CN116232875B - Remote office method, device, equipment and medium - Google Patents


Info

Publication number
CN116232875B
Authority
CN
China
Prior art keywords
data
server
internal network
information
fort machine
Prior art date
Legal status
Active
Application number
CN202310511744.9A
Other languages
Chinese (zh)
Other versions
CN116232875A (en)
Inventor
贾新
胡道光
郭朝阳
Current Assignee
Beijing Tuopu Fenglian Information Technology Co ltd
Original Assignee
Beijing Tuopu Fenglian Information Technology Co ltd
Application filed by Beijing Tuopu Fenglian Information Technology Co ltd
Priority to CN202310511744.9A
Publication of CN116232875A
Application granted
Publication of CN116232875B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0876 Aspects of the degree of configuration automation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application provides a remote office method, device, equipment and medium. The method comprises the following steps: a bastion host ("fort machine" in the machine translation) receives an internal-network access request sent by a wide area network (WAN) device, the request carrying the requester's verification information and identity information; the bastion host judges from the verification information whether the access request is legitimate; if it is, the bastion host permits the WAN device corresponding to the identity information to access the corresponding server and notifies the WAN device that access has been permitted; the bastion host then receives an internal-network operation request sent by the WAN device; it looks up the permitted login servers corresponding to the identity information; it judges whether the permitted login servers include the operation server; and if they do, the bastion host logs in to the operation server and executes the corresponding operation there according to the operation content.

Description

Remote office method, device, equipment and medium
Technical Field
The present application relates to the field of network security, and in particular, to a remote office method, apparatus, device, and medium.
Background
With the development of internet technology, more and more enterprises choose a remote office mode to carry out operations in specific areas and environments. In a remote office environment, a user may log in to a wide area network client in area A and then control the work equipment in area B over the network.
The remote office mode lets a user complete work elsewhere without changing their own office location. But because signals are transmitted over the wide area network during remote office, network security is affected to a certain extent.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a remote office method, apparatus, device and medium for solving the problem of poor network security during remote office in the prior art.
In a first aspect, embodiments of the present application provide a remote office method applied to a remote office system, the remote office system comprising:
an operation and maintenance (O&M) client and an internal network, where the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a bastion host, a firewall and a router; the servers and the automatic deployment platform each communicate with the O&M client through the switch and then the bastion host; and the servers and the automatic deployment platform each connect to a wide area network through the switch, the firewall and the router in turn;
The remote office method comprises the following steps:
the bastion host receives an internal-network access request sent by a wide area network (WAN) device, the access request carrying the requester's verification information and identity information;
the bastion host judges from the verification information whether the access request is legitimate;
if the access request is legitimate, the bastion host permits the WAN device corresponding to the identity information to access the corresponding server and notifies the WAN device that access has been permitted;
the bastion host receives an internal-network operation request sent by the WAN device, the operation request carrying identity information, operation content and an operation server;
the bastion host looks up the permitted login servers corresponding to the identity information;
the bastion host judges whether the permitted login servers include the operation server;
if the permitted login servers include the operation server, the bastion host logs in to the operation server and executes the corresponding operation there according to the operation content.
Optionally, the method further comprises:
the bastion host generates a historical access rule from the number of internal-network operation requests received in each time period in the past; the historical access rule characterises how the number of historical operation requests changes over time;
the bastion host determines whether the number of operation requests received in the current time period is suspected to be abnormal, according to the difference between that number and the number of historical operation requests for the same time period in the historical access rule;
if it is suspected to be abnormal, the bastion host generates a current access rule for the current time period from the number of operation requests in several time periods preceding the current one together with the number received in the current time period;
the bastion host determines whether the number of operation requests received in the current time period is abnormal according to the similarity between the current access rule and the historical access rule.
Optionally, the method further comprises:
when the bastion host detects that the number of operation requests received in the current time period is abnormal, it retrieves the current load of each server;
the bastion host determines, from the current load of each server, which server is in an abnormal state (the abnormal server);
the bastion host obtains the data information and data content of the data to be audited that the abnormal server processed in the current time period; the data information comprises the data requester, the data acquisition time and the data type;
the bastion host computes a first data digest of the data to be audited from its data content;
the bastion host stores the first data digest, data content and data information separately for each item of data to be audited, and sends the first data digest, data content and data information of each item to a verification server among the servers for verification.
Optionally, the method further comprises:
after receiving the first data digest, data content and data information of data to be audited, the verification server searches the digest information of historical abnormal data for first target digest information identical to the first data digest;
if first target digest information identical to the first data digest is found, the verification server updates the abnormality count of the historical abnormal data corresponding to it;
if it is not found, the verification server splits the data content into a plurality of data paragraphs according to a preset rule, computes a second data digest for each paragraph, and searches the digest information of the historical abnormal data for second target digest information identical to any of the second data digests; if such second target digest information exists, the verification server updates the abnormality count of the corresponding historical abnormal data; if it does not exist, the verification server creates a new historical abnormal data record from the first data digest, data content and data information of the data to be audited.
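The verification server's digest matching, as an added example that is not the patent's own code: the whole-content first digest is tried first, then the second digests of the paragraphs the content splits into, and a new historical abnormal record is created only when neither matches. SHA-256 as the digest, splitting on blank lines as the preset rule, and the sample documents are assumptions made for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AbnormalRecord:
    """One item of historical abnormal data held by the verification server."""
    content: bytes
    info: dict          # data requester, acquisition time, data type
    count: int = 1      # the "abnormality count": how often it has been seen


def digest(data: bytes) -> str:
    """Digest function assumed for both first and second digests: SHA-256."""
    return hashlib.sha256(data).hexdigest()


def split_paragraphs(content: bytes) -> List[bytes]:
    """Preset splitting rule assumed here: blank-line separated paragraphs."""
    return [p.strip() for p in content.split(b"\n\n") if p.strip()]


class VerificationServer:
    def __init__(self) -> None:
        self._by_first: Dict[str, AbnormalRecord] = {}      # first-digest index
        self._by_paragraph: Dict[str, AbnormalRecord] = {}  # second-digest index

    def count_for(self, first_digest: str) -> int:
        rec = self._by_first.get(first_digest)
        return rec.count if rec else 0

    def check(self, first_digest: str, content: bytes, info: dict) -> str:
        """Handle one submission from the bastion host and report what happened."""
        # The bastion host derived the digest from the content; recompute it so a
        # submission whose digest does not match its content cannot poison the index.
        if not hmac.compare_digest(digest(content), first_digest):
            return "rejected: digest mismatch"
        rec = self._by_first.get(first_digest)
        if rec is not None:                          # whole-content match
            rec.count += 1
            return "known: whole-content match"
        matched: Dict[int, AbnormalRecord] = {}
        for para in split_paragraphs(content):       # paragraph-level match
            rec = self._by_paragraph.get(digest(para))
            if rec is not None:
                matched[id(rec)] = rec               # count each record once
        if matched:
            for rec in matched.values():
                rec.count += 1
            return "known: paragraph match"
        rec = AbnormalRecord(content, info)          # nothing matched: new record
        self._by_first[first_digest] = rec
        for para in split_paragraphs(content):
            self._by_paragraph.setdefault(digest(para), rec)
        return "new record"


def demo():
    """Constructed submissions exercising all four outcomes."""
    vs = VerificationServer()
    info = {"requester": "10.0.0.5", "acquired": "2023-05-09T07:15:00", "type": "export"}
    doc_a = b"Quarterly export\n\nregion: north\n\nrows: 1200"
    doc_b = b"Ad hoc export\n\nregion: north"     # shares one paragraph with doc_a
    doc_c = b"Unrelated announcement text"
    results = [
        vs.check(digest(doc_a), doc_a, info),    # new record
        vs.check(digest(doc_a), doc_a, info),    # whole-content match
        vs.check(digest(doc_b), doc_b, info),    # paragraph match on "region: north"
        vs.check("0" * 64, doc_c, info),         # digest does not match content
        vs.check(digest(doc_c), doc_c, info),    # new record
    ]
    return results, vs.count_for(digest(doc_a))
```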
Optionally, the method further comprises:
if the operation request is a data forwarding request, the bastion host obtains the data information and data content of the general data specified by the forwarding request; general data is data other than the data to be audited;
the bastion host detects the security level of the wide area network in which the current router is located;
the bastion host determines whether the general data may be sent, according to the data security level of the general data and the security level of the wide area network;
if the general data may be sent, the bastion host sends it through the router to the network endpoint in the wide area network corresponding to the forwarding request;
if the general data may not be sent, the bastion host instead sends a text summary of the general data through the router to that network endpoint.
Optionally, the general data is one of advertisement information, announcement information and audit data.
Optionally, each server is provided with an RPC client.
In a second aspect, embodiments of the present application provide a remote office device for use in a remote office system comprising:
an operation and maintenance (O&M) client and an internal network, where the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a bastion host, a firewall and a router; the servers and the automatic deployment platform each communicate with the O&M client through the switch and then the bastion host; and the servers and the automatic deployment platform each connect to a wide area network through the switch, the firewall and the router in turn;
the remote office device includes:
a first receiving module, used by the bastion host to receive an internal-network access request sent by a wide area network (WAN) device, the access request carrying the requester's verification information and identity information;
a first judging module, used by the bastion host to judge from the verification information whether the access request is legitimate;
a notifying module, used to permit the WAN device corresponding to the identity information to access the corresponding server if the access request is legitimate, and to notify the WAN device that access has been permitted;
a second receiving module, used by the bastion host to receive an internal-network operation request sent by the WAN device, the operation request carrying identity information, operation content and an operation server;
a querying module, used by the bastion host to look up the permitted login servers corresponding to the identity information;
a second judging module, used by the bastion host to judge whether the permitted login servers include the operation server;
and a login module, used by the bastion host to log in to the operation server if the permitted login servers include it, and to execute the corresponding operation there according to the operation content.
In a third aspect, embodiments of the present application provide a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above-described method.
The remote office method provided by the embodiments of the application comprises the following steps: the bastion host receives an internal-network access request sent by a WAN device, the access request carrying the requester's verification information and identity information; the bastion host judges from the verification information whether the access request is legitimate; if it is, the bastion host permits the WAN device corresponding to the identity information to access the corresponding server and notifies the WAN device that access has been permitted; the bastion host receives an internal-network operation request sent by the WAN device, the operation request carrying identity information, operation content and an operation server; the bastion host looks up the permitted login servers corresponding to the identity information; the bastion host judges whether the permitted login servers include the operation server; if they do, the bastion host logs in to the operation server and executes the corresponding operation there according to the operation content.
In the present application, even when the WAN device is legitimate (its internal-network access request is a legitimate request), it never bypasses the bastion host to operate an internal server directly; the bastion host mediates the whole operation, which secures the internal network. At the same time, the processing capacity required of the bastion host grows with the number of servers. When the internal network is set up, the bastion host's processing capacity should therefore be provisioned in advance according to the number of servers (or the servers' processing capacity) so that it is not mismatched with the number of servers; otherwise overall operating efficiency falls.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a LAN system according to an embodiment of the present application;
fig. 2 is a schematic diagram of a remote office system according to an embodiment of the present application;
fig. 3 is a schematic flow chart of a remote office method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a remote office device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
In the conventional technology, a user working remotely accesses the internet through a computer at site A, sends control instructions by operating that computer, and the instructions are transmitted over the internet to a computer at site B, which completes the corresponding operation. Fig. 1 shows such a conventional remote office system: it includes a control terminal (the O&M client) and a local side, where the control terminal is operated directly by the user (O&M personnel) or is located in the same region as the user. The local side is the local area network system formed by the internal network in Fig. 1, which comprises a router, a firewall, a switch, a plurality of servers and an automated deployment platform. The servers and the automated deployment platform each connect to the wide area network (internet) through the switch, the firewall and the router in turn, and communicate with the O&M client over the wide area network. The user sends control instructions by operating the O&M client, and the instructions reach a given server through the router, the firewall and the switch. Before sending a control instruction, the user must know the user name and password of each server in order to log in to the designated server and operate it. Obviously, this way of keeping passwords requires the user to record every password, and once the user changes work location it is easy to be unable to log in to a server; in particular, when there are very many servers, the user can hardly remember all the passwords.
Therefore, in some cases system administrators avoid the forgotten-password problem by allowing password-less login to the servers, but this clearly raises the overall risk of the system: once the firewall is breached, the local servers fall together.
In response to these problems, the inventors provide an improved remote office method acting on a remote office system which, as shown in Fig. 2, comprises:
an operation and maintenance (O&M) client and an internal network, where the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a bastion host, a firewall and a router; the servers and the automatic deployment platform each communicate with the O&M client through the switch and then the bastion host; and the servers and the automatic deployment platform each connect to the wide area network through the switch, the firewall and the router in turn.
As shown in Fig. 3, the remote office method includes:
S301, the bastion host receives an internal-network access request sent by a wide area network (WAN) device, the access request carrying the requester's verification information and identity information;
S302, the bastion host judges from the verification information whether the access request is legitimate;
S303, if the access request is legitimate, the bastion host grants the WAN device corresponding to the identity information access to the corresponding server and notifies the WAN device that access has been granted;
S304, the bastion host receives an internal-network operation request sent by the WAN device, the operation request carrying identity information, operation content and an operation server;
S305, the bastion host looks up the permitted login servers corresponding to the identity information;
S306, the bastion host judges whether the permitted login servers include the operation server;
S307, if the permitted login servers include the operation server, the bastion host logs in to the operation server and executes the corresponding operation there according to the operation content.
In step S301, the bastion host is a device or system that, in a specific network environment, uses various technical means to monitor and record the operations that O&M staff perform on servers, network devices, security devices, databases and the like, so that the network and its data are not intruded upon or damaged by external or internal users. In this scheme the bastion host is an ordinary server in the internal network on which a bastion service system is deployed and exposed through a web service. Server resources must be configured in the bastion service system before it operates. When the operator (O&M implementer) of a WAN device (such as the O&M client) needs to log in and access a server, they must first log in to the bastion service system and only then access the server to be operated; on login to the bastion service system the user's identity is identified and authenticated, which secures the system and thereby the internal network.
Wide area network devices are not a fixed class of device but all devices (servers, personal computers and so on) that can access a wide area network. An internal-network access request is a request by a WAN device to access the internal network in which the bastion host sits. The internal network is a local area network: all devices in it (the servers, the automatic deployment platform, the switch, the firewall, the router and so on) form a LAN, linked through the switch, that exchanges information over short-range or restricted communication paths. The servers mainly provide basic services and collect and acquire basic data; the automatic deployment platform's main function is to schedule tasks and information for the servers. Because the internal network has higher data security requirements, each device in it is connected over the LAN, and the automatic deployment platform may decide case by case whether communication between different internal devices is to be encrypted.
In this scheme, each server may be provided with an RPC client, which makes remote operations easy to complete.
The requester's verification information is a proof, usually a password, used to establish that the WAN device is entitled to access the internal network. The identity information distinguishes the device from other WAN devices, for example an IP address, an ID or a login user name on some platform.
In step S302, the bastion host can determine from the verification information whether the access request is legitimate. Specifically, the legitimate verification information is stored in the bastion host in advance; the bastion host retrieves the pre-stored verification information and compares it with the requester's verification information, and the request is legitimate if the two match. Typically the pre-stored verification information is looked up by the identity information.
In step S303, once the bastion host has determined that the access request is legitimate, it may notify the device that issued the request in step S301 that it may begin access. Then, in step S304, that WAN device may initiate an internal-network operation request; since verification was already performed in steps S301 to S303, the specific operation can begin directly from the operation request. The operation content is set by the user, for example data extraction, data operations or monitoring.
However, because different servers are responsible for different service content and different service content carries different rights, it is necessary to verify whether the user has the right to view it. In step S305 the bastion host therefore determines, from the identity information, the servers that the requester may log in to, i.e. the permitted login servers. In general, the permitted login servers corresponding to each identity are pre-stored in the bastion host.
Having determined the permitted login servers, in S306 the bastion host verifies whether the operation server in the operation request is one (or several) of them; if so, in step S307 the bastion host logs in to the operation server and completes the corresponding operation according to the operation content.
It should be noted that in this solution, even when the WAN device is legitimate (its internal-network access request is a legitimate request), it never bypasses the bastion host to operate an internal server directly; the bastion host mediates the whole operation, which secures the internal network. At the same time, the processing capacity required of the bastion host grows with the number of servers. When the internal network is set up, the bastion host's processing capacity should therefore be provisioned in advance according to the number of servers (or the servers' processing capacity) so that it is not mismatched with the number of servers; otherwise overall operating efficiency falls.
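The admission flow of steps S301 to S307, as an added example that is not the patent's own code: the bastion host ("fort machine") keeps a pre-stored verification record per identity, compares the requester's credential against it in constant time, and only then checks the operation server against that identity's permitted login servers before driving the server's RPC client itself. The credential store, the identity-to-server map, the server names and the RPC stubs are constructed for this demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

_ITERATIONS = 100_000


def make_credential(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Pre-stored verification record the bastion host keeps for one identity."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)


@dataclass(frozen=True)
class Decision:
    ok: bool
    step: str           # which of S301-S307 produced the decision
    reason: str
    result: object = None


class Bastion:
    def __init__(self, credentials: Dict[str, Tuple[bytes, bytes]],
                 permitted: Dict[str, FrozenSet[str]],
                 servers: Dict[str, Callable[[dict], str]]) -> None:
        self._credentials = credentials   # identity -> (salt, digest)
        self._permitted = permitted       # identity -> permitted login servers
        self._servers = servers           # server name -> its RPC client stub
        self._granted: set = set()        # identities that passed S302
        self.audit: list = []             # every decision is recorded

    def _decide(self, identity: str, ok: bool, step: str, reason: str, result=None) -> Decision:
        d = Decision(ok, step, reason, result)
        self.audit.append((identity, d))
        return d

    def access_request(self, identity: str, verification: str) -> Decision:
        """S301-S303: fetch the pre-stored record by identity and compare it with
        the supplied credential in constant time. An unknown identity is hashed
        against a dummy record so both failure paths take the same time."""
        salt, stored = self._credentials.get(identity, (b"\x00" * 16, b"\x00" * 32))
        supplied = hashlib.pbkdf2_hmac("sha256", verification.encode(), salt, _ITERATIONS)
        if identity in self._credentials and hmac.compare_digest(supplied, stored):
            self._granted.add(identity)
            return self._decide(identity, True, "S303", "access to internal network permitted")
        return self._decide(identity, False, "S302", "verification failed")

    def operation_request(self, identity: str, operation_server: str, operation: dict) -> Decision:
        """S304-S307: honoured only for a granted identity and only if the operation
        server is among its permitted login servers; the bastion host, not the WAN
        device, then drives the server's RPC client."""
        if identity not in self._granted:
            return self._decide(identity, False, "S304", "no permitted access session")
        if operation_server not in self._permitted.get(identity, frozenset()):
            return self._decide(identity, False, "S306",
                                f"{operation_server} is not a permitted login server")
        result = self._servers[operation_server](operation)
        return self._decide(identity, True, "S307",
                            f"operation executed on {operation_server}", result)


def _rpc_stub(name: str) -> Callable[[dict], str]:
    """Stand-in for the RPC client on each server (constructed)."""
    return lambda op: f"{name}: {op['action']}"


# Constructed deployment: two servers, one identity permitted on only one of them.
SERVERS = {"db-01": _rpc_stub("db-01"), "web-01": _rpc_stub("web-01")}
_SALT = bytes(range(16))   # fixed salt so the demo is deterministic
CREDENTIALS = {"ops-alice": make_credential("alice-secret", _SALT)}
PERMITTED = {"ops-alice": frozenset({"web-01"})}


def demo() -> tuple:
    b = Bastion(CREDENTIALS, PERMITTED, SERVERS)
    return (
        b.access_request("ops-alice", "wrong-secret").ok,                        # False
        b.operation_request("ops-alice", "web-01", {"action": "status"}).ok,     # False: no session yet
        b.access_request("ops-alice", "alice-secret").ok,                        # True
        b.operation_request("ops-alice", "db-01", {"action": "status"}).ok,      # False: not permitted
        b.operation_request("ops-alice", "web-01", {"action": "status"}).result, # "web-01: status"
    )
```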
Further, in order to ensure the stability of the operation of the internal network, a monitoring rule should be set, and further, the method provided by the present application further includes:
step 401, generating, by the fort machine, a historical access rule according to the number of internal network operation requests received in each time period in the past; the historical access rule characterizes how the number of historical internal network operation requests changes over time;
step 402, determining, by the fort machine, whether the number of internal network operation requests received in the current time period is suspected to be abnormal, according to the difference between that number and the number of historical internal network operation requests for the same time period in the historical access rule;
step 403, if the number is suspected to be abnormal, generating, by the fort machine, a current access rule for the current time period according to the numbers of internal network operation requests in a plurality of time periods preceding the current time period and the number received in the current time period;
step 404, determining, by the fort machine, whether the number of internal network operation requests received in the current time period is abnormal according to the similarity between the current access rule and the historical access rule.
In step 401, the fort machine uses the request counts it has collected to generate a historical access rule that records the number of internal network operation requests in each of a plurality of consecutive time periods. Generally, two kinds of historical access rule are kept: one whose minimum time period is a day, and one whose unit is an hour. The rule is designed this way mainly because access patterns differ greatly across periods of different lengths. If the access rule were formed only with the day as the minimum time period, many sudden abnormal increments could not be detected because the granularity is too coarse; if it were formed only with the hour as the unit, counts in different hours would jump even when the data is normal, and much normal data would be judged abnormal. Therefore, in a particular implementation, access rules should be formed in days and in hours at the same time, and both rules should be used together in the subsequent steps to determine whether the number of internal network operation requests is abnormal.
In step 402, the fort machine may determine whether the request count is suspected to be abnormal according to the difference between the number of internal network operation requests received in the current time period and the number of historical internal network operation requests for the same time period in the historical access rule. Only point-to-point data is compared in this step: for example, the current 07:00-08:00 period can be compared with the average of the 07:00-08:00 counts of one or more historical days (typically the average of the 07:00-08:00 counts of every day in the past week). Similarly, if today is 7 July, the data of 7 June, or of 7 July of the previous year, may be used for comparison to determine the difference.
If the difference is too large, the count is suspected to be abnormal. In that case, in step 403, a current access rule for the current time period may be generated on the fly in the same manner as the historical access rule; the difference is that the current access rule is generated from continuous data of only the last several hours or days, whereas the data used to generate the historical access rule spans a much longer time.
Then, in step 404, whether the data is abnormal may be determined according to the similarity of the two access rules. This approach is adopted mainly because generating an access rule consumes the fort machine's processing capacity: the historical access rule can be generated while the fort machine is idle, but the current access rule has to be generated on demand. Adding the intermediate "suspected abnormal" judgment therefore better protects the normal operation of the fort machine. Of course, the threshold used in step 402 to decide whether the difference is too large (whether the count is suspected to be abnormal) may be set according to the type and history of the servers targeted by the received internal network operation requests; if some servers are known to have data jumps, additional verification may be considered for those servers.
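The following is an added worked example of steps 401 to 404, not code from the patent: it builds an hour-of-day historical access rule from sample counts, applies the point-to-point suspicion check, and then compares a short window of recent hours with the historical rule by cosine similarity. The request counts, the window length and both thresholds are constructed assumptions.

```python
"""Added example (not the patent's own code) of steps 401-404: hour-of-day
historical access rule, point-to-point suspicion check, and the follow-up
similarity check over a short window of recent hours. Counts and thresholds
are constructed/assumed."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean
from typing import Optional

SUSPECT_RATIO = 2.0    # assumed step-402 threshold: >2x or <1/2 of the historical mean
SIMILARITY_MIN = 0.9   # assumed step-404 threshold on cosine similarity of the two rules
WINDOW = 4             # assumed length of the "last several hours" used for the current rule


@dataclass
class Verdict:
    suspected: bool
    abnormal: bool
    current: int
    expected: float
    similarity: Optional[float]   # None when the second check was not needed


def historical_access_rule(history: dict) -> list:
    """Step 401: the hour-granularity historical rule, i.e. the mean request
    count for each hour of the day over the recorded days (24 counts per day)."""
    days = list(history.values())
    if not days or any(len(d) != 24 for d in days):
        raise ValueError("each historical day needs 24 hourly counts")
    return [mean(day[h] for day in days) for h in range(24)]


def is_suspected_abnormal(current: int, expected: float, ratio: float = SUSPECT_RATIO) -> bool:
    """Step 402: compare this period only with the same period of the historical rule."""
    if expected == 0:
        return current > 0
    return current > expected * ratio or current < expected / ratio


def cosine_similarity(a: list, b: list) -> float:
    """Shape similarity of two equally long count vectors (1.0 = identical shape)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def check_current_period(history: dict, yesterday: list, today: list, hour: int,
                         window: int = WINDOW) -> Verdict:
    """Steps 402-404 for period `hour` of `today`; `yesterday` lets the
    recent-hours window reach back across midnight."""
    hist = historical_access_rule(history)
    current, expected = today[hour], hist[hour]
    if not is_suspected_abnormal(current, expected):
        return Verdict(False, False, current, expected, None)
    # Step 403: the current rule is generated on demand from only the last
    # `window` consecutive periods, ending with the current one.
    recent = (yesterday + today[: hour + 1])[-window:]
    # The matching stretch of the historical rule, wrapping around midnight.
    reference = [hist[(hour - i) % 24] for i in range(window - 1, -1, -1)]
    # Step 404: cosine similarity compares the shape of the two rules, so a
    # surge confined to the current hour scores low, while a busy day whose
    # hours all scale together keeps the historical shape and is not flagged.
    sim = cosine_similarity(recent, reference)
    return Verdict(True, sim < SIMILARITY_MIN, current, expected, sim)


# Constructed sample history: three days with the same office-hours profile.
BASE = [5] * 7 + [20, 60, 80, 80, 70, 40, 50, 80, 80, 70, 50, 30] + [10] * 5
HISTORY = {"day-1": BASE, "day-2": BASE, "day-3": BASE}


def demo() -> dict:
    """Checks the 09:00 period on three constructed 'today' profiles."""
    burst = BASE[:9] + [400] + BASE[10:]        # isolated surge at 09:00 only
    busy = [round(c * 2.5) for c in BASE]       # whole day uniformly busier
    return {
        "quiet": check_current_period(HISTORY, BASE, BASE, 9),
        "burst": check_current_period(HISTORY, BASE, burst, 9),
        "busy": check_current_period(HISTORY, BASE, busy, 9),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Because the similarity check compares shape rather than magnitude, the "busy" profile is suspected by step 402 but cleared by step 404, which is the distinction the two-stage design is meant to draw.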
Further, when an anomaly is detected, further verification can be performed; that is, the scheme provided by the application further includes:
step 501, when the fort machine detects that the number of internal network operation requests received in the current time period is abnormal, retrieving, by the fort machine, the current load level of each server;
step 502, determining, by the fort machine, which server is an abnormal server in an abnormal state according to the current load level of each server;
step 503, obtaining, by the fort machine, the data information and data content of the data to be audited that the abnormal server processed in the current time period; the data information comprises the data requester, the data acquisition time and the data type;
step 504, calculating, by the fort machine, a first data digest of the data to be audited according to its data content;
step 505, storing, by the fort machine, the first data digest, data content and data information separately for each item of data to be audited, and sending the first data digest, data content and data information of each item to a verification server among the plurality of servers for verification.
In step 501, when the fort machine finds that the number of network operation requests is abnormal, it directly retrieves the load level of each server in the internal network. The abnormal server is then determined according to the load level: a large gap between the current load level and the historical load level indicates that the server may be abnormal, but this alone does not prove it. Therefore, in step 503 the data information of the abnormal server must also be acquired for subsequent judgment. In step 504 a first data digest of the data to be audited is generated, and then the first data digest, data content and data information of each item of data to be audited are sent to a verification server among the plurality of servers for verification. The primary function of the first data digest is to detect tampering with the data and to make later comparison easier.
Further, the scheme provided by the application further comprises the following steps:
step 601, after receiving the first data digest, data content and data information of the data to be audited, searching, by the verification server, whether first target digest information identical in content to the first data digest exists among the digest information of historical abnormal data;
step 602, if first target digest information identical in content to the first data digest is found, updating, by the verification server, the abnormal count of the historical abnormal data corresponding to the first target digest information;
step 603, if no first target digest information identical in content to the first data digest is found, splitting, by the verification server, the data content according to a predetermined rule to obtain a plurality of data paragraphs, and searching the digest information of historical abnormal data for second target digest information identical in content to the second data digest of each data paragraph; if the second target digest information exists, updating, by the verification server, the abnormal count of the historical abnormal data corresponding to it; if it does not exist, establishing, by the verification server, new historical abnormal data from the first data digest, data content and data information of the data to be audited.
In step 601, the verification server is itself one of the servers in the internal network, and its main responsibility is security verification (data verification). Historical abnormal data is data that was judged abnormal in the past; its digest information is stored on the verification server and may additionally be backed up on the fort machine. Searching for the first target digest information by digest in this step mainly reduces the comparison cost, since querying by digest is more efficient (the digest is short and unique). Furthermore, if a match is found, in step 602 the abnormal count of the matching historical abnormal data may be incremented, and if the abnormal count becomes too high, other processing mechanisms should be introduced for targeted handling (such as an interception mechanism for the abnormal data).
If no match is found, there are two possible cases: the abnormal data has been modified, or it is genuinely new abnormal data. At this point, splitting the data content of the current abnormal data may be considered. The data processed by the system is mostly announcements, audit material and similar data close to production and daily life, so its layout follows obvious format rules; the data content can therefore be split according to the established format rules into a plurality of data paragraphs, a digest is generated for each paragraph, and those digests are then used for the comparison search. If a match is found, the current abnormal data is still an abnormal item seen before, and the abnormal count of that earlier item can be incremented. Otherwise, this is new abnormal data, and new historical abnormal data should be established.
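The following is an added worked example of steps 504 and 601 to 603, not code from the patent: a verification server that recomputes the first data digest to detect tampering, looks the digest up among historical abnormal data, falls back to per-paragraph second digests, and either increments the abnormal count or creates a new record. The SHA-256 choice, the blank-line split rule, the record fields and the sample announcements are assumptions.

```python
"""Added example (not the patent's own code) of steps 504 and 601-603: the
first data digest, the lookup in the store of historical abnormal data, the
fallback to per-paragraph second digests, and the abnormal-count update or
new record. SHA-256, the blank-line split rule, the record fields and the
sample documents are all assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass
class HistoricalAnomaly:
    digest: str                     # first data digest of the content as first seen
    content: str
    info: dict                      # data requester, acquisition time, data type (step 503)
    count: int = 1                  # the "abnormal times"
    paragraph_digests: tuple = ()   # second data digests of its paragraphs


def data_digest(content: str) -> str:
    """Step 504: digest over the UTF-8 bytes of the content (assumed SHA-256)."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def split_paragraphs(content: str) -> list:
    """Assumed predetermined rule: paragraphs are separated by blank lines."""
    return [p.strip() for p in content.split("\n\n") if p.strip()]


class VerificationServer:
    """Holds digest information of historical abnormal data (steps 601-603)."""

    def __init__(self) -> None:
        self.records = {}        # first digest -> HistoricalAnomaly
        self.by_paragraph = {}   # second digest -> first digest of the record it belongs to

    def verify(self, first_digest: str, content: str, info: dict):
        """Returns (outcome, record); outcome is 'known', 'variant' or 'new'."""
        # The digest travels with the content so the receiver can detect tampering
        # in transit: recompute it and refuse mismatches before any lookup.
        if data_digest(content) != first_digest:
            raise ValueError("first data digest does not match the received content")
        # Steps 601/602: whole-document match -> increment the abnormal count.
        if first_digest in self.records:
            record = self.records[first_digest]
            record.count += 1
            return "known", record
        # Step 603: no whole-document match, so split and compare paragraph digests;
        # a match means a modified copy of abnormal data seen before.
        paragraph_digests = tuple(data_digest(p) for p in split_paragraphs(content))
        for second_digest in paragraph_digests:
            if second_digest in self.by_paragraph:
                record = self.records[self.by_paragraph[second_digest]]
                record.count += 1
                return "variant", record
        # Otherwise this is genuinely new abnormal data: create the historical record.
        record = HistoricalAnomaly(first_digest, content, info, 1, paragraph_digests)
        self.records[first_digest] = record
        for second_digest in paragraph_digests:
            self.by_paragraph.setdefault(second_digest, first_digest)
        return "new", record


# Constructed sample announcements; the edited one reuses one paragraph of the first.
NOTICE = ("Notice: server room maintenance on 2023-05-12.\n\n"
          "All services will be unavailable from 22:00 to 23:00.\n\n"
          "Contact the operations desk with any questions.")
NOTICE_EDITED = ("Notice: maintenance has been moved to 2023-05-13.\n\n"
                 "All services will be unavailable from 22:00 to 23:00.\n\n"
                 "Please plan accordingly.")
UNRELATED = "Audit report Q1: 12 findings, 3 high severity.\n\nDetails attached."
INFO = {"requester": "ops-client-01", "acquired_at": "2023-05-10T09:00",
        "data_type": "announcement"}   # constructed data information


def demo() -> list:
    """Submits four documents in turn and returns 'outcome:count' for each."""
    server = VerificationServer()
    outcomes = []
    for doc in (NOTICE, NOTICE, NOTICE_EDITED, UNRELATED):
        outcome, record = server.verify(data_digest(doc), doc, INFO)
        outcomes.append(f"{outcome}:{record.count}")
    return outcomes


if __name__ == "__main__":
    print(demo())
```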
Further, the method provided by the application further comprises the following steps:
step 701, if the internal network operation request is a data forwarding request, obtaining, by the fort machine, the data information and data content of general data according to the data forwarding request; the general data is data other than the data to be audited;
step 702, detecting, by the fort machine, the security level of the wide area network in which the current router is located;
step 703, determining, by the fort machine, whether the general data can be sent according to the data security level of the general data and the security level of the wide area network;
step 704, if the general data can be sent, sending, by the fort machine, the general data through the router to the network end in the wide area network corresponding to the data forwarding request;
step 705, if the general data cannot be sent, sending, by the fort machine, a text abstract of the general data through the router to the network end in the wide area network corresponding to the data forwarding request.
In step 701, general data is relatively secure data. Of course, there are many kinds of data other than the data to be audited, so in practice data other than the data to be audited is not necessarily the general data of step 701.
Since the data forwarding request sends data to other devices in the wide area network (not the wide area network device authenticated as a legitimate device in step 301), the security level of the network must be verified first. The fort machine can then determine whether the general data may be sent according to the security level of the general data and that of the wide area network. Generally, the security level of the wide area network is determined from its stability (the frequency of frame and packet loss) and from any information leakage that has occurred in the past. Only when the network security level is higher than the security level of the general data is the general data allowed to be forwarded through the wide area network to the designated external device. Specifically, different general data may have different security levels, which can be preset by the user.
If the network security level is not higher than the security level of the general data, the data can only be sent in the form of a text abstract, which at least ensures that the information is not seriously leaked. Here the text abstract differs from the data digest described above: the text abstract reflects the main content of the general data in natural language that the user can read directly.
The embodiment of the application provides a remote office device, which acts on a remote office system; the remote office system comprises:
the system comprises an operation and maintenance client and an internal network, wherein the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a fort machine, a firewall and a router; the servers and the automatic deployment platform are respectively connected with the operation and maintenance client in a communication way through the switch and the fort machine in sequence; the servers and the automatic deployment platform are respectively connected into a wide area network through a switch, a firewall and a router in sequence;
as shown in fig. 4, the remote office apparatus includes:
a first receiving module 401, configured to receive, by the fort machine, an internal network access request sent by a wide area network device, where the internal network access request carries verification information and identity information of the requester;
a first judging module 402, configured to judge, by the fort machine, whether the internal network access request is a legitimate request according to the verification information;
a notification module 403, configured to, if the internal network access request is a legitimate request, permit, by the fort machine, the wide area network device corresponding to the identity information to access the corresponding server, and notify the wide area network device that it is permitted to access the server;
a second receiving module 404, configured to receive, by the fort machine, an internal network operation request sent by the wide area network device; the internal network operation request carries identity information, operation content and an operation server;
a query module 405, configured to query, by the fort machine, the permitted login server corresponding to the identity information according to the identity information;
a second judging module 406, configured to judge, by the fort machine, whether the operation server is included in the permitted login server;
and a login module 407, configured to, if the permitted login server includes the operation server, log in to the operation server by the fort machine and execute the corresponding operation in the operation server according to the operation content.
Optionally, the apparatus further includes:
a generating module, configured to generate, by the fort machine, a historical access rule according to the number of internal network operation requests received in each time period in the past; the historical access rule characterizes how the number of historical internal network operation requests changes over time;
the fort machine determines whether the number of internal network operation requests received in the current time period is suspected to be abnormal according to the difference between that number and the number of historical internal network operation requests for the same time period in the historical access rule; if so, the fort machine generates a current access rule for the current time period according to the numbers of internal network operation requests in a plurality of time periods preceding the current time period and the number received in the current time period; the fort machine then determines whether the number of internal network operation requests received in the current time period is abnormal according to the similarity between the current access rule and the historical access rule.
Optionally, the apparatus further includes:
a calling module, configured to retrieve, by the fort machine, the current load level of each server when it is detected that the number of internal network operation requests received in the current time period is abnormal;
a determining module, configured to determine, by the fort machine, an abnormal server in an abnormal state according to the current load level of each server;
an obtaining module, configured to obtain, by the fort machine, the data information and data content of the data to be audited that the abnormal server processed in the current time period; the data information comprises the data requester, the data acquisition time and the data type;
a calculation module, configured to calculate, by the fort machine, a first data digest of the data to be audited according to its data content;
and a verification module, configured to store, by the fort machine, the first data digest, data content and data information separately for each item of data to be audited, and to send the first data digest, data content and data information of each item to a verification server among the plurality of servers for verification.
Optionally, the apparatus further includes:
a searching module, configured to search, after the verification server receives the first data digest, data content and data information of the data to be audited, whether first target digest information identical in content to the first data digest exists among the digest information of historical abnormal data;
an updating module, configured to update the abnormal count of the historical abnormal data corresponding to the first target digest information if first target digest information identical in content to the first data digest is found;
a splitting module, configured to, if no first target digest information identical in content to the first data digest is found, split the data content by the verification server according to a predetermined rule into a plurality of data paragraphs and search the digest information of historical abnormal data for second target digest information identical in content to the second data digest of each data paragraph; if the second target digest information exists, the verification server updates the abnormal count of the corresponding historical abnormal data; if it does not exist, the verification server establishes new historical abnormal data from the first data digest, data content and data information of the data to be audited.
Optionally, the apparatus further includes:
a forwarding module, configured to obtain, by the fort machine, the data information and data content of general data according to a data forwarding request if the internal network operation request is a data forwarding request; the general data is data other than the data to be audited;
a detection module, configured to detect, by the fort machine, the security level of the wide area network in which the current router is located;
a second judging module, configured to determine, by the fort machine, whether the general data can be sent according to the data security level of the general data and the security level of the wide area network; if the general data can be sent, the fort machine sends the general data through the router to the network end in the wide area network corresponding to the data forwarding request; if the general data cannot be sent, the fort machine sends a text abstract of the general data through the router to that network end.
Optionally, the general data is one of advertisement information, announcement information and audit data.
Optionally, each server is provided with an RPC client.
Corresponding to the remote office method of fig. 1, the embodiment of the present application further provides a computer device 500, as shown in fig. 5, which includes a memory 501, a processor 502 and a computer program stored in the memory 501 and executable on the processor 502, where the processor 502 implements the remote office method when executing the computer program.
Specifically, the memory 501 and the processor 502 may be a general-purpose memory and processor, which are not limited here; when the processor 502 runs the computer program stored in the memory 501, the remote office method is executed, which solves the problem of poor network security during remote office in the prior art.
Corresponding to the remote office method of fig. 1, the embodiments of the present application also provide a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, performs the steps of the remote office method described above.
Specifically, the storage medium can be a general storage medium, such as a removable disk or a hard disk, and when the computer program on the storage medium is run, the remote office method is executed, so that the problem of poor network security during remote office in the prior art is solved.
In the embodiments provided in the present application, it should be understood that the disclosed methods and apparatuses may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments provided in the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be noted that: like reference numerals and letters in the following figures denote like items, and thus once an item is defined in one figure, no further definition or explanation of it is required in the following figures, and furthermore, the terms "first," "second," "third," etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the foregoing examples are merely specific embodiments of the present application, intended to illustrate rather than limit its technical solution; although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced with equivalents, within the technical scope disclosed in the present application, and that such modifications, changes or substitutions do not depart from the spirit and scope of the corresponding technical solutions and are intended to fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A method of tele-office, for acting on a tele-office system, the tele-office system comprising:
the system comprises an operation and maintenance client and an internal network, wherein the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a fort machine, a firewall and a router; the servers and the automatic deployment platform are respectively connected with the operation and maintenance client in a communication way through the switch and the fort machine in sequence; the servers and the automatic deployment platform are respectively connected into a wide area network through a switch, a firewall and a router in sequence;
The tele-office method comprises the following steps:
the fort machine receives an internal network access request sent by wide area network equipment, wherein the internal network access request carries verification information and identity information of a requester;
judging whether the internal network access request is a legal request or not by the fort machine according to the verification information;
if the internal network access request is a legal request, the fort machine permits the wide area network equipment corresponding to the identity information to access the corresponding server and informs the wide area network equipment of permitting the wide area network equipment to access the server;
the fort machine receives an internal network operation request sent by wide area network equipment; the internal network operation request carries identity information, operation content and an operation server;
inquiring a permitted login server corresponding to the identity information by the fort machine according to the identity information;
judging whether the operation server is contained in the permission login server by the fort machine;
if the permitted login server comprises the operation server, the fort logs in the operation server, and executes response operation in the operation server according to the operation content;
the method further comprises the steps of:
generating a historical access rule by the fort machine according to the number of the internal network operation requests received in each time period in the history; the history access law characterizes the condition that the number of the historical internal network operation requests changes with time;
the fort machine determines whether the number of the internal network operation requests received in the current time period is suspected to be abnormal or not according to the difference value between the number of the internal network operation requests received in the current time period and the number of the historical internal network operation requests in the same time period in the historical access rule;
if the internal network operation requests are suspected to be abnormal, generating a current access rule of the current time period by the fort machine according to the number of the internal network operation requests corresponding to a plurality of time periods before the current time period and the number of the internal network operation requests received by the current time period;
the bastion machine determines whether the number of the internal network operation requests received in the current time period is abnormal or not according to the similarity of the current access rule and the historical access rule;
the method further comprises the steps of:
when the bastion machine monitors that the number of the internal network operation requests received in the current time period is abnormal, the bastion machine calls the current load degree of each server;
the fort machine determines an abnormal server in an abnormal state according to the current load degree of each server;
the fort machine obtains data information and data content of data to be audited, which are processed by the abnormal server in the current time period; the data information comprises a data requesting party, data acquisition time and data type;
the fort machine calculates a first data abstract of the data to be audited according to the data content;
the fort machine stores the first data abstract, the data content and the data information of the data to be audited according to the difference of the data to be audited, and sends the first data abstract, the data content and the data information of each data to be audited to a verification server in the servers for verification.
2. The method according to claim 1, wherein the method further comprises:
after receiving a first data abstract, data content and data information of data to be audited, the verification server searches whether first target abstract information which is the same as the content of the first data abstract exists in abstract information of historical abnormal data;
if the first target abstract information with the same content as the first data abstract is found, updating the abnormal times of the historical abnormal data corresponding to the first target abstract information by the verification server;
if the first target abstract information which is the same as the content of the first data abstract is not found, the verification server splits the data content according to a preset rule to obtain a plurality of data paragraphs, and searches whether second target abstract information which is the same as the content of the second data abstract of each data paragraph exists in the abstract information of the historical abnormal data; if the second target abstract information exists, updating the abnormal times of the historical abnormal data corresponding to the second target abstract information by the verification server; if the second target abstract information does not exist, the verification server establishes new historical abnormal data according to the first data abstract, the data content and the data information of the data to be audited.
3. The method according to claim 1, wherein the method further comprises:
if the internal network operation request is a data forwarding request, the fort machine obtains data information and data content of general data according to the data forwarding request; the general data is data other than the data to be audited;
detecting the security degree of a wide area network where a current router is located by the fort machine;
the fort machine determines whether the general data can be sent according to the data security level of the general data and the security degree of the wide area network;
if the general data can be sent, the fort sends the general data to a network end corresponding to the data forwarding request in the wide area network through the router;
if the common data can not be sent, the fort machine sends the text abstract of the common data to a network end corresponding to the data forwarding request in the wide area network through the router.
4. The method according to claim 3, wherein the general data is one of advertisement information, announcement information and audit data.
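The forwarding decision of claims 3 and 4 as an added Python example; it is not the patent's own code. The claims give no scale for the data security level or for the security degree of the wide area network, and no rule for producing the text abstract. The three-level classification, the 0 to 1 security degree with a minimum per level, the mapping of advertisement, announcement and audit data onto those levels, and the first-sentence abstract are all assumptions here. The policy fails closed: an unknown level or an out-of-range security degree never results in the full data being sent.

```python
import re
from enum import IntEnum


class DataLevel(IntEnum):
    """Data security level of the general data (assumed three-level scale)."""
    PUBLIC = 1        # assumed placement: advertisement information
    INTERNAL = 2      # assumed placement: announcement information
    CONFIDENTIAL = 3  # assumed placement: audit data


# Minimum security degree of the wide area network (assumed scale: 0.0 = no
# protection observed, 1.0 = fully trusted link) required before data of the
# given level may be sent in full. A level missing here is never sent in full.
MIN_WAN_SECURITY = {
    DataLevel.PUBLIC: 0.0,
    DataLevel.INTERNAL: 0.5,
    DataLevel.CONFIDENTIAL: 0.8,
}


def text_abstract(content: str, max_chars: int = 60) -> str:
    """Text abstract sent instead of the full content: the first sentence,
    truncated to max_chars (assumed rule; the claims do not fix one)."""
    first = re.split(r"(?<=[.!?])\s+", content.strip(), maxsplit=1)[0]
    if len(first) > max_chars:
        return first[:max_chars - 3].rstrip() + "..."
    return first


def decide_forwarding(content: str, level: int, wan_security: float) -> tuple[str, str]:
    """Returns ('full', content) when the general data may be sent over the
    wide area network, otherwise ('abstract', text abstract of the content)."""
    if not 0.0 <= wan_security <= 1.0:
        raise ValueError("wan_security must lie within [0.0, 1.0]")
    required = MIN_WAN_SECURITY.get(level)
    if required is None or wan_security < required:
        return ("abstract", text_abstract(content))
    return ("full", content)


# Constructed sample announcement used for the checks below.
NOTICE = "Notice: the office is closed on Friday. Badge access stays enabled."
```

The `wan_security` argument stands in for the result of the bastion machine's detection step in claim 3, which the claims describe only as a measured security degree; how that measurement is taken is outside this example.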
5. The method according to claim 1, wherein an RPC client is deployed in each of the servers.
6. A remote office apparatus for operating in a remote office system, the remote office system comprising:
an operation and maintenance client and an internal network, wherein the internal network comprises a plurality of servers, an automatic deployment platform, a switch, a bastion machine, a firewall and a router; the servers and the automatic deployment platform are each communicatively connected to the operation and maintenance client through the switch and the bastion machine in sequence; and the servers and the automatic deployment platform are each connected to a wide area network through the switch, the firewall and the router in sequence;
the remote office apparatus comprises:
a first receiving module, used by the bastion machine to receive an internal network access request sent by a wide area network device, the internal network access request carrying verification information and identity information of the requester;
a first judging module, used by the bastion machine to judge, according to the verification information, whether the internal network access request is a legal request;
a notifying module, used to permit the wide area network device corresponding to the identity information to access the corresponding server if the internal network access request is a legal request, and to notify the wide area network device that access to the server is permitted;
a second receiving module, used by the bastion machine to receive an internal network operation request sent by the wide area network device, the internal network operation request carrying identity information, operation content and an operation server;
an inquiring module, used by the bastion machine to query, according to the identity information, the permitted login servers corresponding to that identity information;
a second judging module, used by the bastion machine to judge whether the permitted login servers include the operation server;
a login module, configured so that, if the permitted login servers include the operation server, the bastion machine logs in to the operation server and executes the corresponding operation in the operation server according to the operation content;
the apparatus further comprises:
a generating module, used by the bastion machine to generate a historical access rule from the number of internal network operation requests received in each historical time period, the historical access rule characterizing how the number of historical internal network operation requests varies with time;
the bastion machine determines whether the number of internal network operation requests received in the current time period is suspected to be abnormal according to the difference between that number and the number of historical internal network operation requests in the same time period of the historical access rule; if it is suspected to be abnormal, the bastion machine generates a current access rule for the current time period from the numbers of internal network operation requests in a plurality of time periods preceding the current time period and the number received in the current time period; the bastion machine then determines whether the number of internal network operation requests received in the current time period is abnormal according to the similarity between the current access rule and the historical access rule;
the apparatus further comprises:
a calling module, used by the bastion machine to retrieve the current load degree of each server when it detects that the number of internal network operation requests received in the current time period is abnormal;
a determining module, used by the bastion machine to determine, from the current load degree of each server, the abnormal server that is in an abnormal state;
an obtaining module, used by the bastion machine to obtain the data information and data content of the data to be audited that the abnormal server processed in the current time period, the data information comprising the data requester, the data acquisition time and the data type;
a calculation module, used by the bastion machine to calculate a first data digest of the data to be audited from its data content; and
a verification module, used by the bastion machine to store the first data digest, the data content and the data information separately for each item of data to be audited, and to send the first data digest, the data content and the data information of each item of data to be audited to a verification server among the plurality of servers for verification.
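The two-stage check performed by the generating module of claim 6 (and by the corresponding step of claim 1), as an added Python example; it is not code from the patent. The claims do not say how the historical access rule is built, what difference makes a period suspected, or how similarity is measured. The per-period mean over past days, a difference threshold of half the historical value, a window of the four preceding periods, and cosine similarity with a 0.9 threshold are assumptions of this example, and the request counts are constructed sample data.

```python
import math
from statistics import mean


def historical_access_rule(history: list[list[int]]) -> list[float]:
    """Historical access rule (assumed form): for each time period of the day,
    the mean number of internal network operation requests seen in that period
    over past days. history[d][t] is the count in period t of past day d."""
    periods = len(history[0])
    if any(len(day) != periods for day in history):
        raise ValueError("every historical day must have the same number of periods")
    return [mean(day[t] for day in history) for t in range(periods)]


def is_suspected(current: int, historical: float, diff_ratio: float) -> bool:
    """First stage: the count differs from the same period of the historical
    rule by more than diff_ratio of the historical value."""
    return abs(current - historical) > diff_ratio * max(historical, 1.0)


def cosine_similarity(a: list[float], b: list[float]) -> float:
    """Shape similarity of two count sequences (1.0 = identical shape);
    0.0 when either sequence is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def assess_period(today: list[int], t: int, history: list[list[int]],
                  window: int = 4, diff_ratio: float = 0.5,
                  min_similarity: float = 0.9) -> str:
    """Returns 'normal', 'suspected' (the count deviates in size but the
    current access rule still has the shape of the historical rule) or
    'abnormal' (the count deviates in size and the shape diverges too)."""
    rule = historical_access_rule(history)
    if not is_suspected(today[t], rule[t], diff_ratio):
        return "normal"
    # Second stage: the current access rule is the counts of the `window`
    # periods preceding the current one plus the current count, compared with
    # the same slice of the historical rule.
    start = max(0, t - window)
    current_rule = today[start:t + 1]
    historical_slice = rule[start:t + 1]
    if cosine_similarity(current_rule, historical_slice) < min_similarity:
        return "abnormal"
    return "suspected"


# Constructed sample: three past days, eight periods per day.
HISTORY = [
    [10, 12, 50, 60, 55, 40, 20, 10],
    [12, 10, 48, 62, 57, 38, 22, 8],
    [8, 14, 52, 58, 53, 42, 18, 12],
]
TODAY_SPIKE = [11, 13, 52, 63, 58, 42, 21, 300]   # burst in the last period
TODAY_BUSY = [20, 24, 100, 120, 110, 80, 40, 20]  # twice the usual volume, same curve
```

The second stage is what separates a request burst that breaks the usual daily curve from a day that is merely busier than usual along the same curve: only the former is reported as abnormal and goes on to trigger the load check and digest audit of the following modules.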
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, performs the steps of the method according to any one of claims 1 to 5.
CN202310511744.9A, filed 2023-05-09 (priority date 2023-05-09): Remote office method, device, equipment and medium. Status: Active. Granted as CN116232875B (en).

Publications (2)

Publication Number Publication Date
CN116232875A (en) 2023-06-06 (application)
CN116232875B (en) 2023-07-28 (grant)

Family

ID=86587693

Country Status (1)

Country Link
CN (1) CN116232875B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743566B (en) * 2023-07-19 2023-12-19 北京道迩科技有限公司 Network access method, device and computer storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103747089A (en) * 2014-01-14 2014-04-23 浪潮电子信息产业股份有限公司 File transfer auditing system and method based on bastion machine

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL243426A0 (en) * 2015-12-31 2016-04-21 Asaf Shabtai Platform for protecting small and medium enterprises from cyber security threats
CN110719276B (en) * 2019-09-30 2021-12-24 北京网瑞达科技有限公司 Network equipment safety access system based on cache password and working method thereof
CN113489713B (en) * 2021-06-30 2022-10-25 平安科技(深圳)有限公司 Network attack detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant