CN117459264A - SSL VPN communication method and system based on browser - Google Patents

SSL VPN communication method and system based on browser

Info

Publication number
CN117459264A
Authority
CN
China
Prior art keywords
browser
user
data
ssl vpn
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311384779.7A
Other languages
Chinese (zh)
Inventor
应玉龙
王元涛
张虎
韩丹
王雪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Postal Savings Bank of China Ltd
Original Assignee
Postal Savings Bank of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Postal Savings Bank of China Ltd
Priority to CN202311384779.7A
Publication of CN117459264A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0272 Virtual private networks
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
              • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
            • H04L 63/16 Implementing security features at a particular protocol layer
              • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            • H04L 67/14 Session management
              • H04L 67/141 Setup of application sessions
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/08 Protocols for interworking; Protocol conversion

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a browser-based SSL VPN communication method and system. The method comprises the following steps: the browser establishes an SSL connection channel with an SSL VPN server; after the user's login information passes verification, the SSL VPN server returns to the browser a list of the intranet services the user is permitted to access; the browser sends a request message to the SSL VPN server carrying the service type and port address of the intranet service selected by the user together with the interaction data from the web page the user is operating; the SSL VPN server decrypts the received request message, parses its content, establishes a data interaction connection with the corresponding intranet service according to the port address, performs protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, and then returns a response message to the browser, in which the interaction data returned by the intranet service is of a protocol type the browser can interpret. The method and system allow a user to remotely access intranet services of various service types.

Description

SSL VPN communication method and system based on browser
Technical Field
The application relates to the technical field of communication, in particular to an SSL VPN communication method and system based on a browser.
Background
With the rapid development of the Internet, more and more enterprises, government units and social institutions are connected to it; at the same time, to ensure information security, they build relatively isolated internal information networks. In general, an enterprise's day-to-day office information and production management information live in information systems on the internal network. In recent years, remote operation and remote office work have become the norm in most enterprises and public institutions, and remote access to their intranets must provide both communication connectivity and secure data transmission. Because B/S (browser/server) web systems are easier to deploy and maintain, enterprises and institutions run a large number of web systems that are accessed through a browser. Browser-based SSL VPN technology has evolved to meet this need.
SSL VPN technology is a tunneling technology that encrypts and encapsulates data packets transmitted over public network infrastructure on the basis of the SSL protocol; using means such as encryption, authentication and access control, it realizes a secure virtual private network. With it, a user on the external public network can use the functions of each web system in the intranet, and the security of data transmitted between client and server is ensured.
Fig. 1 shows the framework and flow of the conventional browser-based SSL VPN technology. In web mode the browser plays the role of the client in the SSL VPN system. The SSL VPN server maintains a web site, and after a user logs in to the SSL VPN server, links to the other web sites in the internal network (for example the internal financial system, the internal OA system and the internal CRM system) are shown on the site's first page. These links to internal web sites are all hosted on the SSL VPN server, and the protocol field in the private URL of each internal web site is replaced, that is, HTTP is replaced by HTTPS, so that HTTPS is used between the browser and the SSL VPN server to protect the transmitted data. When the user clicks a link on the web page, the SSL VPN server initiates access to the real web site the link points to, using its own IP address in the intranet. As can be seen from Fig. 1, the original HTTP session is split into two segments: HTTPS is used between the browser and the SSL VPN server, and HTTP between the SSL VPN server and the real web application server.
In the course of making this application, the inventors found that the existing browser-based SSL VPN schemes have at least the following disadvantages:
(1) A real intranet contains web systems of HTTP type, a large number of web systems of HTTPS type, and many web-accessible services of other types, such as FTP, SSH, NFS, SMB and CIFS. An SSL VPN technology that supports only HTTP network requests clearly cannot meet the real-world demand for remote access to intranet environments.
(2) The SSL protocol depends on cryptography, and two families of encryption and decryption standards need to be supported: general (international) cryptographic standards and the national cryptographic standard. In existing SSL VPN architectures, however, support for the national cryptographic standard is incomplete, and management of national cryptographic certificates is not implemented.
(3) When a user accesses the internal network from the external network, unsafe access behaviour must be identified promptly, recorded and reported to a monitoring server. Existing SSL VPN technology, however, cannot identify in detail the behavioural data of a user operating intranet resources.
Disclosure of Invention
The present application provides a browser-based SSL VPN communication method and system that address one or more of the above problems.
According to a first aspect of the present application, a browser-based SSL VPN communication method is provided, comprising:
establishing an SSL connection channel between the browser and the SSL VPN server;
after the user's login information passes verification, the SSL VPN server returns to the browser a list of the intranet services the user is authorized to access, in which the service type and port address of each intranet service are marked;
in response to the user selecting an intranet service, the browser sends a request message to the SSL VPN server over the SSL session, the request message carrying the service type and port address of the selected intranet service together with the interaction data from the web page the user is operating;
the SSL VPN server decrypts the received request message, parses its content, establishes a data interaction connection with the corresponding intranet service according to the port address, and performs protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, converting the interaction data into the protocol type understood by the receiving party;
the SSL VPN server returns a response message to the browser over the SSL session, in which the interaction data returned by the intranet service is of a protocol type the browser can interpret, so that the user can remotely access intranet services of various service types.
According to some embodiments of the present application, the SSL connection channel established between the browser and the SSL VPN server uses the national cryptographic standard; the method further comprises:
when the browser starts, it automatically loads the national cryptographic dual certificates the user has successfully imported, and carries out the user login verification process according to the configuration policy of the SSL VPN server: if the SSL VPN server selects two-way (mutual) verification under the national cryptographic standard, the browser sends the locally managed national cryptographic dual-certificate information of the user to the SSL VPN server for verification; if the SSL VPN server selects one-way verification under the national cryptographic standard, the browser sends the user name and password to the SSL VPN server for verification.
According to some embodiments of the present application, the SSL VPN server's protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, converting the interaction data into the protocol type the receiving party understands, comprises:
for an intranet service of HTTP type, the SSL VPN server forwards the interaction data from the user's web page directly to the intranet service, and the interaction data returned by the intranet service is encrypted under the national cryptographic standard and forwarded to the browser;
for an intranet service of HTTPS type, the SSL VPN server establishes an encrypted handshake connection with the intranet service, encrypts the interaction data from the user's web page before forwarding it to the intranet service, decrypts the interaction data returned by the intranet service, and then encrypts the decrypted data under the national cryptographic standard and forwards it to the browser;
for the other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server first converts the interaction data from the user's web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP data the browser can interpret, encrypts the converted data under the national cryptographic standard and forwards it to the browser.
According to some embodiments of the present application, the method further comprises:
the browser identifies and records the interaction data of the user's various operations when accessing intranet services; analyzes, classifies and counts the interaction data of all users according to the user filtering rules and data reporting rules issued by the monitoring server; and filters out the user operation data that is to be reported and reports it to the monitoring server.
According to some embodiments of the present application, the method further comprises:
after receiving the user operation data reported by the browser, the monitoring server builds a profile of the user's operation behaviour and identifies unauthorized access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
According to a second aspect of the present application, a browser-based SSL VPN communication system is provided, comprising a browser and an SSL VPN server, with an SSL connection channel established between them;
the SSL VPN server is configured to return to the browser, after the user's login information passes verification, a list of the intranet services the user is authorized to access, in which the service type and port address of each intranet service are marked;
the browser is configured to send, in response to the user selecting an intranet service, a request message to the SSL VPN server over the SSL session, the request message carrying the service type and port address of the selected intranet service together with the interaction data from the web page the user is operating;
the SSL VPN server is further configured to decrypt the received request message, parse its content, establish a data interaction connection with the corresponding intranet service according to the port address, perform protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, converting the interaction data into the protocol type understood by the receiving party, and return a response message to the browser over the SSL session in which the interaction data returned by the intranet service is of a protocol type the browser can interpret, so that the user can remotely access intranet services of various service types.
According to some embodiments of the present application, the SSL connection channel established between the browser and the SSL VPN server uses the national cryptographic standard;
the browser is further configured to load automatically, when it starts, the national cryptographic dual certificates the user has successfully imported, and to carry out the user login verification process according to the configuration policy of the SSL VPN server: if the SSL VPN server selects two-way (mutual) verification under the national cryptographic standard, the browser sends the locally managed national cryptographic dual-certificate information of the user to the SSL VPN server for verification; if the SSL VPN server selects one-way verification under the national cryptographic standard, the browser sends the user name and password to the SSL VPN server for verification.
According to some embodiments of the present application, the SSL VPN server's protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, converting the interaction data into the protocol type the receiving party understands, comprises:
for an intranet service of HTTP type, the SSL VPN server forwards the interaction data from the user's web page directly to the intranet service, and the interaction data returned by the intranet service is encrypted under the national cryptographic standard and forwarded to the browser;
for an intranet service of HTTPS type, the SSL VPN server establishes an encrypted handshake connection with the intranet service, encrypts the interaction data from the user's web page before forwarding it to the intranet service, decrypts the interaction data returned by the intranet service, and then encrypts the decrypted data under the national cryptographic standard and forwards it to the browser;
for the other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server first converts the interaction data from the user's web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP data the browser can interpret, encrypts the converted data under the national cryptographic standard and forwards it to the browser.
According to some embodiments of the present application, the browser is further configured to identify and record the interaction data of the user's various operations when accessing intranet services, to analyze, classify and count the interaction data of all users according to the user filtering rules and data reporting rules issued by the monitoring server, and to filter out the user operation data to be reported and report it to the monitoring server.
According to some embodiments of the present application, the system further comprises a monitoring server configured to build a profile of the user's operation behaviour after receiving the user operation data reported by the browser, and to identify unauthorized access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
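The browser-side filtering of recorded user operations under the rules issued by the monitoring server, and the monitoring server's rule-based identification of unauthorized access, as an added illustrative example in Python that is not part of this application. The operation record format, the rule fields, the per-user authorization map and the burst threshold are all constructed for the example; the application itself does not specify them.

```python
# Added example, not from the application: browser-side selection of user
# operations to report under rules issued by the monitoring server, and the
# monitoring server's rule-based flagging. All records, rules and thresholds
# below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Operation:
    user: str
    stype: str    # service type used: http, https, ftp, ssh, ...
    target: str   # ip:port of the intranet service
    action: str   # constructed action labels: GET, DOWNLOAD, LOGIN, ...
    ts: int       # time in seconds

# Constructed sample of operations the browser recorded.
SAMPLE_OPS = [
    Operation("alice", "http", "192.168.7.170:8181", "GET", 100),
    Operation("alice", "ftp", "192.168.7.34:21", "DOWNLOAD", 120),
    Operation("alice", "ftp", "192.168.7.34:21", "DOWNLOAD", 121),
    Operation("alice", "ftp", "192.168.7.34:21", "DOWNLOAD", 122),
    Operation("bob", "ssh", "10.0.0.5:22", "LOGIN", 130),
    Operation("bob", "http", "192.168.7.170:8181", "GET", 140),
]

# Constructed rules as the monitoring server might issue them.
USER_FILTER = {"report_users": None,             # None means every user
               "exclude_users": {"svc-monitor"}}
REPORT_RULES = {"report_actions": {"DOWNLOAD", "PUT", "LOGIN"},
                "report_types": {"ftp", "ssh", "smb", "cifs"}}

# Constructed per-user authorized targets, as the SSL VPN server's service
# list would define them.
AUTHORIZED: Dict[str, Set[str]] = {
    "alice": {"192.168.7.170:8181", "192.168.7.34:21"},
    "bob": {"192.168.7.170:8181"},
}

def select_for_report(ops: List[Operation], user_filter=USER_FILTER,
                      report_rules=REPORT_RULES) -> List[Operation]:
    """Browser side: apply the user filter, then keep operations whose action
    or service type the reporting rules ask for."""
    selected = []
    for op in ops:
        if op.user in user_filter["exclude_users"]:
            continue
        wanted = user_filter["report_users"]
        if wanted is not None and op.user not in wanted:
            continue
        if op.action in report_rules["report_actions"] or op.stype in report_rules["report_types"]:
            selected.append(op)
    return selected

def summarize(ops: List[Operation]) -> Counter:
    """Classify and count per (user, service type, action) before reporting."""
    return Counter((op.user, op.stype, op.action) for op in ops)

def flag_abnormal(ops: List[Operation], authorized: Dict[str, Set[str]],
                  max_per_window: int = 2, window: int = 60) -> List[Tuple[str, str, str]]:
    """Monitoring server side: flag targets outside the user's authorized
    list, and more than max_per_window identical actions within `window`
    seconds (one finding per event beyond the threshold)."""
    findings = []
    for op in ops:
        if op.target not in authorized.get(op.user, set()):
            findings.append(("unauthorized-target", op.user, op.target))
    recent: Dict[Tuple[str, str, str], List[int]] = {}
    for op in sorted(ops, key=lambda o: o.ts):
        key = (op.user, op.action, op.target)
        times = [t for t in recent.get(key, []) if op.ts - t < window]
        times.append(op.ts)
        recent[key] = times
        if len(times) > max_per_window:
            findings.append(("burst", op.user, op.action))
    return findings

if __name__ == "__main__":
    reported = select_for_report(SAMPLE_OPS)
    print(summarize(reported))
    print(flag_abnormal(reported, AUTHORIZED))
```

The two stages mirror the split in the application: the browser reduces its full record to what the rules ask for, and the monitoring server judges the reported subset against the user's authorization and its own behaviour rules.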
The technical solution of the embodiments of the application can achieve the following beneficial effects:
(1) A wider range of intranet service types can be accessed through the SSL VPN: not only HTTP/HTTPS web services but also FTP, SSH, NFS, SMB, CIFS and other intranet resource services, extending the applicability of browser-based SSL VPN technology.
(2) The browser implements management of national cryptographic dual certificates and supports one-way or two-way user login verification when communicating with the SSL VPN server under the national cryptographic standard, improving the flexibility with which the national cryptographic standard can be applied.
(3) The method and system collect and report, in the browser, the interaction data of users accessing intranet resource services, achieving comprehensive monitoring of users' operations on intranet resources and improving the security of the SSL VPN technology.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 illustrates the implementation framework and flow chart of existing browser-based SSL VPN technology;
FIG. 2 shows a schematic flow chart of a browser-based SSL VPN communication method according to an embodiment of the present application;
FIG. 3 illustrates the implementation framework and flow chart of the browser-based SSL VPN technology of an embodiment of the present application;
FIG. 4 shows another flow chart of a browser-based SSL VPN communication method according to an embodiment of the present application;
FIG. 5 shows a schematic structural diagram of a browser-based SSL VPN communication system according to an embodiment of the present application.
Detailed Description
To enable those skilled in the art to better understand the solution of the present application, the technical solution in the embodiments is described below in detail with reference to the accompanying drawings. It is apparent that the described embodiments are only some embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments herein without inventive effort fall within the scope of the present application.
It should be noted that the terms "comprises" and "comprising," along with any variations thereof, in the description and claims of the present application are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed.
Example 1
According to the first aspect of the present application, an embodiment provides a browser-based SSL VPN communication method which, as shown in FIGS. 2 to 4, comprises steps S21 to S25:
S21: an SSL connection channel is established between the browser and the SSL VPN server.
In some preferred embodiments, the SSL connection channel established between the browser and the SSL VPN server uses the national cryptographic standard.
Referring to FIG. 4, the user starts the browser, and the browser automatically loads the national cryptographic dual certificates (signature certificate and encryption certificate) that the user has successfully imported. That is, the certificates are loaded into the browser cache as a dual-certificate list, ready for subsequent access to web systems.
The browser automatically recognizes whether the address entered by the user is an ordinary external web site or the address of an internal SSL VPN server. Recognition is based mainly on the string at the beginning of the URL; for example, from an address such as HTTPS://sslvpn_149.147.48.1_443 the browser identifies the SSL VPN server the user wants to access.
In response to the user's request to access the SSL VPN server, an SSL connection channel under the national cryptographic standard is established between the browser and the SSL VPN server, and the user login verification process is carried out according to the configuration policy of the SSL VPN server. The verification process is as follows:
The SSL VPN server selects, according to its configuration policy, one-way or two-way verification of the user's login information under the national cryptographic standard. If the SSL VPN server selects two-way verification, the browser sends the locally managed national cryptographic dual-certificate information of the user to the SSL VPN server for verification; if the SSL VPN server selects one-way verification, the browser sends the user name and password to the SSL VPN server for verification.
Compared with the existing browser-based SSL VPN schemes, which have no management of national cryptographic dual certificates, support only one-way verified SSL communication and directly call the operating system's management interface for international cryptographic algorithms, the embodiment implements management of the national cryptographic dual certificates in the browser and supports one-way or two-way user login verification when the browser communicates with the SSL VPN server under the national cryptographic standard. With one-way verification the user logs in with a user name and password; with two-way verification the user can log in without a password, which improves the flexibility of applying the national cryptographic standard.
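The one-way/two-way login verification of step S21, as an added illustrative example in Python that is not part of this application: the server's configuration policy selects the mode; in two-way mode the user identity is taken from the client signature certificate that the TLS layer has already verified, and in one-way mode from a user name and password. The user store, the certificate subject names, the policy strings and the use of PBKDF2-SHA256 as a stand-in for a hash under the national cryptographic standard are assumptions of the example; a TLS stack supporting the national cryptographic cipher suites is assumed and not shown.

```python
# Added example, not from the application: login verification of step S21.
# USERS, CERT_SUBJECTS and the policy strings are constructed; PBKDF2-SHA256
# stands in for a hash under the national cryptographic standard.
import hashlib
import hmac
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 (stand-in; constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed user store: user name -> (salt, password hash).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Constructed map from the subject of a user's signature certificate to the
# user name; the TLS layer is assumed to have validated the certificate chain.
CERT_SUBJECTS = {"CN=alice,O=Example Bank": "alice"}

# Hash compared for unknown users so that lookup time does not reveal whether
# the user name exists.
_DUMMY_HASH = b"\x00" * 32

def verify_login(policy: str,
                 peer_cert_subject: Optional[str] = None,
                 username: Optional[str] = None,
                 password: Optional[str] = None) -> Optional[str]:
    """Return the authenticated user name, or None if verification fails.

    policy: "two-way" (mutual verification, identity from the client
    certificate) or "one-way" (server-only TLS, user name and password).
    peer_cert_subject: subject of the client certificate the TLS layer has
    already verified; None if no client certificate was presented.
    """
    if policy == "two-way":
        # Two-way mode does not accept a password as a substitute for the
        # certificate: no verified client certificate, no login.
        if peer_cert_subject is None:
            return None
        return CERT_SUBJECTS.get(peer_cert_subject)
    if policy == "one-way":
        if username is None or password is None:
            return None
        record = USERS.get(username)
        salt, expected = record if record is not None else (_SALT, _DUMMY_HASH)
        matches = hmac.compare_digest(_hash_password(password, salt), expected)
        return username if (record is not None and matches) else None
    raise ValueError(f"unknown verification policy: {policy!r}")

if __name__ == "__main__":
    print(verify_login("two-way", peer_cert_subject="CN=alice,O=Example Bank"))  # alice
    print(verify_login("one-way", username="alice", password="correct horse"))   # alice
    print(verify_login("one-way", username="alice", password="wrong"))            # None
```

The point of keeping the two branches separate is that in two-way mode the identity comes only from the certificate the TLS layer verified, so a password sent in that mode is ignored rather than treated as a fallback.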
S22: after the user's login information passes verification, the SSL VPN server returns to the browser a list of the intranet services the user is authorized to access, in which the service type and port address of each intranet service are marked.
After the user's login information passes verification, the SSL VPN server sends the browser a list of the intranet network services the user is permitted to access, for the user to choose from. For example:
the link to an HTTP-type web service is: https://sslvpn/http/IP_port/page1
the link to an HTTPS-type web service is: https://sslvpn/https/IP_port/page2
the link to an FTP-type server is: https://sslvpn/FTP/IP_port/fileFolder1
the link to an SSH-type server is: https://sslvpn/SSH/IP_port/fileFolder2
In practice, the intranet service list the SSL VPN server returns to the browser may take the following form:
192.168.7.170:8181/page1 http
192.168.7.168:443/page1 https
192.168.7.34:21/page1 ftp
That is, the returned list marks only the service type and port address of each intranet service; the browser must rebuild the access link of each service in the form above before presenting it to the user.
S23: in response to the user selecting an intranet service, the browser sends a request message to the SSL VPN server over the SSL session, the request message carrying the service type and port address of the selected intranet service together with the interaction data from the web page the user is operating.
The user selects the intranet service to access from the list of authorized services, and the browser sends an access request to the SSL VPN server in the intranet based on that selection.
Note that once the SSL connection channel under the national cryptographic standard has been established between the browser and the SSL VPN server, all communication between them is encrypted under the national cryptographic standard, and the browser sends the request message to the SSL VPN server in that form.
S24: the SSL VPN server decrypts the received request message, parses its content, establishes a data interaction connection with the corresponding intranet service according to the port address, and performs protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, converting the interaction data into the protocol type understood by the receiving party.
After receiving the request message, the SSL VPN server decrypts it and parses its content, which comprises the service type and port address of the selected intranet service and the interaction data from the user's web page. The SSL VPN server then establishes a data interaction connection with the corresponding intranet service according to the port address and, according to the service type, performs protocol conversion and forwarding of the interaction data between the browser and the intranet service, converting it into the protocol type the receiving party understands. The processing flow between the SSL VPN server and the intranet service differs by service type:
For an intranet service of HTTP type, the SSL VPN server only needs to forward the interaction data from the user's web page directly to the intranet service; the interaction data returned by the intranet service is encrypted under the national cryptographic standard and forwarded to the browser.
For an intranet service of HTTPS type, the SSL VPN server needs to establish an encrypted handshake connection with the intranet service; the interaction data from the user's web page is encrypted and forwarded to the intranet service, the interaction data returned by the intranet service is decrypted, and the decrypted data is encrypted under the national cryptographic standard and forwarded to the browser.
For the other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server needs to perform the corresponding protocol conversion: it first converts the interaction data from the user's web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP data the browser can interpret, encrypts the converted data under the national cryptographic standard and forwards it to the browser.
S25, the SSL VPN server returns a response message to the browser through the SSL session, and interaction data returned by the intranet service carried in the response message is a protocol type which can be identified by the browser, so that the user can remotely access the intranet service of various service types.
The scheme of this embodiment lets the user remotely access intranet services of various service types. From the user's perspective in the browser, the user operates the web page to interact with the intranet service, and the browser automatically converts the connection into a VPN link of the corresponding type. For example:
when a user accesses an HTTP-type intranet service, the browser automatically converts it into an HTTP-type VPN link: https://sslvpn/http/IP_port/page2
when a user accesses an HTTPS-type intranet service, the browser automatically converts it into an HTTPS-type VPN link: https://sslvpn/https/IP_port/page3
when a user accesses other types of intranet service such as FTP or SSH, the browser automatically converts it into a VPN link of the corresponding type:
FTP type: https://sslvpn/FTP/IP_port/fileFolder1
SSH type: https://sslvpn/SSH/IP_port/fileFolder2; etc.
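The link form and the per-type relay flow above can be modelled in a few dozen lines. The following is an added example, not code from the patent or from the applicant: it parses a gateway link of the form https://sslvpn/<type>/<IP_port>/<resource>, checks the target against the user's authorised service list (the check a gateway must make before relaying anything, since the browser-side link is user-controlled), and returns the relay plan for the three service classes the text distinguishes. The gateway host name "sslvpn", the sample authorised list and the step labels are assumptions; the encryption layer is only named, no SM cipher is implemented.

```python
"""Hypothetical model of the SSL VPN server's request dispatch (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Service classes named in the text and how the gateway relays each of them.
DIRECT_FORWARD = {"http"}
TLS_TO_BACKEND = {"https"}
PROTOCOL_CONVERT = {"ftp", "ssh", "nfs", "smb", "cifs"}
KNOWN_TYPES = DIRECT_FORWARD | TLS_TO_BACKEND | PROTOCOL_CONVERT

ENCRYPT_FOR_BROWSER = "encrypt for browser under the national cryptographic (SM) TLS channel"


@dataclass(frozen=True)
class Target:
    service_type: str
    host: str
    port: int
    resource: str


@dataclass(frozen=True)
class Plan:
    target: Target
    to_backend: tuple  # steps applied to the request on its way in
    to_browser: tuple  # steps applied to the reply on its way out


class VpnLinkError(ValueError):
    """The link is not a well-formed gateway link."""


def parse_vpn_link(url: str, gateway_host: str = "sslvpn") -> Target:
    """Split https://sslvpn/<type>/<IP_port>/<resource> into its parts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != gateway_host:
        raise VpnLinkError("link does not point at the SSL VPN gateway")
    segments = parts.path.lstrip("/").split("/", 2)
    if len(segments) < 2 or not segments[0] or not segments[1]:
        raise VpnLinkError("link must carry <type>/<IP_port>")
    service_type = segments[0].lower()
    if service_type not in KNOWN_TYPES:
        raise VpnLinkError(f"unsupported service type {segments[0]!r}")
    host, sep, port_text = segments[1].rpartition("_")
    if not sep or not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise VpnLinkError("IP_port must look like 10.0.0.5_8080")
    resource = segments[2] if len(segments) == 3 else ""
    return Target(service_type, host, int(port_text), resource)


def plan_relay(url: str, authorised) -> Plan:
    """Build the relay plan; refuse any target not on the user's authorised list."""
    target = parse_vpn_link(url)
    allowed = {(t.lower(), h, p) for t, h, p in authorised}
    if (target.service_type, target.host, target.port) not in allowed:
        raise PermissionError(f"{target.host}:{target.port} is not in the user's authorised list")
    if target.service_type in DIRECT_FORWARD:
        inbound = ("decrypt request from browser", "forward web data to HTTP backend unchanged")
        outbound = (ENCRYPT_FOR_BROWSER,)
    elif target.service_type in TLS_TO_BACKEND:
        inbound = ("decrypt request from browser", "TLS handshake with HTTPS backend",
                   "re-encrypt and forward to backend")
        outbound = ("decrypt backend reply", ENCRYPT_FOR_BROWSER)
    else:
        t = target.service_type.upper()
        inbound = ("decrypt request from browser", f"convert web data to {t} operation",
                   f"send to {t} backend")
        outbound = (f"convert {t} reply to HTTP for the browser", ENCRYPT_FOR_BROWSER)
    return Plan(target, inbound, outbound)


# Constructed sample of the authorised service list returned after login.
SAMPLE_AUTHORISED = [("http", "10.0.0.5", 8080), ("https", "10.0.0.6", 443), ("FTP", "10.0.0.7", 21)]

if __name__ == "__main__":
    for link in ("https://sslvpn/http/10.0.0.5_8080/page2",
                 "https://sslvpn/FTP/10.0.0.7_21/fileFolder1"):
        plan = plan_relay(link, SAMPLE_AUTHORISED)
        print(plan.target, plan.to_backend, plan.to_browser, sep="\n  ")
```

The authorisation check keys on (type, host, port) rather than on the whole link, because the service list the server returned after login identifies services by type and port address; the resource path is left to the backend to authorise.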
Compared with the existing browser-based SSL VPN scheme, in which the VPN proxy service is realised only by directly encrypting HTTP-type web page resources through SSL and access to other types of intranet resource service cannot be realised, the embodiment of this application converts, at the SSL VPN server side, between HTTP and the HTTP/HTTPS, FTP, SSH, NFS, SMB and CIFS protocols, so that the interaction data of these intranet service types is converted into web page format data, encrypted and transmitted to the browser for display. The user can thus access not only HTTP-type and HTTPS-type web systems in the intranet but also various other types of intranet resource service (FTP, SSH, NFS, SMB, CIFS, etc.), so the range of intranet service types accessible through the SSL VPN is wider. In addition, from the user experience perspective, the user operates the web page to interact with the intranet service and the conversion is recognised automatically in the browser, which improves both the range of application and the user experience of browser-based SSL VPN technology.
Referring to fig. 4, according to some embodiments of the present application, the browser-based SSL VPN communication method according to the embodiments of the present application further includes: the browser identifies and records the interactive data of various operation behaviors of the user accessing the intranet service, analyzes, classifies and counts the interactive data of all users according to the user filtering rules and the data reporting rules issued by the monitoring server, and filters out the user operation data to be reported and reports the user operation data to the monitoring server.
In the process of accessing various services in the intranet, the browser can identify and record various operation behaviors of the user and record interactive data of the user. The browser performs network interaction with a monitoring server for remotely monitoring user behaviors, and filters user operation data to be reported from all user interaction data according to user filtering rules and data reporting rules issued by the monitoring server, so that the monitoring server can conveniently perform further analysis and processing.
The browser analyzes, classifies and counts the interaction data of all users, including:
(1) decrypting all the encrypted web data accessed by the user, so that the reported user operation data is decrypted data.
(2) analysing the data content of web page resources with input, selection and editing properties (including web page nodes of the following types: <input>, <sub>, <radio>, <checkbox>, <select>, <button>, <number>, etc.) and reporting it to the monitoring server.
(3) Reporting the type and data of the network data operated by the user, wherein the type comprises the following types: GET, POST, PUT, HEAD, PATCH, DELETE.
Compared with the existing browser-based SSL VPN scheme, which only counts the user's login behaviour, the scheme of this embodiment performs deep analysis, classification, detailed statistics and reporting of the web page content data operated by the user.
Still referring to fig. 4, according to some embodiments of the present application, the browser-based SSL VPN communication method further includes: after receiving the user operation data reported by the browser, the monitoring server builds a user profile of the user's operation behaviour, and identifies unauthorised access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
Compared with the existing browser-based SSL VPN scheme, which only implements user login recording and frequency recording, this scheme implements in the browser the collection and reporting of the interaction data of the user accessing intranet resource services, so that the user's access operation data can be monitored comprehensively; it supports dynamic configuration of the data filtering and reporting rules by the remote monitoring system; and it further enables the monitoring server to automatically identify unauthorised access and illegal operations by the user.
In summary, the embodiment of the invention realises a feature-rich SSL VPN technical scheme based on the web browser: it supports not only access to HTTP/HTTPS-type intranet web systems but also more intranet resource services (FTP, SSH, NFS, SMB, CIFS, etc.); it implements dual-certificate management under the national cryptographic standard; and it comprehensively monitors the operation data of users accessing intranet services, improving the security of the SSL VPN technology.
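The browser-side filtering and reporting described in the steps above, and the monitoring server's rule-based identification of unauthorised access and abnormal operations, can be modelled end to end. The following is an added example, not code from the patent or from the applicant: the browser keeps only the events selected by server-issued user-filter and reporting rules (node types and HTTP methods as listed in the text), classifies and counts them per user, and the monitoring server then profiles the reported events against each user's authorised service list and a small set of alert rules. All events, rules and the authorised-service map are constructed sample data; events are assumed to be already decrypted by the browser (step (1) above), and only the length of an entered value is carried, not its content, so the report itself does not become a second copy of the user's form data.

```python
"""Hypothetical model of the browser-to-monitoring-server path (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Node types and HTTP methods the text names as reportable.
REPORTABLE_NODES = {"input", "sub", "radio", "checkbox", "select", "button", "number"}
REPORTABLE_METHODS = {"GET", "POST", "PUT", "HEAD", "PATCH", "DELETE"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Event:
    user: str
    service: str     # "<type>:<IP_port>" of the intranet service accessed
    method: str      # HTTP method of the web request the user triggered
    node: str        # web page node the user operated, "" for plain navigation
    value_len: int   # length of the entered/selected value (content not carried)
    ts: int          # constructed sequence number standing in for a timestamp


def browser_filter(events, rules):
    """Browser side: keep only events matching the server-issued rules.

    rules["users"] is None for "all users"; nodes/methods limit what is reported.
    """
    users = rules.get("users")
    nodes = rules.get("nodes", REPORTABLE_NODES)
    methods = rules.get("methods", REPORTABLE_METHODS)
    selected = []
    for e in events:
        if users is not None and e.user not in users:
            continue
        if e.method not in methods:
            continue
        if e.node and e.node not in nodes:
            continue
        selected.append(e)
    return selected


def classify_and_count(events):
    """Browser side: per-user counts by HTTP method and by operated node type."""
    stats = defaultdict(Counter)
    for e in events:
        stats[e.user][("method", e.method)] += 1
        if e.node:
            stats[e.user][("node", e.node)] += 1
    return stats


def monitor_detect(reported, authorised, alert_rules):
    """Monitoring server side: flag unauthorised targets and abnormal behaviour."""
    alerts = []
    per_user = defaultdict(list)
    for e in reported:
        # Unauthorised access: a target outside the user's authorised service list.
        if e.service not in authorised.get(e.user, set()):
            alerts.append((e.user, "unauthorised_access", e.service))
        per_user[e.user].append(e)
    for user, evs in per_user.items():
        # Abnormal-behaviour rules configured in the background (constructed here).
        writes = [e for e in evs if e.method in WRITE_METHODS]
        if len(writes) >= alert_rules["max_writes"]:
            alerts.append((user, "excessive_modification", len(writes)))
        for m in sorted({e.method for e in evs} & alert_rules["forbidden_methods"]):
            alerts.append((user, "forbidden_method", m))
    return alerts


# Constructed sample data: nine recorded interactions from three users.
SAMPLE_EVENTS = [
    Event("alice", "http:10.0.0.5_8080", "GET", "", 0, 1),
    Event("alice", "http:10.0.0.5_8080", "POST", "input", 12, 2),
    Event("alice", "https:10.0.0.6_443", "POST", "select", 3, 3),
    Event("bob", "ftp:10.0.0.7_21", "GET", "", 0, 4),           # not on bob's list
    Event("bob", "http:10.0.0.5_8080", "DELETE", "button", 0, 5),
    Event("bob", "http:10.0.0.5_8080", "DELETE", "button", 0, 6),
    Event("bob", "http:10.0.0.5_8080", "PUT", "number", 4, 7),
    Event("carol", "http:10.0.0.5_8080", "OPTIONS", "", 0, 8),  # method not reportable
    Event("carol", "http:10.0.0.5_8080", "GET", "div", 0, 9),   # node not reportable
]
SAMPLE_RULES = {"users": None, "nodes": REPORTABLE_NODES, "methods": REPORTABLE_METHODS}
SAMPLE_AUTHORISED = {
    "alice": {"http:10.0.0.5_8080", "https:10.0.0.6_443"},
    "bob": {"http:10.0.0.5_8080"},
    "carol": {"http:10.0.0.5_8080"},
}
SAMPLE_ALERT_RULES = {"max_writes": 3, "forbidden_methods": {"DELETE"}}


def run_pipeline(events=SAMPLE_EVENTS, rules=SAMPLE_RULES,
                 authorised=SAMPLE_AUTHORISED, alert_rules=SAMPLE_ALERT_RULES):
    """Browser filtering and counting, then server-side detection, in one pass."""
    reported = browser_filter(events, rules)
    stats = classify_and_count(reported)
    alerts = monitor_detect(reported, authorised, alert_rules)
    return reported, stats, alerts


if __name__ == "__main__":
    reported, stats, alerts = run_pipeline()
    print(f"{len(reported)} of {len(SAMPLE_EVENTS)} events reported")
    for user, counts in stats.items():
        print(user, dict(counts))
    for alert in alerts:
        print("ALERT", alert)
```

The split between the two functions mirrors the text: the browser never decides what is suspicious, it only applies the filter and reporting rules the monitoring server issued, and the server holds the authorised-service map and the alert thresholds, so changing a rule never requires touching the browser.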
Example 2
According to a second aspect of the present application, as shown in fig. 5, an embodiment of the present application proposes a browser-based SSL VPN communication system, including: a browser 51 and an SSL VPN server 52; an SSL connection channel is established between the browser 51 and the SSL VPN server 52.
The SSL VPN server 52 is configured to return, to the browser 51, an intranet service list to which the user has permission to access after the user login information passes verification, where the intranet service list identifies a service type and a port address of each intranet service;
the browser 51 is configured to respond to the intranet service selected by the user, and send a request message to the SSL VPN server 52 through an SSL session, where the request message carries a service type and a port address of the intranet service selected by the user and interactive data of a user operation webpage;
the SSL VPN server 52 is further configured to decrypt the received request message, further analyze the content carried by the request message, establish data interaction with the corresponding intranet service according to the port address, and perform protocol conversion and forwarding processing of the interaction data between the browser and the intranet service according to the service type, and convert the interaction data into data of a protocol type corresponding to the other party; and returning a response message to the browser 51 through the SSL session, wherein the interaction data returned by the intranet service carried in the response message is a protocol type which can be identified by the browser, so that the user can remotely access the intranet service of various service types.
According to some embodiments of the present application, a national cryptographic (国密) SSL connection channel is established between the browser 51 and the SSL VPN server 52;
the browser 51 is further configured to automatically load, at start-up, the user's successfully imported national cryptographic dual certificates, and to carry out the user login information verification process in cooperation with the configuration policy of the SSL VPN server 52: if the SSL VPN server selects the national cryptographic two-way verification communication mode, the browser sends the locally managed user national cryptographic dual-certificate information to the SSL VPN server for verification; if the SSL VPN server selects the national cryptographic one-way verification communication mode, the browser sends the user name and password information to the SSL VPN server for verification.
According to some embodiments of the present application, the SSL VPN server 52 performing protocol conversion and forwarding of the interaction data between the browser and the intranet service according to the service type, and converting the interaction data into data of the corresponding protocol type the other party can recognise, includes:
for an HTTP-type intranet service, the SSL VPN server forwards the interaction data of the user-operated web page directly to the intranet service, and the interaction data returned by the intranet service is encrypted directly under the national cryptographic standard and forwarded to the browser;
for an HTTPS-type intranet service, the SSL VPN server establishes an encrypted handshake connection with the intranet service, the interaction data of the user-operated web page is encrypted and then forwarded to the intranet service, the interaction data returned by the intranet service is decrypted, and the decrypted interaction data is encrypted under the national cryptographic standard and forwarded to the browser;
for other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server first converts the interaction data of the user-operated web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP-protocol data the browser can recognise, encrypts the converted interaction data under the national cryptographic standard, and forwards it to the browser.
According to some embodiments of the present application, the browser 51 is further configured to identify and record interaction data of various operation behaviors of the user accessing the intranet service, analyze, classify and count interaction data of all users according to user filtering rules and data reporting rules issued by the monitoring server, and filter out user operation data to be reported to the monitoring server.
Still referring to fig. 5, according to some embodiments of the present application, the system further includes:
the monitoring server 53 is configured to build a user profile of the user's operation behaviour after receiving the user operation data reported by the browser 51, and to identify unauthorised access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
It can be understood that the browser-based SSL VPN communication system shown in fig. 5 can implement the steps in the foregoing method of embodiment 1, and the relevant explanation about the method of embodiment 1 is applicable to the browser-based SSL VPN communication system, which is not repeated here.
Finally, it should be noted that:
the embodiment numbers are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments. In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments. Embodiments of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and systems according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (10)

1. A browser-based SSL VPN communication method, comprising:
an SSL connection channel is established between the browser and the SSL VPN server;
after the user login information passes verification, the SSL VPN server returns an intranet service list which is authorized to be accessed by the user to the browser, wherein the intranet service list marks the service type and the port address of each intranet service;
responding to the intranet service selected by the user, the browser sends a request message to an SSL VPN server through SSL session, wherein the request message carries the service type and port address of the intranet service selected by the user and interactive data of a user operation webpage;
the SSL VPN server decrypts the received request message, further analyzes the carrying content of the request message, establishes data interaction connection with the corresponding intranet service according to the port address, and performs protocol conversion and forwarding processing of interaction data between the browser and the intranet service according to the service type to convert the interaction data into data of a corresponding protocol type of the opposite party;
the SSL VPN server returns a response message to the browser through the SSL session, and interaction data returned by the intranet service carried in the response message is a protocol type which can be identified by the browser, so that the user can remotely access the intranet service of various service types.
2. The method of claim 1, wherein a national cryptographic (国密) SSL connection channel is established between the browser and the SSL VPN server; the method further comprises:
when the browser is started, the browser automatically loads the user's successfully imported national cryptographic dual certificates, and carries out the user login information verification process in cooperation with the configuration policy of the SSL VPN server: if the SSL VPN server selects the national cryptographic two-way verification communication mode, the browser sends the locally managed user national cryptographic dual-certificate information to the SSL VPN server for verification; if the SSL VPN server selects the national cryptographic one-way verification communication mode, the browser sends the user name and password information to the SSL VPN server for verification.
3. The method of claim 2, wherein the SSL VPN server performs protocol conversion and forwarding processing of interactive data between the browser and the intranet service according to the service type, and converts the interactive data into data of a corresponding protocol type that can be identified by the counterpart, including:
for an HTTP-type intranet service, the SSL VPN server forwards the interaction data of the user-operated web page directly to the intranet service, and the interaction data returned by the intranet service is encrypted directly under the national cryptographic standard and forwarded to the browser;
for an HTTPS-type intranet service, the SSL VPN server establishes an encrypted handshake connection with the intranet service, the interaction data of the user-operated web page is encrypted and then forwarded to the intranet service, the interaction data returned by the intranet service is decrypted, and the decrypted interaction data is encrypted under the national cryptographic standard and forwarded to the browser;
for other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server first converts the interaction data of the user-operated web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP-protocol data the browser can recognise, encrypts the converted interaction data under the national cryptographic standard, and forwards it to the browser.
4. A method according to any one of claims 1 to 3, further comprising:
the browser identifies and records the interactive data of various operation behaviors of the user accessing the intranet service, analyzes, classifies and counts the interactive data of all users according to the user filtering rules and the data reporting rules issued by the monitoring server, and filters out the user operation data to be reported and reports the user operation data to the monitoring server.
5. The method according to claim 4, wherein the method further comprises:
after receiving the user operation data reported by the browser, the monitoring server builds a user profile of the user's operation behaviour, and identifies unauthorised access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
6. A browser-based SSL VPN communication system, comprising: a browser and an SSL VPN server; an SSL connection channel is established between the browser and the SSL VPN server;
the SSL VPN server is used for returning an intranet service list which is authorized to be accessed by the user to the browser after the user login information passes verification, wherein the intranet service list marks the service type and the port address of each intranet service;
the browser is used for responding to the intranet service selected by the user, sending a request message to the SSL VPN server through SSL session, wherein the request message carries the service type and the port address of the intranet service selected by the user and the interactive data of the user operation webpage;
the SSL VPN server is also used for decrypting the received request message, further analyzing the carrying content of the request message, establishing data interaction connection with the corresponding intranet service according to the port address, performing protocol conversion and forwarding processing of interaction data between the browser and the intranet service according to the service type, and converting the interaction data into data of a corresponding protocol type of the opposite party; and returning a response message to the browser through the SSL session, wherein the interaction data returned by the intranet service carried in the response message is a protocol type which can be identified by the browser, so that the user can remotely access the intranet service of various service types.
7. The system of claim 6, wherein a national cryptographic (国密) SSL connection channel is established between the browser and the SSL VPN server;
the browser is further configured to automatically load, when started, the user's successfully imported national cryptographic dual certificates, and to carry out the user login information verification process in cooperation with the configuration policy of the SSL VPN server: if the SSL VPN server selects the national cryptographic two-way verification communication mode, the browser sends the locally managed user national cryptographic dual-certificate information to the SSL VPN server for verification; if the SSL VPN server selects the national cryptographic one-way verification communication mode, the browser sends the user name and password information to the SSL VPN server for verification.
8. The system of claim 7, wherein the SSL VPN server performs protocol conversion and forwarding processing of interactive data between the browser and the intranet service according to a service type, and converts the interactive data into data of a corresponding protocol type that can be identified by a counterpart, and the method comprises:
for an HTTP-type intranet service, the SSL VPN server forwards the interaction data of the user-operated web page directly to the intranet service, and the interaction data returned by the intranet service is encrypted directly under the national cryptographic standard and forwarded to the browser;
for an HTTPS-type intranet service, the SSL VPN server establishes an encrypted handshake connection with the intranet service, the interaction data of the user-operated web page is encrypted and then forwarded to the intranet service, the interaction data returned by the intranet service is decrypted, and the decrypted interaction data is encrypted under the national cryptographic standard and forwarded to the browser;
for other protocol types, including but not limited to FTP, SSH, NFS, SMB and CIFS, the SSL VPN server first converts the interaction data of the user-operated web page into data of the intranet service's own protocol and forwards it to the intranet service, then converts the interaction data returned by the intranet service into HTTP-protocol data the browser can recognise, encrypts the converted interaction data under the national cryptographic standard, and forwards it to the browser.
9. The system according to any one of claims 6 to 8, wherein,
the browser is also used for identifying and recording the interactive data of various operation behaviors of the user accessing the intranet service, analyzing, classifying and counting the interactive data of all users according to the user filtering rules and the data reporting rules issued by the monitoring server, filtering out the user operation data to be reported and reporting the user operation data to the monitoring server.
10. The system of claim 9, wherein the system further comprises:
the monitoring server is configured to build a user profile of the user's operation behaviour after receiving the user operation data reported by the browser, and to identify unauthorised access and illegal operations by the user according to the abnormal-behaviour identification and early-warning rules configured in the background.
Priority application: CN202311384779.7A, priority date 2023-10-24, filing date 2023-10-24, "SSL VPN communication method and system based on browser" (status: Pending).
Publication: CN117459264A, publication date 2024-01-26.
Family ID: 89582786. Country status: CN, CN117459264A (en).


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination