CN116743460A - Data exchange isolation method, system, equipment and storage medium for internal and external network - Google Patents


Info

Publication number: CN116743460A
Authority: CN (China)
Prior art keywords: data, data exchange, identity, isolation, key
Legal status: Pending
Application number: CN202310710060.1A
Other languages: Chinese (zh)
Inventors: 关彩云, 马洪来
Current Assignee: Wuhan Lingyun Xintong Technology Co ltd
Original Assignee: Wuhan Lingyun Xintong Technology Co ltd


Abstract

The invention discloses a data exchange isolation method, system, device and storage medium for an internal and external network, and relates to the technical field of data security. The method comprises the following steps: acquiring a service request for data transmission and sending its identity data to an isolation end; after receiving the identity data, the isolation end retrieves the identity verification data corresponding to the identity data, compares the two to generate a comparison result, matches the data exchange authority associated with the service request type according to the comparison result, generates an authentication verification code and a random number, sends an identity authentication request to the external network data end, and verifies the consistency of the data exchange key against the data exchange confirmation key; after the identity authentication passes, the data exchange key is established between the external network data end and the isolation end, and the transmission channel between the internal and external networks is established through that key. The method addresses the security risks of internal and external network data exchange in the prior art and the limitations of conventional solutions.

Description

Data exchange isolation method, system, equipment and storage medium for internal and external network
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, a system, an apparatus, and a storage medium for data exchange isolation between an intranet and an extranet.
Background
With the rapid development of information technology, data exchange between the internal and external networks has become an important activity for enterprises and organizations: the intranet stores and processes sensitive data, core business systems and internal resources, while the extranet provides a platform for communication and interaction with partners, clients and other external entities. However, data exchange between the internal and external networks faces serious security risks and challenges. The external network sits on a public network and is exposed to threats such as malware, viruses, trojan programs and phishing; hackers and malicious actors exploit these threats to obtain sensitive information, damage systems or carry out other illegal activities, and data exchanges that are not properly protected may lead to the leakage and theft of sensitive data. An attacker may intercept data in transit or obtain sensitive information by listening to and sniffing the network, which can result in reputational damage to the enterprise, disclosure of commercial secrets, violations of personal privacy and similar harms. Data exchange between the internal and external networks also carries the risk of identity forgery and impersonation: an attacker may impersonate a legitimate user, device or system to gain unauthorized access, resulting in unauthorized data access, system intrusion or other malicious activity. Ensuring the integrity and trustworthiness of data during transmission between the intranet and the extranet is a further challenge, since an attacker can tamper with data content to manipulate or forge it, undermining its accuracy and reliability.
Although solutions such as firewalls, intrusion detection systems, encryption techniques and access control mechanisms exist to address these challenges, they still have drawbacks and limitations. Traditional protection measures generally provide only a single level of protection and cannot comprehensively cope with complex and diverse attack methods, so an attacker can bypass the protection mechanism. Traditional security measures require complex configuration and management, and configuration errors or untimely maintenance occur easily, increasing the security risk. Traditional encryption technology focuses mainly on data confidentiality and is limited in protecting data integrity; in data exchange between the internal and external networks, encryption alone cannot effectively prevent data tampering and impersonation. Conventional access control mechanisms often lack flexibility and fine-grained control and cannot meet the requirements of different intranet-extranet interaction scenarios, which may lead to over-restrictive or insufficient access control policies and thereby affect the security of data exchange.
Thus, current intranet and extranet data exchange presents security risks and challenges, while traditional solutions present some limitations in addressing these issues; it is necessary to develop a more comprehensive and efficient method to realize the isolation and security protection of the data exchange between the internal and external networks, so as to solve the problems existing in the prior art.
Disclosure of Invention
The embodiments below are intended to address the security risks and challenges of internal and external network data exchange in the prior art, and the limitations of conventional solutions in addressing them.
In a first aspect, an embodiment of the present invention provides a data exchange isolation method for an internal and external network, applied to a data exchange isolation system for an internal and external network, where the system includes an internal network data end, an isolation end and an external network data end, and the internal network data end is connected to the external network data end through the isolation end; the method includes:
the intranet data end obtains a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to the isolation end;
the isolation end receives the identity data, retrieves the identity verification data corresponding to the identity data, compares the identity verification data with the identity data and generates a comparison result; matches the data exchange permission associated with the service request type according to the comparison result and generates an authentication verification code and a random number according to the data exchange permission; generates a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sends an identity authentication request to the external network data end;
the external network data end receives the identity authentication request and sends a data exchange confirmation key to the isolation end according to the identity authentication request;
after the isolation end receives the data exchange confirmation key, it verifies whether the data exchange key is consistent with the data exchange confirmation key, and sends a data exchange key request to the external network data end when the two are verified to be consistent;
the external network data end receives the data exchange key request and sends the data exchange key to the isolation end;
the isolation end receives the data exchange key, acquires the service request from the intranet data end, verifies the correspondence between the service request and the data request type corresponding to the data exchange authority, and establishes the transmission channel between the intranet and the extranet through the data exchange key after determining that the service request corresponds to the data request type.
Preferably, the data exchange authority associated with the service request type is matched according to the comparison result, and the authentication verification code and the random number are generated according to the data exchange authority, including:
after the comparison result is obtained, matching the data exchange authorities of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to one data management key; generating a verification code and generating a random number according to each data management key.
Preferably, before the step of acquiring the service request of the data transmission by the intranet data end, the method further comprises:
Setting a service type configuration strategy by the isolation end;
the intranet data end sets corresponding service type allocation rules according to the service type allocation strategy and in combination with the multi-source heterogeneous data to be exchanged;
the isolation end configures the service request type according to the service type allocation rule.
In a second aspect, an embodiment of the present invention provides a data exchange isolation method for an internal and external network, where the data exchange isolation method is applied to a data exchange isolation system for an internal and external network, the system includes an internal network data end and an isolation end, and the isolation end is connected with the external network data end, where the method includes:
the intranet data end obtains a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to the isolation end;
the isolation end receives the identity data, retrieves the identity verification data corresponding to the identity data, compares the identity verification data with the identity data and generates a comparison result; matches the data exchange permission associated with the service request type according to the comparison result and generates an authentication verification code and a random number according to the data exchange permission; generates a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sends an identity authentication request to the external network data end;
the external network data end receives the identity authentication request and sends a data exchange confirmation key to the isolation end according to the identity authentication request;
the isolation end receives the data exchange confirmation key sent by the external network data end, verifies whether the data exchange key is consistent with the data exchange confirmation key, and sends a data exchange key request to the external network data end when the two are verified to be consistent;
the isolation end receives the data exchange key sent by the external network data end in response to the data exchange key request, acquires the service request from the internal network data end, verifies the correspondence between the service request and the data request type corresponding to the data exchange authority, and establishes the transmission channel between the internal and external networks through the data exchange key after determining that the service request corresponds to the data request type.
Preferably, the data exchange authority associated with the service request type is matched according to the comparison result, and the authentication verification code and the random number are generated according to the data exchange authority, including:
after the comparison result is obtained, matching the data exchange authorities of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to one data management key;
generating a verification code and generating a random number according to each data management key.
Preferably, before the step of acquiring the service request of the data transmission by the intranet data end, the method further comprises:
Setting a service type configuration strategy by the isolation end;
the intranet data end sets corresponding service type allocation rules according to the service type allocation strategy and in combination with the multi-source heterogeneous data to be exchanged;
the isolation end configures the service request type according to the service type allocation rule.
In a third aspect, an embodiment of the present invention provides a data exchange isolation system for an internal and external network, where the system includes an internal network data end, an isolation end and an external network data end, and the internal network data end is connected to the external network data end through the isolation end;
the intranet data end is used for acquiring a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to the isolation end;
the isolation end is used for receiving the identity data, retrieving the identity verification data corresponding to the identity data, comparing the identity verification data with the identity data and generating a comparison result; matching the data exchange permission associated with the service request type according to the comparison result and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sending an identity authentication request to the external network data end;
the external network data end is used for receiving the identity authentication request and sending a data exchange confirmation key to the isolation end according to the identity authentication request;
the isolation end is used for verifying, after receiving the data exchange confirmation key, whether the data exchange key is consistent with the data exchange confirmation key, and for sending a data exchange key request to the external network data end when the two are verified to be consistent;
the external network data end is used for receiving the data exchange key request and sending the data exchange key to the isolation end;
the isolation end is used for receiving the data exchange key, acquiring the service request from the intranet data end, verifying the correspondence between the service request and the data request type corresponding to the data exchange authority, and establishing the transmission channel between the intranet and the extranet through the data exchange key after determining that the service request corresponds to the data request type.
Preferably, the isolation end comprises a random number module, which is used for matching the data exchange authority of the corresponding service type partition according to a preset registry after the comparison result is obtained, wherein each service type partition corresponds to one data management secret key; generating a verification code and generating a random number according to each data management key.
In a fourth aspect, an embodiment of the present invention provides a computer device, including a memory and a processor that are communicatively connected, where the memory is configured to store a computer program, and the processor is configured to read the computer program and execute the data exchange isolation method of the intranet and the extranet according to the foregoing embodiment.
In a fifth aspect, an embodiment of the present invention proposes a computer readable storage medium, on which instructions are stored, which when executed on a computer, perform a data exchange isolation method for an intranet and extranet as proposed in the above embodiment.
The beneficial effects are as follows. The intranet data end first acquires a service request for data transmission and sends the identity data to the isolation end. After receiving the identity data, the isolation end retrieves the identity verification data corresponding to the identity data and compares the two to generate a comparison result. The isolation end matches the data exchange authority associated with the service request type according to the comparison result and generates an authentication verification code and a random number. The isolation end sends an identity authentication request to the external network data end and verifies the consistency of the data exchange key against the data exchange confirmation key; after the identity authentication passes, the data exchange key is established between the external network data end and the isolation end, and the transmission channel between the internal and external networks is established through that key. This addresses the security risks and challenges of internal and external network data exchange in the prior art and the limitations of conventional solutions in addressing them.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a flowchart of a data exchange isolation method of an internal and external network according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a functional module of a data exchange isolation system of an internal and external network according to an embodiment of the present invention;
fig. 3 is a schematic functional block diagram of another data exchange isolation system for an intranet and extranet according to an embodiment of the present invention.
Detailed Description
In order to more clearly illustrate the embodiments of the invention or the solutions of the prior art, the invention will be briefly described below with reference to the accompanying drawings and the description of the embodiments or the prior art, it being apparent that the following description of the structure of the drawings is only some embodiments of the invention and that other drawings can be obtained from these drawings by a person skilled in the art without inventive effort. The description of the embodiments is provided to assist understanding of the present invention, but is not intended to limit the present invention.
Referring to fig. 1, in a first aspect, a method for data exchange isolation between an internal network and an external network according to an embodiment of the present invention is applied to a data exchange isolation system between the internal network and the external network, where the system includes an internal network data end, an isolation end and an external network data end, and the internal network data end is connected to the external network data end through the isolation end. The data exchange isolation system of the intranet and the extranet may be executed by, but is not limited to, a computer device with certain computing resources, for example a personal computer (PC, a multipurpose computer whose size, price and performance suit personal use, including desktops, notebooks, small notebooks, tablets and ultrabooks), a smart phone, a personal digital assistant (PAD), or an electronic device such as a platform server.
The storage end comprises a main board, a memory and an external data exchange module, where the external data exchange module and the memory are each connected to the main board, and an encryption and decryption unit and an identity data read-only memory unit are arranged in the memory. The method comprises the following steps: the intranet data end acquires a service request for data transmission, where the service request comprises identity data, and sends the identity data to the isolation end; the isolation end receives the identity data, retrieves the identity verification data corresponding to the identity data, compares the identity verification data with the identity data and generates a comparison result; matches the data exchange permission associated with the service request type according to the comparison result and generates an authentication verification code and a random number according to the data exchange permission; generates a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sends an identity authentication request to the external network data end; the external network data end receives the identity authentication request and sends a data exchange confirmation key to the isolation end according to the identity authentication request; after the isolation end receives the data exchange confirmation key, it verifies whether the data exchange key is consistent with the data exchange confirmation key, and sends a data exchange key request to the external network data end when the two are verified to be consistent; the external network data end receives the data exchange key request and sends the data exchange key to the isolation end; the isolation end receives the data exchange key, acquires the service request from the intranet data end, verifies the correspondence between the service request and the data request type corresponding to the data exchange authority, and establishes the transmission channel between the intranet and the extranet through the data exchange key after determining that the service request corresponds to the data request type. This addresses the security risks and challenges of internal and external network data exchange in the prior art and the limitations of conventional solutions in addressing them.
It should be understood that the foregoing execution subject does not limit the embodiments of the present application, and accordingly, the operation steps of the method may be, but not limited to, those shown in the following steps S11 to S16.
In a first aspect, an embodiment of the present application provides a data exchange isolation method for an internal and external network, applied to a data exchange isolation system for an internal and external network, where the system includes an internal network data end, an isolation end and an external network data end, and the internal network data end is connected to the external network data end through the isolation end; the method includes:
step S11, an intranet data end acquires a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to an isolation end;
the intranet data terminal can acquire the service request through a network interface or other appropriate modes; the identity data may include identity information of the user, such as a user name, a password, or other authentication credentials, and the intranet data side sends the identity data to the quarantine side through a network connection. In this embodiment, the intranet data end may receive the service request through a network interface or other suitable manner, for example, the intranet data end may relate to implementing service logic in the intranet application program to generate the service request; the intranet data end extracts identity data such as a user name, a password or other identity verification credentials from the service request; at the same time, identity data is transmitted to the quarantine end using the appropriate protocol and network connection.
Step S12, the isolation end receives the identity data, retrieves the identity verification data corresponding to the identity data, compares the identity verification data with the identity data and generates a comparison result; matches the data exchange permission associated with the service request type according to the comparison result and generates an authentication verification code and a random number according to the data exchange permission; generates a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sends an identity authentication request to the external network data end;
after the isolation end receives the identity data sent by the intranet data end, it can retrieve the identity verification data stored in an internal database or other identity verification system according to that identity data. The isolation end compares the retrieved identity verification data with the received identity data to generate a comparison result that verifies the accuracy of the identity data. According to the comparison result, the isolation end looks up the data exchange authority associated with the service request type; the data exchange authority may be an access rule or permission control list pre-configured in the system, and determines which data may be exchanged between the intranet and the extranet. The isolation end generates an authentication verification code and a random number according to the data exchange authority, and these values serve to protect the security and integrity of the data exchange; then, according to a preset algorithm, the isolation end generates a data exchange key using the authentication verification code and the random number. At the same time, the isolation end sends an identity authentication request to the external network data end so as to further verify whether the data exchange rule is satisfied between the isolation end and the internal network data end.
Step S13, the external network data end receives the identity authentication request and sends a data exchange confirmation secret key to the isolation end according to the identity authentication request;
after the external network data end receives the identity authentication request from the isolation end, it can perform identity authentication according to the identity data in the request; after the verification succeeds, the external network data end sends the data exchange confirmation key to the isolation end. The data exchange confirmation key is a value associated with the data exchange key and is used to further verify the validity and integrity of the data exchange.
Step S14, after the isolation end receives the data exchange confirmation key, verifying whether the data exchange key is consistent with the data exchange confirmation key, and when the data exchange key is verified to be consistent with the data exchange confirmation key, sending a data exchange key request to the external network data end;
after the isolation end receives the data exchange confirmation key, the isolation end verifies whether the data exchange key is consistent with the data exchange confirmation key, and when the data exchange key is verified to be consistent with the data exchange confirmation key, the isolation end can confirm the validity of the data exchange. The isolation end compares the received data exchange secret key with the data exchange confirmation secret key to ensure that the two secret keys are matched; after confirming the matching, a data exchange key request is sent to the data end of the external network.
Step S15, the external network data terminal receives the data exchange key request and sends the data exchange key to the isolation terminal;
after receiving the data exchange key request from the isolation end, the external network data end can generate the data exchange key and send it to the isolation end, once it has confirmed that the identity authentication and the data exchange confirmation key check have passed. The data exchange key is generated using a predetermined algorithm and will be used to encrypt and decrypt the data transmitted between the internal and external networks.
Step S16, the isolation end receives the data exchange key, acquires the service request from the intranet data end, verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and establishes the intranet and extranet transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
After the isolation end receives the data exchange key sent by the data end of the external network, the isolation end can be used for establishing a transmission channel between the internal network and the external network. The isolation end sends a request to the intranet data end to acquire data related to the service request. After the service request is acquired, the isolation end verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and ensures that the service request accords with a preset data exchange rule. Once the service request is confirmed to correspond to the data request type, the isolation end establishes a transmission channel of the internal and external networks by using the data exchange key generated before. The transmission channel is used for safely transmitting data and ensuring the data exchange isolation between the internal network and the external network.
In this embodiment, a service request for data transmission is obtained and its identity data is sent to the isolation end; after receiving the identity data, the isolation end retrieves the identity verification data corresponding to the identity data, compares the two to generate a comparison result, matches the data exchange authority associated with the service request type according to the comparison result, generates an authentication verification code and a random number, sends an identity authentication request to the external network data end, and verifies the consistency of the data exchange key against the data exchange confirmation key; after the identity authentication passes, the data exchange key is established between the external network data end and the isolation end, and the transmission channel between the internal and external networks is established through that key. The data exchange isolation system of the internal and external networks can thereby realize safe and reliable data exchange: identity verification, data exchange authority verification and encrypted communication together guarantee the validity and confidentiality of the data transmission, while the established transmission channel meets the data exchange requirements between the internal and external networks. The method addresses the security risks of internal and external network data exchange in the prior art and the limitations of conventional solutions.
Preferably, the data exchange authority associated with the service request type is matched according to the comparison result, and the authentication verification code and the random number are generated according to the data exchange authority, including:
After the comparison result is obtained, matching the data exchange authorities of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to one data management key; generating a verification code and generating a random number according to each data management key.
After the comparison result is obtained, the isolation end matches the data exchange permission of the corresponding service type partition according to a preset registry. The registry may be a data structure containing partitions of different traffic types and corresponding data management keys. The isolation end selects a corresponding service type partition according to the comparison result, and obtains a data management key associated with the partition; each service type partition has a corresponding data management key for encrypting and decrypting the data for that partition.
The isolation end uses the selected data management key to generate an authentication verification code and a random number, which can be realized by a cryptographically secure pseudo-random number generation algorithm; the generated authentication verification code and random number are used in the subsequent identity authentication and data exchange key generation process.
Preferably, before the step of acquiring the service request of the data transmission by the intranet data end, the method further comprises:
Setting a service type configuration strategy by the isolation end;
the isolation end formulates a service type configuration strategy according to the system requirement and the security strategy, wherein the strategy considers factors such as sensitivity, access authority, data classification and the like of different service types; the traffic type configuration policy may include defining a list of allowed traffic types, constraints, and security rules associated with each traffic type.
The intranet data end sets corresponding service type allocation rules according to the service type allocation strategy and in combination with the multi-source heterogeneous data to be exchanged;
the intranet data end formulates a corresponding service type distribution rule according to a service type configuration strategy and multi-source heterogeneous data to be exchanged; the traffic type assignment rules may be set based on factors such as the characteristics of the data source, the sensitivity level, security requirements, etc. For example, the data sources may be classified according to their IP address, data format, data labels, etc., and different data sources may be assigned to corresponding traffic type partitions.
The isolation end configures the service request type according to the service type allocation rule.
The isolation terminal allocates a request type identifier or other modes to each service type according to the service type allocation rule set by the intranet data terminal to identify different service request types. Wherein the request type identifier may be a predefined number, string or code for identifying a specific service request type; the isolation end associates the service request with the corresponding service request type according to the allocation rule, and ensures the uniqueness and the safety of the request type.
In a second aspect, an embodiment of the present invention provides a data exchange isolation method for an internal and external network, where the data exchange isolation method is applied to a data exchange isolation system for an internal and external network, the system includes an internal network data end and an isolation end, and the isolation end is connected with the external network data end, where the method includes:
the intranet data end obtains a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to the isolation end;
the intranet data terminal can acquire the service request through a network interface or other appropriate modes; the identity data may include identity information of the user, such as a user name, a password, or other authentication credentials, and the intranet data side sends the identity data to the quarantine side through a network connection. In this embodiment, the intranet data end may receive the service request through a network interface or other suitable manner, for example, the intranet data end may relate to implementing service logic in the intranet application program to generate the service request; the intranet data end extracts identity data such as a user name, a password or other identity verification credentials from the service request; at the same time, identity data is transmitted to the quarantine end using the appropriate protocol and network connection.
The isolation end receives the identity data, invokes the identity verification data according to the identity data, compares the identity verification data with the identity data and generates a comparison result; matching data exchange permission associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange secret key according to an authentication verification code and a random number according to a preset algorithm, and sending an identity authentication request to an external network data terminal;
After the isolation end receives the identity data sent from the intranet data end, the identity verification data stored in the internal database or other identity verification systems can be called according to the identity data. The isolation end compares the received identity verification data with the identity data to generate a comparison result for verifying the accuracy of the identity data. According to the comparison result, the isolation end can search the data exchange authority associated with the service request type; the data exchange authority may be an access rule or a permission control list pre-configured in the system, and is used for determining which data can be exchanged between the intranet and the extranet. The isolation end generates an authentication verification code and a random number according to the data exchange authority, and the values can be used for ensuring the safety and the integrity of data exchange; then, according to a preset algorithm, the isolation end generates a data exchange secret key by using the authentication verification code and the random number; meanwhile, the isolation end sends an identity authentication request to the external network data end so as to further verify whether the data exchange rule is met between the isolation end and the internal network data end.
The external network data end receives the identity authentication request and sends a data exchange confirmation secret key to the isolation end according to the identity authentication request;
After the external network data end receives the identity authentication request from the isolation end, it can carry out identity authentication according to the identity data in the request; after the verification succeeds, the external network data end sends the data exchange confirmation key to the isolation end. The data exchange confirmation key is a value associated with the data exchange key and is used for further verifying the validity and integrity of the data exchange.
The isolation end receives the data exchange confirmation key sent by the external network data end, verifies whether the data exchange key is consistent with the data exchange confirmation key, and sends a data exchange key request to the external network data end when the data exchange key is verified to be consistent with the data exchange confirmation key;
after the isolation end receives the data exchange confirmation key, the isolation end verifies whether the data exchange key is consistent with the data exchange confirmation key, and when the data exchange key is verified to be consistent with the data exchange confirmation key, the isolation end can confirm the validity of the data exchange. The isolation end compares the received data exchange secret key with the data exchange confirmation secret key to ensure that the two secret keys are matched; after confirming the matching, a data exchange key request is sent to the data end of the external network.
The isolation end receives a data exchange key sent by the external network data end according to the data exchange key request, acquires a service request from the internal network data end, verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and establishes an internal and external network transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
After receiving the data exchange key request from the isolation end, the external network data end can generate the data exchange key and send it to the isolation end once it has confirmed that both the identity authentication and the data exchange confirmation key verification have passed. The data exchange key is generated using a predetermined algorithm and is used to encrypt and decrypt the data transmitted between the internal and external networks.
After the isolation end receives the data exchange key sent by the data end of the external network, the isolation end can be used for establishing a transmission channel between the internal network and the external network. The isolation end sends a request to the intranet data end to acquire data related to the service request. After the service request is acquired, the isolation end verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and ensures that the service request accords with a preset data exchange rule. Once the service request is confirmed to correspond to the data request type, the isolation end establishes a transmission channel of the internal and external networks by using the data exchange key generated before. The transmission channel is used for safely transmitting data and ensuring the data exchange isolation between the internal network and the external network.
In this embodiment, the data exchange isolation system of the internal and external networks can realize safe and reliable data exchange. Identity verification, data exchange authority verification and encrypted communication are used, the validity and confidentiality of data transmission are guaranteed, and meanwhile, the established transmission channel can meet the data exchange requirement between the internal network and the external network.
Preferably, the data exchange authority associated with the service request type is matched according to the comparison result, and the authentication verification code and the random number are generated according to the data exchange authority, including:
after the comparison result is obtained, matching the data exchange authorities of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to one data management key; generating a verification code and generating a random number according to each data management key.
After the comparison result is obtained, the isolation end matches the data exchange permission of the corresponding service type partition according to a preset registry. The registry may be a data structure containing partitions of different traffic types and corresponding data management keys. The isolation end selects a corresponding service type partition according to the comparison result, and obtains a data management key associated with the partition; each service type partition has a corresponding data management key for encrypting and decrypting the data for that partition.
The isolation end uses the selected data management key to generate an authentication verification code and a random number, which can be realized by a cryptographically secure pseudo-random number generation algorithm; the generated authentication verification code and random number are used in the subsequent identity authentication and data exchange key generation process.
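The steps S11 to S16 of the second aspect and the partition registry of the preceding paragraphs, worked as an added example (not code from the patent): three in-process parties exchange the messages in order, and the channel is established only when the identity comparison, the confirmation key check, the exchange key consistency check and the data request type check all pass. The HMAC-SHA-256 derivations, the PBKDF2 credential store and the sample registry are assumptions standing in for the "preset algorithm" and the stored identity verification data that the text leaves unspecified.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-demo-salt"   # constructed; use a random per-user salt in practice


def hash_credential(password: str) -> bytes:
    """Identity verification data kept at the isolation end (PBKDF2-SHA256, assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def verification_code(dmk: bytes, user: str, random_number: bytes) -> bytes:
    """Authentication verification code bound to the partition's data management key."""
    return hmac.new(dmk, user.encode() + random_number, hashlib.sha256).digest()


def derive_exchange_key(code: bytes, random_number: bytes) -> bytes:
    """The 'preset algorithm' (assumed): exchange key = HMAC(code, label || random)."""
    return hmac.new(code, b"data-exchange-key" + random_number, hashlib.sha256).digest()


def confirmation_key(exchange_key: bytes) -> bytes:
    """Data exchange confirmation key: derived from the exchange key, so the isolation
    end can check consistency without the exchange key itself crossing the boundary."""
    return hmac.new(exchange_key, b"confirm", hashlib.sha256).digest()


# Constructed registry: service type partition -> data management key (placeholder
# bytes) and the data request types its data exchange authority permits.
REGISTRY = {
    "report_sync": {"dmk": b"\x11" * 32, "allowed_types": {"REPORT_PULL"}},
    "ticket_feed": {"dmk": b"\x22" * 32, "allowed_types": {"TICKET_PUSH", "TICKET_PULL"}},
}


class ExtranetEnd:
    def __init__(self, registry):
        self.registry = registry
        self.exchange_keys = {}    # user -> data exchange key of an authenticated session

    def handle_identity_auth(self, request):
        """Step S13: authenticate the request, then answer with the confirmation key."""
        partition = self.registry.get(request["service_type"])
        if partition is None:
            return None
        expected = verification_code(partition["dmk"], request["user"], request["random_number"])
        if not hmac.compare_digest(expected, request["verification_code"]):
            return None            # code was not produced under this partition's key
        key = derive_exchange_key(request["verification_code"], request["random_number"])
        self.exchange_keys[request["user"]] = key
        return confirmation_key(key)

    def handle_key_request(self, user):
        """Step S15: release the data exchange key only for an authenticated session."""
        return self.exchange_keys.get(user)


class IsolationEnd:
    def __init__(self, credentials, registry, rng=secrets.token_bytes):
        self.credentials = credentials   # user -> hash_credential(password)
        self.registry = registry
        self.rng = rng                   # CSPRNG; injectable so tests are deterministic
        self.session = None

    def receive_identity(self, identity, service_type):
        """Step S12: compare identity data, match the authority, build the auth request."""
        stored = self.credentials.get(identity["user"])
        if stored is None or not hmac.compare_digest(stored, hash_credential(identity["password"])):
            return None            # comparison result: mismatch, no authority matched
        partition = self.registry.get(service_type)
        if partition is None:
            return None            # no data exchange authority for this service type
        random_number = self.rng(16)
        code = verification_code(partition["dmk"], identity["user"], random_number)
        self.session = {"user": identity["user"], "service_type": service_type,
                        "exchange_key": derive_exchange_key(code, random_number)}
        return {"user": identity["user"], "service_type": service_type,
                "random_number": random_number, "verification_code": code}

    def verify_confirmation(self, confirmation):
        """Step S14: the extranet's confirmation key must equal our own derivation."""
        return (self.session is not None and confirmation is not None and
                hmac.compare_digest(confirmation_key(self.session["exchange_key"]), confirmation))

    def establish_channel(self, exchange_key, service_request):
        """Step S16: consistent key plus a request type inside the authority."""
        if (self.session is None or exchange_key is None or
                not hmac.compare_digest(exchange_key, self.session["exchange_key"])):
            return None
        allowed = self.registry[self.session["service_type"]]["allowed_types"]
        if service_request["type"] not in allowed:
            return None            # service request violates the preset exchange rule
        return {"key": exchange_key, "type": service_request["type"]}


def run_exchange(intranet_request, isolation, extranet):
    """Drive steps S11-S16 for one intranet service request; channel dict or None."""
    auth_req = isolation.receive_identity(intranet_request["identity"],
                                          intranet_request["service_type"])
    if auth_req is None:
        return None
    if not isolation.verify_confirmation(extranet.handle_identity_auth(auth_req)):
        return None
    key = extranet.handle_key_request(auth_req["user"])
    return isolation.establish_channel(key, intranet_request)
```

Any failure along the way yields no channel: a wrong credential stops at S12, a verification code not made under the partition's data management key stops at S13, and a request type outside the matched authority stops at S16.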
Preferably, before the step of acquiring the service request of the data transmission by the intranet data end, the method further comprises:
setting a service type configuration strategy by the isolation end;
the intranet data end sets corresponding service type allocation rules according to the service type allocation strategy and in combination with the multi-source heterogeneous data to be exchanged;
the isolation end configures the service request type according to the service type allocation rule.
Setting a service type configuration strategy by the isolation end;
the isolation end formulates a service type configuration strategy according to the system requirement and the security strategy, wherein the strategy considers factors such as sensitivity, access authority, data classification and the like of different service types; the traffic type configuration policy may include defining a list of allowed traffic types, constraints, and security rules associated with each traffic type.
The intranet data end sets corresponding service type allocation rules according to the service type allocation strategy and in combination with the multi-source heterogeneous data to be exchanged;
the intranet data end formulates a corresponding service type distribution rule according to a service type configuration strategy and multi-source heterogeneous data to be exchanged; the traffic type assignment rules may be set based on factors such as the characteristics of the data source, the sensitivity level, security requirements, etc. For example, the data sources may be classified according to their IP address, data format, data labels, etc., and different data sources may be assigned to corresponding traffic type partitions.
The isolation end configures the service request type according to the service type allocation rule.
The isolation terminal allocates a request type identifier or other modes to each service type according to the service type allocation rule set by the intranet data terminal to identify different service request types. Wherein the request type identifier may be a predefined number, string or code for identifying a specific service request type; the isolation end associates the service request with the corresponding service request type according to the allocation rule, and ensures the uniqueness and the safety of the request type.
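The service type allocation rules and request type identifiers described above, as an added example that is not the patent's own code: the rule shape (source IP network, data format, required labels), the identifier format and the sample policy are assumptions; the classification refuses sources that match no rule, and the isolation end refuses rules outside the configuration policy or duplicated partitions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllocationRule:
    partition: str              # service type partition the source is assigned to
    networks: tuple             # ip_network objects the source address may fall in
    formats: frozenset          # data formats accepted for this partition
    required_labels: frozenset  # data labels every matching source must carry


def classify_source(rules, source_ip, data_format, labels):
    """Intranet data end: assign one data source to a service type partition.

    Rules are checked in order; the first rule whose network, format and label
    constraints all hold wins. Sources matching no rule get None and are not
    exchanged, which is the safe default at an isolation boundary.
    """
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if (any(addr in net for net in rule.networks)
                and data_format in rule.formats
                and rule.required_labels <= frozenset(labels)):
            return rule.partition
    return None


def configure_request_types(policy_allowed, rules):
    """Isolation end: one unique request type identifier per service type.

    Partitions outside the service type configuration policy, and duplicate
    partitions (which would make an identifier ambiguous), are rejected.
    """
    table = {}
    for index, rule in enumerate(rules, start=1):
        if rule.partition not in policy_allowed:
            raise ValueError(f"partition {rule.partition!r} is not in the configuration policy")
        if rule.partition in table:
            raise ValueError(f"duplicate allocation rule for {rule.partition!r}")
        table[rule.partition] = f"SR-{index:03d}"    # constructed identifier format
    return table


# Constructed sample policy (allowed service types) and allocation rules.
POLICY_ALLOWED = frozenset({"report_sync", "ticket_feed"})
RULES = (
    AllocationRule("report_sync", (ipaddress.ip_network("10.10.0.0/16"),),
                   frozenset({"csv", "json"}), frozenset({"public"})),
    AllocationRule("ticket_feed", (ipaddress.ip_network("10.20.5.0/24"),),
                   frozenset({"json"}), frozenset({"public", "ticket"})),
)
```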
In a third aspect, referring to fig. 2 and 3, an embodiment of the present invention provides an internal-external network data exchange isolation system 100, where the internal-external network data exchange isolation system 100 includes an internal network data end 110, an isolation end 120, and an external network data end 130, and the internal network data end 110 is connected to the external network data end 130 through the isolation end 120, where,
an intranet data end 110, configured to obtain a service request for data transmission, where the service request includes identity data, and send the identity data to an isolation end 120;
the isolation end 120 is configured to receive the identity data, retrieve the identity verification data according to the identity data, compare the identity verification data with the identity data, and generate a comparison result; matching data exchange permission associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange key according to a preset algorithm according to the authentication verification code and the random number, and sending an identity authentication request to the external network data terminal 130;
the external network data end 130 is configured to receive the identity authentication request, and send a data exchange confirmation key to the isolation end 120 according to the identity authentication request;
the isolation end 120 is configured to, after receiving the data exchange confirmation key, verify whether the data exchange key is consistent with the data exchange confirmation key, and send a data exchange key request to the external network data end 130 when the data exchange key is verified to be consistent with the data exchange confirmation key;
the external network data end 130 is configured to receive the data exchange key request and send the data exchange key to the isolation end 120;
the isolation end 120 is configured to receive the data exchange key, obtain a service request from the intranet data end 110, verify a correspondence between a service request and a data request type corresponding to the data exchange authority, and establish an intranet-extranet transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
Preferably, the isolation end 120 includes a random number module 121, configured to match data exchange rights of corresponding service type partitions according to a preset registry after obtaining a comparison result, where each service type partition corresponds to a data management key; generating a verification code and generating a random number according to each data management key.
Specifically, the data exchange isolation system 100 of the intranet and extranet is described in detail in the first embodiment and the second embodiment, which is not described herein.
In a fourth aspect, a data exchange isolated computer device of an intranet and extranet is further provided, where the data exchange isolated computer device includes, at a hardware level: a data interface; a memory for storing instructions; a processor, configured to read the instruction stored in the memory, and execute the data exchange isolation method of the intranet and extranet in embodiment 1 according to the instruction: step S11, an intranet data end acquires a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to an isolation end; step S12, the isolation end receives the identity data, and calls the identity verification data according to the identity data, compares the identity verification data with the identity data and generates a comparison result; matching data exchange permission associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange secret key according to an authentication verification code and a random number according to a preset algorithm, and sending an identity authentication request to an external network data terminal; step S13, the external network data end receives the identity authentication request and sends a data exchange confirmation secret key to the isolation end according to the identity authentication request; step S14, after the isolation end receives the data exchange confirmation key, verifying whether the data exchange key is consistent with the data exchange confirmation key, and when the data exchange key is verified to be consistent with the data exchange confirmation key, sending a data exchange key request to the external network data end; step S15, the external network data terminal receives the data exchange key request and sends the data exchange key to the isolation terminal; step S16, the isolation end receives the data exchange key, acquires the service request from the intranet data end, verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and establishes the intranet and extranet transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
Optionally, the device further comprises an internal bus. The processor, memory and data interface may be interconnected by the internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus, among others. The bus may be divided into an address bus, a data bus, a control bus, etc.
The memory may include, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read Only Memory, ROM), flash memory (Flash Memory), first-in first-out memory (First In First Out, FIFO), and/or first-in last-out memory (First In Last Out, FILO), etc. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The working process, working details and technical effects of the device according to the fourth embodiment of the present invention can be referred to the first embodiment, and are not described herein.
A fifth embodiment of the present invention provides a computer-readable storage medium storing instructions that implement the method for data exchange isolation of an intranet and extranet of the first embodiment, i.e. the computer-readable storage medium has instructions stored thereon which, when executed on a computer, perform the method for data exchange isolation of an intranet and extranet as in the first aspect. The computer-readable storage medium refers to a carrier for storing data, and may include, but is not limited to, a floppy disk, an optical disk, a hard disk, a flash memory, and/or a memory stick, etc., where the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
The working process, working details and technical effects of the computer readable storage medium according to the fifth embodiment of the present invention can be referred to the first embodiment, and are not repeated herein.
A sixth aspect of the present embodiment provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform a data exchange isolation method for an intranet as in the first embodiment, wherein the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
The embodiments described above are illustrative only: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the embodiments without creative effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on this understanding, the above technical solutions, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, an optical disk, etc., and comprises several instructions for causing a computer device to perform the methods of the various embodiments or of parts of the embodiments.
Finally, it should be noted that: the above is only a preferred embodiment of the invention and is not intended to limit the scope of the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the invention should be included in the protection scope of the invention.

Claims (10)

1. The data exchange isolation method for the internal and external networks is characterized by being applied to a data exchange isolation system for the internal and external networks, wherein the system comprises an internal network data end, an isolation end and an external network data end, and the internal network data end is connected with the external network data end through the isolation end, and the method comprises the following steps:
the intranet data end acquires a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to an isolation end;
the isolation end receives the identity data, invokes the identity verification data according to the identity data, compares the identity verification data with the identity data and generates a comparison result; matching data exchange permission associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange secret key according to the authentication verification code and the random number according to a preset algorithm, and sending an identity authentication request to the external network data terminal;
The external network data end receives the identity authentication request and sends a data exchange confirmation key to the isolation end according to the identity authentication request;
after the isolation end receives the data exchange confirmation secret key, verifying whether the data exchange secret key is consistent with the data exchange confirmation secret key, and sending a data exchange secret key request to the external network data end when verifying that the data exchange secret key is consistent with the data exchange confirmation secret key;
the external network data terminal receives the data exchange key request and sends a data exchange key to the isolation terminal;
the isolation end receives the data exchange key, acquires a service request from the intranet data end, verifies the corresponding relation between the service request and the data request type corresponding to the data exchange authority, and establishes an intranet and extranet transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
2. The method for isolating data exchange between an intranet and an extranet according to claim 1, wherein the matching the data exchange authority associated with the service request type according to the comparison result, and generating the authentication verification code and the random number according to the data exchange authority, comprises:
After the comparison result is obtained, matching the data exchange rights of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to a data management key; generating a verification code and generating a random number according to each data management key.
3. The method for isolating data exchange between an intranet and an extranet according to claim 2, wherein before the step of obtaining the service request of data transmission by the intranet data end, the method further comprises:
setting a service type configuration strategy by the isolation end;
the intranet data end sets corresponding service type allocation rules according to the service type configuration strategy and in combination with multi-source heterogeneous data to be exchanged;
and the isolation end configures the service request type according to the service type allocation rule.
4. The data exchange isolation method of the internal and external networks is characterized by being applied to a data exchange isolation system of the internal and external networks, wherein the system comprises an internal network data end and an isolation end, and the isolation end is connected with the external network data end, and the method comprises the following steps:
the intranet data end acquires a service request of data transmission, wherein the service request comprises identity data, and the identity data is sent to an isolation end;
The isolation end receives the identity data, invokes the identity verification data according to the identity data, compares the identity verification data with the identity data and generates a comparison result; matching data exchange permission associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange permission; generating a data exchange secret key according to the authentication verification code and the random number according to a preset algorithm, and sending the identity authentication request to the external network data terminal;
the external network data end receives the identity authentication request and sends a data exchange confirmation key to the isolation end according to the identity authentication request;
the isolation end receives the data exchange confirmation secret key, verifies whether the data exchange secret key is consistent with the data exchange confirmation secret key, and sends a data exchange secret key request to the external network data end when verifying that the data exchange secret key is consistent with the data exchange confirmation secret key;
the isolation end receives a data exchange key sent by the external network data end according to the data exchange key request, acquires a service request from the internal network data end, verifies the corresponding relation between the service request and a data request type corresponding to the data exchange authority, and establishes an internal and external network transmission channel through the data exchange key after determining that the service request corresponds to the data request type.
5. The method for isolating data exchange between an intranet and an extranet according to claim 4, wherein the matching the data exchange authority associated with the service request type according to the comparison result, and generating the authentication verification code and the random number according to the data exchange authority, comprises:
after the comparison result is obtained, matching the data exchange rights of the corresponding service type partitions according to a preset registry, wherein each service type partition corresponds to a data management key;
generating a verification code and generating a random number according to each data management key.
6. The method for isolating data exchange between an intranet and an extranet according to claim 5, wherein before the step of the intranet data end acquiring the service request for data transmission, the method further comprises:
setting, by the isolation end, a service type configuration strategy;
setting, by the intranet data end, corresponding service type allocation rules according to the service type configuration strategy and the multi-source heterogeneous data to be exchanged;
configuring, by the isolation end, the service request type according to the service type allocation rules.
7. A data exchange isolation system for an intranet and an extranet, characterized in that it comprises an intranet data end, an isolation end and an extranet data end, wherein the intranet data end is connected to the extranet data end through the isolation end,
the intranet data end is used for acquiring a service request for data transmission, wherein the service request comprises identity data, and for sending the identity data to the isolation end;
the isolation end is used for receiving the identity data, invoking the identity verification data according to the identity data, comparing the identity verification data with the identity data and generating a comparison result; matching the data exchange authority associated with the service request type according to the comparison result, and generating an authentication verification code and a random number according to the data exchange authority; generating a data exchange key from the authentication verification code and the random number according to a preset algorithm, and sending an identity authentication request to the extranet data end;
the extranet data end is used for receiving the identity authentication request and sending a data exchange confirmation key to the isolation end according to the identity authentication request;
the isolation end is used for verifying, after receiving the data exchange confirmation key, whether the data exchange key is consistent with the data exchange confirmation key, and for sending a data exchange key request to the extranet data end when the two are verified to be consistent;
the extranet data end is used for receiving the data exchange key request and sending a data exchange key to the isolation end;
the isolation end is used for receiving the data exchange key, acquiring the service request from the intranet data end, verifying the correspondence between the service request and the data request type corresponding to the data exchange authority, and establishing the intranet and extranet transmission channel through the data exchange key after determining that the service request corresponds to that data request type.
8. The data exchange isolation system for an intranet and an extranet according to claim 7, wherein the isolation end comprises a random number module, which is used for matching the data exchange authority of the corresponding service type partition according to a preset registry after the comparison result is obtained, wherein each service type partition corresponds to a data management key, and for generating a verification code and a random number according to each data management key.
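The handshake of claims 4 to 8 is a three-party exchange: the intranet data end presents identity data with a service request, the isolation end checks it against stored verification data, matches the service-type partition in a preset registry, derives a data exchange key from a verification code and a random number, and only accepts the extranet data end's confirmation key if it matches; the issued data exchange key is then tied to the data request types the partition's authority permits. The following Python simulation is an added example and is not the patent's own code. The patent does not specify its "preset algorithm", so the HMAC-SHA256 derivations, the per-partition `REGISTRY`, the `ALLOCATION_RULES` of claim 6, and all identities, credentials and keys are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the patent's unspecified 'preset algorithm' (assumption):
    HMAC-SHA256 over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass
class ServiceRequest:
    identity: str        # identity data carried in the service request
    credential: bytes    # compared against the isolation end's verification data
    service_type: str    # service request type, i.e. the service-type partition
    request_type: str    # data request type the intranet wants, e.g. "read"


# Preset registry (claim 5): one data management key per service-type partition
# plus the data request types its exchange authority permits. Sample values.
REGISTRY = {
    "finance": {"dmk": b"finance-dmk-sample", "allowed": {"read"}},
    "hr":      {"dmk": b"hr-dmk-sample",      "allowed": {"read", "write"}},
}
# Service type allocation rules (claim 6): data source -> partition. Sample values.
ALLOCATION_RULES = {"ledger-db": "finance", "payroll-db": "hr"}


def build_request(identity, credential, source, request_type):
    """Intranet data end: map the data source to its partition and build the request."""
    return ServiceRequest(identity, credential, ALLOCATION_RULES[source], request_type)


class ExtranetEnd:
    """Holds its own copy of the data management keys (assumed pre-provisioned)."""
    def __init__(self, dmks):
        self.dmks = dmks
        self.sessions = {}   # identity -> confirmed key of the pending handshake

    def confirm(self, auth_req):
        # Recompute the verification code from our own key and derive the
        # confirmation key; a missing or wrong key yields a mismatch upstream.
        dmk = self.dmks.get(auth_req["partition"])
        if dmk is None:
            return None
        code = kdf(dmk, auth_req["identity"].encode(), auth_req["partition"].encode())
        confirmation = kdf(code, auth_req["random"], b"exchange-key")
        self.sessions[auth_req["identity"]] = confirmation
        return confirmation

    def issue_exchange_key(self, identity):
        # Fresh per-session data exchange key, tagged under the confirmed key so
        # the isolation end can detect substitution in transit.
        confirmation = self.sessions.pop(identity)
        session_key = secrets.token_bytes(32)
        return session_key, kdf(confirmation, session_key, b"issue")


class IsolationEnd:
    def __init__(self, id_db, registry):
        self.id_db = id_db        # identity -> stored identity verification data
        self.registry = registry

    def handshake(self, req, extranet):
        """Return the channel key on success, None on any failed check."""
        expected = self.id_db.get(req.identity)
        if expected is None or not hmac.compare_digest(expected, req.credential):
            return None                       # comparison result: identity rejected
        entry = self.registry.get(req.service_type)
        if entry is None:
            return None                       # no exchange authority for this partition
        code = kdf(entry["dmk"], req.identity.encode(), req.service_type.encode())
        rnd = secrets.token_bytes(16)
        exchange_key = kdf(code, rnd, b"exchange-key")
        auth_req = {"identity": req.identity, "partition": req.service_type, "random": rnd}
        confirmation = extranet.confirm(auth_req)
        if confirmation is None or not hmac.compare_digest(exchange_key, confirmation):
            return None                       # extranet could not prove the shared key
        session_key, tag = extranet.issue_exchange_key(req.identity)
        if not hmac.compare_digest(tag, kdf(exchange_key, session_key, b"issue")):
            return None                       # issued key failed its integrity check
        if req.request_type not in entry["allowed"]:
            return None                       # request type outside the authority
        return session_key                    # key of the intranet/extranet channel


def demo():
    """Constructed run: a read on the finance partition succeeds, a write is refused."""
    isolation = IsolationEnd({"svc-ledger": b"ledger-credential-sample"}, REGISTRY)
    extranet = ExtranetEnd({p: e["dmk"] for p, e in REGISTRY.items()})
    cred = b"ledger-credential-sample"
    ok = isolation.handshake(build_request("svc-ledger", cred, "ledger-db", "read"), extranet)
    denied = isolation.handshake(build_request("svc-ledger", cred, "ledger-db", "write"), extranet)
    return ok is not None, denied is None
```

The consistency check on the confirmation key is what gives the handshake its value: an extranet end that does not hold the partition's data management key cannot produce a matching confirmation, so the isolation end never requests a data exchange key from it. The authority check is placed after key receipt to follow the claims' order; a deployment could equally reject an impermissible request type before contacting the extranet.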
9. A computer device comprising a memory and a processor in communication with each other, wherein the memory is configured to store a computer program and the processor is configured to read the computer program and perform the data exchange isolation method for an intranet and an extranet as claimed in any one of claims 1 to 3.
10. A computer-readable storage medium having instructions stored thereon which, when run on a computer, perform the data exchange isolation method for an intranet and an extranet as claimed in any one of claims 1 to 3.
CN202310710060.1A 2023-06-14 2023-06-14 Data exchange isolation method, system, equipment and storage medium for internal and external network Pending CN116743460A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310710060.1A CN116743460A (en) 2023-06-14 2023-06-14 Data exchange isolation method, system, equipment and storage medium for internal and external network

Publications (1)

Publication Number Publication Date
CN116743460A true CN116743460A (en) 2023-09-12

Family

ID=87907617

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310710060.1A Pending CN116743460A (en) 2023-06-14 2023-06-14 Data exchange isolation method, system, equipment and storage medium for internal and external network

Country Status (1)

Country Link
CN (1) CN116743460A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP
CN216819851U (en) * 2022-02-25 2022-06-24 北京工业大学 Safety access device in transformer substation
CN115952552A (en) * 2023-03-15 2023-04-11 北京和升达信息安全技术有限公司 Remote data destruction method, system and equipment

Similar Documents

Publication Publication Date Title
US11432150B2 (en) Method and apparatus for authenticating network access of terminal
JP2022545627A (en) Decentralized data authentication
US9053318B2 (en) Anti-cloning system and method
CN112651037B (en) Out-of-chain data access method and system for block chain system
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
CN114244522B (en) Information protection method, device, electronic equipment and computer readable storage medium
US10635826B2 (en) System and method for securing data in a storage medium
CN111147447A (en) Data protection method and system
CN109302442B (en) Data storage proving method and related equipment
CN108900595B (en) Method, device and equipment for accessing data of cloud storage server and computing medium
CN110572392A (en) Identity authentication method based on HyperLegger network
CN106576050B (en) Three-tier security and computing architecture
CN115225350B (en) Government cloud encryption login verification method based on national secret certificate and storage medium
CN114553566B (en) Data encryption method, device, equipment and storage medium
CN108429732B (en) Method and system for acquiring resources
Tutubala et al. A hybrid framework to improve data security in cloud computing
CN115865495A (en) Data transmission control method and device, electronic equipment and readable storage medium
Kang et al. A study on the needs for enhancement of personal information protection in cloud computing security certification system
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN116743460A (en) Data exchange isolation method, system, equipment and storage medium for internal and external network
CN114039748A (en) Identity authentication method, system, computer device and storage medium
Darwish et al. Privacy and security of cloud computing: a comprehensive review of techniques and challenges
KR102534012B1 (en) System and method for authenticating security level of content provider
CN117240621B (en) Processing method and device of network request, computer readable medium and electronic equipment
CN109284615B (en) Mobile equipment digital resource safety management method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination