TW201917595A - Cloud safety network browsing method and system - Google Patents

Cloud safety network browsing method and system

Info

Publication number
TW201917595A
Authority
TW
Taiwan
Prior art keywords
cloud
file
virtual browser
browser
desired connection
Prior art date
Application number
TW106136822A
Other languages
Chinese (zh)
Other versions
TWI647574B (en)
Inventor
林華鵬
周國森
雲首博
王貞力
單張麟
潘建全
Original Assignee
中華電信股份有限公司
Abstract

A cloud security network browsing method and system are provided. A user sends a URL request through a browser. A proxy server determines whether the URL is an address in a trusted intranet whitelist. If so, the internal resource can be accessed. If not, a VPN connection is established and a cloud virtual browser, run on a virtualization platform, fetches the page content of the untrusted URL and presents a screen of that content in the user's browser, so that the internal enterprise environment stays protected. In addition, the user can download a purified document file from the external environment and make it available inside the enterprise.

Description

Cloud security network browsing method and system

The present invention relates to an information security technology, and in particular to a cloud security network browsing method and system.

With the rapid development of technology, enterprises and companies of all kinds, and even ordinary households, have computers that assist users in their work, in obtaining information, or in entertainment. As for enterprise network security, although people are accustomed to connecting to the Internet through the web browser on their computer to obtain resources, many resources inside an enterprise still need special protection and must not be freely obtainable by outsiders. Most enterprises deploy a firewall to block abnormal connections, but in recent years malware attacks have become frequent, and a firewall mechanism alone is no longer sufficient to isolate the enterprise's internal network from the outside world. How to let users browse the web with confidence while protecting internal enterprise resources is therefore an information security issue and technology that every enterprise values.

In view of this, the present invention provides a cloud security network browsing method and system in which external Internet web pages are executed and rendered by a cloud virtual browser, thereby securing internal resources and achieving isolation between the internal and external networks.

The cloud security network browsing system of the present invention includes a proxy server and a cloud virtual browser server. The proxy server determines whether a desired connection URL is related to an internal resource. If the desired connection URL is not related to an internal resource, the proxy server establishes a virtual private network (VPN) to connect to a cloud virtual browser. The cloud virtual browser server runs the cloud virtual browser based on virtualization technology and controls the cloud virtual browser to perform the browsing operation for the desired connection URL through the VPN.

The cloud security network browsing method of the present invention includes the following steps. Determine whether a desired connection URL is related to an internal resource. If the desired connection URL is not related to an internal resource, establish a VPN to connect to a cloud virtual browser. Run the cloud virtual browser based on virtualization technology and control the cloud virtual browser to perform the browsing operation for the desired connection URL through the VPN.

Based on the above, in the embodiments of the present invention a URL request that does not access an internal resource is browsed by the cloud virtual browser over the VPN, so that the internal and external network environments are isolated; external malware can only execute in the cloud virtual browser and does not affect the internal network, which secures internal enterprise resources.

To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a cloud security network browsing system 1 according to an embodiment of the present invention. Referring to FIG. 1, the cloud security network browsing system 1 includes a host computer 20, a proxy server 30, an internal database 40, a firewall and VPN server 50, a cloud virtual browser server 60, a jump server 70, and a file purification gateway 90.

The host computer 20 may be a desktop computer, notebook computer, mobile phone, tablet, smart TV, or other network-capable electronic device that can run a web browser (for example, Chrome, Firefox, or Internet Explorer).

The proxy server 30 may be a server of any type, a personal computer, a workstation, or another electronic device. In this embodiment, the proxy server 30 includes an intranet whitelist determination module 31 and a VPN client connection module 32.

The internal database 40 may be a network attached storage (NAS) device, a server, a personal computer, or another electronic device that has an internal storage space 41 (for example, a hard disk drive, a solid-state drive, or a similar component). Note that the host computer 20, the proxy server 30, and the internal database 40 are located in the internal network 10.

The firewall and VPN server 50 may be a gateway device, a server, a network access device, or another electronic device. In this embodiment, the firewall and VPN server 50 includes a VPN connection status notification module 51. The firewall and VPN server 50 sits between the internal network 10 and the external network.

The cloud virtual browser server 60 may be a server of any type, a personal computer, a workstation, or another electronic device. In this embodiment, the cloud virtual browser server 60 includes a virtual resource pool management and adjustment module 61, a virtual resource pool 62, one or more cloud virtual browsers 63, and a download file control module 64.

The jump server 70 may be a server of any type, a personal computer, a workstation, or another electronic device. In this embodiment, the jump server 70 includes a cloud virtual browser selection and connection module 71 and a cloud virtual browser Internet screen presentation module 72.

The file purification gateway 90 may be a gateway device, a server, a network access device, or another electronic device. In this embodiment, the file purification gateway 90 includes a file purification module 91. The file purification gateway 90 sits between the internal network 10 and the external network.

Note that the software modules recorded in the proxy server 30, the firewall and VPN server 50, the cloud virtual browser server 60, the jump server 70, and the file purification gateway 90 are loaded and executed by a processor such as a CPU, microcontroller, or chip; their detailed operation is described in the following embodiments. In addition, the proxy server 30, the firewall and VPN server 50, and the file purification gateway 90 may be implemented as software modules integrated into a single device or spread over several devices; the present invention is not limited in this respect.

To make the operation flow of the embodiments easier to understand, several embodiments are described below to explain the operation of the cloud security network browsing system 1. FIG. 2 is a flowchart of a cloud security network browsing method according to an embodiment of the present invention. Referring to FIG. 2, the method of this embodiment applies to the devices of the cloud security network browsing system 1 of FIG. 1. In the following, the method of the embodiments is described together with the components and modules of the cloud security network browsing system 1. The individual steps of the method may be adjusted according to the implementation and are not limited to what is described here.

When there is a need to browse external web pages within the enterprise, the web browser on the host computer 20 accepts the desired connection URL entered by the user and sends a Uniform Resource Locator (URL) request, which is forwarded to the proxy server 30. The proxy server 30 determines whether the desired connection URL is related to the internal resources stored in the internal storage space 41 (step S210). Specifically, the intranet whitelist determination module 31 determines whether the desired connection URL is among the URLs recorded in the trusted intranet whitelist (for example, links to files in the internal storage space 41). If it is in the trusted intranet whitelist, the host computer 20 may directly access the internal resources stored in the internal storage space 41 of the internal database 40 (step S220).

If it is not in the trusted intranet whitelist, the web browser running on the host computer 20 launches the VPN client connection module 32 and uses the browser to establish a VPN dial-up connection to the firewall and VPN server 50. After the VPN connection succeeds, the VPN connection status notification module 51 provides VPN status change list information to the virtual resource pool management and adjustment module 61 in the cloud virtual browser server 60. Based on this list information, the module 61 runs a resource adjustment algorithm to adjust the cloud virtual browser resources of the virtual resource pool 62 on Docker or a virtual platform using virtualization technology. Once the VPN dial-up connection succeeds, the firewall and VPN server 50 also dynamically dispatches firewall rules so that the web browser of the host computer 20 connects to the cloud virtual browser Internet screen presentation module 72 in the jump server 70. The cloud virtual browser selection and connection module 71 then randomly selects any cloud virtual browser 63 in the virtual resource pool 62 that has not been used before and connects to it (step S230).

Next, the cloud virtual browser 63 receives the operation information from the keyboard, mouse, or other input device (for example, a touchpad, drawing tablet, or joystick) of the host computer 20 to obtain the URL request typed by the user. The cloud virtual browser 63 then fetches the page content of the URL request from the Internet 80 and, through the cloud virtual browser Internet screen presentation module 72, presents the browsing of the requested content, so that the cloud virtual browser server 60 performs the browsing operation for the URL requested by the host computer 20 (for example, scrolling the page, clicking on the page, or filling in a comment) (step S240). In other words, the host computer 20 only renders the web page screen and captures the input operations; the actual browsing operation is performed entirely by the cloud virtual browser server 60.

When the host computer 20 wants to download a required file through the user interface of the cloud virtual browser 63, the download file control module 64 determines whether the file type is in the file whitelist (for example, doc, pdf). If it is not in the file whitelist, the download file control module 64 deletes or quarantines the file so that it cannot be transferred to the host computer 20. If it is in the file whitelist, the downloaded file is sent to the file purification gateway 90, where the file purification module 91 filters out malicious programs, objects, and syntax in the file and stores the purified file in the internal storage space 41; the web browser running on the host computer 20 can then enter a specific URL to reach the internal storage space 41 and obtain the purified file.

To make the operation of the embodiments clearer to the reader, a scenario example is given below. Note that the parameters and steps of the scenario may be adjusted as appropriate without departing from the spirit of the foregoing embodiments.

An internal enterprise user runs the enterprise's internal browser on the host computer 20 to send a URL request, which is forwarded to the proxy server 30. Suppose the URL requested by the user is "tw.yahoo.com". The intranet whitelist determination module 31 of the proxy server 30 determines that "tw.yahoo.com" is not in the trusted intranet whitelist, meaning that the URL is an untrusted external request; the internal browser then displays a reminder page with the warning "tw.yahoo.com is an unknown URL domain" and a "Connect to cloud virtual browser via VPN dial-up" button that the user can press to dial the VPN.

If the user still wants to browse the content, the user clicks the "Connect to cloud virtual browser via VPN dial-up" button on the reminder page, and the host computer 20 dials a connection to the firewall and VPN server 50 through the VPN client connection module 32.

After the VPN dial-up connection succeeds, the VPN connection status notification module 51 automatically sends the VPN status change information to the cloud virtual browser resource pool management and adjustment module 61 in the cloud virtual browser server 60. Based on the VPN status change information, the module 61 runs a resource adjustment algorithm to adjust the cloud virtual browser resources of the cloud virtual browser resource pool 62 on Docker or a virtual platform. At the same time, the firewall and VPN server 50 dynamically dispatches firewall rules so that the host computer 20 connects to the cloud virtual browser Internet screen presentation module 72 in the jump server 70. The cloud virtual browser selection and connection module 71 randomly selects any unused cloud virtual browser 63 in the virtual resource pool 62 and connects to it; the cloud virtual browser receives the URL request typed by the user, fetches the page content requested for "tw.yahoo.com" from the Internet 80, and presents the web page screen through the cloud virtual browser Internet screen presentation module 72, so that the enterprise's internal browser can show the "tw.yahoo.com" page content requested by the cloud virtual browser 63.

On the other hand, suppose the user needs to download the file "document.docx" from the page into the enterprise. The file "document.docx" is downloaded from the page into a single directory, and the download file control module 64 monitors that directory for file changes. When the download file control module 64 finds that the new file "document.docx" has appeared and determines that "document.docx" is an ordinary document file, it sends "document.docx" to the file purification gateway 90. After the file purification module 91 filters out malicious dynamic program syntax, the purified file "purified-document.docx" is stored in the internal storage space 41.

If the user wants to obtain the purified document file, the user issues a URL request for the internal network storage space from the host computer 20, and this URL request is sent to the proxy server 30. The intranet whitelist determination module 31 of the proxy server 30 determines that the URL of the internal network storage space is in the trusted intranet whitelist, meaning that the URL is related to an internal resource, and the host computer 20 can directly browse and access the purified file "purified-document.docx" in the enterprise's internal storage space 41.
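The decision flow of steps S210 to S240 and the "tw.yahoo.com" / "document.docx" scenario above, modelled in Python as an added example (not code from the patent or its assignee). The whitelist entries, the pool identifiers, the sample document, and the choice of OOXML zip parts dropped by the purification step are all assumptions made for illustration; a real purification module would do far more than strip a few container entries.

```python
import io
import random
import zipfile
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed trusted intranet whitelist (module 31): hostnames of internal resources.
TRUSTED_INTRANET = {"files.corp.internal", "wiki.corp.internal"}
# Constructed file-type whitelist for downloads (module 64).
FILE_WHITELIST = {"doc", "docx", "pdf"}
# Hypothetical stand-in for purification module 91: OOXML zip parts that carry
# active content (VBA project, embedded objects, ActiveX controls) are dropped.
ACTIVE_CONTENT_PREFIXES = ("word/vbaProject", "word/embeddings/", "word/activeX")


def is_internal(url: str) -> bool:
    """Step S210: compare the parsed hostname, not a substring of the URL, so that
    a URL such as "http://files.corp.internal@evil.example/" is not treated as internal."""
    host = (urlsplit(url).hostname or "").lower()
    return host in TRUSTED_INTRANET


@dataclass
class BrowserPool:
    """Virtual resource pool 62: an instance is handed out at most once, so a browser
    that has rendered untrusted content is never reused (step S230)."""
    free: list = field(default_factory=list)
    used: set = field(default_factory=set)

    def allocate(self) -> str:
        if not self.free:
            # Adjustment module 61 would add capacity here; this model fails closed.
            raise RuntimeError("virtual resource pool exhausted")
        pick = random.choice(self.free)  # random choice among unused instances
        self.free.remove(pick)
        self.used.add(pick)
        return pick


def route_request(url: str, pool: BrowserPool) -> dict:
    """Proxy server 30: whitelisted URLs are served directly (S220); anything else
    is browsed over the VPN by a fresh cloud virtual browser (S230/S240)."""
    if is_internal(url):
        return {"action": "internal", "url": url}
    return {"action": "cloud_browser", "vpn": True, "browser": pool.allocate()}


def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sanitize_docx(data: bytes) -> bytes:
    """Rebuild the OOXML container without its active-content parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(ACTIVE_CONTENT_PREFIXES):
                continue  # filtered out by the purification step
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def control_download(name: str, data: bytes) -> dict:
    """Module 64 plus gateway 90: non-whitelisted types are quarantined; whitelisted
    files are purified and stored under a 'purified-' name in storage space 41.
    Only .docx is purified in this model; .doc and .pdf pass through unchanged."""
    ext = file_extension(name)
    if ext not in FILE_WHITELIST:
        return {"action": "quarantine", "name": name}
    purified = sanitize_docx(data) if ext == "docx" else data
    return {"action": "store_internal", "name": "purified-" + name, "data": purified}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()


def zip_entries(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    pool = BrowserPool(["vb-1", "vb-2", "vb-3"])
    print(route_request("http://files.corp.internal/share/readme.pdf", pool))
    print(route_request("http://tw.yahoo.com", pool))
    result = control_download("document.docx", build_sample_docx(with_macro=True))
    print(result["name"], zip_entries(result["data"]))
```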

In summary, the embodiments of the present invention provide an enterprise cloud security network browsing system with the following features. The internal and external environments of the enterprise are isolated, so that external malware can only execute in the cloud virtual browser, which secures internal enterprise resources. All untrusted external URL page content and files are executed only in the cloud virtual browser, protecting resources inside the enterprise from threats in the external environment. Internal enterprise users can only connect to the jump server over the HyperText Transfer Protocol (HTTP) to view the web content of the cloud virtual browser; all other outbound connections are forbidden, which secures internal enterprise resources and prevents the enterprise from connecting to an external relay. The cloud virtual browser selection and connection module can quickly select and connect to a cloud virtual browser in the virtual resource pool. On each VPN connection, an unused cloud virtual browser in the virtual resource pool is randomly selected to render the untrusted external URL page content, so that even if a browser is subjected to a malicious attack, the next connection again uses a safe, never-used cloud virtual browser, ensuring that the cloud virtual browser used each time is secure. Malicious dynamic syntax is removed from document files: a document file downloaded by the cloud virtual browser passes through the file purification module, which filters out malicious dynamic program syntax, and the purified file is transmitted to and stored in the enterprise's internal storage space, ensuring that every document file entering the enterprise from the external network is safe.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the invention; anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is therefore defined by the appended claims.

1‧‧‧Cloud security network browsing system

20‧‧‧Host computer

30‧‧‧Proxy server

31‧‧‧Intranet whitelist determination module

32‧‧‧VPN client connection module

40‧‧‧Internal database

41‧‧‧Internal storage space

50‧‧‧Firewall and VPN server

51‧‧‧VPN connection status notification module

60‧‧‧Cloud virtual browser server

61‧‧‧Virtual resource pool management and adjustment module

62‧‧‧Virtual resource pool

63‧‧‧Cloud virtual browser

64‧‧‧Download file control module

70‧‧‧Jump server

71‧‧‧Cloud virtual browser selection and connection module

72‧‧‧Cloud virtual browser Internet screen presentation module

80‧‧‧Internet

90‧‧‧File purification gateway

91‧‧‧File purification module

S210~S240‧‧‧Steps

FIG. 1 is a schematic diagram of a cloud security network browsing system according to an embodiment of the present invention.

FIG. 2 is a flowchart of a cloud security network browsing method according to an embodiment of the present invention.

Claims (10)

1. A cloud security network browsing system, comprising: a proxy server that determines whether a desired connection URL is related to an internal resource and, if the desired connection URL is not related to the internal resource, establishes a virtual private network (VPN) to connect to a cloud virtual browser; and a cloud virtual browser server that runs the cloud virtual browser based on a virtualization technology and controls the cloud virtual browser to perform the browsing operation for the desired connection URL through the VPN.

2. The cloud security network browsing system of claim 1, wherein the proxy server records a trusted intranet whitelist, and the proxy server determines whether the desired connection URL is in the trusted intranet whitelist in order to decide whether the desired connection URL is related to the internal resource.

3. The cloud security network browsing system of claim 1, further comprising: a jump server that selects any unused cloud virtual browser in a virtual resource pool for connection and presents the screen of the browsing operation.

4. The cloud security network browsing system of claim 1, wherein the cloud virtual browser server records a file whitelist and determines whether a file downloaded by the cloud virtual browser is in the file whitelist; if it is in the file whitelist, the malicious programs, objects, and syntax in the file downloaded by the cloud virtual browser are filtered out; if it is not in the file whitelist, the file downloaded by the cloud virtual browser is deleted.

5. The cloud security network browsing system of claim 1, wherein, if the desired connection URL is related to the internal resource, the proxy server accesses the internal resource based on the desired connection URL.

6. A cloud security network browsing method, comprising: determining whether a desired connection URL is related to an internal resource; if the desired connection URL is not related to the internal resource, establishing a virtual private network to connect to a cloud virtual browser; and running the cloud virtual browser based on a virtualization technology and controlling the cloud virtual browser to perform the browsing operation for the desired connection URL through the virtual private network.

7. The cloud security network browsing method of claim 6, wherein determining whether the desired connection URL is related to the internal resource comprises: determining whether the desired connection URL is in a trusted intranet whitelist.

8. The cloud security network browsing method of claim 6, wherein controlling the cloud virtual browser to perform the browsing operation for the desired connection URL through the virtual private network comprises: selecting any unused cloud virtual browser in a virtual resource pool for connection; and presenting the screen of the browsing operation through the selected cloud virtual browser.

9. The cloud security network browsing method of claim 6, wherein controlling the cloud virtual browser to perform the browsing operation for the desired connection URL through the virtual private network comprises: determining whether a file downloaded by the cloud virtual browser is in a file whitelist; if it is in the file whitelist, filtering out the malicious programs, objects, and syntax in the file downloaded by the cloud virtual browser; and if it is not in the file whitelist, deleting the file downloaded by the cloud virtual browser.

10. The cloud security network browsing method of claim 6, further comprising, after determining whether the desired connection URL is related to the internal resource: if the desired connection URL is related to the internal resource, accessing the internal resource based on the desired connection URL.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106136822A TWI647574B (en) 2017-10-26 2017-10-26 Cloud safety network browsing method and system

Publications (2)

Publication Number Publication Date
TWI647574B 2019-01-11
TW201917595A 2019-05-01

Family

ID=65803731

Country Status (1)

Country Link
TW (1) TWI647574B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI741698B (en) * 2020-07-28 2021-10-01 中華電信股份有限公司 Method for detecting malicious attacks and network security management device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201220784A (en) * 2010-11-12 2012-05-16 Nat Taichung Inst Of Technology which comprises a portable access device which stores a personal firewall including an access control table, the secure webpage control, the application program management, and the account management configure
CN102801574B (en) * 2011-05-27 2016-08-31 阿里巴巴集团控股有限公司 The detection method of a kind of web page interlinkage, device and system
CN102263824B (en) * 2011-07-26 2017-07-18 深圳市中兴物联科技有限公司 A kind of safe browsing method and virtual browser
US9525697B2 (en) * 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
TWI591511B (en) * 2015-11-30 2017-07-11 Chunghwa Telecom Co Ltd Cloud DHCP security system and method

Also Published As

Publication number Publication date
TWI647574B (en) 2019-01-11
