CN117914627B - Data element circulation system based on DMZ network architecture - Google Patents

Info

Publication number
CN117914627B
Authority
CN
China
Prior art keywords
data
server
area
client
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410295698.8A
Other languages
Chinese (zh)
Other versions
CN117914627A (en
Inventor
李翔宇
孙雷亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
North Health Medical Big Data Technology Co ltd
Original Assignee
North Health Medical Big Data Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by North Health Medical Big Data Technology Co ltd
Priority to CN202410295698.8A
Publication of CN117914627A
Application granted
Publication of CN117914627B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data element circulation system based on a DMZ network architecture, belonging to the technical field of information security. The system comprises: an Internet open area, used for providing Internet data services for different service scenarios; a core data production area, used for generating derivative data through big data analysis and computation according to the Internet data service requirements and delivering the data to the Internet open area through the data interaction area; a data interaction area, used for data interaction between the Internet open area and the core data production area, which does not store or call the original data and serves only as a temporary transfer station that stores the derivative data; and a network protection layer, used for controlling access between the data interaction area and the Internet open area and between the data interaction area and the core data production area. The invention can provide data analysis results to clients in a secure and compliant manner without directly providing the original data or personal sensitive information, and can isolate the service platform from the data production environment.

Description

Data element circulation system based on DMZ network architecture
Technical Field
The invention relates to the technical field of information security, in particular to a data element circulation system based on a DMZ network architecture.
Background
DMZ is the abbreviation of the English term "Demilitarized Zone" (Chinese name "isolation zone"). Defined in contrast to the military zone and the trust zone, it is a buffer zone between a non-secure system and a secure system, set up to solve the problem that the external network cannot access internal network servers. Its function is to place servers that allow external access, such as FTP servers and e-mail servers, separately in this zone, while the whole internal network to be protected is connected to the trust zone, to which no direct access from any external network is allowed. This separates the internal network from the external network and meets the security requirements of users.
With the rapid development of cloud computing, big data, artificial intelligence and other technologies, today's society has entered an important period of opportunity for digital development, and the scale of data is growing explosively and aggregating massively. Data is becoming the core of competition driving rapid development and reform across industries. Data has become a new factor of production, and accelerating the circulation of data elements and releasing digital productivity has become one of the key tasks for promoting social development. Unlike traditional factors of production, data is replicable, easily altered and highly mobile. To circulate data elements safely and efficiently, fully mine the value of data, and promote the opening and efficient use of data, data element circulation technology has developed rapidly.
Currently, mainstream big data element circulation technology is mainly based on privacy computing, encryption and data sandboxes, but the data service platform is opened directly to users. When the data service platform serves, for example, as a big health and medical data center or a big financial data center, the security requirements for the data are high, and if the platform has design defects or users operate it improperly, there is a risk of data leakage or damage.
Disclosure of Invention
In view of the above problems, the invention aims to provide a data element circulation system based on a DMZ network architecture which, when serving clients with big data analysis requirements, can provide data analysis results to the clients in a secure and compliant manner without directly providing the original data or personal sensitive information, and which isolates the service platform from the data production environment so that the data is available but invisible.
To achieve this aim, the invention adopts the following technical scheme: a data element circulation system based on a DMZ network architecture, comprising: an Internet open area, a data interaction area, a network protection layer and a core data production area;
The Internet open area is used for providing Internet data services for different users and different service scenes;
the core data production area is used for generating derivative data by utilizing big data analysis and calculation according to the internet data service requirement and delivering the data to the internet open area through the data interaction area;
the data interaction area is used for data interaction between the Internet open area and the core data production area, the data interaction area does not store or call the original data, the data interaction area is only used as a temporary transfer station to temporarily store the derivative data, and the storage record is cleared periodically;
the network protection layer is used for controlling access between the data interaction area and the Internet open area and between the data interaction area and the core data production area.
Further, a plurality of different kinds of big data application service platforms are deployed in the Internet open area, and each big data application service platform contains a plurality of application servers. The big data application service platform is open to the Internet and provides data service functions for clients. After receiving a client's data service request, it audits the client authorization information; after the audit passes, it generates a client digital signature for the client identity and forwards the client's data request to the core data production area through the reverse proxy server of the data interaction area.
Further, a background application server and a data lake are deployed in the core data production area. The background application server is used for receiving the client's data request, responding to the content of the data request, calling the data lake to generate a data file or desensitized data, signing the data file with a digital signature according to the client digital signature, generating a data watermark for the desensitized data, and writing the generated data file, the desensitized data and the corresponding client digital signature into the data interaction area.
Further, the data interaction area is provided with a reverse proxy server, an interactive data server and an interactive file server. The reverse proxy server is used for forwarding the data request to the IP and port of the designated background application server, according to the written mapping relationship and the port to which the big data application service platform sends the data request, and for performing preliminary screening of the message header and format of the request during forwarding, blocking illegal requests that do not meet the format requirements. The interactive data server is used for storing structured derivative data, such as desensitized data, sent by the background application server. The interactive file server is used for storing unstructured derivative data files, such as pictures and PDFs, sent by the background application server.
Further, the interactive data server, the interactive file server and the reverse proxy server cannot communicate with one another. The core data production area has only write permission on the interactive data server and the interactive file server, and the Internet open area has only read and copy permission on them. The interactive data server and the interactive file server cannot initiate direct access to resources of the core data production area or the Internet open area.
Further, the network protection layer includes a gatekeeper, a firewall and a data leakage prevention component. The firewall and the gatekeeper are used for restricting access among the servers: by configuring protection policies, only specific IPs, protocols and ports are opened, and only one-way access from the reverse proxy server to the core data production area and one-way access from the core data production area to the interactive data server and the interactive file server are allowed. The data leakage prevention component is used for monitoring the transmitted data content to prevent leakage of sensitive data.
Further, the background application server is specifically configured to:
receive the API request forwarded by the reverse proxy server; after receiving the API request, check the API message format, the API_key and the API_secret; after the check passes, call the data in the data lake according to the request content, compute on the data to generate a data file or desensitized data, sign the data file with a digital signature according to the client digital signature, generate a data watermark for the desensitized data, and write the generated data file, the desensitized data and the corresponding client digital signature into the data interaction area.
Further, the background application server includes, but is not limited to: the system comprises a data sandbox server, an analysis model server and a data AI platform server.
Further, the data files include, but are not limited to: the data analysis report form, the encryption calculation result record form and the data statistics result record form.
Compared with the prior art, the invention has the beneficial effects that:
1. By establishing the data interaction area and converging the data outlets, the invention reduces the exposure surface of the network layer and facilitates centralized management and control at the security layer.
2. The invention meets the data interaction requirements while ensuring that the background production servers are never in direct contact with the Internet, which avoids exposing core data and personal privacy information directly on the Internet.
3. The invention keeps users from direct contact with the core production environment, and the front-end and back-end system servers cannot learn each other's network addresses, so the security of the core production system is ensured even if the front-end service platform suffers a network attack.
4. By establishing a multi-layer access control policy, the invention ensures that the data is available but invisible.
5. The invention implements one-way link access, which effectively limits the attack paths of malicious code, network intrusion and code execution vulnerabilities.
It can be seen that the present invention has outstanding substantial features and significant advances over the prior art, as well as the benefits of its implementation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a system configuration diagram of a specific embodiment of the present invention.
In the figure: 1. Internet open area; 2. data interaction area; 3. network protection layer; 4. core data production area; 11. big data application service platform; 21. reverse proxy server; 22. interactive data server; 23. interactive file server; 31. gatekeeper; 32. firewall; 33. data leakage prevention component; 41. background application server; 42. data lake.
Detailed Description
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the present invention provides a data element circulation system based on DMZ network architecture, including: an internet open area 1, a data interaction area 2, a network protection layer 3 and a core data production area 4.
The Internet open area 1 is used for providing Internet data services for different users and different service scenes.
A plurality of different kinds of big data application service platforms 11 are deployed in the Internet open area 1, and each big data application service platform 11 contains a plurality of application servers. The big data application service platform 11 is open to the Internet and provides data service functions for clients. After receiving a client's data request, it audits the client authorization information; after the audit passes, it generates a client digital signature for the client identity and sends the client's data request to the core data production area 4 through the data interaction area 2.
The core data production area 4 is used for generating derivative data by utilizing big data analysis and calculation according to the internet data service requirement and delivering the data to the internet open area 1 through the data interaction area 2.
A background application server 41 and a data lake 42 are deployed in the core data production area 4. The background application server 41 includes: a data sandbox server, an analysis model server, a data AI platform server and the like. The background application server 41 is configured to receive a data request from a client, respond to the content of the data request, call the data lake 42 to generate a data file or desensitized data, sign the data file with a digital signature according to the client digital signature, generate a data watermark for the desensitized data, and write the generated data file, the desensitized data and the corresponding client digital signature into the data interaction area 2.
The data interaction area 2 is used for data interaction between the Internet open area 1 and the core data production area 4, and the data interaction area 2 does not store or retrieve the original data and only serves as a temporary transfer station to store the derivative data.
The data interaction area 2 is provided with a reverse proxy server 21, an interaction data server 22 and an interaction file server 23; the interaction data server 22, the interaction file server 23 and the reverse proxy server 21 cannot communicate with one another.
The reverse proxy server 21 is configured to forward the data request to the IP and port of the designated background application server 41, according to the written mapping relationship and the port to which the big data application service platform 11 sends the data request, and to perform preliminary screening of the message header and format of the request during forwarding, so as to block illegal requests that do not meet the format requirements. The interaction data server 22 is used for storing the desensitized data sent by the background application server 41; the interaction file server 23 is used for storing the data files sent by the background application server 41. The data files comprise: the data analysis report form, the encryption calculation result record form and the data statistics result record form.
And the network protection layer 3 is used for controlling access between the data interaction area 2 and the Internet open area 1 and between the data interaction area 2 and the core data production area 4.
Specifically, the network protection layer 3 includes: a gatekeeper 31, a firewall 32 and a data leakage prevention component 33. The firewall 32 and the gatekeeper 31 are used to restrict access between servers: by configuring protection policies, only specific IPs, protocols and ports are opened, and only one-way access from the reverse proxy server 21 to the core data production area 4 and one-way access from the core data production area 4 to the interaction data server 22 and the interaction file server 23 are allowed. The data leakage prevention component 33 is configured to monitor the content of the transmitted data and prevent leakage of sensitive data.
The core data production area 4 and the data interaction area 2 are isolated from each other, with one-way transmission enforced through the gatekeeper 31; network access control and sensitive data blocking are realized through the firewall 32 and the data leakage prevention component 33.
It can be seen that the core data production area 4 has the right to write to the interactive data server 22 and the interactive file server 23, and the internet open area 1 has only the right to read and copy to the interactive data server 22 and the interactive file server 23.
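The access rules above reduce to a small allow-list of zone-to-zone flows. The following added example (not part of the patent; the zone identifiers, rule fields and sample ruleset are constructed for illustration) audits a firewall ruleset against that allow-list and reports every rule that opens a path the architecture forbids.

```python
from dataclasses import dataclass

# Components from the description (reference numerals in comments).
OPEN = "internet_open_area"    # big data application service platform 11
PROXY = "reverse_proxy"        # reverse proxy server 21
STORE = "interaction_store"    # interaction data server 22, file server 23
CORE = "core_production"       # background application server 41, data lake 42

# The only flows the description permits: (initiator, target) -> operations.
ALLOWED = {
    (OPEN, PROXY): {"request"},   # platform sends API requests to the proxy
    (PROXY, CORE): {"request"},   # one-way forwarding into the core area
    (CORE, STORE): {"write"},     # core area has write permission only
    (OPEN, STORE): {"read"},      # open area may only read / copy
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    op: str
    action: str = "allow"


def audit(rules):
    """Return (rule name, reason) for each allow rule outside the allow-list."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot widen access
        permitted = ALLOWED.get((r.src, r.dst))
        if permitted is not None and r.op in permitted:
            continue
        if permitted is not None:
            reason = f"{r.src} -> {r.dst} permits only: {', '.join(sorted(permitted))}"
        elif r.src == STORE:
            reason = "interaction servers must never initiate access"
        elif r.dst == CORE:
            reason = "only the reverse proxy may reach the core area"
        elif {r.src, r.dst} == {PROXY, STORE}:
            reason = "proxy and interaction servers must not communicate"
        else:
            reason = "no such path exists in the architecture"
        findings.append((r.name, reason))
    return findings


# Constructed ruleset: four compliant rules, four violations, one deny rule.
SAMPLE_RULES = [
    Rule("platform-to-proxy", OPEN, PROXY, "request"),
    Rule("proxy-to-backend", PROXY, CORE, "request"),
    Rule("backend-writes-results", CORE, STORE, "write"),
    Rule("platform-reads-results", OPEN, STORE, "read"),
    Rule("platform-uploads", OPEN, STORE, "write"),
    Rule("store-calls-back", STORE, CORE, "read"),
    Rule("platform-direct-api", OPEN, CORE, "request"),
    Rule("backend-pushes-out", CORE, OPEN, "write"),
    Rule("proxy-to-store-denied", PROXY, STORE, "read", action="deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Anything not in `ALLOWED` is treated as denied, which mirrors a default-deny protection policy.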
In a specific embodiment, the big data application service platform 11 is open to the Internet and provides data service functions. To apply for a data service, a client first needs to pass real-name authentication, then selects the corresponding service content and parameters and submits the corresponding authorization proof. After receiving the client's data request, the big data application service platform 11 verifies the client authorization information; after the verification passes, the system calls the password server and the timestamp server and generates a client digital signature for the client identity information and the request content. In this process, the client login data, service flow, digital signature and authorization file are all kept in the local database of the big data application service platform 11. Thereafter, the big data application service platform 11 generates an API request carrying an api_key, an api_secret and the client digital signature, and sends it to a specific port of the reverse proxy server 21 of the data interaction area 2.
The big data application service platform 11 has only read permission on the servers of the data interaction area 2; it continuously sends requests to the interactive data server 22 and the interactive file server 23 of the data interaction area 2, and reads or copies the incremental data according to the service requirements.
In a specific embodiment, the reverse proxy server 21 forwards the API request to the IP and port of the designated background application server 41, according to the written mapping relationship and the port requested by the front-end server. In this process, the reverse proxy server 21 performs preliminary screening of the message header and format of the request, and blocks illegal API requests that do not meet the format requirements.
Specifically, the reverse proxy server 21 of the data interaction area 2 forwards the API request to the IP and port of the designated background application server 41, according to the written mapping relationship and the port requested by the big data application service platform 11. In this process, the reverse proxy server 21 performs preliminary screening of the request message by configuring parameter variables (such as arg_name, host, head, IP, port, etc.) in the filter, so as to block illegal API requests that do not meet the format requirements.
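A sketch of the port mapping and preliminary screening described above, as an added example that is not code from the patent. The addresses (RFC 5737 documentation ranges), host name, path pattern, permitted query arguments and size limit are all constructed assumptions; the patent names only the kinds of variables that are filtered.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Written mapping: proxy listening port -> (background server IP, port).
# Every concrete value below is a constructed assumption.
PORT_MAP = {
    8443: ("192.0.2.10", 9001),
    8444: ("192.0.2.11", 9002),
}
PLATFORM_NETS = [ipaddress.ip_network("198.51.100.0/28")]
EXPECTED_HOST = "exchange.example.internal"
ALLOWED_ARGS = {"service", "ts"}
REQUIRED_HEADERS = {"host", "content-type", "content-length"}
PATH_RE = re.compile(r"/api/v1/[a-z_]{1,32}")
LENGTH_RE = re.compile(r"[0-9]{1,7}")
MAX_BODY = 64 * 1024


def screen(src_ip, listen_port, method, target, headers):
    """Return ("forward", (ip, port)) or ("block", reason)."""
    backend = PORT_MAP.get(listen_port)
    if backend is None:
        return ("block", "no mapping for listening port")
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return ("block", "malformed source address")
    if not any(addr in net for net in PLATFORM_NETS):
        return ("block", "source is not a platform server")
    if method != "POST":
        return ("block", "method not allowed")

    # Request target: origin-form only, fixed path shape, known arguments.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not PATH_RE.fullmatch(parts.path):
        return ("block", "request target format")
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if len(names) != len(set(names)) or set(names) - ALLOWED_ARGS:
        return ("block", "unexpected or repeated query argument")

    # Headers: case-insensitive, no duplicates, no embedded control bytes.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if len(hdrs) != len(headers):
        return ("block", "duplicate header")
    if REQUIRED_HEADERS - hdrs.keys():
        return ("block", "missing required header")
    if any(c in v for v in hdrs.values() for c in "\r\n\0"):
        return ("block", "control character in header")
    if hdrs["host"] != EXPECTED_HOST:
        return ("block", "unexpected Host header")
    if hdrs["content-type"] != "application/json":
        return ("block", "unexpected content type")
    length = hdrs["content-length"]
    if not LENGTH_RE.fullmatch(length) or int(length) > MAX_BODY:
        return ("block", "content length")
    return ("forward", backend)


# Constructed sample request from a platform server.
GOOD_HEADERS = {
    "Host": "exchange.example.internal",
    "Content-Type": "application/json",
    "Content-Length": "212",
}
GOOD_TARGET = "/api/v1/report?service=stats&ts=1700000000"

if __name__ == "__main__":
    print(screen("198.51.100.5", 8443, "POST", GOOD_TARGET, GOOD_HEADERS))
    print(screen("198.51.100.5", 8443, "POST", GOOD_TARGET + "&debug=1", GOOD_HEADERS))
```

Because the backend address comes only from `PORT_MAP`, nothing in the request can influence where it is forwarded.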
In addition, the server of the data interaction area 2 can set timing tasks according to service requirements and clear stored data regularly.
In a specific embodiment, the background application server 41 responds to the content requested by the front-end API, calls the data lake 42 to generate files such as data analysis reports, encryption calculation results and data statistics results, or desensitized data, signs the files according to the client digital signature, and generates a data watermark for the desensitized database. At the same time, the background application server 41 writes the generated files, the desensitized data and the corresponding client digital signature to the servers of the data interaction area 2.
Specifically, after receiving the front-end API request, the background application server 41 checks content such as the API message format, the api_key and the api_secret. After the check passes, it calls the data in the data lake 42 according to the request content, computes on the data, and finally produces various derivative data, including data analysis reports, encryption calculation results, data statistics results and desensitized data. After the background application server 41 generates the derivative data, the derivative data is further processed with digital signatures, which facilitates later tracing of where the data flows; for example, document reports are signed with a digital signature, and the desensitized database is marked with a data watermark.
In summary, when serving clients with big data analysis requirements, the invention can provide data analysis results to the clients in a secure and compliant manner without directly providing the original data or personal sensitive information, and isolates the service platform from the data production environment, so that the data is available but invisible.
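The check-then-sign sequence above, as an added example that is not code from the patent: the background server validates the message format, api_key and api_secret, then binds the derivative file to the requesting client's signature so a copy found later can be traced. The patent does not name a signature scheme; HMAC-SHA256 stands in for it here, and the JSON field layout, the 64-hex-character signature encoding and all keys are constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Constructed values: the credential store maps api_key -> SHA-256(api_secret);
# SEAL_KEY stands in for the background server's signing key.
CREDENTIALS = {"platform-11-demo": hashlib.sha256(b"demo-secret").hexdigest()}
SEAL_KEY = b"constructed-sealing-key"
FIELDS = {"api_key", "api_secret", "client_signature", "service", "params"}
SIG_RE = re.compile(r"[0-9a-f]{64}")  # assumed encoding of the client signature


def check_api_request(raw):
    """Check message format, api_key and api_secret: (ok, message_or_reason)."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(msg, dict) or set(msg) != FIELDS:
        return False, "unexpected message fields"
    strings = ("api_key", "api_secret", "client_signature", "service")
    if not all(isinstance(msg[f], str) for f in strings):
        return False, "wrong field type"
    if not isinstance(msg["params"], dict):
        return False, "wrong field type"
    if not SIG_RE.fullmatch(msg["client_signature"]):
        return False, "client signature format"
    stored = CREDENTIALS.get(msg["api_key"])
    presented = hashlib.sha256(
        msg["api_secret"].encode("utf-8", "replace")).hexdigest()
    # Run the constant-time comparison even when the api_key is unknown.
    match = hmac.compare_digest(presented, stored or "0" * 64)
    if stored is None or not match:
        return False, "api_key / api_secret rejected"
    return True, msg


def seal_file(content, client_signature):
    """Bind the derivative file's hash to the requesting client's signature."""
    digest = hashlib.sha256(content).hexdigest()
    tag = hmac.new(SEAL_KEY, f"{digest}|{client_signature}".encode(),
                   hashlib.sha256).hexdigest()
    return {"sha256": digest, "client_signature": client_signature, "seal": tag}


def trace_file(content, record):
    """True if `content` is exactly the file issued under `record`."""
    fresh = seal_file(content, record["client_signature"])
    return hmac.compare_digest(fresh["seal"], record["seal"])


def deliver(raw_request, derived):
    """Return the record to write into the data interaction area, or None."""
    ok, msg = check_api_request(raw_request)
    if not ok:
        return None
    return seal_file(derived, msg["client_signature"])


# Constructed sample request and derivative file.
CLIENT_SIG = hashlib.sha256(b"constructed client signature").hexdigest()
SAMPLE_REQUEST = json.dumps({
    "api_key": "platform-11-demo",
    "api_secret": "demo-secret",
    "client_signature": CLIENT_SIG,
    "service": "statistics_report",
    "params": {"year": 2023},
}).encode()
SAMPLE_REPORT = b"region,count\nnorth,120\nsouth,95\n"

if __name__ == "__main__":
    record = deliver(SAMPLE_REQUEST, SAMPLE_REPORT)
    print(record)
    print("traceable:", trace_file(SAMPLE_REPORT, record))
```

`trace_file` fails both when the file bytes change and when the record is re-labelled with another client's signature, which is what makes the seal usable for following the data flow.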
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the method disclosed in the embodiment, since it corresponds to the system disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, system or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each module may exist alone physically, or two or more modules may be integrated in one unit.
Similarly, each processing unit in the embodiments of the present invention may be integrated in one functional module, or each processing unit may exist physically, or two or more processing units may be integrated in one functional module.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The data element circulation system based on the DMZ network architecture provided by the invention is described in detail above. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.

Claims (3)

1. A data element circulation system based on a DMZ network architecture, comprising: an Internet open area, a data interaction area, a network protection layer and a core data production area;
the Internet open area is used for providing Internet data services for different users and different service scenarios;
the core data production area is used for generating derivative data by big data analysis and calculation according to the Internet data service requirements, and delivering the data to the Internet open area through the data interaction area;
the data interaction area is used for data interaction between the Internet open area and the core data production area; the data interaction area does not store or call the original data, serves only as a temporary transfer station that temporarily stores the derivative data, and is overwritten and cleared regularly;
the network protection layer is used for controlling access between the data interaction area and the Internet open area and between the data interaction area and the core data production area;
a plurality of different kinds of big data application service platforms are deployed in the Internet open area, and a plurality of application servers are arranged in each big data application service platform;
the big data application service platform is open to the Internet and provides a data service function for clients; after receiving a data request from a client, it audits the client authorization information, generates a client digital signature for the identity of the client after the client authorization information passes the audit, and sends the data request of the client to the core data production area through the data interaction area;
the core data production area is provided with a background application server and a data lake;
the background application server is used for receiving a data request of a client, responding to the content of the data request, calling the data lake to generate a data file or desensitized data, affixing a digital signature to the data file according to the client digital signature, generating a data watermark for the desensitized data, and writing the generated data file, the desensitized data and the corresponding client digital signature into the data interaction area;
the data interaction area is provided with a reverse proxy server, an interactive data server and an interactive file server;
the reverse proxy server is used for forwarding the data request to the designated background application server IP and port according to the written mapping relation and the port used by the big data application service platform to send the data request, and for performing preliminary screening of the message header and the format of the request during forwarding, so as to block illegal requests that do not meet the format requirements;
the interactive data server is used for storing the desensitized data sent by the background application server;
the interactive file server is used for storing the data file sent by the background application server;
the background application server is specifically configured to:
receive an API request forwarded by the reverse proxy server;
after receiving the API request, check the API message format, the API_key and the API_secret; after the check is passed, call data in the data lake according to the request content, perform calculation on the data to generate a data file or desensitized data, affix a digital signature to the data file according to the client digital signature, generate a data watermark for the desensitized data, and write the generated data file, the desensitized data and the corresponding client digital signature into the data interaction area;
the network protection layer comprises: a gatekeeper, a firewall and a data leakage prevention component;
the firewall and the gatekeeper are used for limiting access among the servers: by configuring a protection policy, only specific IPs, protocols and ports are opened, and only unidirectional access from the reverse proxy server to the core data production area and unidirectional access from the core data production area to the interactive data server and the interactive file server are allowed;
the data leakage prevention component is used for monitoring the transmitted data content and avoiding sensitive data leakage;
the interactive data server, the interactive file server and the reverse proxy server do not communicate with one another.
2. The data element circulation system based on a DMZ network architecture of claim 1, wherein the background application server includes, but is not limited to: a data sandbox server, an analysis model server and a data AI platform server.
3. The data element circulation system based on a DMZ network architecture of claim 1, wherein the data file includes, but is not limited to: a data analysis report form, an encryption calculation result record form and a data statistics result record form.
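The access policy that claim 1 assigns to the firewall and gatekeeper can be checked mechanically against a rule set. The following is an added example, not part of the patent: the rule format, role names, ports and sample rules are all constructed, and flows between the Internet open area and the data interaction area are reported as unassessed because the claim fixes no direction for them.

```python
from dataclasses import dataclass

# Roles named in claim 1; the rule format and all ports below are constructed.
OPEN, CORE = "internet_open_area", "core_data_production_area"
PROXY, IDS, IFS = "reverse_proxy", "interactive_data_server", "interactive_file_server"
DMZ = {PROXY, IDS, IFS}  # servers of the data interaction area
# The only directed flows claim 1 permits into or out of the core area.
CORE_FLOWS = {(PROXY, CORE), (CORE, IDS), (CORE, IFS)}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str  # "tcp", "udp", or "any" (wildcard)
    port: int   # 0 is a wildcard for any port

def audit(rule):
    """Classify one allow rule as 'ok', 'unassessed' or 'violation: ...'."""
    pair = (rule.src, rule.dst)
    if rule.src in DMZ and rule.dst in DMZ and rule.src != rule.dst:
        return "violation: data interaction area servers must not communicate"
    if CORE in pair and rule.src != rule.dst and pair not in CORE_FLOWS:
        return "violation: direction not permitted across the core boundary"
    if rule.proto == "any" or rule.port == 0:
        return "violation: only specific protocols and ports may be opened"
    if pair in CORE_FLOWS:
        return "ok"
    # Open area <-> data interaction area: the claim says this access is
    # controlled but fixes no direction, so it is left for manual review.
    return "unassessed"

def violations(rules):
    """Return (rule, verdict) for every rule that breaks the claimed policy."""
    verdicts = [(r, audit(r)) for r in rules]
    return [(r, v) for r, v in verdicts if v.startswith("violation")]

SAMPLE_RULES = [  # constructed rule set
    Rule(OPEN, PROXY, "tcp", 443),
    Rule(PROXY, CORE, "tcp", 8443),
    Rule(CORE, IDS, "tcp", 5432),
    Rule(CORE, IFS, "tcp", 22),
    Rule(IDS, CORE, "tcp", 5432),   # reverse of an allowed flow
    Rule(PROXY, IFS, "tcp", 445),   # lateral path inside the data interaction area
    Rule(CORE, IFS, "any", 0),      # right direction, wildcard service
    Rule(OPEN, CORE, "tcp", 8443),  # bypasses the data interaction area
]

if __name__ == "__main__":
    for rule, verdict in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}: {verdict}")
```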
CN202410295698.8A 2024-03-15 2024-03-15 Data element circulation system based on DMZ network architecture Active CN117914627B (en)


Publications (2)

Publication Number Publication Date
CN117914627A (en) 2024-04-19
CN117914627B (en) 2024-07-19

Family

ID=90690812





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant