CN117395014A - Secure data exchange system, secure data exchange method, electronic device, and storage medium - Google Patents


Info

Publication number
CN117395014A
Authority
CN
China
Prior art keywords
gateway
security
api
data exchange
network
Legal status
Pending
Application number
CN202210782874.1A
Other languages
Chinese (zh)
Inventor
范端胜
Current Assignee
Tols Tianxiang Net An Information Technology Co ltd
Original Assignee
Tols Tianxiang Net An Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Abstract

The present disclosure relates to a secure data exchange system, method, electronic device, and storage medium. The secure data exchange system comprises: a front gateway (pre-gateway) deployed in a low-security network and designed on a zero-trust architecture, which diverts and continuously verifies visitor access according to a zero-trust security policy in order to carry out data exchange; and a physical network isolation device connected to the front gateway, which performs single-packet authentication on data arriving from the front gateway and, once that authentication passes, opens a communication interface to the front gateway so that the visitor's data can be exchanged from the low-security network into the high-security network. The security and reliability of data exchange within the network are thereby improved.

Description

Secure data exchange system, secure data exchange method, electronic device, and storage medium
Technical Field
The disclosure relates to the technical field of electronic equipment, and in particular relates to a secure data exchange system, a secure data exchange method, electronic equipment and a storage medium.
Background
At present, physical isolation is the norm in fields with high secrecy requirements: a classified network is protected by an optical gate or a gatekeeper, the network is strictly divided into an internal network and an external network, direct communication between the two is not allowed, and data may flow in one direction only, from the lower-classification network to the higher-classification network. Current gatekeepers have no notion of trust; they depend on optical gates, whose one-way transmission of light guarantees unidirectionality, and data arriving from the low-security network must still be inspected closely for harmful content. Because network security is tied to where devices sit in the network, data flow from the high-security network to the low-security network is not allowed, which is inconvenient for unified management of intranet and extranet, especially where cooperation between several departments requires some data to be shared.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a secure data exchange system, method, electronic device, and storage medium that can effectively improve the security and reliability of data exchange in the network.
Embodiments of the first aspect of the present application provide a secure data exchange system, comprising:
a front gateway (pre-gateway), deployed in a low-security network and designed on a zero-trust architecture, which diverts and continuously verifies visitor access according to a zero-trust security policy in order to carry out data exchange;
and a physical network isolation device, connected to the front gateway, which performs single-packet authentication on data arriving from the front gateway and, once that authentication passes, opens a communication interface to the front gateway so that the visitor's data can be exchanged from the low-security network into the high-security network.
In some examples, the pre-gateway includes:
an API gateway, connected to the physical network isolation device, which executes the zero-trust security policy for visitor access;
and a security enforcement gateway, connected to the physical network isolation device, which provides application hiding and security proxy functions for application services that access the low-security network, where the security proxy decision is based on the visitor's permission policy and trust level.
In some examples, the API gateway includes a first API gateway configured to connect to the physical network isolation device and send network information and identity information to it so that the physical network isolation device can perform single-packet authentication; a second API gateway configured to receive calls from visitors and provide API validity checking together with circuit-breaking and rate-limiting services; and a third API gateway configured to coordinate the work of, and manage, the first, second, and third API gateways.
In some examples, the pre-gateway includes:
an API gateway and a security enforcement gateway, the API gateway being connected to the physical network isolation device through the security enforcement gateway,
where the API gateway serves as a data exchange gateway, holds a device access account assigned per calling account together with a security access policy gateway, performs single-packet authentication on the visitor, and, once that passes, diverts and continuously verifies the visitor's access through the security enforcement gateway according to the zero-trust security policy.
In some examples, the API gateway includes a first API gateway for connecting to the security enforcement gateway and sending network information and identity information to it so that the security enforcement gateway can perform single-packet authentication; a second API gateway for receiving calls from visitors and providing API validity checking together with circuit-breaking and rate-limiting services; and a third API gateway for coordinating the work of, and managing, the first, second, and third API gateways.
In some examples, the physical network isolation device includes a first unidirectional optical gate that carries data from the low-security network to the high-security network and a second unidirectional optical gate that carries data from the high-security network to the low-security network.
Embodiments of the second aspect of the present application provide a secure data exchange method, including:
the front gateway diverts and continuously verifies the visitor's access according to a zero-trust security policy in order to carry out data exchange;
and after the front gateway has done so, the physical network isolation device performs single-packet authentication on the data from the front gateway and, once that authentication passes, opens a communication interface to the front gateway so that the visitor's data is exchanged from the low-security network into the high-security network.
Embodiments of the third aspect of the present application provide an electronic device comprising a processor and a memory, the memory storing at least one instruction, at least one program, a set of code or a set of instructions, which is loaded and executed by the processor to implement the steps of the secure data exchange method provided by the embodiments of the second aspect described above.
Embodiments of the fourth aspect of the present application provide a non-transitory computer-readable storage medium whose instructions, when executed by a processor of a mobile terminal, cause the mobile terminal to perform the steps of the secure data exchange method provided by the embodiments of the second aspect.
Embodiments of the fifth aspect of the present application provide a computer program product which, when executed by a processor of a mobile terminal, enables the mobile terminal to perform the steps of the secure data exchange method provided by the embodiments of the second aspect described above.
According to the secure data exchange system, secure data exchange method, electronic device and storage medium described above, the front gateway is deployed in the low-security network and designed on the zero-trust architecture; it diverts and continuously verifies visitor access according to the zero-trust security policy in order to carry out data exchange; the physical network isolation device is connected to the front gateway, performs single-packet authentication on the data from the front gateway and, once that passes, opens a communication interface to the front gateway so that the visitor's data is exchanged from the low-security network into the high-security network. This has the following advantages. The data exchange flow through the gatekeeper/optical gate is defended in depth: a front-end API gateway or security policy gateway is added, and single-packet authentication is performed on that gateway. Compared with plain IP restriction, this prevents an attacker from bypassing the isolation device or connecting to it with a spoofed IP address; because the ID carried in the single-packet authentication is generated from the device's characteristics, stealing a username and password is not enough to connect to the isolation device, and without the front gateway's device ID and password no connection can be made, so the attacker is stopped at the API gateway/security policy enforcement gateway. The front gateway operates according to the zero-trust architecture, so different caller accounts are subject to different security policies; only zero-trust-related signaling and data can be sent outward through the isolation device, and only to the related zero-trust component, so other confidential data cannot leak out. The API checks the calling token, and the security policy is continuously enforced and continuously verified on the API gateway.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic diagram of a secure data exchange system in one embodiment;
FIG. 2 is a schematic diagram of a secure data exchange system in one embodiment;
FIG. 3 is a schematic diagram of a secure data exchange system in another embodiment;
FIG. 4 is a schematic diagram of the architecture of an API gateway of one embodiment;
FIG. 5 is a schematic diagram of an API gateway account provisioning process;
FIG. 6 is a schematic diagram of a data transmission flow according to one embodiment;
FIG. 7 is a schematic diagram of a data receiving process according to one embodiment;
FIG. 8 is a schematic diagram of an API gateway according to another embodiment;
FIG. 9 is a schematic diagram of a data transmission flow according to another embodiment;
FIG. 10 is a schematic diagram of a data receiving process according to another embodiment;
FIG. 11 is an internal structural diagram of an electronic device in one embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of the invention as detailed in the accompanying claims.
The following describes a secure data exchange system, a method, an electronic device, and a storage medium according to an embodiment of the present invention with reference to the accompanying drawings.
FIG. 1 is a block diagram of a secure data exchange system according to one embodiment of the present invention. As shown in FIG. 1, the secure data exchange system includes a front gateway (pre-gateway) 110 and a physical network isolation device 120, where:
the front gateway 110 is deployed in a low-security network, is designed on a zero-trust architecture, and diverts and continuously verifies visitor access according to a zero-trust security policy in order to carry out data exchange; the physical network isolation device 120 is connected to the front gateway 110, performs single-packet authentication on data from the front gateway 110 and, once that authentication passes, opens a communication interface to the front gateway 110 so that the visitor's data is exchanged from the low-security network into the high-security network.
As shown in FIGS. 2 and 3, the secure data exchange system includes an API gateway (part of the front gateway 110), API gateway cluster management, a zero-trust security component (also part of the front gateway 110), a messaging system, a database system, and an optical gate/gatekeeper device (i.e., the physical network isolation device 120). The zero-trust security component comprises identity access, unified policy, trust evaluation, the security enforcement gateway, and the security management center.
In one specific example, the front gateway comprises: an API gateway connected to the physical network isolation device, which executes the zero-trust security policy for visitor access; and a security enforcement gateway connected to the physical network isolation device, which provides application hiding and security proxy functions for application services that access the low-security network, the security proxy decision being based on the visitor's permission policy and trust level. In this example the API gateway includes a first API gateway, a second API gateway and a third API gateway: the first API gateway connects to the physical network isolation device and sends network information and identity information to it so that it can perform single-packet authentication; the second API gateway receives calls from visitors and provides API validity checking together with circuit-breaking and rate-limiting services; and the third API gateway coordinates the work of, and manages, the first, second and third API gateways.
Specifically, as shown in FIG. 2, the API gateway is connected directly to the network isolation device. The security enforcement gateway acts as a zero-trust security component: it provides application hiding and a security proxy for application services in the low-security access zone, with proxy decisions based on the user's permission policy and trust evaluation. The API gateway's role is to act as the front-end protection device and security policy enforcement point, performing validity and security checks on the data so that data exchange can take place.
In another example, the front gateway comprises an API gateway and a security enforcement gateway, with the API gateway connected to the physical network isolation device through the security enforcement gateway. The API gateway serves as a data exchange gateway, holds a device access account for the calling account together with a security access policy gateway, and performs single-packet authentication on the visitor; once that passes, the visitor's access through the security enforcement gateway is diverted and continuously verified according to the zero-trust security policy. In this example the API gateway likewise includes a first, second and third API gateway: the first connects to the security enforcement gateway and sends network information and identity information to it so that the security enforcement gateway can perform single-packet authentication; the second receives calls from visitors and provides API validity checking together with circuit-breaking and rate-limiting services; and the third coordinates the work of, and manages, the three API gateways.
Specifically, as shown in FIG. 3, the API gateway is deployed at a remote site and reaches the low-security access zone (i.e., the low-security network) over other networks such as the Internet; from there it connects to the on-premises network isolation device (optical gate or gatekeeper) through a zero-trust security policy enforcement gateway. The security policy enforcement gateway acts as the access agent for the API gateway and enforces the data access policy, while the API gateway operates as a client agent of the security policy enforcement gateway.
As shown in FIGS. 2 and 3, the physical network isolation device includes a first unidirectional optical gate that carries data from the low-security network to the high-security network and a second unidirectional optical gate that carries data from the high-security network to the low-security network. That is, to achieve bidirectional data transfer, a pair of unidirectional optical gates/gatekeepers is first set up between the internal and external networks, and the trusted end of the outbound unidirectional optical gate is connected directly to the network of the zero-trust core components. The front gateway's per-device user permission policy is enforced so that the API gateway or security policy gateway in the pair carries the zero-trust component's own data and signaling separately from other data (the policy of fetching different data with different accounts), and that proprietary data and signaling connect directly to the zero-trust component.
The untrusted and trusted ends of the optical gate are adjusted so that both ends can be accessed only by systems that pass single-packet authentication; any system that does not pass cannot reach the network service port, and data must be accessed through an API gateway or security policy enforcement gateway (collectively called the front gateway here) that has passed single-packet authentication. The physical network isolation device assigns each front gateway a unique ID and password at its management end; note that the ID is generated from the characteristics of the front gateway. The ID and password are displayed when the front gateway's security agent is installed and are saved in a small database at each end of the optical gate, where the management interfaces of the trusted and untrusted ends can maintain them. After the front gateway connects to the optical gate through single-packet authentication, the security agent client built into the front gateway keeps sending single-packet authentication to the physical isolation device to sustain the front gateway's trusted status. Only trusted devices can connect to the physical network isolation device; compared with the earlier approach that relied on IP restriction alone, continuous single-packet authentication avoids the risk of unauthorized data leakage.
The following describes in detail the operation of the manner in which the API gateway is directly connected to the network isolation device and the manner in which the API gateway is connected to the network isolation device through the secure execution gateway, respectively.
As shown in FIG. 2, in the arrangement where the API gateway is connected directly to the network isolation device, the API gateway is the key design element: it isolates direct access to the physical network isolation device and enforces the data access security policy. The API gateway program is divided into three parts. One part acts as a terminal that connects to the optical gate/gatekeeper, collects network information and identity information, and sends the single-packet authentication packet. Another part acts as a server that receives calls from other users and provides API validity checking together with circuit-breaking and rate-limiting services. The third part is the cluster and cluster management component, which is mainly responsible for work coordination, interface management and state management across all API gateways. As shown in FIG. 4, the API gateway's policy design exchanges different data for different accounts, which keeps the transferred data securely separated, and the validation of data exchanged through the API is continuous. The three parts form one whole: if the program hangs, none of the parts works. The program's API device ID must be registered with the physical network isolation device, and the API gateway's calling account must be registered with the zero-trust unified identity system. The process for opening an API gateway account is shown in FIG. 5. The overall data exchange flow is that a data request is initiated by the caller and passes through the API gateway; if a data security agent sits in between, the request passes through the data security agent before entering the physical network isolation device. The flow for sending a data call is shown in FIG. 6 and the flow for receiving a request in FIG. 7. Checking and synchronizing API gateway accounts is done by remotely fetching the data held in the identity access server over HTTPS.
Single-packet authentication is sent continuously and each packet has a limited validity period; if an access device stops sending single-packet authentication for a certain time, its IP is removed from the network isolation device's access whitelist.
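The following Python sketch, added here as an illustration and not taken from the patent or its assignee, models the single-packet authentication exchange described above: the front gateway builds packets from a device ID derived from its characteristics plus the issued password, the isolation device verifies each packet, opens the interface for the source IP, and removes the IP once packets stop arriving. The characteristic field names, the HMAC-based packet format and all values are assumptions.

```python
"""Single-packet authentication between a front gateway and the isolation device.

Added illustration, not code from the patent or its assignee. Assumed: the device
ID is derived from stable device characteristics (hypothetical fields), the shared
secret is the password issued by the isolation device's management end, and one
packet carries device ID, timestamp, nonce and an HMAC-SHA256 tag."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

SPA_WINDOW_SECONDS = 30      # maximum accepted packet age / clock skew
WHITELIST_TTL_SECONDS = 60   # IP is dropped if no fresh packet arrives in time


def derive_device_id(characteristics: Dict[str, str]) -> str:
    """Derive the front gateway's ID from its characteristics (fields assumed)."""
    canonical = json.dumps(characteristics, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def build_spa_packet(device_id: str, password: bytes, now: Optional[float] = None,
                     nonce: Optional[str] = None) -> dict:
    """Front gateway side: build one authentication packet."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(8)
    msg = f"{device_id}|{ts}|{nonce}".encode()
    tag = hmac.new(password, msg, hashlib.sha256).hexdigest()
    return {"id": device_id, "ts": ts, "nonce": nonce, "mac": tag}


class IsolationDeviceSPA:
    """Isolation device side: verifies packets and keeps the IP whitelist."""

    def __init__(self, registry: Dict[str, bytes]):
        self.registry = registry                 # device_id -> issued password
        self.whitelist: Dict[str, float] = {}    # src_ip -> expiry time
        self.seen_nonces: Dict[str, int] = {}    # nonce -> ts (replay defense)

    def verify(self, pkt: dict, src_ip: str, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        password = self.registry.get(pkt.get("id"))
        if password is None:
            return False                         # unknown device ID
        if abs(now - pkt["ts"]) > SPA_WINDOW_SECONDS:
            return False                         # stale or future-dated packet
        if pkt["nonce"] in self.seen_nonces:
            return False                         # replayed packet
        msg = f"{pkt['id']}|{pkt['ts']}|{pkt['nonce']}".encode()
        expected = hmac.new(password, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkt["mac"]):
            return False                         # wrong password or tampering
        self.seen_nonces[pkt["nonce"]] = pkt["ts"]
        # Open (or re-arm) the communication interface for this source IP.
        self.whitelist[src_ip] = now + WHITELIST_TTL_SECONDS
        return True

    def expire(self, now: Optional[float] = None) -> List[str]:
        """Drop IPs whose gateway stopped sending packets; returns removed IPs."""
        now = now if now is not None else time.time()
        stale = [ip for ip, exp in self.whitelist.items() if exp <= now]
        for ip in stale:
            del self.whitelist[ip]
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= SPA_WINDOW_SECONDS}
        return stale

    def is_allowed(self, src_ip: str, now: Optional[float] = None) -> bool:
        self.expire(now)
        return src_ip in self.whitelist


def demo() -> Dict[str, bool]:
    """Enrol one gateway, then exercise accept, replay, forgery, refresh and lapse."""
    traits = {"hostname": "front-gw-01", "serial": "SN-EXAMPLE-0001",
              "mac": "02:00:00:00:00:01"}       # constructed characteristics
    device_id = derive_device_id(traits)
    password = b"issued-by-management-end"     # constructed shared secret
    device = IsolationDeviceSPA({device_id: password})
    ip, t0 = "10.0.0.5", 1_700_000_000.0

    pkt = build_spa_packet(device_id, password, t0, nonce="n1")
    out = {"first_accepted": device.verify(pkt, ip, t0)}
    out["replay_rejected"] = not device.verify(pkt, ip, t0 + 1)
    forged = build_spa_packet(device_id, b"guessed-password", t0 + 2, nonce="n2")
    out["forged_rejected"] = not device.verify(forged, ip, t0 + 2)
    out["allowed_before_ttl"] = device.is_allowed(ip, t0 + 45)
    # Continuous re-sending keeps the interface open past the original TTL.
    device.verify(build_spa_packet(device_id, password, t0 + 50, nonce="n3"), ip, t0 + 50)
    out["allowed_after_refresh"] = device.is_allowed(ip, t0 + 100)
    # Silence for longer than the TTL removes the IP from the whitelist.
    out["removed_after_silence"] = not device.is_allowed(ip, t0 + 111)
    return out
```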
As shown in FIG. 3, in the arrangement where the API gateway is connected to the network isolation device through the security enforcement gateway, the API gateway acts locally as a data exchange gateway, holds a device access account for the data calling account together with a security access policy gateway, and is also connected to the zero-trust security system. Several zero-trust products cooperate here; the necessary ones are unified identity, a unified permission policy, a trust evaluation system, a security policy enforcement gateway, and multiple access portals. The first API gateway is an open web entry point that cannot on its own prevent DDoS attacks, so the portals exposed to DDoS must be reached through single-packet authentication, and the system enforces its security policy through unified identity and unified permission access. The terminal security agent must implement single-packet authentication and acts as a client with multipoint access to the security policy enforcement gateway; it also checks data validity. An API gateway cluster is implemented so that traffic is shared, allowing the unified policy to be scheduled and attacks to be partitioned. One part of the gateway acts as the terminal connection to the security policy enforcement gateway, collecting network information and identity information and sending the single-packet authentication packet; another part acts as a server that receives calls from other users and provides API data validity checking together with circuit-breaking and rate-limiting services.
The third part is the cluster and cluster management component, mainly responsible for work coordination, interface management and state management across all API gateways. The working mode is similar to the direct-connection principle, except that the upstream element is the security policy enforcement gateway and the device account and calling account are registered with the zero-trust unified identity; the structure is shown in FIG. 8. The intranet-side connection end of the external physical network isolation device is connected not to the intranet at large but directly to the trusted front gateway cluster, and that cluster connects only to the gateway that needs to carry zero-trust command messages. The data transmitted is limited: the only confidential data involved are the zero-trust enforcement policy, key certificates and tokens, the only information involved concerns zero-trust management, and intranet user information is synchronized in the same way.
The overall data exchange flow is that data is initiated by the caller and passes through the API gateway; if a data security agent sits in between, the data passes through it before entering the physical network isolation device. The data call flow is shown in FIG. 9 and the receive-request flow in FIG. 10. Checking and synchronizing API gateway accounts is done by remotely fetching the data held in the identity access server over HTTPS.
According to the secure data exchange system provided by the embodiment of the invention, the front gateway is deployed in the low-security network and designed on the zero-trust architecture; it diverts and continuously verifies visitor access according to the zero-trust security policy in order to carry out data exchange; the physical network isolation device is connected to the front gateway, performs single-packet authentication on the data from the front gateway and, once that passes, opens a communication interface to the front gateway so that the visitor's data is exchanged from the low-security network into the high-security network.
This has the following advantages. The data exchange flow through the gatekeeper/optical gate is defended in depth: a front-end API gateway or security policy gateway is added, and single-packet authentication is performed on that gateway. Compared with plain IP restriction, this prevents an attacker from bypassing the isolation device or connecting to it with a spoofed IP address; because the ID carried in the single-packet authentication is generated from the device's characteristics, stealing a username and password is not enough to connect to the isolation device, and without the front gateway's device ID and password no connection can be made, so the attacker is stopped at the API gateway/security policy enforcement gateway. The front gateway operates according to the zero-trust architecture, so different caller accounts are subject to different security policies; only zero-trust-related signaling and data can be sent outward through the isolation device, and only to the related zero-trust component, so other confidential data cannot leak out. The API checks the calling token, and the security policy is continuously enforced and continuously verified on the API gateway.
In the above description, zero trust represents a new generation of network security protection concept, and the key of the zero trust is to break the default 'trust', and summarize by a popular sentence, namely 'continuous verification and never trust'. Anyone, devices and systems inside and outside the enterprise network are not trusted by default, and the trust basis for access control is reconstructed based on identity authentication and authorization, thereby ensuring identity trust, device trust, application trust and link trust. Based on the zero trust principle, three "security" of the system can be achieved: terminal security, link security, and access control security.
One-way shutter: english is called FGAP for short, which is a unidirectional isolation software and hardware system based on unidirectional light and developed on the basis of a safety isolation Gate (GAP). Physical separation on the network is realized. The method is used for data exchange scenes of networks with extremely high security requirements, such as between a secret-related network and a non-secret-related network, and between an industry intranet and a public network.
Single packet authorization (SPA): the service port is closed by default, so the service is "stealthy" on the network and can neither be connected to nor scanned. When the service is needed, a specific client sends an authentication message to the server; after the server has verified the message, it opens the relevant service to that client's IP address. This authentication mode is called single packet authorization.
Service port: here, the channel entry point provided by a network service.
SDP (Software Defined Perimeter): the network boundary is defined by software. Because the network environment used by end users changes over time, the boundary between the original internal and external networks becomes more and more blurred, and a new mode is needed that adjusts the network boundary automatically in order to protect applications better. Defining the boundary in software in this way is called SDP.
DDoS (Distributed Denial of Service): an attacker controls many machines and makes them attack a target at the same time, so that normal users cannot use the service; this is a DDoS attack.
JWT authentication: a method of authentication using JSON Web Tokens (JWT). A JWT consists of three parts joined by dots into one string: the first part is the header, the second part is the payload, and the third part is the signature.
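As an added example (not code from the patent or from its applicant), the following Python shows how the front-end API gateway described above can validate a caller's JWT on every call and then apply that caller account's policy to the requested exchange type, so that only zero-trust signaling and data can be handed to the isolation device. The HS256 key, the account names, the exchange-type names and the policy table are assumptions; the page does not specify them. The checks a practitioner would want are included: the algorithm is pinned rather than read from the attacker-controlled header, the signature is compared in constant time, and a token without a valid expiry is rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed HS256 key for the example; a real gateway loads it from its key store.
GATEWAY_KEY = b"example-front-gateway-hs256-key"

# Assumed per-caller-account policies: which exchange types may cross the isolation device.
# The page only says that different caller accounts have different policies and that only
# zero-trust signaling and data may pass; these account and type names are illustrative.
ACCOUNT_POLICIES = {
    "zt-controller": {"zt-signaling", "zt-policy-data"},
    "reporting-svc": {"zt-signaling"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = GATEWAY_KEY) -> str:
    """Issuer side: header.payload.signature with HS256 (illustrative only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = GATEWAY_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Gateway side: return the claims if the token is valid for this gateway, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # The header is attacker-controlled: pin the algorithm instead of trusting "alg".
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Continuous verification: every call re-checks expiry; a token without "exp" is rejected.
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return None
    return payload


def authorize_exchange(token: str, exchange_type: str, now: Optional[float] = None) -> bool:
    """Per-call policy check the gateway runs before anything is handed to the isolation device."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return False
    allowed = ACCOUNT_POLICIES.get(claims.get("sub"), set())
    return exchange_type in allowed
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in service it is left at its default. A caller whose account policy does not list the requested exchange type is refused even with a perfectly valid token, which is what separates the types of data exchange per account.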
Further, an embodiment of the present invention provides a secure data exchange method, including: the front gateway routes and continuously checks the visitor's access according to a zero-trust security policy so as to carry out data exchange; after the front gateway has routed and continuously checked the visitor's access according to the zero-trust security policy, the physical network isolation device performs single-packet verification on the data coming from the front gateway and, after the single-packet verification passes, opens a communication interface to the front gateway, so that the visitor's data are exchanged from the low-security network into the high-security network.
According to the secure data exchange method of this embodiment, the data exchange flow through the gatekeeper or optical gate is defended in depth: a front-end API gateway or security policy gateway is added, and single-packet authorization is carried out between that gateway and the network isolation device. Compared with plain IP allow-listing, this prevents an attacker from reaching the network isolation device by spoofing a permitted IP address, because the ID sent in the single-packet authorization is generated from the characteristics of the front-end gateway device. A stolen user name and password are therefore not enough to connect to the isolation device; without the front-end gateway's device ID and secret it cannot be connected to, and the attacker is stopped at the API gateway or security policy enforcement gateway. The front-end gateway operates according to a zero-trust architecture, with different security policies for different caller accounts, so the types of data exchange can be separated: only zero-trust signaling and data are passed outward through the network isolation device, and only to the related zero-trust components, which removes the possibility of other data being transmitted out. The API gateway validates the token on every call, so the security access policy is enforced continuously on the gateway.
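The single-packet authorization step between the front gateway and the isolation device, as an added example that is not code from the patent or its applicant, serving both the SPA definition given earlier and the method just described. The shared key, the packet layout, the device characteristics used to derive the gateway ID (serial number and MAC address), and the 30-second freshness window are all assumptions; the page only says that the ID is generated from device characteristics and that the interface is opened to the sender after verification. The device side shows why this is stronger than an IP allow-list: a packet copied from the wire is rejected when it is replayed, when it is stale, or when it arrives from an address other than the one it was bound to, and a packet built without the key or with an unenrolled device ID never passes at all.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed shared secret between the front gateway and the isolation device (assumption;
# the page does not say how the two sides are keyed).
SPA_KEY = b"example-spa-key-shared-with-isolation-device"
REPLAY_WINDOW_S = 30      # assumed: how far a packet's timestamp may drift from the device clock
_ID_LEN, _TS_LEN, _NONCE_LEN, _TAG_LEN = 16, 8, 8, 32


def gateway_device_id(serial: str, mac: str, key: bytes = SPA_KEY) -> bytes:
    """Derive the front gateway's ID from device characteristics rather than a password.
    Which characteristics the page has in mind is unspecified; serial and MAC are assumed."""
    return hmac.new(key, f"{serial}|{mac}".encode("ascii"), hashlib.sha256).digest()[:_ID_LEN]


def build_spa_packet(dev_id: bytes, src_ip: str, key: bytes = SPA_KEY,
                     now: Optional[float] = None, nonce: Optional[bytes] = None) -> bytes:
    """Front gateway side: id || timestamp || nonce || claimed source IP || HMAC tag."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(_NONCE_LEN) if nonce is None else nonce
    body = dev_id + struct.pack(">Q", ts) + nonce + src_ip.encode("ascii")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class IsolationDevice:
    """Isolation device side: the interface stays closed until a valid SPA packet arrives."""

    def __init__(self, known_ids, key: bytes = SPA_KEY):
        self.key = key
        self.known_ids = set(known_ids)   # enrolled front gateway IDs
        self.seen_nonces = {}             # nonce -> timestamp, pruned to the replay window
        self.open_for = set()             # source IPs the interface is currently open to

    def verify_spa(self, pkt: bytes, observed_src_ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        head = _ID_LEN + _TS_LEN + _NONCE_LEN
        if len(pkt) <= head + _TAG_LEN:
            return False
        body, tag = pkt[:-_TAG_LEN], pkt[-_TAG_LEN:]
        # 1. Authenticity first: without the key nothing else is worth parsing.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        dev_id = body[:_ID_LEN]
        ts = struct.unpack(">Q", body[_ID_LEN:_ID_LEN + _TS_LEN])[0]
        nonce = body[_ID_LEN + _TS_LEN:head]
        claimed_ip = body[head:].decode("ascii", "replace")
        # 2. Only enrolled front gateways may open the interface.
        if dev_id not in self.known_ids:
            return False
        # 3. Freshness: stale or future-dated packets are refused.
        if abs(now - ts) > REPLAY_WINDOW_S:
            return False
        # 4. Bind the packet to the address it actually came from, so a captured packet
        #    cannot be resent from an attacker's machine.
        if claimed_ip != observed_src_ip:
            return False
        # 5. One-time nonce inside the window defeats replay from the same address.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= REPLAY_WINDOW_S}
        if nonce in self.seen_nonces:
            return False
        self.seen_nonces[nonce] = ts
        self.open_for.add(observed_src_ip)
        return True
```

`observed_src_ip` stands for the address the device sees on the wire; the check that it equals the IP signed into the packet is what turns an IP address from an identifier an attacker can forge into a binding the attacker cannot satisfy without the key.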
For specific limitations of the secure data exchange method, reference may be made to the limitations of the secure data exchange system above, which are not repeated here. The modules of the secure data exchange system described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in, or independent of, the processor of the computer device in hardware form, or stored in software form in the memory of the computer device so that the processor can call and execute the operations corresponding to them.
In one embodiment, an electronic device, which may be a terminal, is provided; its internal structure may be as shown in fig. 11. The electronic device includes a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the electronic device provides computing and control capabilities. The memory of the electronic device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program; the internal memory provides the environment in which the operating system and the computer program from the non-volatile storage medium run. The communication interface of the electronic device is used for wired or wireless communication with an external terminal; wireless communication may be realized through WiFi, an operator network, Near Field Communication (NFC) or other technologies. The computer program, when executed by the processor, implements the secure data exchange method. The display screen of the electronic device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, keys, a trackball or a touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in fig. 11 is merely a block diagram of the part of the structure relevant to the present application and does not limit the computer device to which the present application applies; a particular computer device may include more or fewer components than shown, combine some of the components, or arrange the components differently.
In one embodiment, the secure data exchange apparatus provided herein may be implemented as a computer program that runs on an electronic device such as the one shown in fig. 11. The memory of the electronic device may store the program modules that make up the secure data exchange apparatus.
The memory of the electronic device stores at least one instruction, at least one program, a set of codes or a set of instructions, which is loaded and executed by the processor to implement the secure data exchange method of any of the embodiments described above. For example, the secure data exchange method includes: the front gateway routes and continuously checks the visitor's access according to a zero-trust security policy so as to carry out data exchange; after the front gateway has routed and continuously checked the visitor's access according to the zero-trust security policy, the physical network isolation device performs single-packet verification on the data coming from the front gateway and, after the single-packet verification passes, opens a communication interface to the front gateway, so that the visitor's data are exchanged from the low-security network into the high-security network.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored; when executed by a processor, the program performs the following steps: the front gateway routes and continuously checks the visitor's access according to a zero-trust security policy so as to carry out data exchange; after the front gateway has routed and continuously checked the visitor's access according to the zero-trust security policy, the physical network isolation device performs single-packet verification on the data coming from the front gateway and, after the single-packet verification passes, opens a communication interface to the front gateway, so that the visitor's data are exchanged from the low-security network into the high-security network.
In one embodiment, a computer program product is provided which, when executed by the processor of a mobile terminal, causes the mobile terminal to perform the following steps: the front gateway routes and continuously checks the visitor's access according to a zero-trust security policy so as to carry out data exchange; after the front gateway has routed and continuously checked the visitor's access according to the zero-trust security policy, the physical network isolation device performs single-packet verification on the data coming from the front gateway and, after the single-packet verification passes, opens a communication interface to the front gateway, so that the visitor's data are exchanged from the low-security network into the high-security network.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory and the like. Volatile memory may include random access memory (RAM) or an external cache. By way of illustration and not limitation, RAM is available in many forms, such as static random access memory (SRAM) and dynamic random access memory (DRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the embodiments are described; as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The foregoing examples represent only a few embodiments of the present application, which are described in some detail, and are not to be construed as limiting the scope of the invention. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these would fall within the scope of the present application. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (10)

1. A secure data exchange system, comprising:
a front gateway deployed in a low-security network and designed on a zero-trust architecture, the front gateway being used for routing and continuously checking a visitor's access according to a zero-trust security policy so as to carry out data exchange;
and a physical network isolation device connected to the front gateway and used for performing single-packet verification on data from the front gateway and, after the single-packet verification passes, opening a communication interface to the front gateway so that the visitor's data are exchanged from the low-security network into the high-security network.
2. The secure data exchange system of claim 1, wherein the front gateway comprises:
an API gateway connected to the physical network isolation device and used for enforcing the zero-trust security policy on the visitor's access;
and a security execution gateway connected to the physical network isolation device and used for providing hiding and security proxy functions for application services accessed from the low-security-level network, wherein the security proxy is determined by the visitor's authority policy and trust.
3. The secure data exchange system of claim 2, wherein the API gateway comprises a first API gateway for connecting to the physical network isolation device, a second API gateway for receiving calls from visitors and providing API legitimacy checking and circuit-breaking/rate-limiting services for visitors, and a third API gateway for coordinating the operation of and managing the first, second and third API gateways and for sending network information and identity information to the physical network isolation device for single-packet authentication by the physical network isolation device.
4. The secure data exchange system of claim 1, wherein the front gateway comprises:
an API gateway and a security execution gateway, the API gateway being connected to the physical network isolation device through the security execution gateway,
wherein the API gateway serves as the data exchange gateway, is configured with a device access account according to the caller account and the security access policy gateway, performs single-packet verification on the visitor and, after the verification passes, routes and continuously checks the visitor's access according to the zero-trust security policy through the security execution gateway.
5. The secure data exchange system of claim 4, wherein the API gateway comprises a first API gateway for connecting to the security execution gateway, a second API gateway for receiving calls from visitors and providing API legitimacy checking and circuit-breaking/rate-limiting services for visitors, and a third API gateway for coordinating the operation of and managing the first, second and third API gateways and for sending network information and identity information to the security execution gateway for single-packet authentication by the security execution gateway.
6. The secure data exchange system of any of claims 1-5, wherein the physical network isolation device comprises a first unidirectional optical shutter for transmitting data from the low-security-level network to the high-security-level network and a second unidirectional optical shutter for transmitting data from the high-security-level network to the low-security-level network.
7. A method of secure data exchange, comprising:
a front gateway routing and continuously checking a visitor's access according to a zero-trust security policy so as to carry out data exchange;
and, after the front gateway has routed and continuously checked the visitor's access according to the zero-trust security policy, a physical network isolation device performing single-packet verification on the data from the front gateway and, after the single-packet verification passes, opening a communication interface to the front gateway so that the visitor's data are exchanged from the low-security network into the high-security network.
8. An electronic device comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, a set of codes or a set of instructions, which is loaded and executed by the processor to implement the secure data exchange method of claim 7.
9. A non-transitory computer readable storage medium, characterized in that instructions in the storage medium, when executed by a processor of a mobile terminal, enable the mobile terminal to perform the secure data exchange method of claim 7.
10. A computer program product, characterized in that instructions in the computer program product, when executed by a processor of a mobile terminal, enable the mobile terminal to perform the secure data exchange method according to claim 7.
CN202210782874.1A 2022-07-05 2022-07-05 Secure data exchange system, secure data exchange method, electronic device, and storage medium Pending CN117395014A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210782874.1A CN117395014A (en) 2022-07-05 2022-07-05 Secure data exchange system, secure data exchange method, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
CN117395014A true CN117395014A (en) 2024-01-12

Family

ID=89461819

Country Status (1)

Country Link
CN (1) CN117395014A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination