electronic device, which are used for at least solving the problem of low security of data transmission across networks in the related technology.
According to an embodiment of the present invention, a communication method between different networks is provided, including: when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, parsing the protocol inference result to obtain a request inference result, where the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server; when the request inference result indicates that the first access request is legal, determining a second server matching the first access request according to protocol configuration information, where the protocol configuration information is the correspondence between each protocol type and a server in the second network; and establishing a service link between the network communication link and the second server to complete the communication link of the first client accessing the second server.
In an exemplary embodiment, parsing the protocol inference result to obtain a request inference result includes: parsing the protocol inference result to obtain the protocol features of the first access request; determining the communication protocol type of the first access request from those protocol features; obtaining a request inference result indicating that the first access request is legal when the communication protocol type of the first access request hits a preset communication protocol type of the second network; and obtaining a request inference result indicating that the first access request is illegal when the communication protocol type of the first access request is not among the preset communication protocol types of the second network.
In an exemplary embodiment, determining a second server matching the first access request according to the protocol configuration information includes: determining the server that corresponds, in the protocol configuration information, to the communication protocol type of the first access request as the second server matching the first access request.
In an exemplary embodiment, when the second relay server receives, through the network communication link, a first proxy request reported by the first relay server, the first proxy request is parsed to obtain proxy account information, where the first proxy request is a proxy request initiated by the first client to access a target server in the second network; whether the proxy account information is legal is verified; and when the proxy account information passes verification, a service link is established between the network communication link and the target server to complete the communication link of the first client accessing the target server in the second network.
In an exemplary embodiment, when the second relay server receives a second access request initiated by a second client, a second application link is established between the second client and the second relay server, where the second access request requests access to the first network; the protocol features of the second access request are obtained through the second application link and it is determined whether the second access request is legal; and when the second access request is legal, a first server matching the second access request is determined and the service information of the first server is sent to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the first server to complete the communication link of the second client accessing the first network.
In an exemplary embodiment, when the second relay server receives a second proxy request initiated by a second client, a second application link is established between the second client and the second relay server, where the second proxy request requests access to a target server in the first network; the proxy account information of the second proxy request is obtained through the second application link and it is verified whether the proxy account information is legal; and when the proxy account information passes verification, the proxy account information is sent to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the target server to complete the communication link of the second client accessing the target server in the first network.
According to another embodiment of the present invention, a communication method between different networks is provided, including: when a first relay server deployed in a first network receives a first access request initiated by a first client, establishing a first application link with the first client, where the first access request requests access to a second network and the network security of the first network is lower than that of the second network; obtaining the protocol features of the first access request through the first application link and performing protocol inference on them to obtain a protocol inference result, where the protocol inference result is the first relay server's validity verification of the communication protocol of the first access request; and, when the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to a second relay server through a network communication link, so that the second relay server, when the request inference result obtained by parsing the protocol inference result indicates that the first access request is legal, establishes an application link between the network communication link and the second server and completes the communication link of the first client accessing the second network, where the network communication link is a communication link established by the second relay server to the first relay server.
In an exemplary embodiment, obtaining the protocol features of the first access request through the first application link and performing protocol inference on them to obtain a protocol inference result includes: intercepting the first N bytes of the first access request through the first application link as the protocol features of the first access request; determining the communication protocol type of the first access request from the byte format of those first N bytes; obtaining a protocol inference result indicating that the first access request is legal when the communication protocol type of the first access request hits a preset communication protocol type of the first network; and obtaining a protocol inference result indicating that the first access request is illegal when the communication protocol type of the first access request is not among the preset communication protocol types of the second network.
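The following Python sketch is an added example, not code from the patent, covering both relay roles described in the preceding paragraphs: the first relay takes the first N bytes of a client request as its protocol feature and infers the protocol type from their byte format; the second relay re-derives the type from the reported feature bytes rather than trusting a label, checks it against its own preset protocol types, and resolves the backend from protocol configuration that exists only on the high-security side. The value of N, the allowed protocol sets, the JSON report format, and the server names and ports are all assumptions made for the example.

```python
"""Relay-side protocol inference and routing (added example; not the patent's code).

Roles sketched from the description:
  * first relay (low-security network): sniff the first N bytes of a client's access
    request, infer the protocol type from the byte format, report the result;
  * second relay (high-security network): re-check the reported feature against its own
    preset protocol types and map the type to a backend via protocol configuration
    that is stored only on the high-security side.
Every constant below is an assumption chosen for this example.
"""
import json

SNIFF_BYTES = 16  # "first N bytes" in the patent; N itself is assumed

# preset communication protocol types on each side (assumed)
FIRST_NET_ALLOWED = {"tls", "ssh"}
SECOND_NET_ALLOWED = {"tls", "ssh"}

# protocol configuration: protocol type -> server in the second network.
# Kept only on the second relay so endpoint information never sits in the low-security zone.
PROTOCOL_CONFIG = {
    "tls": ("file-transfer.example.internal", 443),  # assumed hostnames and ports
    "ssh": ("sftp.example.internal", 22),
}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def infer_protocol(prefix: bytes) -> str:
    """Classify a request by the byte format of its first bytes."""
    if prefix.startswith(b"SSH-2.0-"):  # SSH identification string (SFTP runs over SSH)
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03, minor 0x00..0x04
    if len(prefix) >= 3 and prefix[0] == 0x16 and prefix[1] == 0x03 and prefix[2] <= 0x04:
        return "tls"
    if prefix.startswith(HTTP_METHODS):  # plaintext HTTP/1.x request line
        return "http"
    return "unknown"


def first_relay_inference(request: bytes) -> str:
    """First relay: build the protocol inference result reported over the network link.

    The report carries the raw feature bytes (hex) so the second relay can re-derive the
    protocol type itself instead of trusting a verdict produced on the low-security side.
    """
    feature = request[:SNIFF_BYTES]
    ptype = infer_protocol(feature)
    return json.dumps({
        "legal": ptype in FIRST_NET_ALLOWED,
        "protocol_type": ptype,
        "feature": feature.hex(),
    })


def second_relay_route(report: str):
    """Second relay: parse the report into a request inference result and pick the backend.

    Returns (host, port) of the matched second server, or None when the request is illegal.
    """
    try:
        parsed = json.loads(report)
        feature = bytes.fromhex(parsed["feature"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed report: treat as illegal
    ptype = infer_protocol(feature)  # re-derive; ignore parsed["legal"] / ["protocol_type"]
    if ptype not in SECOND_NET_ALLOWED:
        return None
    return PROTOCOL_CONFIG[ptype]


if __name__ == "__main__":
    # constructed sample requests: a TLS handshake record prefix, an SSH banner, plain HTTP
    samples = {
        "tls": bytes.fromhex("160301012c010001280303") + b"\x00" * 5,
        "ssh": b"SSH-2.0-OpenSSH_9.3\r\n",
        "http": b"GET /files HTTP/1.1\r\nHost: x\r\n",
    }
    for name, req in samples.items():
        print(name, "->", second_relay_route(first_relay_inference(req)))
```

The point of carrying the feature bytes rather than only a verdict is that a compromised first relay cannot pass an arbitrary request by labelling it "legal": the second relay's decision depends only on bytes it classifies itself and on configuration it alone holds.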
In an exemplary embodiment, when the first relay server receives a first proxy request from the first client, a first application link is established with the first client, where the first proxy request requests access to a target server in the second network and carries proxy account information; the first proxy request is reported to the second relay server through the network communication link, so that the second relay server, once the proxy account information is verified as legal, establishes a service link between the network communication link and the target server to complete the communication link of the first client accessing the target server in the second network.
In an exemplary embodiment, when the first relay server receives, through the network communication link, a second access request sent by the second relay server, the first server indicated by the second access request is determined, where the second access request is an access request initiated by a second client in the second network to access the first network; and a service link is established between the network communication link and the first server to complete the communication link of the second client accessing the first network.
In an exemplary embodiment, when the first relay server receives, through the network communication link, a second proxy request sent by the second relay server, the target server in the first network indicated by the second proxy request is determined, where the second proxy request is a proxy request initiated by a second client in the second network to access that target server; and a service link is established between the network communication link and the target server to complete the communication link of the second client accessing the target server in the first network.
According to another embodiment of the present invention, a communication system between different networks is provided, including: a first client located in a first network, a target server located in a second network, a first relay server deployed in the first network, and a second relay server deployed in the second network, where the network security of the first network is lower than that of the second network. The first relay server is configured to establish a first application link with the first client when it receives a first access request initiated by the first client, obtain the protocol features of the first access request through the first application link, perform protocol inference on those features to obtain a protocol inference result, and report the protocol inference result to the second relay server through a network communication link when the result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server and the first access request requests access to the second network. The second relay server is configured to parse the protocol inference result into a request inference result when it receives the protocol inference result through the network communication link, determine the target server matching the first access request according to protocol configuration information when the request inference result indicates that the first access request is legal, and establish a service connection between the network communication link and the target server to complete the communication link of the first client accessing the target server, where the protocol configuration information is the correspondence between each protocol type and a server in the second network.
According to a further embodiment of the invention, there is also provided a computer readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
With the invention, when a second relay server deployed in a second network receives, through a network communication link, a protocol inference result of a first access request reported by a first relay server, the protocol inference result is parsed to obtain a request inference result, where the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server. When the request inference result indicates that the first access request is legal, the second server matching the first access request is determined according to protocol configuration information, the protocol configuration information being the correspondence between each protocol type and a server in the second network, and a service link is established between the network communication link and the second server to complete the communication link of the first client accessing the second server. Because a first relay server is deployed in the first network and a second relay server in the second network, when the first client in the less secure first network initiates an access request to the second network its legitimacy is verified by both relay servers; the protocol configuration information that maps protocol types to servers is stored only in the second relay server in the more secure network; and the communication link by which the first client accesses the second network is established from the second relay server to the first relay server in the first network, so unsafe behaviour in which an application attacks the network can be prevented in a targeted manner. The problem of low security of cross-network data transmission in the related art is thereby solved, and the effect of improving the security of cross-network data transmission is achieved.
Drawings
Fig. 1 is a network architecture diagram of a communication method between different networks in the related art;
Fig. 2 is a block diagram of the hardware architecture of a computer terminal running a method of communication between different networks according to an embodiment of the present invention;
Fig. 3 is a flow chart of a method of communication between different networks according to an embodiment of the invention;
Fig. 4 is a flow chart of a method of communication between different networks according to an embodiment of the invention;
Fig. 5 is a block diagram of a communication device between different networks according to another embodiment of the present invention;
Fig. 6 is a block diagram of a communication device between different networks according to another embodiment of the present invention;
Fig. 7 is a system network architecture diagram of communication between different networks according to an embodiment of the invention;
Fig. 8 is a network architecture diagram of communication between different networks according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
In order to facilitate understanding of the technical solution provided by the present invention, the following explains the technical terms that will be involved in the embodiments of the present invention.
Forward proxy: a server located between the client and the target server. To obtain content from the target server, the client sends the proxy server a proxy request that specifies the target server's address; the proxy server forwards the request to the target server and returns the obtained content to the client.
Reverse proxy: a server located between the client and the target server. The proxy server receives the request from the client, forwards it to the target server according to a routing rule, and returns the content obtained from the target server to the client; here the proxy server is a reverse proxy server, and the client has no access to the target server's information.
IO multiplexing: mainly used where a server handles many sockets simultaneously; based on system calls such as select and epoll, one thread can manage the read-write processing of a whole group of sockets.
Link-level multiplexing: the service layer can create multiple virtual links on top of one shared physical TCP connection and send the requests and responses of multiple services at the same time, i.e. one physical TCP connection can simultaneously carry multiple service data flows and multiple bidirectional request-response packets.
The method embodiments provided in this application may be executed on a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, fig. 2 is a block diagram of the hardware structure of a computer terminal running the communication method between different networks according to an embodiment of this application. As shown in fig. 2, the computer terminal may include one or more processors 202 (only one is shown in fig. 2; the processor 202 may include, but is not limited to, a microprocessor (MCU) or a processing device such as a field-programmable gate array (FPGA)) and a memory 204 for storing data, and may further include a transmission device 206 for communication functions and an input-output device 208. Those skilled in the art will appreciate that the configuration shown in fig. 2 is merely illustrative and does not limit the configuration of the computer terminal; for example, the computer terminal may include more or fewer components than shown in fig. 2, or have a different configuration.
The memory 204 may be used to store computer programs, such as software programs and modules of application software, for example a computer program corresponding to a subject behavior authority control method in an embodiment of the present invention; the processor 202 executes the computer program stored in the memory 204 to perform various functional applications and data processing, that is, to implement the above-mentioned method. Memory 204 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 204 may further include memory located remotely from processor 202 and connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 206 is used to receive or transmit data via a network. A specific example of such a network is a wireless network provided by the communication provider of the computer terminal. In one example, the transmission device 206 includes a network interface controller (NIC) that can connect to other network devices through a base station to communicate with the internet. In another example, the transmission device 206 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
Fig. 3 is a flow chart of a communication method between different networks according to an embodiment of the present invention, as shown in fig. 3, the flow includes the following steps:
Step S302, under the condition that a second relay server deployed in a second network receives a protocol estimation result of a first access request reported by a first relay server through a network communication link, analyzing the protocol estimation result to obtain a request estimation result;
in step S302, the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server.
Step S304, determining a second server matched with the first access request according to protocol configuration information under the condition that the request deducing result indicates that the first access request is legal;
In step S304, the protocol configuration information is a correspondence between each protocol type in the second network and the server.
Step S306: a service link between the network communication link and the second server is established to complete the communication link by which the first client accesses the second server.
A network firewall is arranged between the first network and the second network to isolate them. The first relay server deployed in the first network and the second relay server deployed in the second network are communication relay servers located on the two sides of the network firewall. The network communication link is a physical communication link established by the second relay server to the first relay server (a TCP connection, for example, without being limited to it), and it provides the communication link between the two relay servers that crosses the network firewall.
The network communication link is the necessary link for communication between the first network and the second network. It is established only in the direction from the second relay server, with higher security, to the first relay server, with lower security: between the two networks, the firewall policy opens only a designated port on the first relay server for connections from the second relay server, and all other access is prohibited by the firewall policy, so that no other, illegal communication link that bypasses the network communication link can be established.
The network communication link is bidirectional. It may, without limitation, create multiple virtual links over it so that different service requests and service responses are sent through different virtual links at the same time; one physical TCP connection can thereby carry multiple service data streams through multiple virtual links and transmit multiple bidirectional request-response packets simultaneously.
The network communication link establishes, in multiplexed form, a set of TCP long connections from the second relay server to the first relay server; one TCP long connection carries multiple data streams at once and sends multiple bidirectional request-response packets simultaneously. The first relay server may receive an access request from a first client in the first network and forward it to the second relay server, and receive from the second relay server the response of a server in the second network and forward it to the first client. Conversely, the second relay server may receive an access request from a second client in the second network and forward it to the first relay server, and receive from the first relay server the response of a server in the first network and forward it to the second client. At any moment the same TCP long connection can therefore carry requests and responses sent by the first relay server to the second relay server, requests and responses received from the second relay server, requests and responses sent by the second relay server to the first relay server, and requests and responses received from the first relay server.
Communication between the first network and the second network through the relay servers supports both forward proxy and reverse proxy. It should be noted that the protocol configuration information (routing information) used for the reverse proxy is stored only on the second relay server with high security, the request destination address used for the forward proxy is held only in the memory of the second relay server with high security, and no routing information in persistent form exists on the first relay server with low security.
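The multiplexing described above, as an added example that is not the patent's own code: a small framing layer in which one long-lived TCP connection carries several virtual links, with streams opened from either relay and requests and responses interleaved on the wire. The frame layout (magic, stream id, flags, length, payload), the flag meanings, the per-frame size cap and the sample traffic are assumptions chosen for illustration; the patent only states that one TCP long connection carries multiple bidirectional request-response streams at the same time.

```python
"""Several virtual links multiplexed over one long-lived TCP connection.

Added example; not code from the patent. The frame layout (magic, stream id,
flags, length, payload) and the flag meanings are assumptions chosen for
illustration; the patent only states that one TCP long connection carries
multiple bidirectional request/response data streams at the same time.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER = struct.Struct("!4sIBI")      # magic, stream id, flags, payload length (13 bytes)
MAGIC = b"RLY1"                       # assumed; lets a receiver reject non-frame bytes early
MAX_PAYLOAD = 64 * 1024               # assumed per-frame cap; bounds what a peer can make us buffer

# assumed flag bits
FLAG_RESPONSE = 0x01                  # frame carries a response rather than a request
FLAG_OPENED_BY_RELAY2 = 0x02          # virtual link was opened by the second (high-security) relay


@dataclass(frozen=True)
class Frame:
    stream_id: int
    flags: int
    payload: bytes

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_RESPONSE)


def encode_frame(frame: Frame) -> bytes:
    """Serialise one frame for the wire."""
    if len(frame.payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds per-frame cap")
    return HEADER.pack(MAGIC, frame.stream_id, frame.flags, len(frame.payload)) + frame.payload


def decode_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Parse every complete frame in buf; return them and the unconsumed tail."""
    frames: List[Frame] = []
    pos = 0
    while len(buf) - pos >= HEADER.size:
        magic, stream_id, flags, length = HEADER.unpack_from(buf, pos)
        if magic != MAGIC:
            raise ValueError("bad frame magic: peer is not speaking the relay framing")
        if length > MAX_PAYLOAD:
            raise ValueError("frame length exceeds cap")
        end = pos + HEADER.size + length
        if end > len(buf):
            break                                   # partial frame: wait for more bytes
        frames.append(Frame(stream_id, flags, buf[pos + HEADER.size:end]))
        pos = end
    return frames, buf[pos:]


@dataclass
class Demux:
    """One end of the link: reassembles TCP reads of any size into per-stream frame lists."""
    pending: bytes = b""
    streams: Dict[int, List[Frame]] = field(default_factory=dict)

    def feed(self, chunk: bytes) -> int:
        """Consume one TCP read; return the number of frames it completed."""
        frames, self.pending = decode_frames(self.pending + chunk)
        for f in frames:
            self.streams.setdefault(f.stream_id, []).append(f)
        return len(frames)


def demo() -> Dict[int, List[bytes]]:
    """Constructed traffic: streams opened from both sides interleave on one link."""
    wire = b"".join(encode_frame(f) for f in [
        Frame(7, 0, b"GET /a HTTP/1.1\r\n\r\n"),                        # relay 1 -> relay 2 request
        Frame(9, FLAG_OPENED_BY_RELAY2, b"SSH-2.0-OpenSSH_9.0\r\n"),     # relay 2 -> relay 1 request
        Frame(7, FLAG_RESPONSE, b"HTTP/1.1 200 OK\r\n\r\n"),             # response on stream 7
        Frame(9, FLAG_OPENED_BY_RELAY2 | FLAG_RESPONSE, b"SSH-2.0-relay\r\n"),
    ])
    d = Demux()
    for chunk in (wire[:10], wire[10:50], wire[50:]):                   # arbitrary TCP read boundaries
        d.feed(chunk)
    return {sid: [f.payload for f in frames] for sid, frames in d.streams.items()}


if __name__ == "__main__":
    for sid, payloads in demo().items():
        print(sid, payloads)
```

The receiver keeps the unconsumed tail between reads, so a frame split across two TCP segments is reassembled rather than mis-parsed, and the magic and length checks fail fast if the designated port ever receives bytes that are not relay frames.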
In an exemplary embodiment, the parsing the protocol inference result in step S302 of the present embodiment, to obtain a request inference result, includes:
s302-1, analyzing a protocol inference result to obtain protocol characteristics of a first access request;
s302-2, determining the communication protocol type of the first access request according to the protocol characteristics of the first access request;
s302-3-1, obtaining a request inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits the preset communication protocol type in the second network;
S302-3-2, obtaining a request inference result indicating that the first access request is illegal in the case that the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
The protocol inference result is the first relay server's judgement of whether the first access request is a legal access request, obtained through the first application link when the first relay server receives the access request initiated by the first client; this judgement is made, without limitation, by determining the communication protocol type of the first access request. The first relay server sends the protocol inference result to the second relay server through the network communication link; the second relay server obtains the communication protocol type of the first access request from the protocol inference result and judges again whether it hits a preset communication protocol type in the second network. The preset communication protocol types in the second network are the communication protocol types supported by the second network.
In the case that the request inference result obtained by the second relay server indicates that the first access request is illegal, the first relay server is notified of this result through the network communication link so that it disconnects the first application link with the first client.
In an exemplary embodiment, determining a second server matching the first access request according to the protocol configuration information in step S304 of the present embodiment includes: and determining a server corresponding to the communication protocol type of the first access request in the protocol configuration information as a second server matched with the first access request.
In the case that the request inference result obtained by the second relay server indicates that the first access request is legal, the second server corresponding to the communication protocol type of the first access request is determined according to the protocol configuration information stored on the second relay server, and a service link is established with that second server. The first application link, the network communication link and the service link between the second relay server and the second server together form the complete communication link by which the first client in the first network accesses the second network, and data is transmitted securely between the first client and the second server over it. If any one of the first application link, the network communication link or the service link between the second relay server and the second server is disconnected, the entire communication link is automatically disconnected.
The protocol configuration information is the correspondence between each protocol type in the second network and a server, for example routing information that maps each protocol type to the corresponding server and port, so that a server is allocated to the first client for communication on the basis of the protocol type of its access request.
In one exemplary embodiment, in the case that the second relay server receives the first proxy request reported by the first relay server through the network communication link:
S1-1, analyzing a first proxy request to obtain proxy account information, wherein the first proxy request is a proxy request initiated by a first client and accessing a target server in a second network;
s1-2, verifying whether the proxy account information is legal;
S1-3, in the case that the proxy account information is verified as legal, establishing a service link between the network communication link and the target server, so as to complete the communication link by which the first client accesses the target server in the second network.
When the first relay server initiates a forward proxy request to the second relay server based on the first client, the first relay server sends the proxy account information to the second relay server through a network communication link so that the second relay server verifies whether the proxy account information is legal or not.
The proxy account information includes, without limitation, an authentication account and an account password for accessing the target server. In the case that the second relay server verifies that the proxy account information is illegal, it notifies the first relay server through the network communication link that the first proxy request is illegal, so that the first relay server disconnects the application link with the first client that initiated the first proxy request.
In the case that the second relay server verifies that the proxy account information is legal, a service link is established between the network communication link and the target server. The first application link between the first relay server and the first client, the network communication link, and the service link between the second relay server and the target server together form the complete communication link between the first client in the first network and the target server in the second network, and data is transmitted securely between the first client and the target server over it. If any one of the first application link, the network communication link or the service link between the second relay server and the target server is disconnected, the entire communication link is automatically disconnected.
In one exemplary embodiment, in the case that the second relay server receives the second access request initiated by the second client:
S2-1, the second relay server establishes a second application link with the second client, wherein the second access request is used to request access to the first network;
s2-2, acquiring protocol characteristics of a second access request through a second application link, and determining whether the second access request is legal or not;
S2-3, in the case that the second access request is legal, determining a first server matching the second access request and sending service information of the first server to the first relay server through the network communication link, so that the first relay server establishes a service link between the network communication link and the first server, thereby completing the communication link by which the second client accesses the first network.
When a second client in the second network initiates a reverse proxy access request to the first network, the second relay server, on receiving the second access request, establishes a second application link with the second client and obtains the protocol characteristics of the second access request in order to judge whether the request is legal. To do so, the second relay server determines the protocol type of the second access request from its protocol characteristics and judges whether that protocol type hits a protocol type preset in the second relay server. If the second access request does not hit a preset protocol type, it is determined to be illegal, the second client is notified of this through the second application link, and the application link with the second client is disconnected.
In the case that the second access request is legal, a first server matching the protocol characteristics of the second access request is determined, and the information of the first server is transmitted to the first relay server through the network communication link so that the first relay server establishes a service link between the network communication link and the first server, thereby constructing the complete communication link by which the second client accesses the first network. Data is transmitted securely between the second client and the first server in the first network over this complete communication link. If any one of the second application link, the network communication link or the service link between the first relay server and the first server is disconnected, the entire communication link is automatically disconnected.
In one exemplary embodiment, in the event that the second relay server receives a second client-initiated second proxy request:
S3-1, the second relay server establishes a second application link with the second client, wherein the second proxy request is used to request access to a target server in the first network;
S3-2, acquiring proxy account information of a second proxy request through a second application link, and verifying whether the proxy account information is legal or not;
S3-3, in the case that the proxy account information is verified as legal, sending the proxy account information to the first relay server through the network communication link, so that the first relay server establishes a service link between the network communication link and the target server, thereby completing the communication link by which the second client accesses the target server in the first network.
When a second client in the second network initiates a forward proxy access request to the first network, the second relay server, on receiving the second proxy request, establishes a second application link with the second client, obtains the proxy account information of the second proxy request, and judges whether the second proxy request is legal. This judgement consists, without limitation, of obtaining the authentication account and account password for the target server carried by the second proxy request and verifying whether they are correct.
If either the authentication account or the account password is incorrect, the second proxy request is determined to be illegal, the second client is notified of this through the second application link, and the application link with the second client is disconnected.
If both the authentication account and the account password are correct, the second proxy request is determined to be legal; the IP address and port of the target server corresponding to the second proxy request are determined and transmitted to the first relay server through the network communication link, so that the first relay server establishes a service link between the network communication link and the target server according to that IP address and port. The second application link between the second relay server and the second client, the network communication link, and the service link between the first relay server and the target server together form the complete communication link by which the second client in the second network accesses the target server in the first network, and data is transmitted securely between them over it. If any one of the second application link, the network communication link or the service link between the first relay server and the target server is disconnected, the entire communication link is automatically disconnected.
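The account verification performed by the second relay server in the two forward-proxy flows above (steps S1-2 and S3-2), as an added example that is not the patent's own code. The credential store (salted PBKDF2-HMAC-SHA256 digests keyed by account), the work factor, the binding of each account to the target servers it may reach, the request field names and the sample requests are assumptions; the patent only says the proxy request carries an authentication account and password, that the second relay server verifies them, and that the target's IP address and port are forwarded to the other relay only after verification succeeds.

```python
"""Proxy-account verification on the high-security relay (steps S1-2 and S3-2).

Added example; not the patent's own code. The credential store (salted
PBKDF2-HMAC-SHA256 digests keyed by account), the iteration count and the
binding of each account to the target servers it may reach are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

ITERATIONS = 100_000          # assumed PBKDF2 work factor
DUMMY_SALT = b"\x00" * 16     # unknown accounts pay for a derivation too, so timing does not leak them

Target = Tuple[str, int]


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class ProxyAuthenticator:
    """Account records live on the second relay only; nothing here is persisted on relay 1."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}   # account -> (salt, digest)
        self._targets: Dict[str, Set[Target]] = {}            # account -> target servers it may reach

    def add_account(self, account: str, password: str, targets: Set[Target]) -> None:
        salt = os.urandom(16)
        self._records[account] = (salt, derive(password, salt))
        self._targets[account] = set(targets)

    def verify(self, account: str, password: str) -> bool:
        """Constant-time comparison of the derived digest; never compares plaintext."""
        record = self._records.get(account)
        if record is None:
            derive(password, DUMMY_SALT)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, derive(password, salt))

    def authorize(self, proxy_request: Dict[str, object]) -> Optional[Target]:
        """Return the (ip, port) to hand to the far relay, or None to tear down the application link."""
        account = str(proxy_request.get("account", ""))
        password = str(proxy_request.get("password", ""))
        if not self.verify(account, password):
            return None
        target: Target = (str(proxy_request["target_ip"]), int(proxy_request["target_port"]))
        if target not in self._targets.get(account, set()):
            return None                      # valid credentials, but not for this server
        return target


def demo() -> Dict[str, Optional[Target]]:
    """Constructed requests against one account bound to one database server."""
    auth = ProxyAuthenticator()
    auth.add_account("ops", "correct horse battery", {("10.1.0.30", 3306)})
    good = {"account": "ops", "password": "correct horse battery",
            "target_ip": "10.1.0.30", "target_port": 3306}
    return {
        "good": auth.authorize(good),
        "bad_password": auth.authorize({**good, "password": "wrong"}),
        "unknown_account": auth.authorize({**good, "account": "nobody"}),
        "wrong_target": auth.authorize({**good, "target_ip": "10.1.0.31"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Only the return value of `authorize` crosses the network communication link: on success the far relay receives the target IP address and port to open the service link; on any failure the caller gets `None` and disconnects the application link, matching the page's description of the illegal-request path.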
In the above embodiment of the present invention, when the second relay server deployed in the second network receives, through the network communication link, the protocol inference result of the first access request reported by the first relay server, the protocol inference result is parsed to obtain a request inference result, where the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server; in the case that the request inference result indicates that the first access request is legal, a second server matching the first access request is determined according to the protocol configuration information, where the protocol configuration information is the correspondence between each protocol type in the second network and a server; and a service link between the network communication link and the second server is established to complete the communication link by which the first client accesses the second server. Because the relay servers sit on the two sides of the firewall, the network communication link is established only from the high-security second network towards the low-security first network, the legality of an access request is verified by both relay servers before any service link is established, and routing information is held only on the high-security side, unsafe behavior in which an application in the low-security network attacks the high-security network can be prevented in a targeted manner.
Therefore, the problem of low security of data transmission across networks in the related art can be solved, and the effect of improving the security of data transmission across networks is achieved.
Fig. 4 is a flow chart of a communication method between different networks according to yet another embodiment of the present invention, as shown in fig. 4, the flow includes the following steps:
Step S402, under the condition that a first relay server deployed in a first network receives a first access request initiated by a first client, a first application link with the first client is established;
In the above step S402, the first access request is used to request access to the second network, and the network security of the first network is lower than that of the second network.
Step S404, obtaining the protocol characteristics of the first access request through the first application link, and carrying out protocol inference on the protocol characteristics of the first access request to obtain a protocol inference result;
In the above step S404, the protocol inference result is a validity verification result of the communication protocol of the first access request by the first relay server.
Step S406, when the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to the second relay server through the network communication link, so that the second relay server, when the request inference result obtained by parsing the protocol inference result indicates that the first access request is legal, establishes a service link between the network communication link and the second server to complete the communication link by which the first client accesses the second network;
In step S406, the network communication link is a communication link established by the second relay server to the first relay server.
The above describes, without limitation, the processing flow of the first relay server deployed in the first network when a first client in the first network initiates a reverse proxy request to access the second network.
In an exemplary embodiment, in step S404, the protocol feature of the first access request is obtained through the first application link, and the protocol inference is performed on the protocol feature of the first access request, so as to obtain a protocol inference result, which includes:
S404-1, intercepting the first N bytes of the first access request through the first application link as protocol characteristics of the first access request;
s404-2, determining the communication protocol type of the first access request according to the byte format of the first N bytes;
s404-3-1, obtaining a protocol inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits the preset communication protocol type in the first network;
S404-3-2, obtaining a protocol inference result indicating that the first access request is illegal in case that the communication protocol type of the first access request does not hit the preset communication protocol type in the first network.
When a first client in the first network initiates a reverse proxy access request to the second network, the first relay server establishes a first application link with the first client and intercepts, through that link, the first N bytes of the first access request; these N bytes are, without limitation, the protocol header of the access request, and the communication protocol type of the first access request is determined from the protocol characteristics of that header. The first relay server then judges whether that protocol type hits a communication protocol type preset in the first relay server, and so obtains the protocol inference result of whether the first access request is legal.
In the case that the first relay server determines that the first access request is illegal, it notifies the first client of this result through the first application link and disconnects the first application link. In the case that the first relay server determines that the first access request is legal, it transmits the protocol inference result to the second relay server through the network communication link; when the second relay server verifies that the first access request is legal, it determines the second server corresponding to the first access request and establishes a service link between the network communication link and that second server, thereby constructing the complete communication link by which the first client accesses the second network and completing secure data transmission between the first client and the second network over it.
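The two-stage check described for the first relay server (step S404, first N bytes to a protocol inference result) and the second relay server (steps S302 and S304, re-check and lookup in the protocol configuration information), as an added example that is not the patent's own code. The protocol fingerprints (HTTP request line, TLS handshake record, SSH banner), the prefix length N, the JSON shape of the reported inference result, the two allow-lists and the protocol configuration table are all assumptions; the page only says the first relay inspects the first N bytes, the second relay judges the protocol type again, and the configuration maps a protocol type to a server. The example goes one step beyond the text by having the second relay re-derive the type from the reported bytes rather than from the first relay's label, since the first relay is on the low-security side.

```python
"""Two-stage protocol check of a first access request (steps S404 and S302/S304).

Added example; not the patent's own code. Fingerprints, prefix length, the
reported-result format, allow-lists and the protocol configuration table are
assumptions chosen for illustration.
"""
import json
from typing import Dict, Optional, Set, Tuple

N = 16  # assumed number of leading bytes captured as the protocol characteristic

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def infer_protocol(prefix: bytes) -> Optional[str]:
    """Classify a request by the byte format of its first N bytes; None = unrecognised."""
    p = prefix[:N]
    if p.startswith(HTTP_METHODS):
        return "http"
    # TLS: record type 0x16 (handshake), version 0x03 0x0X, 2-byte length, then ClientHello (0x01)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01:
        return "tls"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    return None


def relay1_infer(first_bytes: bytes, allowed_in_net1: Set[str]) -> Tuple[bool, str]:
    """First relay (S404): decide legality and build the result reported to relay 2."""
    proto = infer_protocol(first_bytes)
    legal = proto is not None and proto in allowed_in_net1
    report = json.dumps({"protocol": proto, "prefix_hex": first_bytes[:N].hex(), "legal": legal})
    return legal, report


def relay2_route(report: str, allowed_in_net2: Set[str],
                 protocol_config: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """Second relay (S302/S304): re-derive the type from the reported bytes, not from relay 1's label."""
    fields = json.loads(report)
    proto = infer_protocol(bytes.fromhex(fields["prefix_hex"]))
    if proto is None or proto not in allowed_in_net2:
        return None                        # request inference result: illegal -> tear down the app link
    return protocol_config.get(proto)      # the second server matching this protocol type, if configured


# constructed configuration for the demo
ALLOWED_IN_NET1 = {"http", "ssh", "tls"}
ALLOWED_IN_NET2 = {"http", "ssh"}          # tls deliberately absent: the second relay must catch it
PROTOCOL_CONFIG = {"http": ("10.1.0.10", 8080), "ssh": ("10.1.0.20", 22)}


def handle_first_access(first_bytes: bytes) -> Tuple[str, Optional[Tuple[str, int]]]:
    """End-to-end decision for one first access request; the tag says where it stopped."""
    legal, report = relay1_infer(first_bytes, ALLOWED_IN_NET1)
    if not legal:
        return "rejected_by_relay1", None
    target = relay2_route(report, ALLOWED_IN_NET2, PROTOCOL_CONFIG)
    if target is None:
        return "rejected_by_relay2", None
    return "ok", target


if __name__ == "__main__":
    # constructed sample requests: plain HTTP, a TLS ClientHello record header, and junk
    for sample in (b"GET / HTTP/1.1\r\nHost: a\r\n\r\n",
                   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
                   b"\x00\x00garbage"):
        print(sample[:8], handle_first_access(sample))
```

The prefix check classifies the protocol; it does not authenticate the peer, which is why the forward-proxy flows on this page add account verification on top of it. Keeping the second relay's decision independent of the first relay's verdict means a compromised low-security relay cannot mark an unsupported protocol as legal and have that label honoured.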
In one exemplary embodiment, in the event that the first relay server receives a first proxy request for the first client:
S4-1, establishing a first application link with a first client, wherein a first proxy request is used for requesting to access a target server in a second network, and the first proxy request carries proxy account information;
s4-2, reporting the first proxy request to the second relay server through the network communication link, so that the second relay server establishes a service link between the network communication link and the target server under the condition that the proxy account information is verified to be legal, and the communication link of the first client accessing the target server in the second network is completed.
Under the condition that a first client in a first network initiates a forward proxy access request to a second network, a first relay server establishes a first application link with the first client based on the first proxy request, acquires an IP address, port information and proxy account information of a target server indicated by the first proxy request based on the first application link, and sends the information to a second relay server through a network communication link so that the second relay server verifies whether the proxy account information is legal or not.
And under the condition that the second relay server verifies that the proxy account information is illegal, informing the first relay server that the proxy account information is illegal through a network communication link, so that the first relay server breaks the application link with the first client.
And under the condition that the second relay server verifies that the proxy account information is legal, establishing a service link between the network communication link and a target server in the second network, thereby establishing a complete communication link of the first client accessing the target server of the second network, and completing the safe data transmission between the first client and the second network based on the complete communication link.
In one exemplary embodiment, in the event that the first relay server receives the second access request sent by the second relay server over the network communication link:
s5-1, determining a first server indicated by a second access request, wherein the second access request is an access request initiated by a second client in a second network and used for accessing the first network;
s5-2, establishing a service link between the network communication link and the first server to complete the communication link of the second client accessing the first network.
In the case that a second client in the second network initiates a reverse proxy access request to the first network, the first relay server receives the second access request through the network communication link, determines the first server indicated by the second access request, and thus establishes a service link between the network communication link and the first server to construct a complete communication link for the second client to access the first network.
In one exemplary embodiment, in the event that the first relay server receives a second proxy request sent by the second relay server over the network communication link:
S6-1, determining a target server in the first network indicated by a second proxy request, wherein the second proxy request is a proxy request initiated by a second client in the second network and used for accessing the target server in the first network;
s6-2, establishing a service link between the network communication link and the target server to complete the communication link of the second client accessing the target server in the first network.
In the case that a second client in the second network initiates a forward proxy access request to the first network, the first relay server receives information indicating a target server through a network communication link, so as to determine the target server indicated by the second proxy request, and thus establish a service link between the network communication link and the target server, so as to construct a complete communication link of the second client accessing the target server of the first network.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. Read-Only Memory/Random Access Memory (ROM/RAM), magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
In this embodiment, a communication device between different networks is further provided, and the device is used to implement the foregoing embodiments and preferred embodiments, which are not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a communication device between different networks according to an embodiment of the present invention; the device may be deployed in the second network, without limitation, and comprises:
The parsing unit 502 is configured to parse the protocol inference result to obtain a request inference result when a second relay server deployed in a second network receives the protocol inference result of a first access request reported by a first relay server through a network communication link, where the first relay server is deployed in the first network, the first access request is an access request initiated by a first client in the first network to access the second network, the network security of the first network is lower than that of the second network, and the network communication link is a communication link established by the second relay server to the first relay server;
A determining unit 504, configured to determine, according to protocol configuration information, a second server that matches the first access request, where the request inference result indicates that the first access request is legal, where the protocol configuration information is a correspondence between each protocol type in the second network and the server;
An establishing unit 506 is configured to establish a service link between the network communication link and the second server, so as to complete the communication link that the first client accesses the second server.
Optionally, the parsing unit 502 is further configured to parse a protocol inference result to obtain a protocol feature of the first access request; determining a communication protocol type of the first access request according to the protocol characteristics of the first access request; under the condition that the communication protocol type of the first access request hits the preset communication protocol type in the second network, obtaining a request inference result indicating that the first access request is legal; in case the communication protocol type of the first access request does not hit a preset communication protocol type in the second network, a request inference result is obtained indicating that the first access request is illegal.
Optionally, the determining unit is further configured to determine, in the protocol configuration information, a server corresponding to the communication protocol type of the first access request as a second server matching the first access request.
The communication device between different networks further comprises a first processing unit, which is used for analyzing the first proxy request to obtain proxy account information under the condition that the second relay server receives the first proxy request reported by the first relay server through a network communication link, wherein the first proxy request is a proxy request initiated by the first client and accessing a target server in the second network; verifying whether the proxy account information is legal or not; and under the condition that the proxy account information is validated, establishing a service link between the network communication link and the target server so as to finish the communication link of the first client accessing the target server in the second network.
The communication device between different networks further comprises a second processing unit, configured to establish a second application link between the second relay server and the second client when the second relay server receives a second access request initiated by the second client, where the second access request is used to request access to the first network; to acquire the protocol feature of the second access request through the second application link and determine whether the second access request is legal; and, when the second access request is legal, to determine a first server matching the second access request and send the service information of the first server to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the first server to complete the communication link by which the second client accesses the first network.
The communication device between different networks further comprises a third processing unit, configured to establish a second application link between the second relay server and the second client when the second relay server receives a second proxy request initiated by the second client, where the second proxy request is used to request access to a target server in the first network; to acquire the proxy account information of the second proxy request through the second application link and verify whether the proxy account information is legal; and, when the proxy account information is verified as legal, to send the proxy account information to the first relay server through the network communication link, so that the first relay server establishes a service connection between the network communication link and the target server and completes the communication link by which the second client accesses the target server in the first network.
Fig. 6 is a block diagram of a communication device between different networks according to another embodiment of the present invention. The device is not limited to being deployed in a first network and includes:
An establishing unit 602, configured to establish a first application link with a first client when a first relay server deployed in a first network receives a first access request initiated by the first client, where the first access request is used to request access to a second network, and the network security of the first network is lower than that of the second network;
An inference unit 604, configured to obtain a protocol feature of the first access request through the first application link, and perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, where the protocol inference result is a validity verification result of the first relay server on the communication protocol of the first access request;
And a reporting unit 606, configured to report the protocol inference result to the second relay server through the network communication link when the protocol inference result indicates that the first access request is legal, so that the second relay server establishes an application link between the network communication link and the second server to complete the communication link of the first client accessing the second network when the request inference result obtained by parsing the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server.
Optionally, the inference unit 604 is further configured to intercept the first N bytes of the first access request through the first application link as the protocol feature of the first access request; to determine the communication protocol type of the first access request according to the byte format of the first N bytes; to obtain a protocol inference result indicating that the first access request is legal when the communication protocol type of the first access request hits a preset communication protocol type in the first network; and to obtain a protocol inference result indicating that the first access request is illegal when the communication protocol type of the first access request does not hit a preset communication protocol type in the second network.
The communication device between different networks further comprises a first processing unit, configured to establish a first application link with the first client when the first relay server receives a first proxy request of the first client, where the first proxy request is used for requesting to access a target server in the second network, and the first proxy request carries proxy account information; and reporting the first proxy request to the second relay server through the network communication link, so that the second relay server establishes a service link between the network communication link and the target server under the condition that the proxy account information is verified to be legal, and the communication link of the first client accessing the target server in the second network is completed.
The communication device between different networks further comprises a second processing unit, configured to determine the first server indicated by a second access request when the first relay server receives, through the network communication link, the second access request sent by the second relay server, where the second access request is an access request initiated by a second client in the second network for accessing the first network; and to establish a service link between the network communication link and the first server to complete the communication link by which the second client accesses the first network.
The communication device between different networks further comprises a third processing unit, configured to determine the target server in the first network indicated by a second proxy request when the first relay server receives, through the network communication link, the second proxy request sent by the second relay server, where the second proxy request is a proxy request initiated by a second client in the second network for accessing the target server in the first network; and to establish a service link between the network communication link and the target server to complete the communication link by which the second client accesses the target server in the first network.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; or the above modules may be located in different processors in any combination.
In order to facilitate understanding of the technical solutions provided by the present invention, the following detailed description will be made with reference to embodiments of specific scenarios.
Fig. 7 is a schematic structural diagram of a communication system between different networks according to an embodiment of the invention. As shown in fig. 7, the communication system between different networks includes: a first client 101 located in a first network 100 and a target server located in a second network 200, and a first relay server 110 deployed in the first network 100 and a second relay server 210 deployed in the second network 200, where the network security of the first network 100 is lower than that of the second network 200, wherein:
The first relay server 110 is configured to establish a first application link with the first client when a first access request initiated by the first client is received, obtain the protocol feature of the first access request through the first application link, perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, and report the protocol inference result to the second relay server through a network communication link when the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server, and the first access request is used for requesting access to the second network;
The second relay server 210 is configured to parse the protocol inference result to obtain a request inference result when the protocol inference result is received through the network communication link, determine a target server matching the first access request according to the protocol configuration information when the request inference result indicates that the first access request is legal, and establish a service connection between the network communication link and the target server to complete a communication link of the first client accessing the target server, where the protocol configuration information is a correspondence between each protocol type and the server in the second network.
The target server in the second network 200 may be the second server 202 or may be a proxy server. The target server may be a matching server determined based on the protocol type of the first access request, or may be a server, such as a proxy server, designated by the first client 101 when the access request is initiated.
The secure relay is composed of the first relay server 110 deployed in the first network 100 and the second relay server 210 deployed in the second network 200, where the first relay server 110 and the second relay server 210 are in a many-to-many relationship for data transmission and communicate bidirectionally according to a certain load balancing mechanism. The underlying TCP link between the first relay server 110 and the second relay server 210 may only be established from the second relay server 210, with high security, to the first relay server 110, with low security; that is, between the first network 100 and the second network 200 the firewall opens only the designated port on the first relay server 110 to the second relay server 210, and all other access links are prohibited by firewall policy. For example, the first client 101 establishing an access link to the second server 202, the first relay server 110 establishing an access link to the second relay server 210, the second relay server 210 establishing an access link to the first server 102, and the second client establishing an access link to the first server 102 are all prohibited.
The bi-directional communication between the first relay server 110 and the second relay server 210 in the secure relay establishes a set of TCP long connections in a multiplexed form by the second relay server 210 to the first relay server 110. One TCP long connection may carry multiple bi-directional data streams at the same time. Communication between the first network 100 and the second network 200 through the secure relay supports both forms of forward proxy and reverse proxy.
The first relay server 110 and the second relay server 210 are not limited to each including a multiplexing communication module; the multiplexing communication module in the second relay server 210 establishes a set of TCP long connections to the multiplexing communication module in the first relay server 110, and the multiplexing module is not limited to being used for:
managing and maintaining mutual authentication and the TCP long connection heartbeat and reconnection mechanisms between the first relay server and the second relay server;
managing the mapping relationships and load balancing among the TCP connections between the first relay server and the second relay server, the TCP connections between a relay server and a client, the TCP long connections in the multiplexing module, and the servers in the network;
managing the creation and destruction of TCP connections between the relay servers and clients.
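An added example (not the patent's or the applicant's code) of what the multiplexing module described above has to keep track of: a constructed frame layout that lets one TCP long connection carry several bidirectional data streams, and the mapping table between local TCP connections and stream ids (the "virtual connection"). The frame format, the type codes and the parity-based stream id allocation are assumptions made for illustration.

```python
"""Added example: framing and stream mapping for one multiplexed TCP long connection.
The frame layout, type codes and id allocation are constructed, not taken from the patent."""
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct("!IBH")   # stream id (u32), frame type (u8), payload length (u16)
OPEN, DATA, CLOSE = 1, 2, 3      # constructed frame types


def encode_frame(stream_id: int, kind: int, payload: bytes = b"") -> bytes:
    """Serialize one frame; the u16 length field caps a single frame's payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(stream_id, kind, len(payload)) + payload


def decode_frames(buf: bytes) -> Tuple[List[Tuple[int, int, bytes]], bytes]:
    """Decode every complete frame in buf and return them with the unconsumed tail
    (a partial frame simply waits for more bytes from the long connection)."""
    frames = []
    while len(buf) >= HEADER.size:
        sid, kind, length = HEADER.unpack_from(buf)
        end = HEADER.size + length
        if len(buf) < end:
            break
        frames.append((sid, kind, buf[HEADER.size:end]))
        buf = buf[end:]
    return frames, buf


class MuxModule:
    """One side's multiplexing module. Each side allocates stream ids of its own parity
    (constructed convention) so streams opened concurrently from both networks never
    collide; the TCP long connection itself is still opened only by the second relay."""

    def __init__(self, parity: int):
        self._parity = parity
        self._next = parity
        self._inbuf = b""
        self.conn_to_stream: Dict[str, int] = {}   # local TCP connection -> stream id
        self.stream_to_conn: Dict[int, str] = {}   # stream id -> local TCP connection

    def open(self, conn_id: str) -> bytes:
        """Bind a new local connection to a fresh stream and emit the OPEN frame."""
        sid = self._next
        self._next += 2
        self.conn_to_stream[conn_id] = sid
        self.stream_to_conn[sid] = conn_id
        return encode_frame(sid, OPEN, conn_id.encode("utf-8"))

    def send(self, conn_id: str, data: bytes) -> bytes:
        """Frame data from a mapped local connection onto its stream."""
        return encode_frame(self.conn_to_stream[conn_id], DATA, data)

    def close(self, conn_id: str) -> bytes:
        """Tear down the mapping and emit CLOSE so the peer drops its segment too."""
        sid = self.conn_to_stream.pop(conn_id)
        del self.stream_to_conn[sid]
        return encode_frame(sid, CLOSE)

    def receive(self, chunk: bytes) -> List[Tuple[str, int, bytes]]:
        """Demultiplex bytes from the peer into (local connection, type, payload) events.
        A peer OPEN creates the virtual connection; CLOSE removes it; frames for unknown
        streams, or OPENs using this side's own id parity, are dropped."""
        self._inbuf += chunk
        frames, self._inbuf = decode_frames(self._inbuf)
        events = []
        for sid, kind, payload in frames:
            if kind == OPEN:
                if sid % 2 == self._parity or sid in self.stream_to_conn:
                    continue
                conn = "peer:" + payload.decode("utf-8")
                self.conn_to_stream[conn] = sid
                self.stream_to_conn[sid] = conn
            conn = self.stream_to_conn.get(sid)
            if conn is None:
                continue
            if kind == CLOSE:
                del self.stream_to_conn[sid]
                del self.conn_to_stream[conn]
            events.append((conn, kind, payload))
        return events
```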
The establishment of communication links by the multiplexing communication module for proxy requests between the first network and the second network is not limited to that shown in fig. 8. The second network 200 is more secure than the first network 100, and the multiplexing communication module of the second relay server 210 in the second network 200 establishes a set of TCP long connections to the multiplexing communication module of the first relay server 110 in the first network 100.
The execution of the reverse proxy request procedure by the first network 100 to the second network 200 is not limited to:
1) The first client 101 initiates an access request to the first relay server 110, the first client 101 establishes a TCP connection with a reverse proxy request portal of the first relay server 110, and sends the first access request.
2) The first relay server 110 intercepts the first few bytes of the first access request and infers the application protocol type of the first access request from the application protocol characteristics (protocol header format). When the application protocol of the first access request is not one of the protocol types preset in the first relay server 110, the first access request is inferred to be illegal and the TCP connection with the first client 101 is disconnected; when the application protocol type of the first access request is one of the protocol types preset in the first relay server 110, the first access request is inferred to be legal, a virtual connection (mapping relation) between the TCP connection and the TCP long connection of the multiplexing communication module is established, and the protocol inference result and the protocol header are reported to the second relay server 210 through the multiplexing communication module.
3) The second relay server 210 determines whether the application protocol of the first access request is one of the protocol types preset in the second relay server 210 by analyzing the protocol inference result and the protocol header. When it is not, the first access request is judged to be illegal, and the first relay server 110 is informed of the judgment result through the multiplexing communication module, so that the first relay server 110 disconnects the TCP connection with the first client 101. When it is, the first access request is judged to be legal, a TCP connection is established with the corresponding server (for example, the second server 202) based on the reverse proxy configuration information stored locally in the second relay server 210, a virtual connection between that TCP connection and the multiplexing communication module (reverse proxy request exit) is established, and the multiplexing module notifies the first relay server 110 that the full link establishment is successful.
4) The first relay server 110 replays the first several bytes that were intercepted to infer the protocol type, the complete link from the first client 101 to the second server 202 is formally established, and requests and responses can be sent and received normally. The complete link can send requests and receive responses several times; if any segment of the connection is disconnected, the complete link is disconnected automatically.
The execution of the forward proxy request procedure by the first network 100 to the second network 200 is not limited to:
1) The first client 101 establishes a TCP connection with the forward proxy request portal of the first relay server 110, and initiates a proxy handshake request (carrying the target server IP, port, proxy authentication account, password) through the TCP connection.
2) The first relay server 110 establishes a virtual connection (mapping relation) of the TCP connection and the TCP long connection of the multiplex communication module, and reports the proxy handshake request to the second relay server 210 through the multiplex communication module.
3) The second relay server 210 determines whether the target server IP, port, proxy authentication account, and password in the proxy handshake request are legal. When they are judged illegal, the first relay server 110 is notified of the judgment result through the multiplexing communication module, so that the first relay server 110 disconnects the TCP connection with the first client 101. When they are judged legal, a TCP connection with the target server (for example, the second server 202) is established, a virtual connection between that TCP connection and the multiplexing communication module (forward proxy request exit) is established, and the multiplexing module notifies the first relay server 110 that the full link establishment is successful.
4) The first relay server 110 returns a proxy success response to the first client 101, and the first client 101 sends requests and receives responses over the complete link. The complete link can send requests and receive responses several times; if any segment of the connection is disconnected, the complete link is disconnected automatically.
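The second relay's check in step 3) of the forward proxy flow above, as an added example that is not the patent's code: the handshake is parsed strictly, the target IP and port are checked against the servers the high-security network permits, and the account and password are verified against a salted hash with a constant-time comparison. The line-based handshake format, the account store and the target allowlist are constructed assumptions; the patent does not specify how the fields are encoded or stored.

```python
"""Added example: validating a forward-proxy handshake on the second relay server.
The wire format, account store and target allowlist are constructed, not the patent's."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value)


@dataclass(frozen=True)
class ProxyHandshake:
    target_ip: str
    target_port: int
    account: str
    password: str


def parse_handshake(line: bytes) -> Optional[ProxyHandshake]:
    """Parse the constructed handshake line 'PROXY <ip> <port> <account> <password>'.
    Any malformed field yields None so the caller drops the connection."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 5 or parts[0] != b"PROXY":
        return None
    try:
        ip = str(ipaddress.ip_address(parts[1].decode("ascii")))
        port = int(parts[2])
        if not 0 < port < 65536:
            return None
        return ProxyHandshake(ip, port, parts[3].decode("ascii"), parts[4].decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Create a (salt, PBKDF2-SHA256 digest) record for the account store."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the digest and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed second-network policy: proxy accounts and the targets that may be reached.
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {"svc_report": make_record("c0rrect-h0rse")}
TARGETS: Set[Tuple[str, int]] = {("10.20.0.15", 3306), ("10.20.0.20", 8443)}
# Verified for unknown accounts so response timing does not reveal whether an account exists.
_DUMMY_RECORD = make_record("unused-dummy")


def second_relay_validate(line: bytes, accounts: Dict[str, Tuple[bytes, bytes]] = ACCOUNTS,
                          targets: Set[Tuple[str, int]] = TARGETS) -> Tuple[bool, str]:
    """Decide whether the handshake is legal. Target is checked before credentials so a
    valid account cannot be used to reach a server outside the permitted set."""
    hs = parse_handshake(line)
    if hs is None:
        return False, "malformed handshake"
    if (hs.target_ip, hs.target_port) not in targets:
        return False, "target not permitted"
    record = accounts.get(hs.account)
    ok = verify_password(hs.password, record if record is not None else _DUMMY_RECORD)
    if record is None or not ok:
        return False, "authentication failed"
    return True, "legal"


if __name__ == "__main__":
    print(second_relay_validate(b"PROXY 10.20.0.15 3306 svc_report c0rrect-h0rse\n"))
    print(second_relay_validate(b"PROXY 10.20.0.99 3306 svc_report c0rrect-h0rse\n"))
```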
The execution of the reverse proxy request procedure by the second network 200 to the first network 100 is not limited to:
1) The second client 201 initiates an access request to the second relay server 210, the second client 201 establishes a TCP connection with the reverse proxy request portal of the second relay server 210, and sends a second access request.
2) The second relay server 210 intercepts the first few bytes of the second access request and infers the application protocol type of the second access request from the application protocol characteristics (protocol header format). When the application protocol of the second access request is not one of the protocol types preset in the second relay server 210, the second access request is inferred to be illegal and the TCP connection with the second client 201 is disconnected; when the application protocol type of the second access request is one of the protocol types preset in the second relay server 210, the second access request is inferred to be legal, a virtual connection (mapping relation) between the TCP connection and the TCP long connection of the multiplexing communication module is established, and the information of the server (for example, the first server 102) that the second client 201 requests to access is transmitted to the first relay server 110 through the multiplexing communication module.
3) Upon receiving the server information, the first relay server 110 establishes a TCP connection with the server (e.g., the first server 102), and establishes a virtual connection between the TCP connection and the multiplexing communication module (reverse proxy request exit), and notifies the second relay server 210 that the full link establishment is successful through the multiplexing module.
4) The second relay server 210 replays the first few bytes that were intercepted to infer the protocol type, the complete link from the second client 201 to the first server 102 is formally established, and requests and responses can be sent and received normally. The complete link can send requests and receive responses several times; if any segment of the connection is disconnected, the complete link is disconnected automatically.
The execution of the forward proxy request flow by the second network 200 to the first network 100 is not limited to:
1) The second client 201 establishes a TCP connection with the forward proxy request portal of the second relay server 210 and initiates a proxy handshake request (carrying the target server IP, port, proxy authentication account, password) over the TCP connection.
2) The second relay server 210 determines whether the target server IP, port, proxy authentication account, and password in the proxy handshake request are legal. When they are judged illegal, the TCP connection with the second client 201 is disconnected. When they are judged legal, a virtual connection between the TCP connection and the multiplexing communication module (forward proxy request entrance) is established, and the information of the target server is transmitted to the first relay server 110 through the multiplexing communication module.
3) The first relay server 110, upon receiving the target server information, establishes a TCP connection with the server (e.g., the first server 102), and establishes a virtual connection between the TCP connection and the multiplexing communication module (forward proxy request egress), and notifies the second relay server 210 that the full link establishment is successful through the multiplexing module.
4) The second relay server 210 returns a proxy success response to the second client 201, and the second client 201 sends requests and receives responses over the complete link. The complete link can send requests and receive responses several times; if any segment of the connection is disconnected, the complete link is disconnected automatically.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
In an exemplary embodiment, the electronic apparatus may further include a transmission device connected to the processor, and an input/output device connected to the processor.
For specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and exemplary implementations; they are not repeated here.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of computing devices, and they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices. In some cases the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or several of the modules or steps may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A method of communication between different networks, for use with a second relay server deployed in a second network, the method comprising:
Under the condition that the second relay server receives a protocol inference result of a first access request reported by a first relay server through a network communication link, the protocol inference result is analyzed to obtain a request inference result, wherein the first relay server is deployed in a first network, the first access request is an access request initiated by a first client in the first network and accessing the second network, the network security of the first network is lower than that of the second network, the network communication link is a communication link established by the second relay server to the first relay server, and the protocol inference result is a validity verification result of the first relay server on a communication protocol of the first access request;
determining a second server matched with the first access request according to protocol configuration information under the condition that the request inference result indicates that the first access request is legal, wherein the protocol configuration information is the corresponding relation between each protocol type and the server in the second network;
And establishing a service link between the network communication link and the second server to complete the communication link of the first client accessing the second server.
2. The method of claim 1, wherein parsing the protocol inference results to obtain request inference results comprises:
Analyzing the protocol inference result to obtain the protocol characteristics of the first access request;
determining a communication protocol type of the first access request according to the protocol characteristics of the first access request;
Obtaining a request inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits the preset communication protocol type in the second network;
And obtaining a request inference result indicating that the first access request is illegal under the condition that the communication protocol type of the first access request does not hit the preset communication protocol type in the second network.
3. The method of claim 2, wherein determining a second server matching the first access request based on protocol configuration information comprises: and determining a server corresponding to the communication protocol type of the first access request in the protocol configuration information as a second server matched with the first access request.
4. A method according to any one of claims 1-3, characterized in that:
analyzing the first proxy request to obtain proxy account information under the condition that the second relay server receives the first proxy request reported by the first relay server through the network communication link, wherein the first proxy request is a proxy request which is initiated by the first client and accesses a target server in the second network;
verifying whether the proxy account information is legal or not;
And under the condition that the proxy account information is validated, establishing a service link between the network communication link and the target server so as to complete the communication link of the first client accessing the target server in the second network.
5. A method according to any one of claims 1-3, characterized in that:
establishing a second application link between the second relay server and a second client under the condition that the second relay server receives a second access request initiated by the second client, wherein the second access request is used for requesting to access the first network;
Acquiring protocol characteristics of the second access request through the second application link, and determining whether the second access request is legal or not;
And under the condition that the second access request is legal, determining a first server matched with the second access request, and sending service information of the first server to the first relay server through the network communication link so that the first relay server establishes service connection between the network communication link and the first server to complete the communication link of the second client accessing the first network.
6. A method according to any one of claims 1-3, characterized in that:
establishing a second application link between the second relay server and a second client under the condition that the second relay server receives a second proxy request initiated by the second client, wherein the second proxy request is used for requesting to access a target server in the first network;
acquiring proxy account information of the second proxy request through the second application link, and verifying whether the proxy account information is legal or not;
And under the condition that the proxy account information is validated, sending the proxy account information to the first relay server through the network communication link so that the first relay server establishes service connection between the network communication link and the target server and completes the communication link of the second client to access the target server in the first network.
7. A method of communication between different networks, for use with a first relay server deployed in a first network, the method comprising:
Under the condition that the first relay server receives a first access request initiated by a first client, a first application link with the first client is established, wherein the first access request is used for requesting to access a second network, and the network security of the first network is lower than that of the second network;
acquiring protocol characteristics of the first access request through the first application link, and carrying out protocol inference on the protocol characteristics of the first access request to obtain a protocol inference result, wherein the protocol inference result is a validity verification result of the first relay server on the communication protocol of the first access request;
And when the protocol inference result indicates that the first access request is legal, reporting the protocol inference result to a second relay server through a network communication link, so that the second relay server establishes an application link between the network communication link and the second server to complete the communication link of the first client accessing the second network when the request inference result obtained by analyzing the protocol inference result indicates that the first access request is legal, wherein the network communication link is a communication link established by the second relay server to the first relay server.
8. The method of claim 7, wherein obtaining the protocol feature of the first access request via the first application link and performing protocol inference on the protocol feature of the first access request to obtain a protocol inference result comprises:
Intercepting the first N bytes of the first access request through the first application link as protocol characteristics of the first access request;
Determining the communication protocol type of the first access request according to the byte format of the first N bytes;
obtaining a protocol inference result indicating that the first access request is legal under the condition that the communication protocol type of the first access request hits a preset communication protocol type in the first network;
And under the condition that the communication protocol type of the first access request does not hit the preset communication protocol type in the second network, obtaining a protocol inference result indicating that the first access request is illegal.
9. The method according to claim 7 or 8, characterized in that:
Under the condition that the first relay server receives a first proxy request of the first client, a first application link with the first client is established, wherein the first proxy request is used for requesting to access a target server in the second network, and proxy account information is carried in the first proxy request;
and reporting the first proxy request to the second relay server through the network communication link, so that the second relay server establishes a service link between the network communication link and the target server under the condition that the proxy account information is verified to be legal, and the communication link of the first client accessing the target server in the second network is completed.
10. The method according to claim 7 or 8, characterized in that:
Determining a first server indicated by a second access request under the condition that the first relay server receives the second access request sent by the second relay server through the network communication link, wherein the second access request is an access request initiated by a second client in the second network and used for accessing the first network;
And establishing a service link between the network communication link and the first server to complete the communication link of the second client accessing the first network.
11. The method according to claim 7 or 8, characterized in that:
Determining a target server in the first network indicated by the second proxy request under the condition that the first relay server receives the second proxy request sent by the second relay server through the network communication link, wherein the second proxy request is a proxy request initiated by a second client in the second network and used for accessing the target server in the first network;
And establishing a service link between the network communication link and the target server to complete the communication link of the second client accessing the target server in the first network.
12. A communication system between different networks, comprising: a first client located in a first network and a target server located in a second network, and a first relay server deployed in the first network and a second relay server deployed in the second network, wherein the first network has a lower network security than the second network, wherein,
The first relay server is configured to establish a first application link with the first client under the condition that a first access request initiated by the first client is received, obtain a protocol feature of the first access request through the first application link, and perform protocol inference on the protocol feature of the first access request to obtain a protocol inference result, and report the protocol inference result to a second relay server through a network communication link under the condition that the protocol inference result indicates that the first access request is legal, where the network communication link is a communication link established by the second relay server to the first relay server, the first access request is used for requesting access to the second network, and the protocol inference result is a validity verification result of a communication protocol of the first relay server to the first access request;
The second relay server is configured to parse the protocol inference result to obtain a request inference result when the protocol inference result is received through the network communication link, determine a target server matched with the first access request according to protocol configuration information when the request inference result indicates that the first access request is legal, and establish service connection between the network communication link and the target server to complete a communication link of the first client accessing the target server, where the protocol configuration information is a correspondence between each protocol type and a server in the second network.
13. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the method of any of the claims 1 to 6 or 7 to 11 when run.
14. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of the claims 1 to 6 or 7 to 11.
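The following is an added worked example, not code from the patent or its assignee. It walks through the procedure of claim 8 (take the first N bytes of an access request as its protocol feature, infer the protocol type from the byte format, and accept only types on a preset allow-list) and the second-relay step of claim 12 (re-check the reported inference result and map the protocol type to a target server via protocol configuration information). The value N = 8, the byte-format signatures for TLS, SSH and HTTP, the sample requests and the server names are all this example's assumptions; the claims leave them unspecified.

```python
"""Added example: relay-side protocol inference on the first N bytes of a request.

The claims do not fix N, the recognised protocol types, or the configuration
format; everything below that is concrete is an assumption of this example.
"""
from __future__ import annotations

from typing import Optional

N_BYTES = 8  # assumed value of N; claim 8 leaves it open

# HTTP request lines begin with a method token and a space (assumed signature set).
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def intercept_protocol_feature(request: bytes, n: int = N_BYTES) -> bytes:
    """Step 1: only the first N bytes are inspected; the rest is never parsed here."""
    return request[:n]


def infer_protocol_type(feature: bytes) -> str:
    """Step 2: classify by byte format. Signatures are public wire-format facts:
    TLS handshake record (0x16, version 0x03xx, then ClientHello type 0x01 at
    offset 5), SSH identification string, HTTP request line."""
    if (len(feature) >= 6 and feature[0] == 0x16 and feature[1] == 0x03
            and feature[2] <= 0x04 and feature[5] == 0x01):
        return "tls"
    if feature.startswith(b"SSH-"):
        return "ssh"
    if feature.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def protocol_inference(request: bytes, preset_types: frozenset) -> dict:
    """Steps 3 and 4 (first relay): legal iff the inferred type hits a preset type.
    The returned dict is what the first relay reports over the network link;
    it carries the type so the second relay can re-derive legality itself."""
    ptype = infer_protocol_type(intercept_protocol_feature(request))
    return {"protocol_type": ptype, "legal": ptype in preset_types}


def select_target_server(result: dict, protocol_config: dict) -> Optional[str]:
    """Second relay (claim 12): parse the reported result into a request inference
    result and look up the target server by protocol type. The second relay does
    not trust the first relay's verdict alone: a type absent from its own
    configuration is rejected even if reported as legal."""
    if not result.get("legal"):
        return None
    return protocol_config.get(result.get("protocol_type"))


# Constructed sample requests (first bytes only; not captured traffic).
TLS_SAMPLE = bytes.fromhex("16030100f5010000f10303")            # TLS ClientHello prefix
SSH_SAMPLE = b"SSH-2.0-OpenSSH_9.3\r\n"                          # SSH banner
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNKNOWN_SAMPLE = bytes(8)                                        # eight zero bytes

# Assumed policy: the low-security network may only reach TLS and HTTP services.
PRESET_TYPES = frozenset({"tls", "http"})
# Assumed protocol configuration information: protocol type -> server in the second network.
PROTOCOL_CONFIG = {
    "tls": "app-gateway.internal.example",
    "http": "web-frontend.internal.example",
}


def run_samples() -> dict:
    """Run every constructed sample through both relays; returns type -> target (or None)."""
    out = {}
    for name, req in (("tls", TLS_SAMPLE), ("ssh", SSH_SAMPLE),
                      ("http", HTTP_SAMPLE), ("unknown", UNKNOWN_SAMPLE)):
        result = protocol_inference(req, PRESET_TYPES)
        out[name] = select_target_server(result, PROTOCOL_CONFIG)
    return out


if __name__ == "__main__":
    for name, target in run_samples().items():
        print(f"{name:8s} -> {'rejected' if target is None else target}")
```

Because only N bytes are examined, a request that is legitimately classified can still carry anything after the prefix; the example therefore treats the inferred type as an admission decision and a routing key, not as proof of the request's content. The SSH sample is rejected solely because "ssh" is not in the preset list, which is the control point an operator would tune.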
CN202210488217.6A 2022-05-06 2022-05-06 Communication method and system between different networks, storage medium and electronic device Active CN114826754B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210488217.6A CN114826754B (en) 2022-05-06 2022-05-06 Communication method and system between different networks, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN114826754A CN114826754A (en) 2022-07-29
CN114826754B true CN114826754B (en) 2024-06-11

Family

ID=82511369

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210488217.6A Active CN114826754B (en) 2022-05-06 2022-05-06 Communication method and system between different networks, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN114826754B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834584B (en) * 2022-11-23 2024-05-24 重庆紫光华山智安科技有限公司 Cross-network data transmission method, device, equipment and medium
CN116112560B (en) * 2023-04-10 2023-06-30 广东电网有限责任公司佛山供电局 Data uplink and proxy method and system based on Reactive mechanism
CN116743738B (en) * 2023-07-20 2024-04-05 北京道迩科技有限公司 Log transmission method and device and electronic equipment
CN116708381B (en) * 2023-08-04 2023-11-14 腾讯科技(深圳)有限公司 Cross-network data transmission method and device, storage medium and electronic equipment
CN117240599B (en) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Security protection method, device, equipment, network and storage medium

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9021117B1 (en) * 2012-06-29 2015-04-28 Emc Corporation Dynamically selectable transport for kernel driver management
CN106790161A (en) * 2016-12-29 2017-05-31 武汉华星光电技术有限公司 It is a kind of to ensure server security and mitigate the communication system and method for fire wall pressure
CN109802936A (en) * 2018-11-22 2019-05-24 北京奇艺世纪科技有限公司 A kind of network data access method, device and electronic equipment
CN109962913A (en) * 2019-03-11 2019-07-02 北京信安世纪科技股份有限公司 Proxy server and Proxy Method based on secure socket layer protocol
CN110839027A (en) * 2019-11-14 2020-02-25 北京京东尚科信息技术有限公司 User authentication method, device, proxy server and network service system
CN111431956A (en) * 2019-01-10 2020-07-17 阿里巴巴集团控股有限公司 Cross-network service access method, device, system and storage medium
CN111698334A (en) * 2020-06-24 2020-09-22 昆明东电科技有限公司 Network service method and system of dual reverse proxy between intranet and extranet
CN111818100A (en) * 2020-09-04 2020-10-23 腾讯科技(深圳)有限公司 Method for configuring channel across networks, related equipment and storage medium
CN111865868A (en) * 2019-04-24 2020-10-30 顺丰科技有限公司 Cross-network regional service calling method and system
CN111865900A (en) * 2020-06-03 2020-10-30 中邮消费金融有限公司 RPC protocol-based cross-network regional proxy access method and system
CN112165480A (en) * 2020-09-22 2021-01-01 北京字跳网络技术有限公司 Information acquisition method and device and electronic equipment
CN113542274A (en) * 2021-07-15 2021-10-22 南京中孚信息技术有限公司 Cross-domain data transmission method, device, server and storage medium
CN114070578A (en) * 2021-09-27 2022-02-18 杭州安恒信息技术股份有限公司 User private network intranet intercommunication method, system, computer and storage medium
CN114205149A (en) * 2021-12-06 2022-03-18 华云数据(厦门)网络有限公司 Network communication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9660961B2 (en) * 2013-05-03 2017-05-23 Dell Products L.P. Virtual desktop accelerator with enhanced bandwidth usage

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant