WO2015169120A1 - Network access system, network protection device and terminal server - Google Patents


Info

Publication number
WO2015169120A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
transmission line
external
network
intranet
Application number
PCT/CN2015/073552
Other languages
French (fr)
Chinese (zh)
Inventor
周宏斌
Original Assignee
周宏斌
Application filed by 周宏斌
Publication of WO2015169120A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present application relates to the field of network technologies, and in particular, to a network access system, a network protection device, and a terminal server.
  • a local area network is a group of computers interconnected within a certain area.
  • the computers in it can communicate and share data with one another. For example, the internal network of a school or a company unit is a local area network.
  • the present application provides a network access system, a network protection device, and a terminal server to improve data security when a client inside a local area network accesses an external network.
  • a network access system including: at least one client disposed in a local area network, and a network protection device and a terminal server disposed between the local area network and an external network, the terminal server being connected to the external network;
  • the client is configured to initiate a remote connection request to the terminal server, and after receiving the response information of the terminal server for the remote connection request, send the locally acquired access operation data to the terminal server;
  • the network protection device includes: an internal processing device; an intranet monitoring device connected to the internal processing device through a first transmission line; and an external processing device connected to the intranet monitoring device through a second transmission line, the external processing device also being connected to the internal processing device through a third transmission line;
  • the internal processing device is configured to transmit the intranet data sent by the client to the intranet monitoring device over the first transmission line, and to send to the client the response information and the external network data that the external processing device transmits over the third transmission line; the intranet data includes the remote connection request and the access operation data, and the external network data includes the access response data returned by the terminal server for the access operation data;
  • the intranet monitoring device is configured to transmit the intranet data to the external processing device by using the second transmission line when determining that the intranet data is preset legal data;
  • the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and the external network data returned by the terminal server to the internal processing device over the third transmission line;
  • the terminal server is configured to respond to the remote connection request, access the external network according to the access operation data, and return the access response data to the client.
  • the internal processing device includes: a first internal processing unit connected to the intranet monitoring device through the first transmission line, and a second internal processing unit connected to the external processing device through the third transmission line;
  • the first internal processing unit is configured to send the intranet data to the intranet monitoring device by using the first transmission line;
  • the second internal processing unit is configured to receive the response information and the external network data that the external processing device transmits over the third transmission line, and to send the response information and the external network data to the client.
  • the external processing device includes: a first external processing unit connected to the intranet monitoring device through the second transmission line, and a second external processing unit connected to the second internal processing unit through the third transmission line;
  • the first external processing unit is configured to send the intranet data that the intranet monitoring device transmits over the second transmission line to the terminal server;
  • the second external processing unit is configured to transmit the response information sent by the terminal server and the external network data to the second internal processing unit by using the third transmission line.
  • the first transmission line is an optical fiber whose signal transmission direction is unidirectional, from the internal processing device to the intranet monitoring device;
  • the second transmission line is an optical fiber whose signal transmission direction is unidirectional, from the intranet monitoring device to the external processing device;
  • the third transmission line is an optical fiber whose signal transmission direction is unidirectional, from the external processing device to the internal processing device.
  • the present application further provides a network protection device, which is disposed between a local area network and a terminal server connected to an external network, and the network protection device includes:
  • an internal processing device; an intranet monitoring device connected to the internal processing device through a first transmission line; and an external processing device connected to the intranet monitoring device through a second transmission line, the external processing device also being connected to the internal processing device through a third transmission line;
  • the internal processing device is configured to transmit the intranet data sent by a client in the local area network to the intranet monitoring device over the first transmission line, and to send to the client the response information and the external network data that the external processing device transmits over the third transmission line; the intranet data includes the remote connection request sent by the client to the terminal server, and the access operation data sent by the client to the terminal server after the client receives the terminal server's response information for the remote connection request;
  • the external network data includes access response data returned by the terminal server for the access operation data;
  • the intranet monitoring device is configured to transmit the intranet data to the external processing device by using the second transmission line when determining that the intranet data is preset legal data;
  • the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and the external network data returned by the terminal server to the internal processing device over the third transmission line.
  • the internal processing device includes: a first internal processing unit connected to the intranet monitoring device through the first transmission line, and a second internal processing unit connected to the external processing device through the third transmission line;
  • the first internal processing unit is configured to send the intranet data to the intranet monitoring device by using the first transmission line;
  • the second internal processing unit is configured to receive the response information and the external network data that the external processing device transmits over the third transmission line, and to send the response information and the external network data to the client.
  • the external processing device includes: a first external processing unit connected to the intranet monitoring device through the second transmission line, and a second external processing unit connected to the second internal processing unit through the third transmission line;
  • the first external processing unit is configured to send the intranet data that the intranet monitoring device transmits over the second transmission line to the terminal server;
  • the second external processing unit is configured to transmit the response information sent by the terminal server and the external network data to the second internal processing unit by using the third transmission line.
  • the first transmission line is an optical fiber whose signal transmission direction is unidirectional, from the internal processing device to the intranet monitoring device;
  • the second transmission line is an optical fiber whose signal transmission direction is unidirectional, from the intranet monitoring device to the external processing device;
  • the third transmission line is an optical fiber whose signal transmission direction is unidirectional, from the external processing device to the internal processing device.
  • the application also provides a terminal server, which is disposed between a local area network and an external network; the terminal server is connected to a network protection device disposed between the local area network and the external network, the network protection device is connected to the local area network, and the terminal server is connected to the external network;
  • the terminal server is configured to receive, by the network protection device, a remote connection request sent by a client in the local area network, and return, by using the network protection device, confirmation information for the remote connection request;
  • the terminal server receives, by way of the network protection device, the access operation data sent by the client, accesses the external network according to the access operation data, and returns the access response data to the client by way of the network protection device;
  • the access operation data is locally acquired operation data sent by the client to the terminal server after receiving the response information for the remote connection request.
  • when a client in the local area network needs to access the external network, it initiates a remote connection request to the terminal server, and after receiving the terminal server's confirmation of the remote connection request, it sends its locally acquired access operation data to the terminal server so as to access the external network through the terminal server; therefore, if a malicious website on the external network is accidentally connected to, that website is connected only to the terminal server outside the local area network.
  • FIG. 1 is a schematic structural diagram of a network protection system in an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a network protection system in another embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a network protection system in another embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of a network protection device according to the present application.
  • the embodiment of the present application discloses a network protection system, a network protection device, and a terminal server to improve security when a client inside a LAN accesses an external network.
  • FIG. 1 is a schematic structural diagram of a network protection system in an embodiment of the present application.
  • the network protection system includes:
  • at least one client 11 disposed in a local area network, and a network protection device 12 and a terminal server 13 disposed between the local area network and the external network.
  • the network protection device is connected to the local area network, and the terminal server is connected to the external network.
  • the connection relationship mentioned here may be a physical line connection or a wireless network connection.
  • the client 11 is configured to initiate a remote connection request to the terminal server, and after receiving the terminal server's response information for the remote connection request, to send the locally obtained access operation data to the terminal server.
  • the network protection device 12 includes:
  • an internal processing device 121; an intranet monitoring device 122 connected to the internal processing device 121 via the first transmission line L1; and an external processing device 123 connected to the intranet monitoring device 122 via the second transmission line L2, the external processing device 123 also being connected to the internal processing device 121 via a third transmission line L3.
  • the internal processing device 121 is configured to transmit the intranet data sent by the client 11 to the intranet monitoring device 122 through the first transmission line, and to send to the client 11 the response information and the external network data that the external processing device 123 transmits through the third transmission line.
  • the intranet data includes: the remote connection request and the access operation data.
  • the external network data includes: access response data returned by the terminal server for the access operation data.
  • the intranet monitoring device 122 is configured to transmit the intranet data to the external processing device through the second transmission line when determining that the intranet data is preset legal data.
  • the external processing device 123 is configured to send the intranet data to the terminal server, and to transmit the response information and the external network data returned by the terminal server to the internal processing device through the third transmission line.
  • the terminal server 13 is configured to respond to the remote connection request, access the external network according to the access operation data, and return the access response data to the client 11.
  • when the client in the local area network needs to access the external network, it initiates a remote connection request to the terminal server, and after receiving the terminal server's confirmation of the remote connection request, it sends its locally obtained access operation data to the terminal server, which accesses the external network on its behalf. Therefore, if a malicious website on the external network is accidentally connected to, that website is connected only to the terminal server outside the local area network and not directly to the client in the local area network: it cannot obtain the information held in the client, and it cannot install a Trojan or virus in the client. This reduces the risk of data leakage from inside the local area network, avoids the destruction of client data in the LAN, and improves the security of data in the LAN.
  • the intranet data must be transmitted by the internal processing device in the network protection device to the intranet monitoring device via the first transmission line, from the intranet monitoring device to the external processing device via the second transmission line, and finally from the external processing device to the terminal server; the confirmation information and the external network data returned by the terminal server must be transmitted by the external processing device to the internal processing device via the third transmission line, and only then can they be sent on to the client in the local area network.
  • the path by which intranet data leaves the local area network therefore differs from the path by which external data enters the local area network and reaches the client; the outbound path of the intranet data is unidirectional, and the inbound path of the external data is also unidirectional.
  • the intranet monitoring device forwards the intranet data onto the second transmission line, in one direction, only after it has determined that the intranet data is the preset legal data.
  • intranet data that is not legal data is thus prevented from leaking to the external network, which improves the security of the data.
  • the external network data can reach the internal processing device only through the external processing device and the third transmission line. Even if a Trojan, virus or the like on the external network gets past the terminal server, travels from the external processing device over the third transmission line to the internal processing device and finally enters a client in the local area network, any intranet data it collects in the client under the network transmission protocol must still leave through the internal processing device; and because the third transmission line transmits in one direction only, the intranet data cannot pass from the internal processing device over the third transmission line to the external processing device. This reduces the risk of data leakage from inside the local area network.
  • the local area network in the present application may be an internal network of a certain factory, a company, or a home.
  • the local area network may include a database server, a file server, and the like in addition to the client.
  • the external network is defined relative to the local area network and refers to the network outside the LAN.
  • the client in the local area network can access the network in the local area network to realize data sharing in the local area network.
  • when a user needs to use a client to access an external network, the client must be switched from the state of accessing the internal network to the state of accessing the external network; that is, the client is connected either to the local area network or to the external network.
  • in the prior art, a KBS obtains the current mouse or keyboard operation data of the client, uses that operation data as access operation data for accessing the external network, and sends it to the external network.
  • each client in the local area network needs to be connected to a KBS, so that when a large number of clients are deployed in the local area network, a large number of KBS devices are required, which increases the complexity of the network access system.
  • in the present application it is not necessary for each client to connect to a KBS: the client only needs to initiate a remote connection request to the terminal server, after which it can switch to the state of being connected to the external network, treat its input operations as operations for accessing the external network, and send out the acquired access operation data. This further reduces the complexity of the network access system while improving the security of LAN clients accessing the external network.
  • the operation data that the user enters in the client through an input device such as the keyboard or the mouse can be regarded as access operation data for accessing the remote network.
  • from the received access operation data, the terminal server can determine the specific network access behavior of the client, such as which external website is accessed and which data needs to be obtained from that website, and then performs the corresponding network access according to the access operation data to obtain the access response data.
  • the corresponding operation interface data may be included in the confirmation information returned to the client.
  • the client displays a corresponding operation interface according to the operation interface data, and the user can perform the corresponding input operations for external network access in that interface.
  • the internal processing device in the network protection device may be a single integral device, in which case it plays the role of the internal terminal.
  • the internal processing device may include two internal processing units to separately send the intranet data and send the external network data back to the intranet.
  • FIG. 2 is a schematic structural diagram of a network protection system according to another embodiment of the present application.
  • this embodiment differs from the network protection system of the previous embodiment as follows:
  • the internal processing device 121 in the network protection device 12 includes:
  • first internal processing unit 1211 connected to the internal network monitoring device via a first transmission line L1
  • second internal processing unit 1212 connected to the external processing device 123 via the third transmission line L3;
  • the first internal processing unit 1211 is configured to send the intranet data to the intranet monitoring device through the first transmission line L1.
  • the second internal processing unit 1212 is configured to receive the response information and the external network data that the external processing device 123 transmits through the third transmission line L3, and to send the response information and the external network data to the client 11.
  • the client first sends the intranet data to the first internal processing unit 1211 in the network protection device, and the first internal processing unit 1211 transmits it over the first transmission line to the intranet monitoring device.
  • the intranet monitoring device transmits the intranet data through the second transmission line to the external processing device 123, which sends it to the terminal server; the external network data returned by the terminal server is then transmitted by the external processing device 123 to the second internal processing unit 1212 via the third transmission line, thereby achieving unidirectional transmission of the intranet data and the external network data over different transmission lines.
  • legal data may be preset in the intranet monitoring device; for example, the input data of the mouse, the keyboard and the like in the client can be regarded as legal data.
  • if the intranet data sent by the client is detected to include data other than such input data (mouse, keyboard and the like), the intranet data is not transmitted to the external processing device.
  • the external processing device may also be composed of two external processing units, which respectively handle sending the intranet data out and transmitting the external network data back into the local area network.
  • FIG. 3 is a schematic diagram of a network protection system according to another embodiment of the present application. The difference between this embodiment and any of the previously described network protection systems is that:
  • the external processing device 123 in the network protection device 12 may include:
  • a first external processing unit 1231 connected to the intranet monitoring device via the second transmission line L2, and a second external processing unit 1232 connected to the second internal processing unit 1212 via the third transmission line L3.
  • the first external processing unit 1231 is configured to send the intranet data transmitted by the intranet monitoring device through the second transmission line L2 to the terminal server 13;
  • the second external processing unit 1232 is configured to transmit the response information and the external network data sent by the terminal server 13 to the second internal processing unit through the third transmission line L3.
  • the intranet data is thus transmitted outward and the external network data is transmitted into the local area network through different internal processing units and external processing units of the network protection device, respectively, further reducing the risk of internal data being compromised and improving the security of internal network access to the external network.
  • the internal processing device is described here as including a first internal processing unit and a second internal processing unit by way of example; in practical applications, if the internal processing device is not divided into a first internal processing unit and a second internal processing unit, the composition of the external processing device in this embodiment still applies, except that the second external processing unit is then directly connected to the internal processing device through the third transmission line.
  • a setting may be made in each of the internal processing device, the monitoring device, and the external processing device, or in the internal processing device and the external processing device respectively, to limit the direction of data transfer.
  • the intranet data received by the internal processing device from the client can only be transmitted to the monitoring device through the first transmission line.
  • the external network data received by the external processing device from the terminal server can only be transmitted to the internal processing device through the third transmission line.
  • the first transmission line, the second transmission line, and the third transmission line can each complete only one-way transmission of the data signal.
  • the first transmission line can be set as an optical fiber whose signal transmission direction is unidirectionally transmitted from the internal processing device to the intranet monitoring device.
  • the second transmission line may be configured as an optical fiber whose signal transmission direction is unidirectional, from the intranet monitoring device to the external processing device;
  • the third transmission line may be provided as an optical fiber whose signal transmission direction is unidirectional, from the external processing device to the internal processing device.
  • the first transmission line, the second transmission line and the third transmission line all use the unidirectional transmission property of an optical signal to achieve one-way transmission of the data signal over the optical fiber, and thereby the unidirectionality of the intranet data and the external network data during transmission. Specifically, a corresponding optical transmitter and optical receiver are disposed in each of the transmission lines.
  • the first transmission line actually includes an optical transmitter connected to the internal processing device and an optical receiver connected to the intranet monitoring device, with an optical fiber connecting the optical transmitter and the optical receiver.
  • the second transmission line actually includes an optical transmitter connected to the intranet monitoring device and an optical receiver connected to the external processing device, with an optical fiber connecting the optical transmitter and the optical receiver; correspondingly, the third transmission line actually includes an optical transmitter connected to the external processing device and an optical receiver connected to the internal processing device, with an optical fiber connecting the optical transmitter and the optical receiver.
  • the network protection system may further set a firewall between the local area network and the network protection device.
  • the present application also provides a network protection device.
  • FIG. 4 is a schematic structural diagram of an embodiment of a network protection device according to the present application.
  • the network protection device is disposed between a local area network and a terminal server connected to an external network.
  • the network protection device can include:
  • the internal processing device 41 is configured to transmit the intranet data sent by the client in the local area network to the intranet monitoring device 42 through the first transmission line, and to send to the client the response information and the external network data that the external processing device 43 transmits through the third transmission line L3.
  • the intranet data includes the remote connection request sent by the client to the terminal server, and the access operation data sent by the client to the terminal server after receiving the terminal server's response information for the remote connection request;
  • the external network data includes access response data returned by the terminal server for the access operation data.
  • the intranet monitoring device 42 is configured to transmit the intranet data to the external processing device by using the second transmission line when determining that the intranet data is preset legal data. Set.
  • the external processing device 43 is configured to send the intranet data to the terminal server, and to transmit the response information and the extranet data returned by the terminal server to the internal processing device via the third transmission line.
  • when a client in the local area network needs to access the external network, the client initiates a remote connection request to the terminal server, which is forwarded through the network protection device; after receiving the terminal server's confirmation of the remote connection request, the client sends the access operation data it has acquired locally to the terminal server, again through the network protection device, and the terminal server accesses the external network on the client's behalf. If a malicious website on the external network is reached by accident, that website is connected only to the terminal server outside the local area network and not directly to the client inside it, so it can neither read information from the client nor install a Trojan or virus on it. This reduces the risk of data leaking from inside the LAN, prevents client data in the LAN from being destroyed, and improves the security of data in the LAN.
  • the intranet data is transmitted by the internal processing device to the external processing device via the first transmission line, the intranet monitoring device and the second transmission line, and is finally sent by the external processing device to the terminal server; the extranet data returned by the terminal server is transmitted by the external processing device to the internal processing device via the third transmission line. Intranet data and extranet data therefore travel on separate one-way paths, and intranet data that is not legal data is prevented from leaking to the external network.
  • a virus or the like that reaches the client cannot send data back out along the path it came in on, which prevents intranet data from being leaked and improves the security of devices in the LAN that access the external network.
  • the internal processing device may include: a first internal processing unit connected to the intranet monitoring device via the first transmission line, and a second internal processing unit connected to the external processing device via the third transmission line;
  • the first internal processing unit is configured to send the intranet data to the intranet monitoring device via the first transmission line;
  • the second internal processing unit is configured to receive the response information and the extranet data transmitted by the external processing device via the third transmission line, and to send the response information and the extranet data to the client.
  • the external processing device may include: a first external processing unit connected to the intranet monitoring device via the second transmission line, and a second external processing unit connected to the second internal processing unit via the third transmission line;
  • the first external processing unit is configured to send the intranet data transmitted by the intranet monitoring device via the second transmission line to the terminal server;
  • the second external processing unit is configured to transmit the response information and the extranet data sent by the terminal server to the second internal processing unit via the third transmission line.
  • for the composition of the above internal processing device and external processing device and the related description, refer to the description of the embodiments of FIG. 2 and FIG. 3.
  • the first transmission line is an optical fiber whose signal transmission direction is one-way, from the internal processing device to the intranet monitoring device;
  • the second transmission line is an optical fiber whose signal transmission direction is one-way, from the intranet monitoring device to the external processing device;
  • the third transmission line is an optical fiber whose signal transmission direction is one-way, from the external processing device to the internal processing device.
  • the present application further provides a terminal server located between a local area network and an external network; the terminal server is connected to a network protection device located between the local area network and the external network, the network protection device is connected to the local area network, and the terminal server is connected to the external network;
  • the terminal server is configured to receive, via the network protection device, a remote connection request sent by a client in the local area network and to return confirmation of that request via the network protection device; to receive, via the network protection device, access operation data sent by the client; to access the external network according to the access operation data; and to return the access response data to the client via the network protection device;
  • the access operation data is locally acquired operation data that the client sends to the terminal server after receiving the response information for the remote connection request.
  • the terminal server mentioned in any of the above embodiments may be a Windows terminal server, a cloud host or a Linux server providing remote access, and is not limited here.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided are a network access system, a network protection device and a terminal server. The network protection system comprises: at least one client in a local area network, a network protection device and a terminal server, wherein the client initiates a remote connection request to the terminal server, and sends locally acquired access operation data to the terminal server after receiving response information for the remote connection request; an internal processing apparatus in the network protection device transmits intranet data sent by the client to an intranet monitoring apparatus through a first transmission line, and sends the response information and extranet data transmitted by an external processing apparatus through a third transmission line to the client; and the intranet monitoring apparatus transmits the intranet data to the external processing apparatus through a second transmission line to transmit the intranet data to the terminal server through the external processing apparatus and access a network by the terminal server according to the intranet data, so as to improve the security for the local area network to access an extranet.

Description

Network access system, network protection device and terminal server
This application claims priority to Chinese Patent Application No. 201410190365.5, filed with the Chinese Patent Office on May 6, 2014 and entitled "Network access system, network protection device and terminal server", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of network technology, and more specifically to a network access system, a network protection device and a terminal server.
Background
A local area network (LAN) is a group of computers interconnected within a certain area. Computers within the LAN can communicate with one another and share data; the internal network of a school or an organisation, for example, is a LAN.
With the development of network technology, communication between a LAN and the external Internet has become routine. To protect the data resources inside the LAN, a firewall is placed between the LAN and the external Internet to reduce the risk of those resources being leaked or destroyed. However, once a Trojan, virus or the like from the external Internet breaks through that firewall, the resources inside the LAN face a concrete threat.
Summary
In view of this, the present application provides a network access system, a network protection device and a terminal server to improve data security while an internal LAN accesses an external network.
To achieve the above objective, the present application provides the following technical solution: a network access system comprising at least one client located in a local area network, and a network protection device and a terminal server located between the local area network and an external network, the terminal server being connected to the external network;
wherein the client is configured to initiate a remote connection request to the terminal server and, after receiving the terminal server's response information for the remote connection request, to send locally acquired access operation data to the terminal server;
the network protection device comprises: an internal processing device; an intranet monitoring device connected to the internal processing device via a first transmission line; and an external processing device connected to the intranet monitoring device via a second transmission line, the external processing device being connected to the internal processing device via a third transmission line;
wherein the internal processing device is configured to transmit the intranet data sent by the client to the intranet monitoring device via the first transmission line, and to send to the client the response information and the extranet data transmitted by the external processing device via the third transmission line; the intranet data comprises the remote connection request and the access operation data, and the extranet data comprises the access response data returned by the terminal server for the access operation data;
the intranet monitoring device is configured to transmit the intranet data to the external processing device via the second transmission line only when it determines that the intranet data is preset legal data;
the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and the extranet data returned by the terminal server to the internal processing device via the third transmission line;
the terminal server is configured to respond to the remote connection request, to access the external network according to the access operation data, and to return the access response data to the client.
Preferably, the internal processing device comprises: a first internal processing unit connected to the intranet monitoring device via the first transmission line, and a second internal processing unit connected to the external processing device via the third transmission line;
the first internal processing unit being configured to send the intranet data to the intranet monitoring device via the first transmission line;
the second internal processing unit being configured to receive the response information and the extranet data transmitted by the external processing device via the third transmission line, and to send the response information and the extranet data to the client.
Preferably, the external processing device comprises: a first external processing unit connected to the intranet monitoring device via the second transmission line, and a second external processing unit connected to the second internal processing unit via the third transmission line;
the first external processing unit being configured to send the intranet data transmitted by the intranet monitoring device via the second transmission line to the terminal server;
the second external processing unit being configured to transmit the response information and the extranet data sent by the terminal server to the second internal processing unit via the third transmission line.
Preferably, the first transmission line is an optical fiber whose signal transmission direction is one-way, from the internal processing device to the intranet monitoring device;
the second transmission line is an optical fiber whose signal transmission direction is one-way, from the intranet monitoring device to the external processing device;
the third transmission line is an optical fiber whose signal transmission direction is one-way, from the external processing device to the internal processing device.
In another aspect, the present application further provides a network protection device located between a local area network and a terminal server connected to an external network, the network protection device comprising:
an internal processing device; an intranet monitoring device connected to the internal processing device via a first transmission line; and an external processing device connected to the intranet monitoring device via a second transmission line, the external processing device being connected to the internal processing device via a third transmission line;
wherein the internal processing device is configured to transmit intranet data sent by a client in the local area network to the intranet monitoring device via the first transmission line, and to send to the client the response information and extranet data transmitted by the external processing device via the third transmission line; the intranet data comprises a remote connection request sent by the client to the terminal server, and the access operation data that the client sends to the terminal server after receiving the terminal server's response information for that remote connection request; the extranet data comprises the access response data returned by the terminal server for the access operation data;
the intranet monitoring device is configured to transmit the intranet data to the external processing device via the second transmission line only when it determines that the intranet data is preset legal data;
the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and the extranet data returned by the terminal server to the internal processing device via the third transmission line.
Preferably, the internal processing device comprises: a first internal processing unit connected to the intranet monitoring device via the first transmission line, and a second internal processing unit connected to the external processing device via the third transmission line;
the first internal processing unit being configured to send the intranet data to the intranet monitoring device via the first transmission line;
the second internal processing unit being configured to receive the response information and the extranet data transmitted by the external processing device via the third transmission line, and to send the response information and the extranet data to the client.
Preferably, the external processing device comprises: a first external processing unit connected to the intranet monitoring device via the second transmission line, and a second external processing unit connected to the second internal processing unit via the third transmission line;
the first external processing unit being configured to send the intranet data transmitted by the intranet monitoring device via the second transmission line to the terminal server;
the second external processing unit being configured to transmit the response information and the extranet data sent by the terminal server to the second internal processing unit via the third transmission line.
Preferably, the first transmission line is an optical fiber whose signal transmission direction is one-way, from the internal processing device to the intranet monitoring device;
the second transmission line is an optical fiber whose signal transmission direction is one-way, from the intranet monitoring device to the external processing device;
the third transmission line is an optical fiber whose signal transmission direction is one-way, from the external processing device to the internal processing device.
In another aspect, the present application further provides a terminal server located between a local area network and an external network; the terminal server is connected to a network protection device located between the local area network and the external network, the network protection device is connected to the local area network, and the terminal server is connected to the external network;
the terminal server is configured to receive, via the network protection device, a remote connection request sent by a client in the local area network and to return confirmation of that request via the network protection device; to receive, via the network protection device, access operation data sent by the client; to access the external network according to the access operation data; and to return the access response data to the client via the network protection device;
wherein the access operation data is locally acquired operation data that the client sends to the terminal server after receiving the response information for the remote connection request.
From the above technical solution it can be seen that when a client in the LAN needs to access the external network, the client must initiate a remote connection request to the terminal server and, after receiving the terminal server's confirmation of that request, send the access operation data acquired locally on the client to the terminal server, so that the external network is accessed through the terminal server. In this way, if a malicious website on the external network is reached by accident, the malicious website is connected only to the terminal server outside the LAN and not directly to the client inside it; it therefore cannot read information from the LAN client, nor install a Trojan, virus or the like on it. This reduces the risk of data inside the LAN being leaked, prevents client data inside the LAN from being destroyed, and improves the security of data within the LAN.
Brief description of the drawings
In order to explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the network protection system in one embodiment of the present application;
FIG. 2 is a schematic structural diagram of the network protection system in another embodiment of the present application;
FIG. 3 is a schematic structural diagram of the network protection system in another embodiment of the present application;
FIG. 4 is a schematic structural diagram of one embodiment of a network protection device of the present application.
Detailed description
The embodiments of the present application disclose a network protection system, a network protection device and a terminal server to improve the security of an internal LAN accessing an external network.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present application.
A network protection system is introduced first.
Referring to FIG. 1, which is a schematic structural diagram of the network protection system in one embodiment of the present application, the network protection system in this embodiment comprises:
at least one client 11 located in a local area network;
and a network protection device 12 and a terminal server 13 located between the local area network and an external network.
The network protection device is connected to the LAN, and the terminal server is connected to the external network. The connections referred to here may be physical line connections or wireless network connections.
The client 11 is configured to initiate a remote connection request to the terminal server and, after receiving the terminal server's response information for the remote connection request, to send locally acquired access operation data to the terminal server.
The network protection device 12 comprises:
an internal processing device 121; an intranet monitoring device 122 connected to the internal processing device 121 via a first transmission line L1; and an external processing device 123 connected to the intranet monitoring device 122 via a second transmission line L2, the external processing device 123 being connected to the internal processing device 121 via a third transmission line L3.
The internal processing device 121 is configured to transmit the intranet data sent by the client 11 to the intranet monitoring device 122 via the first transmission line, and to send to the client 11 the response information and extranet data transmitted by the external processing device 123 via the third transmission line.
The intranet data comprises the remote connection request and the access operation data; the extranet data comprises the access response data returned by the terminal server for the access operation data.
The intranet monitoring device 122 is configured to transmit the intranet data to the external processing device via the second transmission line only when it determines that the intranet data is preset legal data.
The external processing device 123 is configured to send the intranet data to the terminal server, and to transmit the response information and extranet data returned by the terminal server to the internal processing device via the third transmission line.
The terminal server 13 is configured to respond to the remote connection request, to access the external network according to the access operation data, and to return the access response data to the client 11.
It can be seen that in this embodiment, when a client in the LAN needs to access the external network, the client must initiate a remote connection request to the terminal server and, after receiving the terminal server's confirmation of that request, send the access operation data acquired locally on the client to the terminal server, so that the external network is accessed through the terminal server. If a malicious website on the external network is reached by accident, the malicious website is connected only to the terminal server outside the LAN and not directly to the client inside it; it therefore cannot read information from the LAN client, nor install a Trojan, virus or the like on it. This reduces the risk of data inside the LAN being leaked, prevents client data inside the LAN from being destroyed, and improves the security of data within the LAN.
At the same time, in the present application, once a client in the LAN has issued a remote connection request or access operation data, that intranet data must be transmitted by the internal processing device of the network protection device to the intranet monitoring device via the first transmission line, from the intranet monitoring device to the external processing device via the second transmission line, and finally from the external processing device to the terminal server; whereas the confirmation information and extranet data returned by the terminal server must be transmitted by the external processing device to the internal processing device via the third transmission line, and only then can the internal processing device pass them back to the client in the LAN. From this data flow it can be seen that the path by which intranet data leaves the LAN and the path by which data from outside the LAN reaches a client in the LAN are different: the path from the LAN's intranet data to the external network is one-way, and the path for external data into the LAN is likewise one-way.
Because the transmission path for intranet data from the LAN to the external network is one-way, and the intranet monitoring device forwards intranet data one-way over the second transmission line to the external processing device only after checking that it is preset legal data, intranet data that is not legal data is prevented from leaking into the external network, which improves data security.
Since extranet data can only be transmitted one-way from the external processing device to the internal processing device via the third transmission line, even if a Trojan, virus or the like on the external network manages to get past the terminal server, travel through the external processing device over the third transmission line to the internal processing device, and finally reach a client in the LAN, the intranet data that the Trojan or virus collects from the client would, under the network transmission protocol, have to pass through the internal processing device and over the third transmission line to the external processing device before it could reach the external network. Because the third transmission line carries signals in one direction only, it is impossible for intranet data to travel from the internal processing device to the external processing device over the third transmission line, which reduces the risk of data inside the LAN being leaked.
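The three one-way lines and the "preset legal data" check described above (and in the shorter statement of the same data flow in the claim summary earlier on this page) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not code from the patent or from the applicant. It assumes a message format of its own (a `connect` request and `input` frames of keyboard/mouse events, the two kinds of intranet data the patent names) and an assumed per-frame event bound `MAX_EVENTS_PER_FRAME`; the traffic in `run_scenario()` is constructed. It shows the legitimate session passing, a file payload and a payload hidden in an extra field being dropped by the monitor, and the internal processing device having no transmitter on the third line.

```python
from collections import deque

INTERNAL, MONITOR, EXTERNAL = "internal_processing", "intranet_monitor", "external_processing"
MAX_EVENTS_PER_FRAME = 32  # assumed bound on one frame of keyboard/mouse events (not from the patent)


class OneWayLink:
    """Models one unidirectional fibre (L1, L2 or L3): frames may only be put on the
    line by `src` and taken off by `dst`. Any other use raises, standing in for the
    transmitter/receiver that does not exist at the other end of the line."""

    def __init__(self, name, src, dst):
        self.name, self.src, self.dst = name, src, dst
        self._frames = deque()

    def transmit(self, sender, frame):
        if sender != self.src:
            raise PermissionError(f"{self.name}: {sender} has no transmitter on this line")
        self._frames.append(frame)

    def receive(self, receiver):
        if receiver != self.dst:
            raise PermissionError(f"{self.name}: {receiver} has no receiver on this line")
        return self._frames.popleft() if self._frames else None


def _is_input_event(event):
    """An event is either ("key", scancode) or ("mouse", x, y) with bounded ints."""
    if not isinstance(event, tuple):
        return False
    if len(event) == 2 and event[0] == "key":
        return isinstance(event[1], int) and 0 <= event[1] < 256
    if len(event) == 3 and event[0] == "mouse":
        return all(isinstance(v, int) and 0 <= v < 4096 for v in event[1:])
    return False


def is_legal_intranet_data(frame):
    """The intranet monitoring device's check: only a remote connection request or a
    frame of keyboard/mouse events counts as 'preset legal data'. Any other message
    type, and any extra field on an allowed type, is rejected (assumed format)."""
    if not isinstance(frame, dict):
        return False
    kind = frame.get("type")
    if kind == "connect":
        return set(frame) == {"type", "client_id"} and isinstance(frame["client_id"], str)
    if kind == "input":
        if set(frame) != {"type", "client_id", "events"}:
            return False
        events = frame["events"]
        return (isinstance(events, list) and len(events) <= MAX_EVENTS_PER_FRAME
                and all(_is_input_event(e) for e in events))
    return False


class NetworkProtectionDevice:
    """Internal processing device, intranet monitor and external processing device
    joined by the three one-way lines L1, L2 and L3 of the patent."""

    def __init__(self):
        self.l1 = OneWayLink("L1", INTERNAL, MONITOR)
        self.l2 = OneWayLink("L2", MONITOR, EXTERNAL)
        self.l3 = OneWayLink("L3", EXTERNAL, INTERNAL)
        self.dropped = []  # frames the monitor refused to forward

    def client_to_terminal_server(self, frame):
        """Outbound path internal -> L1 -> monitor -> L2 -> external. Returns the frame
        the external processing device hands to the terminal server, or None if dropped."""
        self.l1.transmit(INTERNAL, frame)
        candidate = self.l1.receive(MONITOR)
        if not is_legal_intranet_data(candidate):
            self.dropped.append(candidate)
            return None
        self.l2.transmit(MONITOR, candidate)
        return self.l2.receive(EXTERNAL)

    def terminal_server_to_client(self, frame):
        """Inbound path external -> L3 -> internal -> client (no content check on L3)."""
        self.l3.transmit(EXTERNAL, frame)
        return self.l3.receive(INTERNAL)


def run_scenario():
    """Constructed traffic: one legitimate session, then three exfiltration attempts."""
    dev = NetworkProtectionDevice()
    result = {}
    # 1. Normal session: connection request out, acknowledgement back, input events out.
    result["connect_forwarded"] = dev.client_to_terminal_server(
        {"type": "connect", "client_id": "pc-07"}) is not None
    ack = dev.terminal_server_to_client({"type": "connect_ack", "session": 1})
    result["ack_delivered"] = ack["type"] == "connect_ack"
    result["input_forwarded"] = dev.client_to_terminal_server(
        {"type": "input", "client_id": "pc-07",
         "events": [("key", 0x1C), ("mouse", 100, 200)]}) is not None
    # 2. Malware on the client pushes a file out along the forward path: monitor drops it.
    exfil = {"type": "file", "client_id": "pc-07", "data": b"secret"}
    result["exfil_blocked"] = dev.client_to_terminal_server(exfil) is None and exfil in dev.dropped
    # 3. Same payload smuggled as an extra field on an allowed type: also dropped.
    result["smuggled_field_blocked"] = dev.client_to_terminal_server(
        {"type": "input", "client_id": "pc-07", "events": [], "data": b"secret"}) is None
    # 4. Malware tries to send data back "the way it came in" (internal -> L3 -> external).
    try:
        dev.l3.transmit(INTERNAL, exfil)
        result["reverse_path_blocked"] = False
    except PermissionError:
        result["reverse_path_blocked"] = True
    return result


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check:24} {'ok' if ok else 'FAIL'}")
```

Two points the model makes visible. The return-path argument only closes the third line; anything leaving the LAN still rides the first and second lines, so the monitor's allowlist is the one control on the outbound direction, and it has to reject by shape (type, field set, value ranges) rather than by looking for known-bad content. And because `input` frames are themselves a legitimate outbound channel, a practitioner would bound and rate-limit them; the `MAX_EVENTS_PER_FRAME` constant here is an assumed stand-in for that, not a value the patent specifies.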
The LAN in the present application may be the internal network of a factory, a company or a household; besides clients, it may also contain devices such as database servers and file servers. The external network is defined relative to that LAN and refers to any network outside it.
A client in the LAN can access the network inside the LAN to share data within it. When a user needs to use the client to access the external network, the client must be switched from the state of accessing the internal network to the state of accessing the external network.
The inventor found in research that by adding a keyboard switch (KBS) in the LAN, a client can be switched between being connected to the LAN and being connected to the external network: the user flips a switch on the KBS to connect the client to one or the other. For example, after the user switches the KBS to the external-network position, the KBS captures the client's current mouse and keyboard operation data, treats it as access operation data for the external network, and sends it to the external network. In practice, however, switching a client from the LAN to the external network in this way requires every client in the LAN to be connected to its own KBS, so when many clients are deployed in the LAN a large number of KBS units is needed, which increases the complexity of the network access system.
Moreover, deploying a KBS in the LAN requires one lead cable of the KBS to be connected to the client and another lead cable to the external network, that is, dual-network cabling. If a user accidentally connects the lead that goes to the external network to the client, the user's operations on that client will cause its data to be sent to the external network, leading to information leakage.
In the network protection system of the present application, by contrast, no client needs a KBS: the client only needs to initiate a remote connection request to the terminal server to switch to the state of being connected to the external network; input operations on the client are then treated as operations for accessing the external network, and the captured access operation data is sent outward. This further reduces the complexity of the network access system while improving the security of the internal LAN's access to the external network.
It will be understood that in practice, after the client initiates a remote connection request to the terminal server, all operation data entered by the user through the client's input devices such as keyboard and mouse can be treated as access operation data for accessing the remote network. From the received access operation data the terminal server can determine the client's specific network access behaviour, such as which external website is being visited and what data needs to be fetched from it, and then perform the corresponding network access according to that access operation data to obtain the response data.
可选的,终端服务器响应该远程连接请求后,为客户端返回确认信息中可以包括相应的操作界面数据。该客户端依据该操作界面数据展现相应的操作界面,用户可以在该操作界面中进行相应的输入操作,以进行外部网络访问。Optionally, after the terminal server responds to the remote connection request, the corresponding operation interface data may be included in the confirmation information returned by the client. The client displays a corresponding operation interface according to the operation interface data, and the user can perform corresponding input operations in the operation interface for external network access.
在以上任意一个实施例中,该网络防护设备中该内部处理装置可以仅仅为一个整体的设备,该内部处理装置可以相应于内端机的作用。可选的,该内部处理装置可以包括两个内部处理单元,以分别实现将内网数据向外发送,以及将外网数据发送回内网。In any of the above embodiments, the internal processing device in the network protection device may be only an integral device, and the internal processing device may correspond to the role of the internal terminal. Optionally, the internal processing device may include two internal processing units to separately send the intranet data and send the external network data back to the intranet.
具体的,可以参见图2,其示出了本申请另一个实施例中一种网络防护系统的组成结构示意图,本实施例上一实施例的网络防护系统的不同之处在于:Specifically, reference may be made to FIG. 2, which is a schematic structural diagram of a network protection system according to another embodiment of the present application. The network protection system of the previous embodiment is different in the following embodiments:
在本实施例中,该网络防护设备12中的内部处理装置121包括:In this embodiment, the internal processing device 121 in the network protection device 12 includes:
通过第一传输线路L1与该内网监测装置相连的第一内部处理单元1211,以及通过该第三传输线路L3与该外部处理装置123相连的第二内部处理单元1212;a first internal processing unit 1211 connected to the internal network monitoring device via a first transmission line L1, and a second internal processing unit 1212 connected to the external processing device 123 via the third transmission line L3;
相应的,第一内部处理单元1211,用于通过该第一传输线路L1将该内网数据发送给该内网监测装置。Correspondingly, the first internal processing unit 1211 is configured to send the intranet data to the intranet monitoring device through the first transmission line L1.
该第二内部处理单元1212,用于接收该外部处理装置123通过该第三传输线路L3传输的所述响应信息和外网数据,并将所述响应信息和外网数据发送给该客户端11。The second internal processing unit 1212 is configured to receive the response information and the external network data that the external processing device 123 transmits through the third transmission line L3, and send the response information and the external network data to the client 11 .
可见,在这种本实施例中,客户端将内网数据首先发送给该网络防护装置中的第一内部处理单元1212,并由该第一内部处理单元1211通过该第一传输线路传输给该内网监测单元,并由内网监测单元通过该第二传输线路传输给外部处理单元123,以通过外部处理单元将该内网数据传输给该终端服务器;而终端服务器返回的外部数据 则由该外部处理单元123经该第三传输线路传输给第二内部处理单元1232,从而实现了内网数据和外网数据采用不同的传输线路单向的数据传输。It can be seen that, in this embodiment, the client first sends the intranet data to the first internal processing unit 1212 in the network protection device, and the first internal processing unit 1211 transmits the data to the first internal processing unit 1211. The intranet monitoring unit is transmitted by the intranet monitoring unit to the external processing unit 123 through the second transmission line to transmit the intranet data to the terminal server through the external processing unit; and the external data returned by the terminal server Then, the external processing unit 123 transmits the data to the second internal processing unit 1232 via the third transmission line, thereby realizing the unidirectional data transmission of the intranet data and the external network data by using different transmission lines.
可以理解的是,在以上任意一个实施例中,该内网监测装置中可以预先设定合法数据,如,可以将客户端中鼠标、键盘等输入数据认为是合法数据,如果检测到客户端传输的内网数据包括鼠标、键盘等输入数据之外的数据,则不会向外部处理装置传输该内网数据。It can be understood that, in any of the above embodiments, the internal network monitoring device can preset legal data, for example, the input data of the mouse, the keyboard, and the like in the client can be regarded as legal data, if the client transmission is detected. The intranet data includes data other than input data such as a mouse or a keyboard, and the intranet data is not transmitted to the external processing device.
进一步的,该外部处理装置也可以由两个外部处理单元组成,并由这两个外部处理单元分别实现内网数据向外发送,以及将外网数据传回局域网内部。Further, the external processing device may also be composed of two external processing units, and the two external processing units respectively implement the intranet data to be sent out, and the external network data is transmitted back to the internal area of the local area network.
参见图3,其示出了本申请另一实施例的网络防护系统的流程示意图。在本实施例与前面描述的网络防护系统任意一个实施例的不同之处在于:Referring to FIG. 3, a schematic flowchart of a network protection system according to another embodiment of the present application is shown. The difference between this embodiment and any of the previously described network protection systems is that:
在本实施例中,该网络防护设备12中的外部处理装置123可以包括:In this embodiment, the external processing device 123 in the network protection device 12 may include:
通过该第二传输线路L2与该内网监测装置相连的第一外部处理单元1231,以及通过该第三传输线路L3与该第二内部处理单元1212相连的第二外部处理单元1232。A first external processing unit 1231 connected to the intranet monitoring device via the second transmission line L2, and a second external processing unit 1232 connected to the second internal processing unit 1212 via the third transmission line L3.
相应的,该第一外部处理单元1231,用于将该内网监测装置通过第二传输线路L2传输的内网数据发送给终端服务器13;Correspondingly, the first external processing unit 1231 is configured to send the intranet data transmitted by the intranet monitoring device through the second transmission line L2 to the terminal server 13;
该第二外部处理单元1232,用于将该终端服务器13发送的响应信息和外网数据通过该第三传输线路L3传输给该第二内部处理单元。The second external processing unit 1232 is configured to transmit the response information and the external network data sent by the terminal server 13 to the second internal processing unit through the third transmission line L3.
可见,在本实施例中,在实现内网数据和外网数据单向传输的基础上,该内网数据向外传输以及外部网络的外部数据向局域网内部传输分别经过该网络防护设备中不同的内部处理单元和外部处理单元,从而进一步减少了内部数据被泄露的风险,提高了内部网络访问外部 网络的安全性。It can be seen that, in the embodiment, on the basis of realizing the one-way transmission of the intranet data and the external network data, the intranet data is transmitted outward and the external data of the external network is transmitted to the internal area of the local area network respectively through different network protection devices. Internal processing unit and external processing unit, further reducing the risk of internal data being compromised and improving internal network access to the outside Network security.
可以理解的是,在该图4实施例中是以该内部处理装置包含第一内部处理单元和第二内部处理单元为例进行的描述,但是在实际应用中,如果内部处理单元没有单独包括第一处内部处理单元和第二内部处理单元,本实施例中该外部处理装置的组成结构同样适用,不同之处仅在于,该外部处理装置的第二内部处理单元可以通过第三传输线路直接与该内部处理装置相连即可。It can be understood that, in the embodiment of FIG. 4, the internal processing device includes a first internal processing unit and a second internal processing unit as an example, but in practical applications, if the internal processing unit does not separately include the first An internal processing unit and a second internal processing unit, the composition of the external processing device in this embodiment is also applicable, except that the second internal processing unit of the external processing device can directly communicate with the third internal processing unit through the third transmission line. The internal processing device can be connected.
在以上任意一个实施例中,为了能够以上内网数据和外网数据的单向传输,可以分别在该内部处理装置、监测装置和外部处理装置,或者是内部处理装置和外部处理装置所包含的单元中进行设置,以限制数据传输的方向。如,设置该内部处理装置从该客户端接收到的内网数据只能通过第一传输线路传输到该监测装置,而该外部处理装置从终端服务器接收到的外网数据只能通过该第三传输线路传输给该内部处理装置。In any of the above embodiments, in order to enable one-way transmission of the above intranet data and the external network data, the internal processing device, the monitoring device, and the external processing device, or the internal processing device and the external processing device, respectively, may be included. Settings are made in the unit to limit the direction of data transfer. For example, the intranet data received by the internal processing device from the client can only be transmitted to the monitoring device through the first transmission line, and the external network data received by the external processing device from the terminal server can only pass through the third The transmission line is transmitted to the internal processing device.
可选的,为了实现数据的单向传输性,该第一传输线路、第二传输线路和第三传输线路均只能完成单向的数据信号传输。Optionally, in order to achieve unidirectional transmission of data, the first transmission line, the second transmission line, and the third transmission line can only complete one-way data signal transmission.
如,在本申请中可以将该第一传输线路设置为信号传输方向从该内部处理装置到该内网监测装置单向传输的光纤。For example, in the present application, the first transmission line can be set as an optical fiber whose signal transmission direction is unidirectionally transmitted from the internal processing device to the intranet monitoring device.
相应的,第二传输线路可以设置为信号传输方向从所述内网监测装置到所述外部处理装置单向传输的光纤;Correspondingly, the second transmission line may be configured as an optical fiber whose signal transmission direction is unidirectionally transmitted from the intranet monitoring device to the external processing device;
第三传输线路可以设置为信号传输方向从该外部处理装置到所述内部处理装置单向传输的光纤。The third transmission line may be provided as an optical fiber whose signal transmission direction is unidirectionally transmitted from the external processing device to the internal processing device.
也就是说,该第一传输线路、第二传输线路和第三传输线路均利用了光信号的单向传输性来实现该数据信号在光纤上的单向传输,以实现内网数据和外网数据在传输过程中的单向性。具体的,在这几个传输线路中均设置有相应的光发射器和接收器,如,该第一传输线路实际上是包含了与该内部处理装置相连的光发射器以及与该内网监测装置相连的光接收器,在光发射器和光接收器之间通过光纤相连。 该第二传输线路实际上也包含了与该内网监测装置相连的光发射器,以及与外部处理装置相连的光接收器,在该光发射器和光接收器之间通过光纤相连;相应的,该第三传输线路实际上也包含了与该外部处理装置相连的光发射器以及与该内部处理装置相连的光接收器,在该光发射器和光接收器之间通过光纤相连。That is to say, the first transmission line, the second transmission line and the third transmission line both utilize the unidirectional transmission property of the optical signal to realize the one-way transmission of the data signal on the optical fiber, so as to realize the intranet data and the external network. The unidirectionality of data during transmission. Specifically, a corresponding optical transmitter and receiver are disposed in each of the transmission lines. For example, the first transmission line actually includes an optical transmitter connected to the internal processing device and is monitored by the internal network. The optical receiver connected to the device is connected by an optical fiber between the optical transmitter and the optical receiver. The second transmission line actually includes an optical transmitter connected to the intranet monitoring device, and an optical receiver connected to the external processing device, and the optical transmitter and the optical receiver are connected by an optical fiber; correspondingly, The third transmission line also actually includes an optical transmitter connected to the external processing device and an optical receiver connected to the internal processing device, and the optical transmitter and the optical receiver are connected by an optical fiber.
在以上任意一个实施例中,为了进一步提高网络防护系统中网络访问的安全性,该网络防护系统还可以在局域网与该网络防护设备之间设置防火墙。In any of the above embodiments, in order to further improve the security of network access in the network protection system, the network protection system may further set a firewall between the local area network and the network protection device.
另一方面,本申请还提供了一种网络防护设备。参见图4,其示出了本申请一种网络防护设备一个实施例的组成结构示意图,本实施例中该网络防护设备设置于局域网以及与外部网络连接的终端服务器之间。该网络防护装置可以包括:In another aspect, the present application also provides a network protection device. Referring to FIG. 4, it is a schematic structural diagram of an embodiment of a network protection device according to the present application. In this embodiment, the network protection device is disposed between a local area network and a terminal server connected to an external network. The network protection device can include:
内部处理装置41;通过第一传输线路L1与该内部处理装置41相连的内网监测装置42;以及通过第二传输线路L2与内网监测装置41相连的外部处理装置42,且该外部处理装置43通过第三传输线路L3与该内部处理装置41相连。An internal processing device 41; an intranet monitoring device 42 connected to the internal processing device 41 via a first transmission line L1; and an external processing device 42 connected to the intranet monitoring device 41 via a second transmission line L2, and the external processing device 43 is connected to the internal processing device 41 via a third transmission line L3.
其中,该内部处理装置41,用于通过该第一传输线路将该局域网中客户端发送的内网数据传输给该内网监测装置42,并将该外部处理装置43通过第三传输线路L3传输的响应信息和外网数据发送给该客户端。The internal processing device 41 is configured to transmit the intranet data sent by the client in the local area network to the intranet monitoring device 42 through the first transmission line, and transmit the external processing device 43 through the third transmission line L3. The response information and the external network data are sent to the client.
其中,内网数据包括客户端向终端服务器发送的远程连接请求,以及所述客户端在接收到所述终端服务器针对所述远程连接请求的该响应信息后,向所述终端服务器发送的访问操作数据;The intranet data includes a remote connection request sent by the client to the terminal server, and an access operation sent by the client to the terminal server after receiving the response information of the terminal server for the remote connection request. data;
该外网数据包括所述终端服务器针对所述访问操作数据返回的访问响应数据。The external network data includes access response data returned by the terminal server for the access operation data.
该内网监测装置42,用于在确定所述内网数据为预设的合法数据时,通过所述第二传输线路将所述内网数据传输给所述外部处理装 置。The intranet monitoring device 42 is configured to transmit the intranet data to the external processing device by using the second transmission line when determining that the intranet data is preset legal data. Set.
所述外部处理装置43,用于将所述内网数据发送给所述终端服务器,并将所述终端服务器返回的所述响应信息和外网数据通过所述第三传输线路传输给所述内部处理装置。The external processing device 43 is configured to send the intranet data to the terminal server, and transmit the response information and the external network data returned by the terminal server to the internal through the third transmission line. Processing device.
可见,在本申请实施例中,当局域网内的客户端需要访问外部网络时,该客户端将向该终端服务器发起远程连接请求,发送给网络防护设备,以通过网络防护设备将该远程连接请求发送给终端服务器,当客户端接收到该终端服务器针对该远程连接请求的确认信息后,将该客户端本地获取到的访问操作数据通过该网络防护设备发送给终端服务器,以通过该终端服务器访问外部网络,这样,当意外连接到该外部网络中的恶意网站后,由于该恶意网站只是与该局域网外的终端服务器相连,而没有直接与该局域网内的客户端相连,从而无法从局域网的客户端中内的信息,也无法在该客户端中安装木马或病毒等,降低了局域网内部数据泄露的风险,也避免了局域网内的客户端数据被破坏,提高了局域网内数据的安全性。It can be seen that, in the embodiment of the present application, when the client in the local area network needs to access the external network, the client initiates a remote connection request to the terminal server, and sends the request to the network protection device to request the remote connection through the network protection device. Sending to the terminal server, after receiving the confirmation information of the terminal server for the remote connection request, the client obtains the access operation data locally obtained by the client through the network protection device to be accessed by the terminal server. An external network, such that when a malicious website is accidentally connected to the external network, since the malicious website is only connected to the terminal server outside the local area network, and is not directly connected to the client in the local area network, the customer cannot be from the local area network. The information in the terminal can not install Trojans or viruses in the client, which reduces the risk of data leakage inside the LAN, and also avoids the destruction of client data in the LAN, and improves the security of data in the LAN.
另外,由于该网络防护设备接收到客户端发送的内网数据后,将该内网数据由内部处理装置经第一传输线路、内网监测装置以及该第二传输线路传输给外部处理装置,并由外部处理装置最终发送给终端服务器;而终端服务器返回的外网数据由该外部处理装置经第三传输线路传输给内部处理装置,实现了内网数据与外网数据分路径单向传输,避免不是合法数据的内网数据泄露到外部网络中。同时,即使外部网络中的木马病毒等能够跨过该终端服务器并最终进入到客户端,该病毒木马等从客户端获取到数据也不能沿原路径向外传输,从而避免了内网数据被泄露,提高了局域网中设备访问外部网络的安全性。In addition, after the network protection device receives the intranet data sent by the client, the intranet data is transmitted by the internal processing device to the external processing device via the first transmission line, the intranet monitoring device, and the second transmission line, and The external processing device finally sends the data to the terminal server; and the external network data returned by the terminal server is transmitted by the external processing device to the internal processing device via the third transmission line, thereby realizing one-way transmission of the intranet data and the external network data sub-path, avoiding Intranet data that is not legal data is leaked to the external network. At the same time, even if the Trojan virus in the external network can cross the terminal server and finally enter the client, the virus or the like can not transmit data from the client to the original path, thereby preventing the intranet data from being leaked. Improves the security of devices accessing the external network in the LAN.
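As an added illustration (not code from this application), the following Python model reproduces the data paths described above together with the intranet monitoring device's legal-data check: three one-way lines L1, L2 and L3 that each accept a signal only from the end holding the transmitter, a monitoring device that forwards only the remote connection request and keyboard/mouse operation data, and a stand-in terminal server that performs the access on the client's behalf. The device names, the `Kind` categories and the sample payloads are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    """Traffic categories in the model; only the first two are 'preset legal data'."""
    REMOTE_CONNECT = "remote_connect"  # the client's remote connection request
    INPUT_EVENT = "input_event"        # keyboard / mouse operation data
    RESPONSE = "response"              # terminal server response info / access response data
    FILE = "file"                      # anything else, e.g. a document body


LEGAL_KINDS = {Kind.REMOTE_CONNECT, Kind.INPUT_EVENT}  # what the monitoring device lets through


@dataclass
class Packet:
    kind: Kind
    payload: str
    path: list = field(default_factory=list)  # transmission lines traversed, for inspection


class Line:
    """One optical fiber with a transmitter at `src` and a receiver at `dst` only."""

    def __init__(self, name, src, dst):
        self.name, self.src, self.dst = name, src, dst

    def transmit(self, sender, pkt):
        if sender != self.src:
            # no transmitter at this end, so a signal cannot be injected here
            raise PermissionError(f"{self.name}: no transmitter at {sender}")
        pkt.path.append(self.name)
        return self.dst


class ProtectionDevice:
    """Internal processing device, intranet monitoring device and external processing device."""

    def __init__(self):
        self.l1 = Line("L1", "internal", "monitor")
        self.l2 = Line("L2", "monitor", "external")
        self.l3 = Line("L3", "external", "internal")
        self.dropped = []  # intranet data the monitoring device refused to forward

    def outbound(self, pkt):
        """Client -> terminal server. Returns the packet if it may leave the LAN, else None."""
        self.l1.transmit("internal", pkt)  # the internal device can only use L1
        if pkt.kind not in LEGAL_KINDS:    # the monitoring device checks preset legal data
            self.dropped.append(pkt)
            return None
        self.l2.transmit("monitor", pkt)   # the external device hands it to the terminal server
        return pkt

    def inbound(self, pkt):
        """Terminal server -> client, over L3 only."""
        self.l3.transmit("external", pkt)
        return pkt


class TerminalServer:
    """Stand-in for the server that performs the external access on the client's behalf."""

    def __init__(self):
        self.sessions = set()

    def handle(self, pkt):
        if pkt.kind is Kind.REMOTE_CONNECT:
            self.sessions.add(pkt.payload)
            return Packet(Kind.RESPONSE, f"connected:{pkt.payload}")
        if pkt.kind is Kind.INPUT_EVENT and pkt.payload.split(":")[0] in self.sessions:
            # constructed stand-in for fetching the external site and returning screen data
            return Packet(Kind.RESPONSE, f"screen:{pkt.payload}")
        return Packet(Kind.RESPONSE, "rejected")


def run_session():
    """Drive one constructed session through the device and report what happened."""
    dev, srv = ProtectionDevice(), TerminalServer()
    result = {}

    def exchange(pkt):
        out = dev.outbound(pkt)
        return dev.inbound(srv.handle(out)).payload if out else None

    result["connect"] = exchange(Packet(Kind.REMOTE_CONNECT, "client11"))
    result["typing"] = exchange(Packet(Kind.INPUT_EVENT, "client11:keys=example.org"))
    # A document body is not preset legal data, so the monitoring device drops it.
    result["file"] = exchange(Packet(Kind.FILE, "client11:secret.docx"))
    # Even a compromised client cannot push data out along the return path: L3 has
    # no transmitter on the internal side.
    try:
        dev.l3.transmit("internal", Packet(Kind.FILE, "client11:secret.docx"))
        result["reverse_l3"] = "leaked"
    except PermissionError as exc:
        result["reverse_l3"] = str(exc)
    result["dropped"] = [p.payload for p in dev.dropped]
    return result
```

Calling `run_session()` shows the connection request and keystrokes reaching the terminal server and their responses returning over L3, while the file payload is stopped at the monitoring device and the attempt to transmit against L3 is refused.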
Optionally, the internal processing device may include: a first internal processing unit connected to the intranet monitoring device through the first transmission line, and a second internal processing unit connected to the external processing device through the third transmission line;
in which case the first internal processing unit is configured to send the intranet data to the intranet monitoring device through the first transmission line;
and the second internal processing unit is configured to receive the response information and external network data transmitted by the external processing device through the third transmission line, and to send the response information and external network data to the client.
Further, the external processing device may include: a first external processing unit connected to the intranet monitoring device through the second transmission line, and a second external processing unit connected to the second internal processing unit through the third transmission line;
in which case the first external processing unit is configured to send the intranet data transmitted by the intranet monitoring device through the second transmission line to the terminal server;
and the second external processing unit is configured to transmit the response information and external network data sent by the terminal server to the second internal processing unit through the third transmission line.
For the structure of the above internal processing device and external processing device and the related description, reference may be made to the embodiments of FIG. 2 and FIG. 3.
Optionally, the first transmission line is an optical fiber whose signal transmission direction is one-way from the internal processing device to the intranet monitoring device;
the second transmission line is an optical fiber whose signal transmission direction is one-way from the intranet monitoring device to the external processing device;
and the third transmission line is an optical fiber whose signal transmission direction is one-way from the external processing device to the internal processing device. For details, refer to the related description of the previous embodiments, which is not repeated here.
In another aspect, the present application also provides a terminal server. The terminal server is disposed between a local area network and an external network and is connected to a network protection device disposed between the LAN and the external network; the network protection device is connected to the LAN, and the terminal server is connected to the external network.
The terminal server is configured to receive, through the network protection device, a remote connection request sent by a client in the LAN and to return confirmation information for the remote connection request through the network protection device; and to receive, through the network protection device, access operation data sent by the client, access the external network according to the access operation data, and return the access response data to the client through the network protection device;
where the access operation data is the locally captured operation data that the client sends to the terminal server after receiving the response information for the remote connection request.
It will be understood that the terminal server mentioned in any of the above embodiments of the present application may be a Windows terminal server, a cloud host, a Linux server providing remote access, or the like; no limitation is imposed here.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. As the device disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief, and the relevant points may be found in the description of the method.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. A network access system, characterized by comprising: at least one client disposed in a local area network, and a network protection device and a terminal server disposed between the local area network and an external network, the terminal server being connected to the external network;
    wherein the client is configured to initiate a remote connection request to the terminal server and, after receiving response information from the terminal server for the remote connection request, to send locally captured access operation data to the terminal server;
    the network protection device comprises: an internal processing device; an intranet monitoring device connected to the internal processing device through a first transmission line; and an external processing device connected to the intranet monitoring device through a second transmission line, the external processing device being connected to the internal processing device through a third transmission line;
    wherein the internal processing device is configured to transmit intranet data sent by the client to the intranet monitoring device through the first transmission line, and to send to the client the response information and external network data transmitted by the external processing device through the third transmission line; wherein the intranet data comprises the remote connection request and the access operation data, and the external network data comprises access response data returned by the terminal server for the access operation data;
    the intranet monitoring device is configured to transmit the intranet data to the external processing device through the second transmission line when it determines that the intranet data is preset legal data;
    the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and external network data returned by the terminal server to the internal processing device through the third transmission line;
    the terminal server is configured to respond to the remote connection request, access the external network according to the access operation data, and return the access response data to the client.
  2. The system according to claim 1, characterized in that the internal processing device comprises: a first internal processing unit connected to the intranet monitoring device through the first transmission line, and a second internal processing unit connected to the external processing device through the third transmission line;
    wherein the first internal processing unit is configured to send the intranet data to the intranet monitoring device through the first transmission line;
    and the second internal processing unit is configured to receive the response information and external network data transmitted by the external processing device through the third transmission line, and to send the response information and external network data to the client.
  3. The system according to claim 2, characterized in that the external processing device comprises: a first external processing unit connected to the intranet monitoring device through the second transmission line, and a second external processing unit connected to the second internal processing unit through the third transmission line;
    wherein the first external processing unit is configured to send the intranet data transmitted by the intranet monitoring device through the second transmission line to the terminal server;
    and the second external processing unit is configured to transmit the response information and external network data sent by the terminal server to the second internal processing unit through the third transmission line.
  4. The system according to any one of claims 1 to 3, characterized in that the first transmission line is an optical fiber whose signal transmission direction is one-way from the internal processing device to the intranet monitoring device;
    the second transmission line is an optical fiber whose signal transmission direction is one-way from the intranet monitoring device to the external processing device;
    and the third transmission line is an optical fiber whose signal transmission direction is one-way from the external processing device to the internal processing device.
  5. The system according to claim 1, characterized in that the system further comprises a firewall disposed between the local area network and the network protection device.
  6. A network protection device, characterized in that it is disposed between a local area network and a terminal server connected to an external network, the network protection device comprising:
    an internal processing device; an intranet monitoring device connected to the internal processing device through a first transmission line; and an external processing device connected to the intranet monitoring device through a second transmission line, the external processing device being connected to the internal processing device through a third transmission line;
    wherein the internal processing device is configured to transmit intranet data sent by a client in the local area network to the intranet monitoring device through the first transmission line, and to send to the client response information and external network data transmitted by the external processing device through the third transmission line; wherein the intranet data comprises a remote connection request sent by the client to the terminal server, and access operation data sent by the client to the terminal server after receiving the response information from the terminal server for the remote connection request; and the external network data comprises access response data returned by the terminal server for the access operation data;
    the intranet monitoring device is configured to transmit the intranet data to the external processing device through the second transmission line when it determines that the intranet data is preset legal data;
    the external processing device is configured to send the intranet data to the terminal server, and to transmit the response information and external network data returned by the terminal server to the internal processing device through the third transmission line.
  7. The device according to claim 6, characterized in that the internal processing device comprises: a first internal processing unit connected to the intranet monitoring device through the first transmission line, and a second internal processing unit connected to the external processing device through the third transmission line;
    wherein the first internal processing unit is configured to send the intranet data to the intranet monitoring device through the first transmission line;
    and the second internal processing unit is configured to receive the response information and external network data transmitted by the external processing device through the third transmission line, and to send the response information and external network data to the client.
  8. The device according to claim 7, characterized in that the external processing device comprises: a first external processing unit connected to the intranet monitoring device through the second transmission line, and a second external processing unit connected to the second internal processing unit through the third transmission line;
    wherein the first external processing unit is configured to send the intranet data transmitted by the intranet monitoring device through the second transmission line to the terminal server;
    所述第二外部处理单元,用于将所述终端服务器发送的所述响应信息和所述外网数据通过所述第三传输线路传输给所述第二内部处理单元。The second external processing unit is configured to transmit the response information sent by the terminal server and the external network data to the second internal processing unit by using the third transmission line.
  9. 根据权利要求6至8任一项所述的设备,其特征在于,所述第一传输线路为信号传输方向从所述内部处理装置到所述内网监测装置单向传输的光纤;The apparatus according to any one of claims 6 to 8, wherein the first transmission line is an optical fiber whose signal transmission direction is unidirectionally transmitted from the internal processing device to the intranet monitoring device;
    所述第二传输线路为信号传输方向从所述内网监测装置到所述外部处理装置单向传输的光纤;The second transmission line is an optical fiber that is unidirectionally transmitted from the intranet monitoring device to the external processing device in a signal transmission direction;
    所述第三传输线路为信号传输方向从所述外部处理装置到所述内部处理装置单向传输的光纤。The third transmission line is an optical fiber that is unidirectionally transmitted from the external processing device to the internal processing device in a signal transmission direction.
  10. 一种终端服务器,其特征在于,设置于局域网与外部网络之间,所述终端服务器与设置与所述局域网和所述外部网络之间的网络防护设备相连,且所述网络防护设备与局域网相连,所述终端服务器与所述外部网络相连;A terminal server, configured to be disposed between a local area network and an external network, wherein the terminal server is connected to a network protection device disposed between the local area network and the external network, and the network protection device is connected to a local area network The terminal server is connected to the external network;
    所述终端服务器用于通过所述网络防护设备接收由所述局域网中的客户端发送的远程连接请求,并通过所述网络防护设备返回针对所述远程连接请求的确认信息;通过所述网络防护设备接收所述客户端发送的访问操作数据,并依据所述访问操作数据访问所述外部网络,并通过所述网络防护设备将所述访问响应数据返回给所述客户端;The terminal server is configured to receive, by the network protection device, a remote connection request sent by a client in the local area network, and return, by using the network protection device, confirmation information for the remote connection request; The device receives the access operation data sent by the client, and accesses the external network according to the access operation data, and returns the access response data to the client by using the network protection device;
    其中,所述访问操作数据为所述客户端在接收到针对所述远程连接请求的响应信息后,向所述终端服务器发送的本地获取到的操作数据。 The access operation data is locally acquired operation data sent by the client to the terminal server after receiving the response information for the remote connection request.
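As an added illustration, not part of the patent or its applicant's design, the following Python model traces the data path of claims 6 to 9: three one-way lines, a monitoring device that forwards only preset legal data, and a hypothetical terminal server. The whitelist, the device names and the terminal server behaviour are assumptions constructed for the example.

```python
from collections import deque

class OneWayLine:
    """Model of a unidirectional optical fiber: only `src` holds a transmitter, only `dst` a receiver."""
    def __init__(self, src, dst):
        self.src, self.dst, self.buf = src, dst, deque()

    def send(self, sender, payload):
        if sender != self.src:
            raise PermissionError(f"{sender} has no transmitter on line {self.src}->{self.dst}")
        self.buf.append(payload)

    def receive(self, receiver):
        if receiver != self.dst:
            raise PermissionError(f"{receiver} has no receiver on line {self.src}->{self.dst}")
        return self.buf.popleft() if self.buf else None

# Constructed whitelist standing in for the "preset legal data" of claim 6 (assumption).
ALLOWED_INTRANET_DATA = {"CONNECT", "OPEN https://example.com/", "SCROLL 120"}

def terminal_server(request):
    """Hypothetical terminal server: acknowledges the remote connection request and
    answers access operation data with access response data (here, a screen update)."""
    if request == "CONNECT":
        return "ACK"
    return f"SCREEN[{request}]"

def forward(intranet_data, allowed=ALLOWED_INTRANET_DATA):
    """Carry one item of intranet data through the protection device.
    Returns ('delivered', data_for_client) or ('dropped', None)."""
    line1 = OneWayLine("internal", "monitor")    # first transmission line
    line2 = OneWayLine("monitor", "external")    # second transmission line
    line3 = OneWayLine("external", "internal")   # third transmission line
    line1.send("internal", intranet_data)
    data = line1.receive("monitor")
    if data not in allowed:                      # monitoring device: not preset legal data
        return ("dropped", None)
    line2.send("monitor", data)
    line3.send("external", terminal_server(line2.receive("external")))
    return ("delivered", line3.receive("internal"))

def external_can_reach_monitor():
    """The external processing device has no transmitter toward the monitoring device, so
    data it received from the external network cannot be pushed back up the second line."""
    try:
        OneWayLine("monitor", "external").send("external", "unsolicited")
    except PermissionError:
        return False
    return True
```

Only the third line carries anything back toward the intranet, and only data the monitoring device has whitelisted ever reaches the external side.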
PCT/CN2015/073552 2014-05-06 2015-03-03 Network access system, network protection device and terminal server WO2015169120A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410190365.5 2014-05-06
CN201410190365.5A CN104243442A (en) 2014-05-06 2014-05-06 Network access system, network protective equipment and terminal server

Publications (1)

Publication Number Publication Date
WO2015169120A1 true WO2015169120A1 (en) 2015-11-12

Family

ID=52230795

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/073552 WO2015169120A1 (en) 2014-05-06 2015-03-03 Network access system, network protection device and terminal server

Country Status (2)

Country Link
CN (1) CN104243442A (en)
WO (1) WO2015169120A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685992A (en) * 2017-02-14 2017-05-17 厦门畅享信息技术有限公司 Over-network safe exchange and interactive application system based on unidirectional transmission technology, and method thereof
CN111371741A (en) * 2020-02-19 2020-07-03 中国平安人寿保险股份有限公司 Method and device for transmitting data of external network to internal network, computer equipment and storage medium
CN114285586A (en) * 2020-09-17 2022-04-05 英业达科技有限公司 Data transmission and maintenance system with safety and convenient maintenance and method thereof

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243442A (en) * 2014-05-06 2014-12-24 周宏斌 Network access system, network protective equipment and terminal server
CN106789854A (en) * 2015-11-25 2017-05-31 西安宇信数据服务有限责任公司 A kind of one-way transmission Ferrying machine point to multi--point system
CN106713359A (en) * 2017-02-08 2017-05-24 广东霍德韦信息技术有限公司 Internal and external network data switching equipment
CN109979493B (en) * 2019-03-27 2021-02-26 徐文超 Data storage safety switching device
CN113259305B (en) * 2020-02-13 2022-07-12 山东亚华电子股份有限公司 Intranet and extranet communication method and device
CN112288348B (en) * 2020-09-10 2021-10-15 浙江省疾病预防控制中心 Biological safety transfer supervision method and system
CN114661801B (en) * 2020-12-23 2024-08-23 深圳云天励飞技术股份有限公司 Data access method based on dual-network environment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN203038499U (en) * 2013-01-24 2013-07-03 范长英 Multimedia teaching video generation and network security access system
WO2014051326A1 (en) * 2012-09-26 2014-04-03 Samsung Electronics Co., Ltd. Image forming apparatus supporting wifi direct and method of controlling internet access in image forming apparatus
CN103731431A (en) * 2014-01-10 2014-04-16 厦门市美亚柏科信息股份有限公司 System and method for resource interaction between intranet device and external storage device
CN104243442A (en) * 2014-05-06 2014-12-24 周宏斌 Network access system, network protective equipment and terminal server

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340290A (en) * 2008-08-27 2009-01-07 张树新 Method, system and transmission card for safe data transmission between internal and external networks
US8155761B2 (en) * 2009-07-23 2012-04-10 Fisher-Rosemount Systems, Inc. Process control system with integrated external data sources
CN101997892A (en) * 2009-08-25 2011-03-30 成都市华为赛门铁克科技有限公司 Data transmission method, device and system, and network node
CN102006246B (en) * 2010-11-26 2012-04-18 中国航天科工集团第二研究院七○六所 Trusted separate gateway
CN202178780U (en) * 2011-08-31 2012-03-28 公安部第三研究所 Internal-and-external network safety isolation system based on one-way transmission
CN102752286A (en) * 2012-06-05 2012-10-24 东莞市博晟电子科技有限公司 Network isolation system
CN202906969U (en) * 2012-09-25 2013-04-24 上海辰锐信息科技公司 Boundary safety transmission equipment base on unidirectional light technology and a communication system employing the equipment
EP2717516A1 (en) * 2012-10-04 2014-04-09 Thomson Licensing Method of protection of data shared between local area network devices and apparatus implementing the method
CN102932368B (en) * 2012-11-15 2016-08-03 北京锐安科技有限公司 A kind of across a network http safety access method and system
CN103220214A (en) * 2013-03-07 2013-07-24 北京远光通联科技有限公司 Physical isolation unidirectional data transmitting device
CN103200201B (en) * 2013-04-18 2015-12-02 杭州中威电子股份有限公司 The shielding system of a kind of public security Intranet and video private network and partition method

Also Published As

Publication number Publication date
CN104243442A (en) 2014-12-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15789340

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15789340

Country of ref document: EP

Kind code of ref document: A1