CN204314881U - LAN data security protection system - Google Patents

LAN data security protection system

Info

Publication number
CN204314881U
Authority
CN
China
Prior art keywords
user
data
file
lan
usbkey
Legal status
Active
Application number
CN201420481975.6U
Other languages
Chinese (zh)
Inventor
许元进
许林锋
廖利云
庄清新
林直堂
Current Assignee
Fujian Nebula Big Data Application Service Co.,Ltd.
Original Assignee
FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd
Priority date
2014-08-25
Filing date
2014-08-25
Publication date
2015-05-06


Landscapes

  • Storage Device Security

Abstract

This utility model discloses a LAN data security protection system. Sensitive data on terminals is moved into centrally managed storage that is allocated to users as personal zones, and storage encryption and channel encryption keep the data protected in every state. Each personal zone is operated by its own user, who can share sensitive data with other staff under several permission modes, so that sensitive files remain under control at all times. A backup module backs up the sensitive data, and a USB key ties the physical identity of a visitor to their digital identity, completing secure storage and secure use of the data.

Description

LAN data security protection system
Technical field
The present invention relates to a data security protection system, and in particular to a data protection system for a local area network (LAN).
Background
With the growth of informatization, organizations increasingly conduct their daily office work on computers, and the large volume of internal data and confidential information exists in the form of electronic documents. How to better guarantee the security and confidentiality of important internal data, prevent confidential information from leaking through unauthorized distribution, and still let authorized staff use these documents efficiently and reasonably, is a concern shared by every organization.
For a large organization the network environment is complex: it has many subordinate units spread over a wide area, working environments differ greatly, and there are many computer terminals. How to build a comprehensive leak-proof environment without hurting work efficiency is a hard problem for large organizations. Building such an environment generally requires both network data security and terminal data security to be addressed at the same time. Network data security technology is by now mature, acts at the network layer, and has almost no effect on users' efficiency. Terminals, however, face the user directly, so terminal data security has a significant impact on efficiency. Making terminals both secure and convenient is therefore the focus of building a leak-proof environment.
For these problems the prior art generally adopts one of the following approaches:
1. Protection centred on the terminal. The terminal is the protection point: management and control software is installed on each terminal and restricts its external interfaces, such as the USB interface and the optical drive. This greatly limits the convenience of the terminal. Examples are the intranet security management method based on a cooperative mode (patent 201110323798.X) and the organizational security protection system (patent 201310356953.7).
2. Protection centred on the electronic document. Electronic documents (policies, regulations, resolutions, drafts, plans, proposals, reports, business data accumulated over the years, etc.) are the main carrier of sensitive information in government, military, research, commercial and enterprise settings, and also the main channel through which leaks occur, so controlling the documents secures terminal data. Documents on the terminal are encrypted and are decrypted for access according to policies distributed by a server. The decryption policy differs for every step of a workflow, so a great deal of time is spent customizing policies. The main example is the file security protection system (patent 201310388918.3).
3. Protection centred on the user. Access control assigns roles and permissions to users so that only qualified users can reach sensitive data, preventing unauthorized users from damaging files deliberately or accidentally. Roles and permissions change as personnel change, and the administrator must constantly track those changes.
Each of these approaches, alone or in combination, changes how users use their terminals and their files, and so seriously affects work efficiency.
Summary of the invention
Against the weaknesses of the above solutions, the present invention proposes the following approach to the terminal data security of a large organization whose terminals are accessed under particular network environments, while keeping work efficiency unaffected:
In a large organization, terminals may sit in different network environments. To protect terminal data more comprehensively and effectively, protection cannot simply be centred on the terminal, the file or the user; the viewpoint must move up one level. Terminal users are grouped into LANs by department or business type, protection of terminal data is centralized on the LAN, and the sensitive data on the terminals is moved into the LAN for centralized management.
Sensitive data from terminals is managed centrally by allocating personal zones, and storage encryption and channel encryption keep it protected in every state. Each personal zone is operated by its own user, who can share sensitive data with other staff under several permission modes, so that sensitive files are always under control. A backup module backs up the sensitive data, and a USB key ties the physical identity of a visitor to their digital identity, completing secure storage and secure use of the data.
Sensitive data is in plaintext only while it is displayed in memory, and that memory is itself controlled; at rest and in transit it exists only as ciphertext. Whatever technical means are used to take important data, without a legitimate identity, the access rights and the correct secure channel the result is only the encrypted, unreadable file. Because all important files are ciphertext, the data is secure at any time, in any place and in any state, and the user's work efficiency is not affected even under a strict leak-proof environment.
Specifically, the present invention provides a LAN data security protection system comprising computers and a LAN, in which:
The system is provided with a centrally controlled storage device; individual computers have no storage device of their own and store data by accessing the centrally controlled storage device over the LAN.
The centrally controlled storage device is divided into personal user zones and group user zones. A personal user zone is operated on by a single user, who may add, delete, modify, upload, download, print and share data; a group user zone is operated on by several users, who may add, delete, modify, upload, download and print data.
When a user copies data stored in the centrally controlled storage device to an external storage device, the copy must go through a USB key that has an encrypted secure storage area.
The USB key comprises the following modules:
A. authentication of the USB key user's identity;
B. encryption of outbound files;
C. decryption of outbound files;
D. recording of the operations performed on outbound files;
E. copy protection of outbound files.
When a user edits data stored in the centrally controlled storage device, one of the following three memory management methods is used:
A. The computer does not use its local memory. Part of the centrally controlled storage device is mapped to the terminal as a local disk, a virtual memory space is set up on the mapped disk, and all in-memory data of the file is buffered in that virtual memory space. The system controls the data through the virtual memory protection kernel, so that during editing all memory contents stay within the virtual memory space, and anti-leak controls are applied to the editing process (blocking printing, screen capture, copy and paste of content, drag and drop, screen text capture and network transmission).
B. The computer uses its local memory, and anti-leak controls are applied to the process accessing the data: printing, screen capture, copy and paste of content, drag and drop, screen text capture and network transmission of the data are forbidden.
C. The computer does not use its local memory. When it accesses data stored in the centrally controlled storage device, a virtual memory space is set up in the USB key and all in-memory data is buffered in the USB key. The system controls the data through the USB key's protection kernel, so that during editing all memory contents stay within the USB key, and printing, screen capture, copy and paste of content, drag and drop, screen text capture and network transmission of the data are forbidden.
When the LAN exchanges data with another LAN:
A. a dedicated secure data channel is set up between the two LANs;
B. a user in one LAN specifies a file, first selects the centrally controlled storage device of the other LAN, then selects a user name in the other LAN, specifies the sharing permissions, and the file is securely shared over the dedicated secure data channel to the selected user in the other LAN;
C. the selected user in the other LAN logs in to the centrally controlled storage device of their own network and securely accesses the shared data over the dedicated secure data channel.
The system has an inter-user messaging module through which users automatically receive sharing notifications, instant messages and offline messages, and can read and reply to them.
The system has a logging module that records the full life cycle of data in the system, and the USB key carries log records that the system can retrieve.
Description of the drawings
Fig. 1 is a schematic diagram of the system's secure partition and management module.
Fig. 2 is a schematic diagram of the system's secure sharing module.
Fig. 3 is a schematic diagram of the system's logging module.
Fig. 4 is a schematic diagram of cross-LAN data sharing between users.
Embodiment
A specific implementation of the invention is described below with reference to the drawings:
1. Secure partition and management module
As shown in Fig. 1, the system isolates the centralized storage space into mutually isolated zones. A zone is allocated to each individual user, and zones can also be allocated as public zones to particular groups of people. Files are managed centrally through public zones and personal zones: a public zone holds the public documents of the whole company or of a business department, and a personal zone holds the personal documents of its user. The owner of a zone manages its permissions, for example by granting other people access to a file or folder in it. Terminals retain no sensitive file information.
The administrator can create public zones for the whole LAN, for each department or for a particular business, and a personal zone for each employee. The personal zone holds the employee's own files. Zones cannot access each other's contents without authorization. Each zone is managed and maintained by its terminal user, including uploading, reading, writing, deleting, printing and downloading files and assigning file permissions (read, write, delete, print). Compared with file-centred protection, management no longer has to worry about setting permissions as files circulate between users.
2. Encryption module: storage encryption and encryption of the data transmission channel.
3. Flexible secure sharing module
Users share data autonomously, flexibly, securely and under control, without administrator involvement. A user can share a file with a chosen target (a user or a group) and set the access rights at the same time (read, write, delete, print, download, etc.). This makes data exchange convenient while eliminating the insecure sharing of traditional network neighbourhood shares, which are easily infected by viruses and easily attacked by people (hackers).
The system has a file and folder secure sharing module. Through it a user can make files in their personal zone visible to others, with flexible permission settings at sharing time: the grantee can be a group, a department or an individual, and each grantee's rights (read, write, delete, print, download, etc.) can be set.
4. Secure outbound module
To prevent data leaks when staff need to work away from the office, the centrally controlled data storage protection system uses a USB key with an encrypted secure storage area in which important outbound files can be stored.
The USB key has the following modules:
a. ensuring that the visitor's physical identity and digital identity are consistent;
b. authorizing a terminal user to access the corresponding personal zone from outside;
c. encrypted storage of sensitive outbound files;
d. authentication of the identity of the USB key's user;
e. after successful authentication, automatic decryption of the sensitive files stored on the USB key when the user accesses them;
f. recording the entire history of use of the outbound files.
A USB key may have all of these modules or only some of them, according to the application.
The security of outbound files is ensured as follows. If an outbound file is copied or imaged off the key by force, without the normal verification process, it remains ciphertext; it is actively decrypted for access only after normal authentication of the USB key confirms that the physical identity of the key's holder matches the data's identity. Outbound files are only allowed to exist on the USB key: they can be edited and saved there, but cannot be stored or copied elsewhere from the key.
1. Taking a file out: the USB key is inserted into the terminal and, after successful authentication, the outbound file is downloaded to the key. If the user lacks download permission for the file, the file's owner must first change its permissions.
2. Using the file outside: the travelling user takes the outbound USB key along. To use the file, the user inserts the key into the host used off-site; after the key is authenticated, the file is actively decrypted when accessed.
3. Logging and controls: the whole process of file use is logged, and the user is prevented from leaking the opened outbound file by copying, pasting, screen capture, network transmission and the like. Security mechanisms of the outbound USB key: outbound files create no temporary files on the terminal; temporary cache files are kept in a hidden area of the outbound USB key and are automatically cleared on exit, and all file writes and caching for the outbound USB key are completed inside the key itself.
4. Recovering the outbound file log: when the user returns to the LAN, the USB key is inserted into any terminal connected to the LAN, and the usage log of the outbound files is recovered and saved into the system.
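The outbound-file mechanism of section 4 and the log recovery described in sections 4 and 6 can be exercised in code. The block below is an added example written for this page; it is not the patent's implementation or the applicant's code. It simulates a USB key (class `UsbKey`, an assumed name) whose per-file keys are derived from a device secret that never leaves the key, so that a storage area copied or imaged off the key cannot be decrypted anywhere else (the copy-protection module); it refuses to decrypt anything whose authentication tag does not verify; and it keeps an operation log on the key that is handed back when the key returns to the LAN. The PIN check stands in for the holder-identity check, and `seal`/`unseal` are a standard-library-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) standing in for the AES-GCM a real token would provide. The sample file contents are constructed.

```python
"""Key-bound encrypted outbound-file container with an on-token operation log.
Added example, not the patent's implementation; stdlib only."""
from __future__ import annotations
import hashlib, hmac, os, time

SHA = hashlib.sha256
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 used as a PRF."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), SHA).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    enc_key, mac_key = hmac.new(key, b"enc", SHA).digest(), hmac.new(key, b"mac", SHA).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, SHA).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject a wrong key or tampering."""
    enc_key, mac_key = hmac.new(key, b"enc", SHA).digest(), hmac.new(key, b"mac", SHA).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, SHA).digest(), tag):
        raise ValueError("ciphertext rejected: wrong key or tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class UsbKey:
    """Simulated token: device secret that never leaves it, PIN check, encrypted storage, on-key log."""

    def __init__(self, serial: str, pin: str) -> None:
        self.serial = serial
        self._secret = os.urandom(32)                      # per-device secret (assumed)
        self._pin_mac = hmac.new(self._secret, pin.encode(), SHA).digest()
        self.storage: dict[str, bytes] = {}                # what an attacker imaging the key sees
        self.log: list[dict] = []
        self.unlocked = False

    def authenticate(self, pin: str) -> bool:
        candidate = hmac.new(self._secret, pin.encode(), SHA).digest()
        self.unlocked = hmac.compare_digest(candidate, self._pin_mac)
        self._record("authenticate", "-", self.unlocked)
        return self.unlocked

    def _file_key(self, name: str) -> bytes:
        # Per-file key derived from the device secret: a blob copied off this key is useless elsewhere.
        return hmac.new(self._secret, b"file|" + name.encode(), SHA).digest()

    def _record(self, op: str, name: str, ok: bool) -> None:
        self.log.append({"ts": time.time(), "key": self.serial, "op": op, "file": name, "ok": ok})

    def put(self, name: str, plaintext: bytes) -> None:
        """Download an outbound file onto the key; it is encrypted before it touches storage."""
        if not self.unlocked:
            raise PermissionError("token locked")
        self.storage[name] = seal(self._file_key(name), plaintext)
        self._record("put", name, True)

    def get(self, name: str) -> bytes:
        """Open an outbound file: plaintext is returned only into the caller's memory."""
        if not self.unlocked:
            raise PermissionError("token locked")
        plaintext = unseal(self._file_key(name), self.storage[name])
        self._record("get", name, True)
        return plaintext

    def recover_log(self) -> list[dict]:
        """Back in the LAN: hand the on-key log to the central system and clear it."""
        entries, self.log = self.log, []
        return entries


def demo() -> dict:
    key = UsbKey("SN-0001", pin="483920")
    doc = b"Q3 budget: internal only"                      # constructed sample file
    key.authenticate("483920")
    key.put("budget.txt", doc)
    out: dict = {"roundtrip": key.get("budget.txt") == doc}
    # Forced copy: the storage area is imaged onto another, fully unlocked key.
    clone = UsbKey("SN-0002", pin="483920")
    clone.authenticate("483920")
    clone.storage = dict(key.storage)
    try:
        clone.get("budget.txt")
        out["clone_decrypts"] = True
    except ValueError:
        out["clone_decrypts"] = False
    # One flipped ciphertext byte must be rejected outright, not decrypted into garbage.
    tampered = bytearray(key.storage["budget.txt"])
    tampered[NONCE_LEN] ^= 0x01
    key.storage["budget.txt"] = bytes(tampered)
    try:
        key.get("budget.txt")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["log_ops"] = [e["op"] for e in key.recover_log() if e["ok"]]
    return out
```

`demo()` returns `roundtrip=True`, `clone_decrypts=False`, `tamper_detected=True` and a recovered log of `authenticate`, `put`, `get`. Two caveats the patent text leaves implicit: once `get` has returned plaintext it lives in the host's memory and on its display, so the controls on printing, screen capture and network transmission in sections 4 and 5 must be enforced by the endpoint agent, not by the key; and the keystream construction here is for illustration, a deployment should use AES-GCM or another vetted AEAD from a reviewed library.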
5. Online processing and in-memory data control module
User operations on files (upload, read, write, delete, print, download, etc.) must leave no trace of sensitive data on the terminal. The centrally controlled data storage protection system therefore offers three modes of online file processing.
1. During online editing the computer does not use its local memory: part of the centrally controlled storage device is mapped to the terminal as a local disk, a virtual memory space is set up on the mapped disk, all in-memory data of the file is buffered there, and the system controls the data through the virtual memory protection kernel so that memory contents stay within the virtual memory space throughout editing, with anti-leak controls applied to the editing process (blocking printing, screen capture, copy and paste of content, drag and drop, screen text capture and network transmission).
2. During online editing the terminal's local memory is used; online editing is then as simple as local editing, including creating files, editing files, and copying and pasting online.
The centrally controlled data storage protection system controls the memory of processes that access sensitive files, preventing them from writing file contents out of memory into an insecure environment, and applies anti-leak controls to the process accessing the file so that its contents cannot leak through printing, screen capture, copy and paste of content, drag and drop, screen text capture or network transmission.
3. During online editing the terminal's local memory is not used: when the terminal edits an online file, a virtual memory space is set up in the USB key, all in-memory data of the file is buffered in the key, and the system controls the data through the USB key's protection kernel so that memory contents stay within the key throughout editing, with anti-leak controls applied to the editing process (blocking printing, screen capture, copy and paste of content, drag and drop, screen text capture, network transmission, etc.).
6. Full life cycle file usage logging module
Records the usage of files over their full life cycle. A security officer can search, tally and analyse the logged events and monitor how files are used.
7. Cross-LAN file sharing module
In practice, however LANs are divided (by department, by business type or otherwise), data exchange between LANs is likely to be needed.
As shown in Fig. 4, the centrally controlled data storage protection systems of two LANs set up a dedicated cross-LAN secure data channel between them to achieve secure sharing. For a user in LAN A to share a file with read and write access to a user in LAN B:
1. a dedicated secure data channel exists between the LANs and is used when needed;
2. the user in A specifies the file, first selects the centrally controlled data storage protection system of LAN B, then selects the user name in LAN B, specifies the sharing permissions, and the file is securely shared to the user in B;
3. the user in B logs in to the centrally controlled data storage protection system of their own network and securely accesses the shared data over the dedicated secure data channel.
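Sections 1, 3 and 7 together describe one permission model: an owner-managed personal zone whose owner holds a share right, an administered group zone whose members do not, grants limited to the rights the grantor holds, and cross-LAN grants that are only usable while the dedicated channel between the two LANs exists. The block below is an added example written for this page, not the patent's or the applicant's code; `Store`, `Zone`, `Perm` and the `LAN:user` principal format are assumptions made for the illustration, and the users and zones in `demo()` are constructed.

```python
"""Decision logic for the partitioned central store and its sharing rules.
Added example, not the patent's implementation."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    PRINT = auto()
    DOWNLOAD = auto()
    SHARE = auto()   # grant rights to others; held only by the owner of a personal zone


FULL = Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PRINT | Perm.DOWNLOAD


class AccessDenied(Exception):
    pass


@dataclass
class Zone:
    kind: str                       # "personal" or "group"
    owner: str                      # principal "LAN:user"; for a group zone, its administrator
    acl: dict[str, Perm] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # A personal zone's owner may share it; a group zone is administered, not shared onward.
        self.acl[self.owner] = FULL | Perm.SHARE if self.kind == "personal" else FULL


class Store:
    """The centrally controlled storage device of one LAN. Principals are 'LAN:user'."""

    def __init__(self, lan: str) -> None:
        self.lan = lan
        self.zones: dict[str, Zone] = {}
        self.channels: set[str] = set()          # peer LANs with a dedicated secure channel
        self.log: list[tuple[str, str, str, str]] = []

    def create_zone(self, name: str, kind: str, owner: str, members: tuple[str, ...] = ()) -> Zone:
        zone = Zone(kind, owner)
        for member in members:                   # group members get full rights but never SHARE
            zone.acl[member] = FULL
        self.zones[name] = zone
        return zone

    def _reachable(self, principal: str) -> bool:
        lan = principal.partition(":")[0]
        return lan == self.lan or lan in self.channels

    def allowed(self, principal: str, zone_name: str, perm: Perm) -> bool:
        """Every decision is logged, denials included (the full-life-cycle log)."""
        zone = self.zones.get(zone_name)
        ok = (self._reachable(principal) and zone is not None
              and perm in zone.acl.get(principal, Perm(0)))
        self.log.append((principal, zone_name, str(perm), "allow" if ok else "deny"))
        return ok

    def require(self, principal: str, zone_name: str, perm: Perm) -> None:
        if not self.allowed(principal, zone_name, perm):
            raise AccessDenied(f"{principal} lacks {perm} on {zone_name}")

    def share(self, grantor: str, zone_name: str, grantee: str, perms: Perm) -> None:
        """Owner-driven sharing: no administrator, no escalation, no delegation of SHARE."""
        self.require(grantor, zone_name, Perm.SHARE)
        zone = self.zones[zone_name]
        if Perm.SHARE in perms or perms & ~zone.acl[grantor]:
            raise AccessDenied("cannot grant SHARE or rights the grantor does not hold")
        if not self._reachable(grantee):
            raise AccessDenied(f"no dedicated channel to {grantee.partition(':')[0]}")
        zone.acl[grantee] = zone.acl.get(grantee, Perm(0)) | perms


def demo() -> dict[str, bool]:
    a = Store("A")
    a.channels.add("B")                              # dedicated channel to LAN B
    a.create_zone("alice", "personal", "A:alice")
    a.create_zone("finance", "group", "A:admin", members=("A:alice", "A:carol"))
    out = {"carol_before_share": a.allowed("A:carol", "alice", Perm.READ)}
    a.share("A:alice", "alice", "A:carol", Perm.READ | Perm.PRINT)
    out["carol_after_share"] = a.allowed("A:carol", "alice", Perm.PRINT)
    out["carol_cannot_delete"] = a.allowed("A:carol", "alice", Perm.DELETE)
    try:                                             # a group member cannot re-share the group zone
        a.share("A:carol", "finance", "A:dave", Perm.READ)
        out["group_reshare"] = True
    except AccessDenied:
        out["group_reshare"] = False
    a.share("A:alice", "alice", "B:bob", Perm.READ)  # cross-LAN grant over the channel
    out["bob_cross_lan"] = a.allowed("B:bob", "alice", Perm.READ)
    a.channels.discard("B")                          # channel torn down: grant stays, access stops
    out["bob_no_channel"] = a.allowed("B:bob", "alice", Perm.READ)
    return out
```

This is the authorization decision only. Whether a denied `PRINT` or `DOWNLOAD` is actually stopped depends on the endpoint controls and the mapped-disk virtual memory of section 5; the store can refuse to release a file, but once it has released one it cannot by itself prevent a screenshot of it.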
8. Message notification module
The centrally controlled data storage protection system has an inter-user messaging module offering instant messaging and offline messages, read status, replies and other message management functions, giving the organization a flexible and convenient channel for internal coordination. It also provides reminders about shared information, supporting users' daily collaborative work.
Sensitive data on terminals is moved, by way of personal zones, into the centrally controlled data storage protection system for centralized protection. The operating system a user works in inside the system is the same as on the terminal, with the same functions of creating, modifying, deleting, sharing, printing and searching files, so no usage habits change. During normal use the data exists in plaintext only in the computer's memory, and no sensitive data exists on the terminal's hard disk. Without a legitimate identity, the access rights and the correct secure channel, all important files are ciphertext: whatever technical means are used to take them, only the encrypted, unreadable file is obtained, so the data is secure at any time, in any place and in any state. The usage of files is logged over their full life cycle, and a security officer can search, tally and analyse the logged events and monitor how files are used.

Claims (4)

1. A LAN data security protection system comprising computers and a LAN, characterized in that:
the system is provided with a centrally controlled storage device; individual computers have no storage device of their own and store data by accessing the centrally controlled storage device over the LAN;
the centrally controlled storage device is divided into personal user zones and group user zones, where a personal user zone is operated on by a single user, who may add, delete, modify, upload, download, print and share data, and a group user zone is operated on by several users, who may add, delete, modify, upload, download and print data;
when a user copies data stored in the centrally controlled storage device to an external storage device, the copy must go through a USB key having an encrypted secure storage area.
2. The LAN data security protection system of claim 1, characterized in that the USB key comprises the following modules:
A. authentication of the USB key user's identity;
B. encryption of outbound files;
C. decryption of outbound files;
D. recording of the operations performed on outbound files;
E. copy protection of outbound files.
3. The LAN data security protection system of any one of claims 1 to 2, characterized in that the system has an inter-user messaging module through which users automatically receive sharing notifications, instant messages and offline messages, and can read and reply to them.
4. The LAN data security protection system of any one of claims 1 to 2, characterized in that the system has a logging module that records the full life cycle of data in the system, and the USB key carries log records that the system can retrieve.
Priority Applications (1)

Application Number: CN201420481975.6U; Priority Date: 2014-08-25; Filing Date: 2014-08-25; Title: LAN data security protection system

Publications (1)

Publication Number: CN204314881U; Publication Date: 2015-05-06

Family

ID: 53137185

Country Status (1)

CN: CN204314881U


Legal Events

Code Title
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 2021-03-04

Address after: 350001 room 505, 5th floor, scientific research building, Hongshan Science Park, Gongye Road, Gulou District, Fuzhou City, Fujian Province

Patentee after: Fujian Nebula Big Data Application Service Co.,Ltd.

Address before: 4f, area B, Fujian Overseas Students Pioneer Park, 108 Jiangbin East Avenue, Mawei District, Fuzhou City, Fujian Province, 350015

Patentee before: FUJIAN ETIM INFORMATION & TECHNOLOGY Co.,Ltd.