CN117319093A - Data access service method based on isolation device - Google Patents
Data access service method based on isolation device
- Publication number: CN117319093A
- Application number: CN202311619156.3A
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classes fall under H04L (transmission of digital information): H04L63/00 network security architectures and protocols, H04L67/00 arrangements or protocols for supporting network services or applications, and H04L9/00 cryptographic mechanisms and network security protocols.
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (within H04L63/02 separating internal from external traffic, e.g. firewalls, and H04L63/0227 filtering policies)
- H04L63/0807: Authentication of entities using tickets, e.g. Kerberos (within H04L63/08 authentication of entities)
- H04L63/101: Access control lists [ACL] (within H04L63/10 controlling access to devices or network resources)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H04L67/1097: Distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L67/133: Protocols for remote procedure calls [RPC]
- H04L9/40: Network security protocols
Abstract
The invention discloses a data access service method based on an isolation device, comprising the following steps. Service resource security protection: the back-end application is deployed in the isolated zone and the data is stored in the isolated zone; a service routing table is set up and service invocation authority is controlled; a service proxy is realized on the pass-through protocol of the physical isolation device. Active defense: the source address of each service call request is analyzed in real time and a suspicious-IP blacklist is built; the validity of each user request is analyzed in real time and a suspicious-user blacklist is built; illegal requests are met with silence, so that no resource information leaks. Data encryption: a user can request encryption of the request and response messages of the data access service according to their own data protection needs; data is symmetrically encrypted while in transit between the information extranet and the information intranet, so that leakage through eavesdropping by malicious programs such as Trojans is avoided. The invention physically isolates the core service data from the application and the Internet, reduces the difficulty of application security protection and raises the network security level.
Description
Technical Field
The invention belongs to the field of security protection of power grids in Internet environments and relates to a power-information security protection method for providing data services to the Internet, in particular to a data access service method based on an isolation device.
Background
With the spread of WEB 2.0 technology, the Internet has become an important channel through which power enterprises provide information services to users and conduct business interaction, and the corresponding network security protection requirements keep rising. At present a power grid company builds an information intranet and an information extranet (divided into a DMZ zone and a security zone) with security protection facilities such as firewalls and physical isolation devices: business data is stored in the information intranet, physically isolated from the Internet, while business applications are deployed in the information extranet, with front-end servers in the DMZ zone and back-end business applications in the security zone. This network structure meets the basic security protection requirement, but because the business application is deployed on the information extranet, an attacker who obtains the deployment package can easily cause leakage of service resources, service logic and intranet data-resource connection information, which provides clues for further attacks. The common application deployment mode therefore has the drawbacks of high application security protection difficulty and high information leakage risk, and information security incidents arise easily.
Disclosure of Invention
The invention aims to provide a data access service method based on an isolation device which, building on the front-end/back-end separation characteristic of current WEB application development, uses security protection mechanisms such as service proxies, identity authentication, content filtering, data encryption and asynchronous communication to physically isolate core service data from the applications and the Internet, reduce the security protection difficulty of the applications and raise the network security level.
The aim of the invention is achieved by the following technical scheme:
A data access service method based on an isolation device, characterized in that the method enhances security protection from three aspects, service resource security protection, active defense and data encryption, and comprises the following specific steps.
1) Service resource security protection:
(1-1) Back-end applications are deployed in the isolated zone, and data is stored in the isolated zone
All back-end applications containing core business logic are deployed in the information intranet; physical isolation from the Internet prevents data-resource information and business logic from being disclosed through theft of application program files.
Data is stored in a relational database and a distributed file system located in the information intranet. The business database and the resource database on which the data access service mechanism depends are not kept in the same database management system.
(1-2) Setting a service routing table and controlling service invocation authority
A service routing table and a service authority control table are set up in the resource database in the information intranet. Only application services entered in the service routing table can be invoked by Internet requests. Service calls are based on trusted requests: the caller identity is obtained from the token information carried in the request, and the request is executed only if the service authority control table holds an authorization of the called service for the current caller. HTTP requests for services not in the service routing table are filtered.
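As an added illustration of the routing-table and authority-table check (example code, not part of the patent), the following Python applies the rules of this paragraph in order: routing table first, then the token, then the authority table. The table contents, the token-to-caller lookup, the `X-Token` header name and all function names are constructed assumptions that the patent does not specify. Every failed check yields the "silent" outcome, matching section (2-3) and claim 4, where a request without a token, without authorization or for an unknown service address is illegal and receives no response.

```python
"""Service routing table and service authority control table check.

Added example, not the patent's own code. Table contents, the X-Token header,
the token lookup and all names here are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed service routing table: public HTTP path -> intranet service id.
# Only services listed here may be invoked by Internet requests.
SERVICE_ROUTING_TABLE: Dict[str, str] = {
    "/api/meter/readings": "svc.meter.readings",
    "/api/outage/report": "svc.outage.report",
}

# Constructed service authority control table: (service id, caller id) pairs
# that hold an explicit authorization record.
SERVICE_AUTHORITY_TABLE = {
    ("svc.meter.readings", "app-mobile"),
    ("svc.outage.report", "app-mobile"),
    ("svc.outage.report", "app-portal"),
}

# Constructed stand-in for token verification: opaque token -> caller identity.
# A real deployment would verify a signed or server-issued token instead.
TOKEN_TABLE: Dict[str, str] = {
    "tok-mobile-7f3a": "app-mobile",
    "tok-portal-91c0": "app-portal",
}


@dataclass(frozen=True)
class Decision:
    action: str                    # "forward" to the intranet, or "silent"
    reason: str
    service: Optional[str] = None
    caller: Optional[str] = None


def check_request(path: str, headers: Dict[str, str]) -> Decision:
    """Apply the patent's rules in order: routing table, token, authority table.

    Every failure yields "silent": the agent returns nothing, so a probe learns
    neither whether the path exists nor why it was refused.
    """
    service = SERVICE_ROUTING_TABLE.get(path)
    if service is None:
        return Decision("silent", "not in service routing table")
    token = headers.get("X-Token")
    if token is None:
        return Decision("silent", "no token")
    caller = TOKEN_TABLE.get(token)
    if caller is None:
        return Decision("silent", "token failed verification")
    if (service, caller) not in SERVICE_AUTHORITY_TABLE:
        return Decision("silent", "no service authorization", service, caller)
    return Decision("forward", "authorized", service, caller)


if __name__ == "__main__":
    for path, hdrs in [("/api/meter/readings", {"X-Token": "tok-mobile-7f3a"}),
                       ("/api/meter/readings", {"X-Token": "tok-portal-91c0"}),
                       ("/admin/config", {"X-Token": "tok-mobile-7f3a"}),
                       ("/api/outage/report", {})]:
        print(path, check_request(path, hdrs))
```

The two tables are held in memory, as step (2) of the embodiment describes for the preloaded routing and authority tables. The `reason` field is never sent to the client; it exists so the agent can log why a request was dropped, which is exactly the per-IP and per-user signal that the active-defense thresholds in section 2) count.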
(1-3) Implementing the service proxy on the pass-through protocol of the physical isolation device
Data access service agents Agent-A and Agent-B are deployed in the security zones of the information extranet and the information intranet (Agent-A faces the Internet from the extranet; Agent-B sits in the intranet). Over the JDBC channel that the physical isolation device provides between Agent-A and Agent-B, service call request instructions, service response data, service call states and similar information are exchanged through a resource database located in the information intranet, and a synchronous call from a client on the Internet to a business application service in the information intranet is completed in an asynchronous manner.
2) Active defense:
(2-1) Analyzing the source address of service call requests in real time and building a suspicious-IP blacklist
When illegal requests (no token, no service authorization, wrong service address, and so on) from the same IP address reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, blacklists the IP address and makes no response to any further access from it.
(2-2) Analyzing the validity of user requests in real time and building a suspicious-user blacklist
When illegal requests (no service authorization, wrong service address, and so on) from the same user reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, temporarily locks the user and revokes their system access authority.
(2-3) Keeping silent towards illegal requests to avoid leaking resource information
The data access service agent does not respond to illegal requests and returns no information at all, which minimizes the risk of resource information leakage.
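The three active-defense rules above, as an added example (not the patent's own code): a sliding-window counter per source IP and per authenticated user, a permanent IP blacklist once the IP threshold is reached, a temporary user lock once the user threshold is reached, and a single "silent" outcome for anything illegal. The thresholds, window length, lock duration, the event tuple layout and the sample traffic are constructed assumptions; the patent only says "a preset threshold" and "unit time".

```python
"""Attack-probe detection for the active-defense step: per-IP blacklist and
per-user temporary lock when illegal requests exceed a threshold per window.

Added example, not the patent's own code. The thresholds, window length, lock
duration and the event tuple layout are constructed assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class ActiveDefense:
    def __init__(self, ip_threshold: int = 5, user_threshold: int = 3,
                 window_seconds: float = 60.0, lock_seconds: float = 600.0):
        self.ip_threshold = ip_threshold
        self.user_threshold = user_threshold
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self._ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._user_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_blacklist: set = set()           # stays until an operator clears it
        self.user_locks: Dict[str, float] = {}   # user -> time the lock expires

    def _count_in_window(self, hits: Deque[float], now: float) -> int:
        """Record one illegal request and return how many fall inside the window."""
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()
        return len(hits)

    def handle(self, ip: str, user: Optional[str], legal: bool, now: float) -> str:
        """Return "respond" or "silent". Illegal requests are always silent."""
        if ip in self.ip_blacklist:
            return "silent"
        if user is not None and self.user_locks.get(user, 0.0) > now:
            return "silent"
        if legal:
            return "respond"
        # Illegal request: count it against the source IP and, if identified, the user.
        if self._count_in_window(self._ip_hits[ip], now) >= self.ip_threshold:
            self.ip_blacklist.add(ip)
        if user is not None and self._count_in_window(self._user_hits[user], now) >= self.user_threshold:
            self.user_locks[user] = now + self.lock_seconds
        return "silent"


# Constructed sample traffic: (timestamp, source IP, user id or None, request legal?).
SAMPLE_EVENTS: List[Tuple[float, str, Optional[str], bool]] = [
    (0.0, "203.0.113.7", None, False),       # probe without token
    (1.0, "203.0.113.7", None, False),
    (2.0, "203.0.113.7", None, True),        # a legal request is still answered
    (3.0, "203.0.113.7", None, False),       # third illegal in window -> IP blacklisted
    (4.0, "203.0.113.7", None, True),        # blacklisted: even legal traffic is ignored
    (5.0, "198.51.100.2", "alice", False),   # authenticated user hitting unauthorized services
    (6.0, "198.51.100.2", "alice", False),   # second illegal -> user temporarily locked
    (7.0, "198.51.100.2", "alice", True),
    (8.0, "198.51.100.9", "bob", True),
    (700.0, "198.51.100.2", "alice", True),  # lock has expired
]


def run_sample(events=SAMPLE_EVENTS) -> Tuple[List[str], "ActiveDefense"]:
    """Replay the sample traffic through one agent and return its decisions."""
    defense = ActiveDefense(ip_threshold=3, user_threshold=2,
                            window_seconds=60.0, lock_seconds=600.0)
    return [defense.handle(ip, user, legal, t) for t, ip, user, legal in events], defense


if __name__ == "__main__":
    decisions, d = run_sample()
    print(decisions, sorted(d.ip_blacklist), d.user_locks)
```

Note the asymmetry the patent itself draws: the IP blacklist is open-ended, while the user lock expires, which is why `user_locks` stores an expiry time instead of a flag. Once an address is blacklisted, even its legal requests go unanswered, so an operator needs a way to review and clear the list.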
3) Data encryption
(3-1) A user can request encryption of the request and response messages of the data access service according to their own data protection needs. The data encryption uses an asymmetric encryption algorithm: the user can encrypt the uplink request message with a private key and decrypt the downlink response message, so that the service data cannot be disclosed or tampered with during network transmission.
(3-2) Data is symmetrically encrypted while in transit between the information extranet and the information intranet, so that data leakage through eavesdropping by malicious programs such as Trojans is avoided.
The beneficial effects of the invention are as follows:
Through security protection mechanisms such as service proxies, identity authentication, content filtering, data encryption and asynchronous communication, the invention physically isolates core business data from the applications and the Internet, makes full use of the front-end/back-end separation of WEB application development, provides a safe and efficient data service access mechanism in a physically isolated environment, realizes active defense based on service access behaviour, reduces the difficulty of application security protection, strengthens the security protection of the business system and raises the network security level.
Drawings
Fig. 1 is a schematic diagram of a data access service method based on an isolation device.
Description of the embodiments
The data access service method based on the isolation device enhances security protection from three aspects: service resource security protection, active defense and data encryption.
1) The back-end application is deployed in the isolated zone, and the data is stored in the isolated zone.
All back-end applications containing core business logic are deployed in the information intranet; physical isolation from the Internet prevents data-resource information and business logic from being disclosed through theft of application program files.
Data is stored in a relational database and a distributed file system located in the information intranet. The business database and the resource database on which the data access service mechanism depends are not kept in the same database management system.
A service routing table is set up and service invocation authority is controlled.
A service routing table and a service authority control table are set up in the resource database in the information intranet. Only application services entered in the service routing table can be invoked by Internet requests. Service calls are based on trusted requests: the caller identity is obtained from the token information carried in the request, and the request is executed only if the service authority control table holds an authorization of the called service for the current caller. HTTP requests for services not in the service routing table are filtered.
The service proxy is implemented on the pass-through protocol of the physical isolation device.
Data access service agents Agent-A and Agent-B are deployed in the security zones of the information extranet and the information intranet (Agent-A faces the Internet from the extranet; Agent-B sits in the intranet). Over the JDBC channel that the physical isolation device provides between Agent-A and Agent-B, service call request instructions, service response data, service call states and similar information are exchanged through a resource database located in the information intranet, and a synchronous call from a client on the Internet to a business application service in the information intranet is completed in an asynchronous manner.
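The exchange just described, and detailed in working steps (1) to (5) below, as an added example (not the patent's own code): Agent-A writes an authorized call into a pending instruction table, Agent-B scans that table, calls the intranet service and writes the reply into a response table, Agent-A polls the response table for the row bound to its instruction, and a cleaning pass drops completed, failed or expired rows. An in-memory sqlite3 database stands in for the intranet resource database reached over the isolation device's JDBC channel; the table layout, status values and the sample intranet service are constructed assumptions, and the encryption of the stored payloads that the patent requires is omitted here.

```python
"""Agent-A / Agent-B service call exchange through tables in the resource
database, turning a synchronous client call into an asynchronous hand-off.

Added example, not the patent's own code. An in-memory sqlite3 database stands
in for the intranet resource database reached over the isolation device's JDBC
channel; the table layout, status values and the intranet service handler are
constructed assumptions, and encryption of the stored payloads is omitted.
"""
import json
import sqlite3
import time
import uuid
from typing import Callable, Optional

SCHEMA = """
CREATE TABLE IF NOT EXISTS call_instruction (
    id TEXT PRIMARY KEY, service TEXT, payload TEXT,
    status TEXT, created REAL);             -- status: pending | done | failed
CREATE TABLE IF NOT EXISTS service_response (
    id TEXT PRIMARY KEY, body TEXT, created REAL);
"""

# Constructed intranet business service, reachable only from Agent-B's side.
INTRANET_SERVICES = {
    "svc.meter.readings": lambda p: {"meter": p["meter"], "kwh": 1234.5},
}


def open_resource_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def agent_a_submit(db: sqlite3.Connection, service: str, payload: dict) -> str:
    """Agent-A (extranet) writes an already-authorized call as a pending instruction."""
    iid = uuid.uuid4().hex
    db.execute("INSERT INTO call_instruction VALUES (?, ?, ?, 'pending', ?)",
               (iid, service, json.dumps(payload), time.time()))
    db.commit()
    return iid


def agent_b_dispatch(db: sqlite3.Connection) -> int:
    """Agent-B (intranet) scans pending instructions, calls the service, stores the reply."""
    rows = db.execute(
        "SELECT id, service, payload FROM call_instruction WHERE status = 'pending'").fetchall()
    for iid, service, payload in rows:
        handler = INTRANET_SERVICES.get(service)
        if handler is None:                      # nothing on this side can serve it
            db.execute("UPDATE call_instruction SET status = 'failed' WHERE id = ?", (iid,))
            continue
        body = handler(json.loads(payload))
        db.execute("INSERT INTO service_response VALUES (?, ?, ?)",
                   (iid, json.dumps(body), time.time()))
        db.execute("UPDATE call_instruction SET status = 'done' WHERE id = ?", (iid,))
    db.commit()
    return len(rows)


def agent_a_wait(db: sqlite3.Connection, iid: str, between_polls: Callable[[], object],
                 attempts: int = 10) -> Optional[dict]:
    """Agent-A's response-receiving thread polls for the reply bound to this instruction.

    between_polls is whatever happens while the thread waits; the usage below runs
    Agent-B in the same process so the example is deterministic.
    """
    for _ in range(attempts):
        row = db.execute("SELECT body FROM service_response WHERE id = ?", (iid,)).fetchone()
        if row:
            return json.loads(row[0])
        status = db.execute("SELECT status FROM call_instruction WHERE id = ?", (iid,)).fetchone()[0]
        if status == "failed":
            return None                          # the client gets no data, not an error detail
        between_polls()
    return None                                  # timed out: treated like a failure


def agent_b_cleanup(db: sqlite3.Connection, max_age_seconds: float) -> int:
    """Agent-B's cleaning thread drops completed, failed or expired instructions."""
    cutoff = time.time() - max_age_seconds
    cur = db.execute(
        "DELETE FROM call_instruction WHERE status IN ('done', 'failed') OR created < ?", (cutoff,))
    db.execute("DELETE FROM service_response WHERE id NOT IN (SELECT id FROM call_instruction)")
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_resource_db()
    iid = agent_a_submit(db, "svc.meter.readings", {"meter": "M-001"})
    print(agent_a_wait(db, iid, lambda: agent_b_dispatch(db)))
    print("cleaned", agent_b_cleanup(db, 3600.0))
```

The security property worth noticing is that no TCP connection ever crosses the isolation device: each side only reads and writes rows in the intranet database, so a compromised Agent-A can at most enqueue instructions that Agent-B still has to recognise as a listed service. In a deployment the two agents are separate processes and Agent-A's wait loop would sleep between polls; `between_polls` is the hook where that sleep goes.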
2) The source address of service call requests is analyzed in real time and a suspicious-IP blacklist is built.
When illegal requests (no token, no service authorization, wrong service address, and so on) from the same IP address reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, blacklists the IP address and makes no response to any further access from it.
The validity of user requests is analyzed in real time and a suspicious-user blacklist is built.
When illegal requests (no service authorization, wrong service address, and so on) from the same user reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, temporarily locks the user and revokes their system access authority.
Illegal requests are met with silence, avoiding leakage of resource information.
The data access service agent does not respond to illegal requests and returns no information at all, which minimizes the risk of resource information leakage.
3) Data encryption
A user can request encryption of the request and response messages of the data access service according to their own data protection needs. The data encryption uses an asymmetric encryption algorithm: the user can encrypt the uplink request message with a private key and decrypt the downlink response message, so that the service data cannot be disclosed or tampered with during network transmission.
Data is symmetrically encrypted while in transit between the information extranet and the information intranet, so that data leakage through eavesdropping by malicious programs such as Trojans is avoided.
With reference to Fig. 1, the specific working steps of the data service access mechanism are described further below, taking a service call and a file upload procedure as examples:
Data access service agents Agent-A and Agent-B are deployed in the security zones of the information extranet and the information intranet respectively. The data access service Agent-B deployed in the information intranet can send an instruction to open or close the service proxy over the HTTP protocol. The service access mechanism is implemented as follows.
(1) Agent-A receives an HTTP/HTTPS service call request from the Internet, obtains the caller's IP address and token information from the request header, and verifies the validity of the caller's identity. If the request header carries no token information, the identity authentication function is skipped. If the request header carries token information that fails verification, no response is made;
(2) After caller authentication passes, Agent-A checks whether the call request is authorized against the service routing table and service authority control table preloaded into memory. If the call request is authorized, the service call request information is encrypted and written, through the JDBC driver provided by the physical isolation device, into the pending call instruction table in the resource database of the information intranet; the current instruction of the current session is bound to one thread of the response-receiving thread group, which waits for the response information to come back. If the call request is not authorized, no response is made;
(3) After Agent-B starts the proxy service, it launches an instruction distribution thread that scans the pending call instruction table in the resource database of the information intranet. When a call instruction to be executed is found, it is handed to the instruction execution thread group, whose threads send the service call request to the corresponding service application server, encrypt the service response received and write it into the service response information table in the resource database;
(4) The response-receiving thread of Agent-A polls the service response information table in the resource database of the information intranet through the JDBC driver provided by the physical isolation device; once it finds the service response information corresponding to the current instruction of the current session, it decrypts and packages it and sends it to the client over the current session, completing one HTTP/HTTPS request;
(5) Agent-B starts a resource database cleaning thread that regularly clears completed, failed or expired service call instructions and service response information from the resource database;
(6) After receiving a file upload request, Agent-A first writes the received file stream into the distributed file system located in the information extranet, and then writes a file synchronization instruction into the file synchronization instruction table located in the resource database of the information intranet, stating the file name, file type, byte count, access path and synchronization state of the file to be synchronized;
(7) The file synchronization thread group of Agent-A scans the file synchronization instruction table in the resource database of the information intranet; once a file to be synchronized is found (synchronization state 0), the distribution thread reads the file (setting the synchronization state to 1), splits and encrypts its byte stream, and writes the byte stream into the file synchronization instruction table in the resource database of the information intranet. After the writing is completed, the file synchronization state is set to 2;
(8) The file synchronization thread group of Agent-B scans the file synchronization instruction table in the resource database of the information intranet; once a file to be synchronized is found (synchronization state 2), the distribution thread queries the data records of the corresponding file in the file synchronization data table (setting the synchronization state to 3), decrypts and assembles the byte stream read, and writes the decrypted byte stream into the distributed file system in the information intranet, completing the ferrying of the file from the extranet to the intranet.
The invention provides a safe and efficient data service access mechanism in a physically isolated environment, realizes active defense based on service access behaviour, reduces the difficulty of application security protection, strengthens the security protection of the business system and raises the network security level.
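The file ferry of steps (6) to (8), as an added example (not the patent's own code): Agent-A records an instruction in state 0, its sync pass moves the file through state 1 into chunks in the data table and marks it 2, and Agent-B's sync pass marks it 3, reassembles the chunks and stores the result in the intranet file system. Plain dicts stand in for the two intranet tables and the two distributed file systems. The chunk size, the sha256 digest carried in the instruction, and the FAILED state used when the reassembled bytes do not match the declared byte count or digest are constructed assumptions; the patent lists name, type, byte count, path and state, and the per-chunk encryption it describes is omitted here.

```python
"""File ferry from the extranet to the intranet through the file synchronization
instruction table and data table, following sync states 0 -> 1 -> 2 -> 3.

Added example, not the patent's own code. Plain dicts stand in for the two
intranet tables and the two distributed file systems; the chunk size, the
sha256 field and the FAILED state are constructed assumptions, and per-chunk
encryption is omitted.
"""
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 4                      # bytes; deliberately tiny so the split is visible
PENDING, READING, WRITTEN, INGESTED, FAILED = 0, 1, 2, 3, -1


class FileSync:
    def __init__(self) -> None:
        self.extranet_dfs: Dict[str, bytes] = {}      # Agent-A side storage
        self.intranet_dfs: Dict[str, bytes] = {}      # Agent-B side storage
        self.instruction_table: Dict[str, dict] = {}  # file id -> sync instruction
        self.data_table: Dict[str, List[Tuple[int, bytes]]] = {}  # file id -> (seq, chunk)

    def agent_a_receive_upload(self, file_id: str, name: str, ftype: str, data: bytes) -> dict:
        """Step (6): store the upload in the extranet DFS and record a sync instruction."""
        path = f"/extranet/uploads/{name}"
        self.extranet_dfs[path] = data
        self.instruction_table[file_id] = {
            "name": name, "type": ftype, "size": len(data), "path": path,
            "sha256": hashlib.sha256(data).hexdigest(),   # assumption: integrity field
            "state": PENDING,
        }
        return self.instruction_table[file_id]

    def agent_a_sync_pass(self) -> int:
        """Step (7): one scan by Agent-A's sync thread; splits files in state 0 into chunks."""
        moved = 0
        for fid, ins in self.instruction_table.items():
            if ins["state"] != PENDING:
                continue
            ins["state"] = READING                     # claim the file so another thread skips it
            data = self.extranet_dfs[ins["path"]]
            self.data_table[fid] = [
                (seq, data[off:off + CHUNK_SIZE])
                for seq, off in enumerate(range(0, len(data), CHUNK_SIZE))
            ]
            ins["state"] = WRITTEN                     # all chunks are in the data table
            moved += 1
        return moved

    def agent_b_sync_pass(self) -> int:
        """Step (8): one scan by Agent-B's sync thread; reassembles files in state 2."""
        moved = 0
        for fid, ins in self.instruction_table.items():
            if ins["state"] != WRITTEN:
                continue
            ins["state"] = INGESTED
            chunks = sorted(self.data_table.get(fid, []))   # order by sequence number
            data = b"".join(chunk for _, chunk in chunks)
            # Check the reassembled file against the declared byte count and digest
            # before it is allowed into the intranet file system.
            if len(data) != ins["size"] or hashlib.sha256(data).hexdigest() != ins["sha256"]:
                ins["state"] = FAILED
                continue
            self.intranet_dfs[f"/intranet/uploads/{ins['name']}"] = data
            moved += 1
        return moved


if __name__ == "__main__":
    fs = FileSync()
    fs.agent_a_receive_upload("f1", "report.pdf", "pdf", b"hello isolation device")
    print(fs.agent_a_sync_pass(), fs.agent_b_sync_pass(), fs.intranet_dfs)
```

The state transitions are written before the work they guard (1 before reading, 3 before reassembly) for the same reason the patent's thread groups need them: several threads scan the same table, and the state is what stops two of them from picking up one file. The byte-count and digest check is the point at which the intranet side refuses a file whose chunks were lost or altered on the way, rather than discovering it later.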
Claims (5)
1. A data access service method based on an isolation device, characterized in that the method comprises the following steps:
(1) Service resource security protection: the back-end application is deployed in the isolated zone, and the data is stored in the isolated zone; a service routing table is set up and service invocation authority is controlled; a service proxy is realized on the pass-through protocol of the physical isolation device;
(2) Active defense: the source address of service call requests is analyzed in real time and a suspicious-IP blacklist is built; the validity of user requests is analyzed in real time and a suspicious-user blacklist is built; illegal requests are met with silence, avoiding leakage of resource information;
(3) Data encryption: the user requests encryption of the request and response messages of the data access service according to their own data protection needs; and data is symmetrically encrypted while in transit between the information extranet and the information intranet, so that data leakage through eavesdropping by malicious programs is avoided.
2. The data access service method based on an isolation device according to claim 1, wherein in step (1) deploying the back-end application in the isolated zone and storing the data in the isolated zone specifically comprises:
all back-end applications containing core business logic are deployed in the information intranet, and physical isolation from the Internet prevents data-resource information and business logic from being disclosed through theft of application program files;
the data is stored in a relational database and a distributed file system located in the information intranet, and the business database and the resource database on which the data access service mechanism depends are kept in different database management systems;
setting up the service routing table and controlling service invocation authority specifically comprises:
a service routing table and a service authority control table are set up in the resource database in the information intranet, and only application services entered in the service routing table can be invoked by Internet requests; service calls are based on trusted requests, the caller identity is obtained from the token information carried in the request, the request is executed only if the service authority control table holds an authorization of the called service for the current caller, and HTTP requests for services not in the service routing table are filtered;
realizing the service proxy on the pass-through protocol of the physical isolation device comprises the following steps:
data access service agents Agent-A and Agent-B are deployed in the security zones of the information intranet and the information extranet, and a synchronous call from a client on the Internet to a business application service in the information intranet is completed in an asynchronous manner by exchanging service call request instructions, service response data and service call state information through a resource database located in the information intranet over the JDBC channel provided by the physical isolation device.
3. The method according to claim 1, wherein step (2) specifically comprises:
(2-1) analyzing the source address of service call requests in real time and building a suspicious-IP blacklist:
when illegal requests from the same IP address reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, blacklists the IP address and makes no response to access from that IP address;
(2-2) analyzing the validity of user requests in real time and building a suspicious-user blacklist:
when illegal requests from the same user reach a preset threshold number within a unit of time, the data access service agent treats them as an attack probe, temporarily locks the user and revokes their system access authority;
(2-3) keeping silent towards illegal requests to avoid leaking resource information:
the data access service agent does not respond to illegal requests and returns no information at all, which minimizes the risk of resource information leakage.
4. The data access service method based on an isolation device according to claim 3, characterized in that an illegal request comprises a request without a token, without service authorization, or with an erroneous service address.
5. The method according to claim 1, wherein step (3) specifically comprises:
(3-1) the user requests encryption of the request and response messages of the data access service according to their own data protection needs; the data encryption uses an asymmetric encryption algorithm, the user encrypts the uplink request message with a private key and decrypts the downlink response message, so that the service data cannot be disclosed or tampered with during network transmission;
(3-2) data is symmetrically encrypted while in transit between the information extranet and the information intranet, so that data leakage through eavesdropping by Trojan malicious programs is avoided.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311619156.3A CN117319093A (en) | 2023-11-30 | 2023-11-30 | Data access service method based on isolation device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117319093A true CN117319093A (en) | 2023-12-29 |
Family
ID=89288797
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311619156.3A Pending CN117319093A (en) | 2023-11-30 | 2023-11-30 | Data access service method based on isolation device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117319093A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117614751A (en) * | 2024-01-24 | 2024-02-27 | 上海银基信息安全技术股份有限公司 | Intranet access method and system |
CN117614751B (en) * | 2024-01-24 | 2024-04-02 | 上海银基信息安全技术股份有限公司 | Intranet access method and system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1571398A (en) * | 2004-04-29 | 2005-01-26 | 上海交通大学 | Network safety isolating and information exchanging system and method based on proxy mapping |
US20050044197A1 (en) * | 2003-08-18 | 2005-02-24 | Sun Microsystems, Inc. | Structured methodology and design patterns for web services |
CN102843352A (en) * | 2012-05-15 | 2012-12-26 | 广东电网公司茂名供电局 | Cross-physical isolation data transparent transmission system and method between intranet and extranet |
CN108243143A (en) * | 2016-12-23 | 2018-07-03 | 北京明朝万达科技股份有限公司 | A kind of gateway penetrating method and system based on different web agent |
CN110971622A (en) * | 2020-03-04 | 2020-04-07 | 信联科技(南京)有限公司 | Bidirectional access method and system between public network application system and intranet application system |
CN114143066A (en) * | 2021-11-26 | 2022-03-04 | 国网四川省电力公司南充供电公司 | Intranet and extranet docking system and method based on agent isolation device |
CN116545706A (en) * | 2023-05-15 | 2023-08-04 | 合芯科技(苏州)有限公司 | Data security transmission control system, method and device and electronic equipment |
-
2023
- 2023-11-30 CN CN202311619156.3A patent/CN117319093A/en active Pending
Non-Patent Citations (1)
Title |
---|
杨松; 刘洪善; 程艳: "A survey of cloud computing security architecture design and implementation" (云计算安全体系设计与实现综述), Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition) (重庆邮电大学学报(自然科学版)), no. 05 * |
Similar Documents
Publication | Title |
---|---|
Aura et al. | Stateless connections |
CN110996318A (en) | Safety communication access system of intelligent inspection robot of transformer substation |
CN114615328A (en) | Safety access control system and method |
Bumanglag et al. | On the impact of DNS over HTTPS paradigm on cyber systems |
CN110225050B (en) | JWT token management method |
JP2023514736A (en) | Method and system for secure communication |
WO2003060671A2 (en) | Communication security system |
Dahlmanns et al. | Transparent end-to-end security for publish/subscribe communication in cyber-physical systems |
CN105429962B (en) | A kind of general go-between service construction method and system towards encryption data |
CN117319093A (en) | Data access service method based on isolation device |
WO2023174143A1 (en) | Data transmission method, device, medium and product |
CN114422194A (en) | Single package authentication method, device, server and storage medium |
CN115549932A (en) | Safety access system and access method for massive heterogeneous Internet of things terminals |
JP2004220120A (en) | Network security system, access control method, authentication mechanism, firewall mechanism, authentication mechanism program, firewall mechanism program, and recording medium |
Khoussainov et al. | LAN security: problems and solutions for Ethernet networks |
CN116471008A (en) | Interface access security control method and system based on hybrid encryption |
US8699710B2 (en) | Controlled security domains |
CN115567310A (en) | Client secure distribution method based on network stealth in zero trust mode |
CN106453336B (en) | Method for internal network to actively provide external network host calling service |
JP2005202970A (en) | Security system and security method for firewall, and computer program product |
US20080059788A1 (en) | Secure electronic communications pathway |
CN112738020A (en) | Linkage scanning method for loopholes |
CN115314262B (en) | Design method of trusted network card and networking method thereof |
JP2005065004A (en) | Method, device and program for inspecting encrypted communication data |
CN114900372B (en) | Resource protection system based on zero trust security sentinel system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||