CN116418595A - Security verification system and security verification method for accessing Web server - Google Patents


Info

Publication number: CN116418595A
Authority: CN (China)
Prior art keywords: access request, security, web server, client, traffic
Legal status: Pending
Application number: CN202310488643.4A
Other languages: Chinese (zh)
Inventors: 罗少飞, 徐徽, 肖鸣, 严文彬, 张佳温, 林良超, 姚佳淼, 李棋
Current assignee: China Guangfa Bank Co Ltd
Original assignee: China Guangfa Bank Co Ltd
Application filed by China Guangfa Bank Co Ltd
Priority to CN202310488643.4A
Publication of CN116418595A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/12 Avoiding congestion; Recovering from congestion
    • H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a security verification system and a security verification method for accessing a Web server. The security verification system includes: a load balancing device, used for receiving an access request from a client and distributing the request to a traffic orchestrator; the traffic orchestrator, used for receiving the access request forwarded by the load balancing device and distributing it to a security device, where one end of the traffic orchestrator is connected to the load balancing device; and a security resource pool connected to the other end of the traffic orchestrator, in which a plurality of security devices are deployed, at least one of which performs security detection on the access request and, once the detection is passed, forwards the access request to the target Web server corresponding to it. The method and the device solve the technical problems in the related art that service data processing efficiency is low and the detection requirements of service peak periods cannot be met because security devices are deployed in a serial connection mode.

Description

Security verification system and security verification method for accessing Web server
Technical Field
The present application relates to the field of security verification, and in particular, to a security verification system and a security verification method for accessing a Web server.
Background
In recent years, with business growth and the popularity of online flash sales and rush-purchase promotions, WEB access volume has increased, and a WEB Application Firewall (WAF) is deployed at the enterprise Internet entrance as the first wall of security protection against malicious requests from the Internet on WEB applications. The security device is deployed on the primary and standby lines of the enterprise Internet entrance in transparent bridge mode by means of load balancing, and can detect and block malicious Internet requests in real time. However, as business volume grows, the security device may become a processing performance bottleneck, and because of the serial deployment its capacity is very limited. When the security device cannot handle the service requests, all Internet services may be affected. Even if the device is replaced by one with stronger performance, as long as a single device is operating, the detection requirements of the service peak period are hard to meet. In addition, the WAF is connected in series on the physical line after load balancing, is strongly coupled to the network architecture, and cannot be rapidly scaled out horizontally to cope with sudden traffic demands.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a security verification system and a security verification method for accessing a Web server, which at least solve the technical problems that service data processing efficiency is low and detection requirements in service peak period cannot be met due to the fact that security equipment is deployed based on a serial connection mode in the related technology.
According to an aspect of an embodiment of the present application, there is provided a security verification system for accessing a Web server, including: a load balancing device, used for receiving an access request from a client and distributing the request, based on the secure socket layer protocol SSL, to a traffic orchestrator, where the access request is used for accessing a Web server; the traffic orchestrator, used for receiving the access request forwarded by the load balancing device and distributing the access request to a security device, where one end of the traffic orchestrator is connected to the load balancing device; and a security resource pool connected to the other end of the traffic orchestrator, in which a plurality of security devices are deployed, at least one of which is used for carrying out security detection on the access request and, after the security detection is passed, forwarding the access request to the target Web server corresponding to the access request.
Optionally, the traffic orchestrator is further configured to send the access request to the security device after SSL offloading the access request.
Optionally, the security device is further configured to return the access request to the traffic orchestrator after the access request passes the security detection, and the traffic orchestrator forwards the access request to the target Web server, and returns a processing result corresponding to the access request to the client.
Optionally, the target Web server is configured to parse the access request, determine a Web application to be accessed by the client, obtain a processing result of the Web application on the access request, and return the processing result to the client.
Optionally, the target Web server is configured to determine a forwarding path of the access request during the process of receiving the access request, and return the processing result to the client based on the forwarding path.
Optionally, the security resource pool uses transparent bridging and reverse proxying to deploy multiple different types of security devices as a pool.
Optionally, the security verification system further includes a network address translation module, used for translating the intranet IP address of the Web server into a public IP address.
According to another aspect of the embodiments of the present application, there is also provided a security verification method for accessing a Web server, including: receiving an access request from a client to a Web server, distributing the request to a traffic orchestrator based on a secure socket layer protocol SSL through load balancing equipment, wherein the access request is used for accessing the Web server, forwarding the access request to a secure resource pool through the traffic orchestrator, and deploying a plurality of secure devices in the secure resource pool; and carrying out security detection on the access request based on a target security device in the plurality of security devices, and forwarding the access request to the target Web server after the security detection is passed.
Optionally, receiving an access request from the client to the Web server includes: translating the intranet IP address of the target Web server into a public IP address and exposing the public IP to the client; and receiving the client's access request to the public IP.
Optionally, the target Web server is configured to parse the access request, determine a Web application to be accessed by the client, obtain a processing result of the Web application on the access request, and return the processing result to the client.
Optionally, returning the processing result to the client includes: backtracking a forwarding path of the access request in the process of receiving the access request; and returning the processing result to the client based on the forwarding path.
According to another aspect of the embodiments of the present application, there is further provided a nonvolatile storage medium that includes a stored program, where, when the program runs, the device in which the storage medium is located is controlled to execute any one of the above security verification methods for accessing the Web server.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement any one of the above security verification methods for accessing the Web server.
In the embodiments of the application, a security resource pool is introduced so that the load on the traffic can be orchestrated flexibly: the load balancing device receives an access request from a client and distributes the request, based on the secure socket layer protocol SSL, to a traffic orchestrator, where the access request is used for accessing a Web server; the traffic orchestrator receives the access request forwarded by the load balancing device and distributes it to a security device, one end of the traffic orchestrator being connected to the load balancing device; and the security resource pool is connected to the other end of the traffic orchestrator, a plurality of security devices are deployed in it, and at least one of the security devices carries out security detection on the access request and, after the security detection is passed, forwards the access request to the target Web server corresponding to it. In this way, high-concurrency service requests are processed on the basis of a plurality of security devices, the processing efficiency of service data is improved, the technical effect of detecting and blocking malicious Internet requests in real time is achieved, and the technical problems of the related art, namely that service data processing efficiency is low and the detection requirements of service peak periods cannot be met because security devices are deployed in a serial connection mode, are solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a schematic diagram of an alternative security authentication system for accessing a Web server according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a security verification system in an embodiment of the present application;
FIG. 3 is a schematic deployment diagram of load balancing in an embodiment of the present application;
FIG. 4 is a flow chart of an alternative security verification method for accessing a Web server according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To facilitate a better understanding of the related embodiments of the present application, technical terms or partial terms that may be referred to in the present application are explained below:
1. NAT (Network Address Translation) was proposed in 1994. NAT can be used when some hosts inside a private network have been assigned local IP addresses (private addresses used only within the private network) but need to communicate with hosts on the Internet (without encryption). This method requires NAT software to be installed on the router that connects the private network (private IP) to the Internet (public IP). A router equipped with NAT software is called a NAT router and has at least one valid external global IP address (public IP address). Thus all hosts using local addresses (private IP addresses) can connect to the Internet, their local addresses being translated into global IP addresses on the NAT router when they communicate with the outside world. In addition, by using a small number of global IP addresses (public IP addresses) to represent a larger number of private IP addresses, this approach helps slow the exhaustion of the available IP address space. NAT is described in RFC 2663.
2. F5 SSL Orchestrator, SSLO for short. F5 (Nasdaq: FFIV) is a worldwide leading vendor in the area of Application Delivery Networks (ADNs), founded in 1996 and headquartered in Seattle, U.S.A. F5 provides faster, secure and intelligent applications for large global enterprises, operators, governments and consumer brands, and by delivering cloud and security solutions F5 helps enterprises run the application architecture they require without loss of speed and manageability. The SSLO offered by F5 can load certificates to decrypt traffic, perform security control checks and re-encrypt it; it improves network visibility, eliminates security blind spots and helps avoid threats in the network. At the same time, SSLO saves the performance cost of having each security device process SSL encryption and decryption. The technical advantages of SSLO are SSL visibility, fast scaling of security devices, support for multiple topologies and devices, and dynamic service chaining.
3. SSL, whose full English name is Secure Sockets Layer (in Chinese, secure socket layer protocol), is a security protocol for WEB applications proposed by Netscape. The SSL protocol specifies a mechanism that provides data security layered between application protocols (e.g., HTTP, Telnet, NNTP and FTP) and the TCP/IP protocol, providing data encryption, server authentication, message integrity and optional client authentication for TCP/IP connections.
In accordance with embodiments of the present application, there is provided an embodiment of a security authentication system for accessing a Web server, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that although a logical sequence is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in a different order than that illustrated herein.
Fig. 1 is a security verification system for accessing a Web server according to an embodiment of the present application, as shown in fig. 1, the security verification system including:
the load balancing device 01 is used for receiving an access request from a client and distributing the request, based on the secure socket layer protocol SSL, to a traffic orchestrator, where the access request is used for accessing a Web server; the traffic orchestrator of the secure socket layer protocol SSL may be referred to simply as SSLO.
The traffic orchestrator 02 is configured to receive the access request forwarded by the load balancing device and distribute the access request to a security device, where one end of the traffic orchestrator is connected to the load balancing device;
and the security resource pool 03 is connected to the other end of the traffic orchestrator, a plurality of security devices are deployed in it, and at least one of the security devices is used for carrying out security detection on the access request and, after the security detection is passed, forwarding the access request to the target Web server corresponding to the access request.
In the security verification system, a security resource pool is introduced so that the load on the traffic can be orchestrated flexibly: the load balancing device receives an access request from a client and distributes the request, based on the secure socket layer protocol SSL, to a traffic orchestrator, where the access request is used for accessing a Web server; the traffic orchestrator receives the access request forwarded by the load balancing device and distributes it to a security device, one end of the traffic orchestrator being connected to the load balancing device; and the security resource pool is connected to the other end of the traffic orchestrator, a plurality of security devices are deployed in it, and at least one of the security devices carries out security detection on the access request and, after the security detection is passed, forwards the access request to the target Web server corresponding to it. In this way, high-concurrency service requests are processed on the basis of a plurality of security devices, the processing efficiency of service data is improved, the technical effect of detecting and blocking malicious Internet requests in real time is achieved, and the technical problems of the related art, namely that service data processing efficiency is low and the detection requirements of service peak periods cannot be met because security devices are deployed in a serial connection mode, are solved.
In some embodiments of the present application, the traffic orchestrator is further configured to perform SSL offloading on the access request and then send it to the security device. Optionally, at least two SSLOs are deployed behind the enterprise Internet entrance firewall and load-balanced to form a resource pool; according to preset traffic forwarding rules, the SSLOs SSL-offload the request message and forward it to a security device in the security resource pool. After the security device finishes processing, it returns the packet to the SSLO, and the SSLO forwards the packet to the WEB server.
In some optional embodiments of the present application, the security device is further configured to return, after the access request passes the security detection, the access request to the traffic orchestrator, and the traffic orchestrator forwards the access request to the target Web server, and returns a processing result corresponding to the access request to the client. Through the steps, the safety of the Web server can be ensured, and data required by the client is sent to the client, so that the service requirement of the client is met.
In some examples of the application, the access request sent by the client to the Web server may be directly used for accessing the Web application, so that the target Web server may be used for analyzing the access request, determining the Web application to be accessed by the client, obtaining a processing result of the Web application on the access request, and returning the processing result to the client.
To facilitate data tracing, as an optional implementation, the target Web server is further configured to determine the forwarding path of the access request while receiving it, and to return the processing result to the client based on that forwarding path. That is, the target Web server records the path along which the service request arrived during the receiving stage and returns the data requested by the client along the same path; this not only ensures that the access result corresponding to each client's access request is accurately returned to that client, but also facilitates data tracing and management by operation and maintenance personnel later.
To be compatible with different network architectures, in related embodiments of the present application the security resource pool may use transparent bridging and reverse proxying to deploy multiple different types of security devices as a pool. When the system is deployed in transparent bridge mode, no configuration is needed on the load balancing; the WAF is transparent to both the load balancing and the back-end server and passes HTTP requests through, and for each Internet system needing protection the WAF is configured with the IP address and port of that system's server. When deployed in reverse proxy mode, the load balancing must map the real host to the WAF; the WAF then appears externally as the back-end real host, the client accesses the WAF, and after receiving the client's HTTP request message the WAF forwards the request to the corresponding real host at the back end.
It should be noted, however, that if the network architecture is not modified, for example if the technical solution disclosed in the present application is not adopted, the WAF cannot be scaled out horizontally to meet bursty service requests regardless of whether transparent bridge mode or reverse proxy mode is used; apart from the emergency bypass, the WAF cannot be bypassed quickly to reduce the impact of performance problems or faults on the service, and the only remedy is to replace it with a higher-performance device, so the service recovery time is uncontrollable. To solve these problems, the method and the device introduce a security resource pool and orchestrate the traffic so that a plurality of security devices serve simultaneously, with the traffic proportion of each security device under control, thereby solving the problems in the related art.
To protect intranet IP information, as an optional implementation the security verification system further includes a network address translation module, used for translating the intranet IP address of the Web server into a public IP address. That is, when the client accesses the server, the request packet is subjected to NAT on the relevant network devices, and the traffic forwarding process is as follows:
(1) The client accesses the Internet public IP exposed by the firewall mapping, and the firewall forwards the request packet to the load balancing device in front of the SSLO according to the access control policy and NAT;
(2) The load balancing in front of the SSLO rewrites the destination IP to the SSLO service chain IP and forwards the load;
(3) The SSLO receives the request packet and load-balances it to the different security products, such as WAF and IPS, according to the security service chain;
(4) When the traffic has passed through the security devices configured on the service chain, it leaves the service chain's traffic forwarding and the request packet is forwarded to the load balancing device on the server side;
(5) The server-side load balancing device forwards the request packet to the final WEB server according to the forwarding information;
(6) After the server processes the request, the response is sent back hop by hop along the traffic forwarding path.
In summary, in the related embodiments of the present application, by introducing the SSL traffic orchestration device, continuous, stable and efficient detection of Internet traffic can be provided transparently and imperceptibly to users and systems, ensuring that the Internet-exposed surface remains continuously under the monitoring and protection mechanism. The security resource pool can deploy security devices of different types using transparent bridging and reverse proxying; when a security device cannot monitor normally because, for example, a change in service functionality alters the request messages, the SSLO can adjust the traffic forwarding proportion to carry out technical verification, and after verification all plaintext access traffic can be switched to the security device for protection; because the traffic is load-balanced, upgrading the software version of the security resource pool devices or of the SSLO does not require downtime and the service is not affected; and if the response to the SSLO heartbeat packet times out, the abnormal device can be automatically kicked out of the security service chain, ensuring that the service is not affected.
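The traffic orchestration behaviour described above (a protocol-to-service-chain rule, an adjustable traffic proportion across pooled security devices, and automatic eviction of a device whose heartbeat times out) is simulated below as an added example; it is not code from the patent or from F5, and the device names, weights, flow keys and 3-second heartbeat timeout are constructed values.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
import zlib

HEARTBEAT_TIMEOUT = 3.0  # seconds without a heartbeat reply before eviction (assumed value)


@dataclass
class SecurityDevice:
    name: str              # constructed name, e.g. "waf-1"
    kind: str              # "WAF" or "IPS", the product types the text names
    weight: int            # share of the stage's traffic; 0 = receives nothing
    last_heartbeat: float  # timestamp of the last heartbeat reply seen by the SSLO

    def alive(self, now: float) -> bool:
        return now - self.last_heartbeat <= HEARTBEAT_TIMEOUT


class ServiceChain:
    """Ordered detection stages; each stage is a pool of equivalent devices."""

    def __init__(self, name: str, stages: list[list[SecurityDevice]]) -> None:
        self.name = name
        self.stages = stages

    @staticmethod
    def healthy(stage: list[SecurityDevice], now: float) -> list[SecurityDevice]:
        # A device whose heartbeat timed out is kicked out of the chain automatically.
        return [d for d in stage if d.alive(now) and d.weight > 0]

    def pick(self, stage: list[SecurityDevice], flow_key: str, now: float) -> SecurityDevice:
        """Weighted choice hashed on the flow key, so one connection stays on one device."""
        candidates = self.healthy(stage, now)
        if not candidates:
            # Fail closed: with no healthy detector the request is not forwarded.
            raise RuntimeError(f"chain {self.name}: no healthy device left in a stage")
        total = sum(d.weight for d in candidates)
        point = zlib.crc32(flow_key.encode()) % total
        for dev in candidates:
            point -= dev.weight
            if point < 0:
                return dev
        return candidates[-1]  # not reached: point < total by construction

    def path(self, flow_key: str, now: float) -> list[str]:
        return [self.pick(stage, flow_key, now).name for stage in self.stages]


class Orchestrator:
    """Maps a protocol to a service chain, like the SSLO security policy in the text."""

    def __init__(self) -> None:
        self.rules: dict[str, ServiceChain] = {}

    def add_rule(self, protocol: str, chain: ServiceChain) -> None:
        self.rules[protocol] = chain

    def route(self, protocol: str, flow_key: str, now: float) -> list[str]:
        chain = self.rules.get(protocol)
        if chain is None:
            raise LookupError(f"no service chain configured for {protocol}")
        return chain.path(flow_key, now)


def distribution(orch: Orchestrator, protocol: str, flows: list[str], now: float) -> Counter:
    """Count which first-stage device each flow lands on."""
    return Counter(orch.route(protocol, f, now)[0] for f in flows)


def build_demo_pool(now: float) -> tuple[Orchestrator, dict[str, SecurityDevice]]:
    """Stage 1: two WAFs, 90/10 split while waf-2 is being verified; stage 2: one IPS."""
    devices = {
        "waf-1": SecurityDevice("waf-1", "WAF", weight=90, last_heartbeat=now),
        "waf-2": SecurityDevice("waf-2", "WAF", weight=10, last_heartbeat=now),
        "ips-1": SecurityDevice("ips-1", "IPS", weight=100, last_heartbeat=now),
    }
    chain = ServiceChain("web", [[devices["waf-1"], devices["waf-2"]], [devices["ips-1"]]])
    orch = Orchestrator()
    orch.add_rule("HTTP", chain)  # "the WEB protocol corresponds to a service chain (WAF)"
    return orch, devices


if __name__ == "__main__":
    now = 1000.0
    orch, devices = build_demo_pool(now)
    # Constructed client flows (RFC 5737 address range), one key per connection.
    flows = [f"203.0.113.{i % 250}:{40000 + i}" for i in range(1000)]
    print("verification split:", distribution(orch, "HTTP", flows, now))
    devices["waf-2"].weight = 100  # verification passed: cut all traffic over to waf-2
    devices["waf-1"].weight = 0
    print("after cutover:     ", distribution(orch, "HTTP", flows, now))
    devices["waf-2"].last_heartbeat = now - 10  # waf-2 stops answering heartbeats
    try:
        orch.route("HTTP", flows[0], now)
    except RuntimeError as err:
        print("fail closed:", err)
```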
FIG. 2 is a schematic diagram of the security verification system in an embodiment of the present application. As shown in FIG. 2, by introducing at the Internet boundary a load balancing device with SSL traffic orchestration (abbreviated "SSLO") function and deploying the WAFs as a pooled resource, the primary-standby deployment mode of the security devices is changed into a pooled cluster deployment, so that multiple security devices can provide security detection services simultaneously.
To support security detection during sudden traffic surges, the Internet entrance network architecture is optimised around the requirement that security devices can be rapidly scaled out horizontally, and the architecture satisfies the following operation and maintenance scenarios:
(1) Rapid horizontal capacity expansion and seamless device upgrades are supported;
(2) The security resource pool can rapidly isolate faulty devices and improve device resource utilisation;
(3) Heterogeneous security devices improve the security detection capability;
(4) Refined service traffic is dynamically orchestrated, supporting more complex security scenarios.
FIG. 3 is a schematic deployment diagram of load balancing in an embodiment of the present application. As shown in FIG. 3, behind the enterprise Internet entrance firewall at least two SSLOs are deployed and load-balanced to form a resource pool; the SSLOs SSL-offload the request message according to preset traffic forwarding rules and forward it to a security device in the security resource pool. After the security device finishes processing, it returns the packet to the SSLO, and the SSLO forwards the packet to the WEB server. For the setting of the traffic forwarding rules, the SSLO has a security policy under which traffic can be identified and orchestrated once configured: if the WEB protocol is configured to correspond to a service chain (WAF), WEB-protocol traffic flows to the WAF service chain. Secondly, in the F5 deployment architecture the onward forwarding from the SSLO to the server is realised over a TCP connection; after SNAT, the Internet IP is changed to SNAT_ip when accessing the back-end server, so the back-end server sees the access as coming from the load balancer and returns to it, and F5 has an autolasthop feature that records the last hop; using this feature, F5 can ensure that the forward and return paths are consistent without configuring packet routes.
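The six-step forwarding process above and the SNAT / last-hop mechanism just described are traced hop by hop in the following added example; it is not code from the patent or from F5. All IP addresses are constructed (RFC 5737 documentation and RFC 1918 private ranges), the hop names are illustrative, and the WAF check is a placeholder rule.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Constructed addresses (RFC 5737 documentation range and RFC 1918 private ranges).
CLIENT_IP = "203.0.113.7"
PUBLIC_IP = "198.51.100.10"    # Internet IP exposed by the firewall mapping
FRONT_LB_IP = "10.1.0.10"      # load balancer in front of the SSLOs
SSLO_CHAIN_IP = "10.2.0.20"    # SSLO service-chain IP
SNAT_IP = "10.3.0.5"           # the SNAT_ip the back end sees
BACK_LB_IP = "10.4.0.10"       # load balancer in front of the web servers
WEB_IP = "10.5.0.80"           # final WEB server


@dataclass
class Hop:
    """One element on the path; may rewrite dst on ingress (DNAT) or src on egress (SNAT)."""
    name: str
    dnat: dict[str, str] = field(default_factory=dict)
    snat: str | None = None
    inspect: Callable[[str], bool] | None = None   # security-device verdict, True = pass
    last_hop: dict[tuple[str, str], str] = field(default_factory=dict)

    def forward(self, prev: str, src: str, dst: str) -> tuple[str, str]:
        src = self.snat or src
        dst = self.dnat.get(dst, dst)
        # Remember where the translated flow came from so the reply can go back
        # the same way without a static return route (autolasthop-style record).
        self.last_hop[(src, dst)] = prev
        return src, dst


def demo_waf_rule(request_line: str) -> bool:
    """Placeholder WAF check: reject over-long request lines or control characters."""
    return len(request_line) <= 4096 and request_line.isprintable()


def build_path(waf_rule: Callable[[str], bool]) -> list[Hop]:
    """Hops for steps (1)-(5): firewall NAT, front LB, SSLO, WAF, back LB, web server."""
    return [
        Hop("firewall", dnat={PUBLIC_IP: FRONT_LB_IP}),
        Hop("front-lb", dnat={FRONT_LB_IP: SSLO_CHAIN_IP}),
        Hop("sslo", dnat={SSLO_CHAIN_IP: BACK_LB_IP}, snat=SNAT_IP),  # SSL offload not modelled
        Hop("waf-1", inspect=waf_rule),
        Hop("back-lb", dnat={BACK_LB_IP: WEB_IP}),
        Hop("web-server"),
    ]


def trace(path: list[Hop], client: str, request_line: str) -> dict:
    """Walk the request forward, then derive the reply path of step (6) from the trail."""
    src, dst, prev = client, PUBLIC_IP, "client"
    request_path = [("client", src, dst)]
    verdict = "pass"
    for hop in path:
        if hop.inspect is not None and not hop.inspect(request_line):
            verdict = f"blocked by {hop.name}"
            request_path.append((hop.name, src, dst))  # the reply is generated here
            break
        src, dst = hop.forward(prev, src, dst)
        request_path.append((hop.name, src, dst))
        prev = hop.name
    # The response retraces the recorded path hop by hop from the last hop reached.
    response_path = [name for name, _, _ in reversed(request_path)]
    return {
        "verdict": verdict,
        "request_path": request_path,
        "response_path": response_path,
        "server_sees_src": src if verdict == "pass" else None,
    }


if __name__ == "__main__":
    path = build_path(demo_waf_rule)
    ok = trace(path, CLIENT_IP, "GET /index.html HTTP/1.1")
    for hop, s, d in ok["request_path"]:
        print(f"{hop:>10}: {s} -> {d}")
    print("response:", " <- ".join(ok["response_path"]))
    bad = trace(path, CLIENT_IP, "GET /\x00 HTTP/1.1")  # constructed malformed request line
    print(bad["verdict"], "| response:", " <- ".join(bad["response_path"]))
```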
Fig. 4 is a flowchart of a security verification method for accessing a Web server according to an embodiment of the present application. As shown in Fig. 4, the method includes:
S402, receiving an access request from a client to a Web server, and distributing the request through load balancing equipment to a traffic orchestrator based on the secure socket layer protocol SSL, wherein the access request is used for accessing the Web server;
S404, forwarding the access request to a security resource pool through the traffic orchestrator, wherein a plurality of security devices are deployed in the security resource pool;
S406, carrying out security detection on the access request based on a target security device among the plurality of security devices, and forwarding the access request to the target Web server after the security detection is passed.
In the security verification method, an access request from a client to a Web server is received, and the request is distributed through load balancing equipment to a traffic orchestrator based on the secure socket layer protocol SSL, wherein the access request is used for accessing the Web server. The access request is then forwarded to a security resource pool through the traffic orchestrator, wherein a plurality of security devices are deployed in the security resource pool. Finally, security detection is carried out on the access request based on a target security device among the plurality of security devices, and after the security detection is passed the access request is forwarded to the target Web server. In this way, high-concurrency service requests are processed by a plurality of security devices, the processing efficiency of service data is improved, and malicious Internet requests are detected and blocked in real time. This solves the technical problem in the related art that, because security devices are deployed in a serial (in-line) manner, service data processing efficiency is low and the detection requirement during service peak periods cannot be met.
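The following simulation, added here as an illustration and not code from the patent or its applicant, models steps S402 to S406 end to end: a load balancer spreads requests over two SSL orchestrators, each orchestrator offloads TLS and walks the service chain configured for the request's protocol, and the security resource pool hands out only healthy devices of the requested kind (the fault-isolation requirement above). The device names, the service-chain rule format, the WAF signatures and the IPS source blocklist are all constructed assumptions.

```python
"""Simulated load balancer -> SSL orchestrator -> security resource pool -> Web server.
Constructed example; device names, rules and signatures are assumptions, not the patent's."""
from dataclasses import dataclass, field
from itertools import cycle
import re

# Detection signatures used by the simulated WAF (constructed, illustrative only).
WAF_SIGNATURES = {
    "xss": re.compile(r"<\s*script", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b"),
}


@dataclass
class AccessRequest:
    client_ip: str
    protocol: str            # "HTTPS" on arrival; "HTTP" once the SSLO has offloaded TLS
    path: str
    body: str = ""
    trace: list = field(default_factory=list)   # names of the devices the request traversed


@dataclass
class SecurityDevice:
    name: str
    kind: str                # "WAF" or "IPS" in this simulation
    healthy: bool = True

    def inspect(self, req):
        """Return None when the request passes, otherwise the name of the matching rule."""
        req.trace.append(self.name)
        if self.kind == "WAF":
            text = req.path + "\n" + req.body
            for rule, pattern in WAF_SIGNATURES.items():
                if pattern.search(text):
                    return rule
        # The simulated IPS only checks a constructed blocklist of source addresses.
        if self.kind == "IPS" and req.client_ip.startswith("203.0.113."):
            return "blocked-source"
        return None


class SecurityResourcePool:
    """Security devices pooled by kind; unhealthy devices are skipped (fault isolation)."""

    def __init__(self, devices):
        self.devices = list(devices)

    def pick(self, kind):
        for dev in self.devices:
            if dev.kind == kind and dev.healthy:
                return dev
        raise RuntimeError(f"no healthy {kind} device in the resource pool")


class WebServer:
    def __init__(self, name):
        self.name = name

    def handle(self, req):
        req.trace.append(self.name)
        return {"status": 200, "served": req.path}


class SSLOrchestrator:
    """Offloads TLS, then steers the request along the service chain for its protocol."""

    # Traffic forwarding rule: protocol -> ordered list of device kinds (the service chain).
    SERVICE_CHAINS = {"HTTP": ["WAF", "IPS"]}

    def __init__(self, name, pool, web_server):
        self.name, self.pool, self.web_server = name, pool, web_server

    def offload(self, req):
        if req.protocol == "HTTPS":
            req.protocol = "HTTP"    # plaintext from here on, so the WAF can read the request

    def process(self, req):
        req.trace.append(self.name)
        self.offload(req)
        for kind in self.SERVICE_CHAINS.get(req.protocol, ["IPS"]):
            verdict = self.pool.pick(kind).inspect(req)
            if verdict is not None:
                return {"action": "blocked", "by": req.trace[-1], "rule": verdict, "trace": req.trace}
        resp = self.web_server.handle(req)
        return {"action": "forwarded", "response": resp, "trace": req.trace}


class LoadBalancer:
    """Distributes incoming requests round-robin over at least two orchestrators."""

    def __init__(self, orchestrators):
        self._next = cycle(orchestrators)

    def dispatch(self, req):
        return next(self._next).process(req)


def build_demo():
    """Two SSLOs in front of a pool with two WAFs and one IPS (constructed topology)."""
    pool = SecurityResourcePool([
        SecurityDevice("waf-1", "WAF"), SecurityDevice("waf-2", "WAF"),
        SecurityDevice("ips-1", "IPS"),
    ])
    web = WebServer("web-1")
    lb = LoadBalancer([SSLOrchestrator("sslo-1", pool, web),
                       SSLOrchestrator("sslo-2", pool, web)])
    return lb, pool
```

Marking `waf-1` unhealthy makes the pool route the next request to `waf-2` without any change to the orchestrator's rule, which is the behaviour requirement (2) asks for; a request blocked by the WAF never reaches the IPS or the Web server, so its trace ends at the blocking device.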
In order to protect the intranet network address IP of the target Web server, in some embodiments of the present application, receiving an access request from a client to the Web server may be implemented as follows: the intranet IP of the target Web server is converted into a public network IP, and only the public IP is exposed to the client; the access request of the client to the public IP is then received.
As an optional implementation, the access request sent by the client to the Web server may directly target a Web application. The target Web server parses the access request, determines the Web application the client intends to access, obtains the processing result of the Web application for the access request, and returns the processing result to the client.
In order to facilitate data tracing, in some optional embodiments of the present application, returning the processing result to the client includes: backtracking the forwarding path of the access request that was recorded while the access request was being received; and returning the processing result to the client along that forwarding path. In other words, the target Web server records the path over which the service request arrived during the receiving stage and returns the data requested by the client along the same path. This not only ensures that the access result corresponding to each client's access request is accurately returned to that client, but also facilitates data tracing and management by operation and maintenance personnel later on.
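The three optional embodiments above (exposing only a public IP, SNAT toward the back-end server as described for Fig. 3, and returning the result along the recorded forwarding path) are modelled by the following simulation. It is an added example, not code from the patent or its applicant; the addresses, the per-connection SNAT table and the device names are constructed assumptions.

```python
"""Public-IP exposure, SNAT on the orchestrator and reply delivery along the recorded
forward path. Constructed example; all addresses and names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    hops: list = field(default_factory=list)   # devices traversed on the way in, in order


class NatModule:
    """Maps the Web server's intranet IP to the single public IP the client may see."""
    name = "nat"

    def __init__(self, public_ip, intranet_ip):
        self.public_ip, self.intranet_ip = public_ip, intranet_ip

    def forward(self, pkt):
        if pkt.dst != self.public_ip:
            raise ValueError("destination is not the exposed public IP")
        pkt.dst = self.intranet_ip        # the client never learns the intranet address
        pkt.hops.append(self)

    def reverse(self, pkt):
        pkt.src = self.public_ip          # replies leave with the public address as source


class Orchestrator:
    """SNATs the client address so the server answers to the orchestrator, not the client."""

    def __init__(self, name, snat_ip):
        self.name, self.snat_ip = name, snat_ip
        self.connections = {}             # SNAT port -> original client address
        self._next_port = 40000

    def forward(self, pkt):
        port, self._next_port = self._next_port, self._next_port + 1
        self.connections[port] = pkt.src
        pkt.src = f"{self.snat_ip}:{port}"
        pkt.hops.append(self)

    def reverse(self, pkt):
        # Undo SNAT: the reply addressed to our SNAT port goes back to the recorded client.
        _, port = pkt.dst.rsplit(":", 1)
        pkt.dst = self.connections.pop(int(port))


class WebServer:
    def __init__(self, intranet_ip):
        self.intranet_ip = intranet_ip
        self.seen_sources = []            # what the server believes the client address is

    def handle(self, pkt):
        self.seen_sources.append(pkt.src)
        # The reply is addressed to the source the server saw, i.e. the SNAT address, so it
        # returns to the orchestrator that forwarded it (the last-hop consistency of Fig. 3).
        return Packet(src=self.intranet_ip, dst=pkt.src,
                      payload=f"200 OK for {pkt.payload}", hops=list(pkt.hops))


def round_trip(client_ip, public_ip, devices, server, payload):
    """Send one request through `devices` in order and return (reply, return_path)."""
    pkt = Packet(src=client_ip, dst=public_ip, payload=payload)
    for dev in devices:
        dev.forward(pkt)
    reply = server.handle(pkt)
    return_path = []
    for dev in reversed(reply.hops):      # backtrack the recorded forwarding path
        dev.reverse(reply)
        return_path.append(dev.name)
    return reply, return_path
```

After the round trip the reply carries the public IP as its source and the original client as its destination, the server has only ever seen the SNAT address, and the orchestrator's connection table is empty again, which is the property an operator would check when verifying that return traffic cannot bypass the security chain.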
According to another aspect of the embodiments of the present application, there is further provided a nonvolatile storage medium, where the storage medium includes a stored program, and when the program runs, the device in which the storage medium is located is controlled to execute any one of the security verification methods for accessing the Web server.
Specifically, the storage medium is configured to store program instructions for the following functions, and implement the following functions:
receiving an access request from a client to a Web server, distributing the request to a traffic orchestrator based on a secure socket layer protocol SSL through load balancing equipment, wherein the access request is used for accessing the Web server, forwarding the access request to a secure resource pool through the traffic orchestrator, and deploying a plurality of secure devices in the secure resource pool; and carrying out security detection on the access request based on a target security device in the plurality of security devices, and forwarding the access request to the target Web server after the security detection is passed.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In an exemplary embodiment of the present application, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements any one of the security verification methods for accessing a Web server described above.
Optionally, the computer program may, when executed by a processor, implement the steps of:
receiving an access request from a client to a Web server, distributing the request to a traffic orchestrator based on a secure socket layer protocol SSL through load balancing equipment, wherein the access request is used for accessing the Web server, forwarding the access request to a secure resource pool through the traffic orchestrator, and deploying a plurality of secure devices in the secure resource pool; and carrying out security detection on the access request based on a target security device in the plurality of security devices, and forwarding the access request to the target Web server after the security detection is passed.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement any one of the security verification methods for accessing the Web server.
Optionally, the electronic device may further include a transmission device and an input/output device, where both the transmission device and the input/output device are connected to the processor.
The foregoing embodiment numbers of the present application are merely for description, and do not represent advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application. It should be noted that modifications and adaptations may be made by those skilled in the art without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.

Claims (13)

1. A security verification system for accessing a Web server, comprising:
load balancing equipment, configured to receive an access request from a client and distribute the request to a traffic orchestrator based on the secure socket layer protocol SSL, wherein the access request is used for accessing a Web server;
the traffic orchestrator, configured to receive the access request forwarded by the load balancing equipment and distribute the access request to a security device, wherein one end of the traffic orchestrator is connected with the load balancing equipment;
and a security resource pool, connected with the other end of the traffic orchestrator, wherein a plurality of security devices are arranged in the security resource pool, at least one of the security devices is configured to carry out security detection on the access request, and after the security detection is passed, the access request is forwarded to a target Web server corresponding to the access request.
2. The security verification system of claim 1, wherein the traffic orchestrator is further configured to send the access request to the security device after SSL offloading the access request.
3. The security verification system according to claim 1, wherein the security device is further configured to return the access request to the traffic orchestrator after the access request passes the security detection, forward the access request to the target Web server by the traffic orchestrator, and return a processing result corresponding to the access request to the client.
4. The security verification system according to claim 3, wherein the target Web server is configured to parse the access request, determine a Web application to be accessed by the client, obtain a processing result of the Web application on the access request, and return the processing result to the client.
5. A security verification system according to claim 3, wherein the target Web server is configured to determine a forwarding path of the access request during receipt of the access request, and return the processing result to the client based on the forwarding path.
6. The security verification system of claim 1, wherein the security resource pool deploys a plurality of security devices of different types in a pooled manner using a transparent bridge and a reverse proxy.
7. The security verification system of claim 1, wherein the security verification system further comprises: and the network address conversion module is used for converting the intranet network address IP of the Web server into the public network address IP.
8. A security verification method for accessing a Web server, comprising:
receiving an access request from a client to a Web server, and distributing the request through load balancing equipment to a traffic orchestrator based on the secure socket layer protocol SSL, wherein the access request is used for accessing the Web server;
forwarding the access request to a security resource pool through the traffic orchestrator, wherein a plurality of security devices are deployed in the security resource pool in a pooled manner;
and carrying out security detection on the access request based on a target security device in the plurality of security devices, and forwarding the access request to a target Web server after the security detection is passed.
9. The security verification method of claim 8, wherein receiving an access request from a client to a Web server comprises:
converting the intranet network address IP of the target Web server into a public network address IP, and exposing the public network IP to the client;
and receiving the access request of the client to the public network IP.
10. The security verification method according to claim 8, wherein the target Web server is configured to parse the access request, determine a Web application to be accessed by the client, obtain a processing result of the Web application on the access request, and return the processing result to the client.
11. The security verification method according to claim 10, wherein returning the processing result to the client comprises:
backtracking a forwarding path of the access request in the process of receiving the access request;
and returning the processing result to the client based on the forwarding path.
12. A non-volatile storage medium, characterized in that the storage medium comprises a stored program, wherein when the program is run, the device in which the storage medium is located is controlled to execute the security verification method for accessing a Web server according to any one of claims 8 to 11.
13. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the security verification method for accessing a Web server as claimed in any one of claims 8 to 11.
CN202310488643.4A 2023-04-28 2023-04-28 Security verification system and security verification method for accessing Web server Pending CN116418595A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310488643.4A CN116418595A (en) 2023-04-28 2023-04-28 Security verification system and security verification method for accessing Web server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310488643.4A CN116418595A (en) 2023-04-28 2023-04-28 Security verification system and security verification method for accessing Web server

Publications (1)

Publication Number Publication Date
CN116418595A true CN116418595A (en) 2023-07-11

Family

ID=87049443

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310488643.4A Pending CN116418595A (en) 2023-04-28 2023-04-28 Security verification system and security verification method for accessing Web server

Country Status (1)

Country Link
CN (1) CN116418595A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117544424A (en) * 2024-01-09 2024-02-09 万洲嘉智信息科技有限公司 Multi-protocol intelligent park management and control platform based on ubiquitous connection
CN117544424B (en) * 2024-01-09 2024-03-15 万洲嘉智信息科技有限公司 Multi-protocol intelligent park management and control platform based on ubiquitous connection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination