WO2020248368A1 - Intranet access method, system, and associated device - Google Patents

Info

Publication number: WO2020248368A1
Authority: WO (WIPO, PCT)
Prior art keywords: intranet, firewall, access device, mobile wireless, wireless access
Application number: PCT/CN2019/102346
Other languages: English (en), Chinese (zh)
Inventors: 范安心, 谢文, 黄成尧
Original assignee: 平安科技(深圳)有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

This application relates to the computer field, and in particular to an intranet access method, system and related devices. (VPN: Virtual Private Network.)

This application provides an intranet access method, system and related devices, through which the efficiency of access to the target intranet can be improved.
A first aspect of the embodiments of the present application provides an intranet access method, including: the intranet firewall distribution device receives an intranet connection request for the target intranet sent by the mobile wireless access device; the intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request; the intranet firewall distribution device determines, according to the geographic location, the first intranet firewall matched to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet; and the intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address. The first intranet firewall routes the received intranet access request to the intranet server of the target intranet, the intranet access request being an access request for the intranet server of the target intranet sent by the user terminal through the mobile wireless access device; the first intranet firewall also sends the intranet request response message, returned by the intranet server in response to the intranet access request, to the user terminal through the mobile wireless access device.
A second aspect of the embodiments of the present application provides an intranet access method, including: the mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device, so that the intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request and determines, according to the geographic location, the first intranet firewall matched to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet; the mobile wireless access device sends a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request; after receiving an intranet access request for the target intranet sent by the user terminal, the mobile wireless access device routes the intranet access request to the intranet server of the target intranet through the first intranet firewall; and after receiving the intranet request response message returned by the intranet server through the first intranet firewall in response to the intranet access request, the mobile wireless access device sends the intranet request response message to the user terminal.
A third aspect of the embodiments of the present application provides an intranet firewall distribution device, including: a request receiving unit configured to receive an intranet connection request for the target intranet sent by the mobile wireless access device; a location obtaining unit configured to obtain the geographic location of the mobile wireless access device according to the intranet connection request; an intranet firewall determining unit configured to determine, according to the geographic location, the first intranet firewall matched to the mobile wireless access device from a plurality of intranet firewalls deployed for the target intranet; and an address sending unit configured to send the first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address. The first intranet firewall routes the received intranet access request to the intranet server of the target intranet, the intranet access request being an access request for the intranet server of the target intranet sent by the user terminal through the mobile wireless access device; the first intranet firewall also sends the intranet request response message, returned by the intranet server in response to the intranet access request, to the user terminal through the mobile wireless access device.
A fourth aspect of the embodiments of the present application provides a mobile wireless access device, including: a request sending unit configured to send an intranet connection request for the target intranet to the intranet firewall distribution device, so that the intranet firewall distribution device determines, from among the multiple intranet firewalls, the first intranet firewall matched to the mobile wireless access device; an address receiving unit configured to receive the first IP address of the first intranet firewall sent by the intranet firewall distribution device; a firewall connection unit configured to send a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request; and a message transmission unit configured to, after receiving an intranet access request for the target intranet from the user terminal, route the intranet access request to the intranet server of the target intranet through the first intranet firewall. The message transmission unit is further configured to, after receiving the intranet request response message returned by the intranet server through the first intranet firewall in response to the intranet access request, send the intranet request response message to the user terminal.
A fifth aspect of the embodiments of the present application provides an intranet access system, including an intranet firewall distribution device and a mobile wireless access device, where: the intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request for the target intranet sent by the mobile wireless access device; the intranet firewall distribution device determines, according to the geographic location, the first intranet firewall matched to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet; the intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device; the mobile wireless access device sends a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request; after receiving an intranet access request for the target intranet sent by the user terminal, the mobile wireless access device routes the intranet access request to the intranet server of the target intranet through the first intranet firewall; and after receiving the intranet request response message returned by the intranet server through the first intranet firewall in response to the intranet access request, the mobile wireless access device sends the intranet request response message to the user terminal.
A sixth aspect of the embodiments of the present application provides an intranet firewall distribution device, including a processor, a memory and a communication interface. The processor, the memory and the communication interface are connected to each other; the communication interface is used to receive and send data, the memory is used for storing program code, and the processor is used for calling the program code, such that when the program code is executed by a computer, the computer executes the method of the first aspect.

A seventh aspect of the embodiments of the present application provides a mobile wireless access device, including a processor, a memory and a communication interface. The processor, the memory and the communication interface are connected to each other; the communication interface is used to receive and send data, the memory is used for storing program code, and the processor is used for calling the program code, such that when the program code is executed by a computer, the computer executes the method of the second aspect.

The present application further provides a computer non-volatile readable storage medium that stores a computer program. The computer program includes program instructions, and when the program instructions are executed by a computer, the computer is caused to execute any one of the methods of the first aspect and the second aspect.
With this framework, the user terminal accesses the target intranet through the mobile wireless access device and the firewall deployed for the target intranet; no parameters need to be configured before access, which improves the efficiency of access to the target intranet.
FIG. 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of this application;
FIG. 2 is a schematic diagram of system interaction of an intranet access method provided by an embodiment of this application;
FIG. 3 is a schematic diagram of system interaction of another intranet access method provided by an embodiment of this application;
FIG. 4 is a schematic diagram of system interaction of another intranet access method provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of a mobile wireless access device provided by an embodiment of this application;
FIG. 7 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of this application;
FIG. 8 is a schematic structural diagram of another mobile wireless access device provided by an embodiment of this application.
FIG. 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of this application. In FIG. 1, intranet firewall 1, intranet firewall 2 and intranet firewall 3 are three intranet firewalls deployed for the target intranet; mobile wireless access device 1 and mobile wireless access device 2 are both connected to intranet firewall 1, mobile wireless access device 3 is connected to intranet firewall 3, user terminal 1 is connected to mobile wireless access device 1, and user terminal 2 is connected to mobile wireless access device 3. The intranet firewall distribution device sends the IP address of the allocated intranet firewall to mobile wireless access device 1, mobile wireless access device 2 and mobile wireless access device 3 respectively.

The target intranet is a local communication network that connects the computers, servers and databases within the local geographic area of a specific enterprise, institution, school, and so on. When a terminal or server in the target intranet communicates with another terminal or server in the target intranet, the communication is realized through the data link layer and the message does not need to be routed by a router; when it communicates with a terminal or server outside the target intranet, the communication is realized through the network layer: the message sent by the terminal or server in the target intranet needs to be routed by the router to the terminal or server outside the target intranet, and the message returned by the outside terminal or server needs to be routed by the router, after network address translation, to the terminal or server in the target intranet.

The intranet firewalls deployed for the target intranet may be firewalls deployed around the world to filter the data packets entering and leaving the target intranet. An intranet firewall is connected to the router of the target intranet through the WAN, and reaches the intranet server of the target intranet through that router.

The mobile wireless access device is a mobile device that can transmit wireless network signals and has a routing function. It accesses the data network by inserting a SIM (Subscriber Identification Module) card; it can also access a wired network by inserting a network cable, or a wireless network by connecting to WIFI. The user terminal connects to the mobile wireless access device by joining the wireless network that the mobile wireless access device transmits.

The intranet firewall distribution device may be a device that has a domain name resolution function for the target intranet and stores the IP address and deployment location of each firewall deployed for the target intranet, such as a GTM (Global Traffic Manager) device.

The user terminal may be a terminal device with a wireless network receiving function, such as a notebook computer, a mobile phone or a tablet computer.
As shown in FIG. 2, the intranet access method may include the following steps.

S201. The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.

The mobile wireless access device may send the intranet connection request to the intranet firewall distribution device after being triggered to start, after receiving a function start instruction from the user for accessing the target intranet, or when receiving an intranet access request for the target intranet sent by a connected user terminal. The intranet connection request may carry the intranet domain name of the target intranet, so that after resolving the intranet domain name the intranet firewall distribution device determines that the intranet connection request is for the target intranet.

S202. The intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request.

The intranet connection request may carry the geographic location of the mobile wireless access device directly, in which case the intranet firewall distribution device obtains the geographic location from the request. The intranet connection request may instead carry positioning information of the mobile wireless access device; the intranet firewall distribution device then obtains the positioning information from the request and determines the location of the mobile wireless access device from it by a positioning technology. For example, the positioning information may be the IP address of the mobile wireless access device, GPS data, WIFI access point information or connected base station information, and the positioning technology may be IP positioning, GPS positioning, WIFI positioning or base station positioning.
S203. The intranet firewall distribution device determines, according to the geographic location, a first intranet firewall matched to the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet.

The intranet firewall distribution device can store the IP addresses and deployment locations of the firewalls deployed separately for multiple intranets. For example, the intranet firewall distribution device of company M can store both the IP addresses and deployment locations of the intranet firewalls deployed for subsidiary A's intranet and those of the intranet firewalls deployed for subsidiary B's intranet. The intranet connection request may carry the intranet domain name of the target intranet, so that after receiving the intranet connection request the intranet firewall distribution device resolves the intranet domain name, determines that the intranet connection request is for the target intranet, and then obtains the IP addresses and deployment locations of the multiple firewalls deployed for the target intranet.

In one implementation, the intranet firewall distribution device determines, according to the geographic location and the deployment position of each intranet firewall deployed for the target intranet, the intranet firewall closest to the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet as the first intranet firewall.

In another implementation, all access areas for the target intranet are divided in advance into intranet access sub-areas, one for each intranet firewall of the target intranet, and the intranet firewall distribution device stores the correspondence between each intranet access sub-area and its intranet firewall. The intranet firewall distribution device determines the target intranet access sub-area in which the mobile wireless access device is located according to the geographic location of the mobile wireless access device, and then takes the intranet firewall corresponding to that target intranet access sub-area as the first intranet firewall.
S204. The intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.

S205. The mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.

The mobile wireless access device sends a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request. The first intranet firewall can authenticate the mobile wireless access device on the basis of the firewall connection request in any of the following ways.

In one implementation, the firewall connection request carries the access device identification code of the mobile wireless access device, such as a MAC address; when the first intranet firewall determines that the access device identification code is one of the preset identification codes of access devices allowed to connect, it determines that identity authentication of the mobile wireless access device has passed.

In another implementation, the firewall connection request carries the user name and password entered by the user through the mobile wireless access device; when the first intranet firewall determines that the user name and password are one of the preset user name and password pairs allowed to connect, it determines that identity authentication of the mobile wireless access device has passed.

In another implementation, the firewall connection request carries the access device digital certificate of the mobile wireless access device. The first intranet firewall determines the certificate issuer of the access device digital certificate according to the issuer information carried in that certificate; after obtaining the issuer digital certificate of that certificate issuer, the first intranet firewall uses the issuer public key contained in the issuer digital certificate to decrypt the digital signature in the access device digital certificate, obtaining the certificate fingerprint of the access device digital certificate. The first intranet firewall also hashes the access device digital certificate with the specified hash algorithm to obtain a digital certificate hash value; when the hash value it computed is consistent with the certificate fingerprint, it determines that identity authentication of the mobile wireless access device has passed.

The mobile wireless access device then initiates a three-way handshake to establish a TCP/IP connection with the first intranet firewall. Specifically: the mobile wireless access device sends a SYN (Synchronize Sequence Numbers) packet to the first intranet firewall; after receiving the SYN packet, the first intranet firewall sends a SYN+ACK (ACKnowledge Character) packet to the mobile wireless access device; after receiving the SYN+ACK packet, the mobile wireless access device sends an ACK packet back to the first intranet firewall; once the first intranet firewall receives that ACK packet, the connection between the mobile wireless access device and the first intranet firewall is established.
S206. The user terminal sends an intranet access request for the target intranet to the mobile wireless access device.

The user terminal may send a wireless network connection request to the mobile wireless access device, and the mobile wireless access device may either establish a connection with the user terminal directly or establish it after verifying the user terminal identity information carried in the wireless network connection request. The user terminal identity information may be the user name and password entered on the user terminal to join the wireless network established by the mobile wireless access device, biometric input received by the user terminal, or the terminal equipment identification information of the user terminal. Step S206 can be performed at any time before step S207.

S207. The mobile wireless access device sends the intranet access request to the first intranet firewall.

S208. The first intranet firewall routes the intranet access request to the intranet server of the target intranet.

The intranet access request is an access request for a server in the target intranet, such as a Web server, an FTP server or a mail server in the target intranet. After the first intranet firewall receives the intranet access request sent by the mobile wireless access device, it sends the intranet access request to the router of the target intranet through the external network, and the router routes the intranet access request to the corresponding intranet server through the target intranet. Specifically, the first intranet firewall selects the optimal routing path to the intranet server according to its own configured network protocol and the routing principle corresponding to that protocol, and then routes the intranet access request to the intranet server along that path.
S209. The intranet server returns an intranet request response message in response to the intranet access request to the first intranet firewall.

After the intranet server generates the intranet request response message, it sends the message to the router of the target intranet through the target intranet, and the router sends the message to the first intranet firewall through the external network. For example, when the intranet access request is a request to obtain a file from a file server in the target intranet, the intranet request response message may be the file sent by the file server.

S210. The first intranet firewall sends the intranet request response message to the mobile wireless access device.

S211. The mobile wireless access device sends the intranet request response message to the user terminal.

In summary, in the embodiment of the present application, after receiving the intranet connection request for the target intranet sent by the mobile wireless access device, the intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request and, according to the geographic location, determines the first intranet firewall matched to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet. The mobile wireless access device receives the first IP address of the first intranet firewall sent by the intranet firewall distribution device and sends a firewall connection request to the first intranet firewall, so that a connection is established between the first intranet firewall and the mobile wireless access device. After receiving the intranet access request for the target intranet sent by the user terminal, the mobile wireless access device routes the intranet access request to the intranet server of the target intranet through the first intranet firewall, and after receiving the intranet request response message returned by the intranet server through the first intranet firewall, it sends that message to the user terminal. The user terminal thus accesses the target intranet through the intranet access framework based on the mobile wireless access device and the firewall deployed for the target intranet; no parameters need to be configured before access, which improves the efficiency of access to the target intranet.
FIG. 3 is a schematic diagram of system interaction of another intranet access method provided by an embodiment of this application. In this embodiment the intranet firewall distribution device monitors whether the mobile wireless access device needs to switch away from the connected first intranet firewall; the monitoring can be performed in any of the following ways.

In one implementation, the intranet firewall distribution device obtains, at a preset period, the distance between the mobile wireless access device and the geographic location, where the geographic location is the location of the mobile wireless access device at the time it sent the intranet connection request for the target intranet to the intranet firewall distribution device. The distance may be sent periodically by the mobile wireless access device to the intranet firewall distribution device, or may be determined by the intranet firewall distribution device through positioning technology from positioning information sent periodically by the mobile wireless access device.

In another implementation, the intranet firewall distribution device obtains the real-time geographic location of the mobile wireless access device, which may be determined by the intranet firewall distribution device through positioning technology or obtained from the mobile wireless access device.

In another implementation, when the intranet firewall distribution device determines that the network delay between the mobile wireless access device and the first intranet firewall has increased, it is triggered to re-match a connected firewall for the mobile wireless access device in order to improve the network quality of the user's access to the target intranet.

S303. The intranet firewall distribution device determines, according to the real-time geographic location of the mobile wireless access device and the deployment positions of the plurality of intranet firewalls, a second intranet firewall matched to the mobile wireless access device from among the plurality of intranet firewalls.

S304. The intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device.
  • S305 The mobile wireless access device sends a firewall connection request to the second intranet firewall according to the second IP address.
  • the second intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request.
  • S307 The mobile wireless access device disconnects from the first intranet firewall.
  • the mobile wireless access device disconnects the TCP/IP connection with the second intranet firewall by initiating the four-way close (the "four waves").
  • the specific steps are as follows: the mobile wireless access device sends a FIN (Finish) packet to the second intranet firewall; after receiving the FIN packet, the second intranet firewall sends an ACK packet to the mobile wireless access device; the second intranet firewall then sends a FIN packet to the mobile wireless access device; after the mobile wireless access device receives the FIN packet, it sends an ACK packet to the second intranet firewall; after the second intranet firewall receives the ACK packet, disconnection of the connection between the mobile wireless access device and the second intranet firewall is complete.
  • step S308 is executed after step S307, and the intranet access request sent by the user terminal in step S308 is the intranet access request sent to the mobile wireless access device after the mobile wireless access device has disconnected from the first intranet firewall. Before step S307, an intranet access request for the target intranet that the mobile wireless access device receives from the user terminal is routed through the first intranet firewall of the target intranet to the corresponding intranet server in the target intranet.
  • the mobile wireless access device sends the intranet access request to the second intranet firewall.
  • S310 The second intranet firewall routes the intranet access request to the intranet server of the target intranet.
  • the intranet server returns an intranet request response message in response to the intranet access request to the second intranet firewall.
  • the second intranet firewall sends the intranet request response message to the mobile wireless access device.
  • the mobile wireless access device sends the intranet request response message to the user terminal.
  • in steps S308 to S313, the connection between the mobile wireless access device and the second intranet firewall provides the user terminal with the service of accessing the target intranet. For the specific implementation, refer to steps S206 to S211 in the embodiment corresponding to FIG. 2, in which the connection between the mobile wireless access device and the first intranet firewall provides the user terminal with the service of accessing the target intranet; this will not be repeated here.
  • the intranet firewall distribution device detects, according to a preset period, the distance between the mobile wireless access device and the geographic location, and when it determines that the distance is greater than the preset distance, it re-allocates a second intranet firewall to the mobile wireless access device, so that the mobile wireless access device switches its connected intranet firewall from the first intranet firewall to the second intranet firewall. This ensures that, as the mobile wireless access device moves, the intranet firewall it is connected to is always the optimal one matching its real-time location, which safeguards the network quality of the user accessing the intranet through the mobile wireless access device.
  • FIG. 4 is a schematic diagram of system interaction of another intranet access method provided by an embodiment of the application.
  • the mobile wireless access device can monitor whether the mobile wireless access device needs to switch the connected first intranet firewall.
  • the specific implementation steps may be as follows:
  • the mobile wireless access device acquires, according to a preset period, the access device connection status information of its connection to the first intranet firewall, and/or the terminal access status information of the user terminal for the target intranet.
  • the access device connection state information may include indicator information such as the uplink packet loss rate, the downlink packet loss rate, the number of data packets sent per second, and the number of data packets received per second of the mobile wireless access device.
  • the terminal access state information may include indicator information such as the uplink packet loss rate, the downlink packet loss rate, the number of data packets sent per second, and the number of data packets received per second of the user terminal.
  • the terminal access state information may be determined by the user terminal and sent to the mobile wireless access device.
  • a firewall switching request is sent to the intranet firewall distribution device.
  • an evaluation model for each indicator in the access device connection status information and/or for each indicator in the terminal access status information may be set in the mobile wireless access device in advance, so that the mobile wireless access device can evaluate the access device connection status information and/or the terminal access status information through the evaluation model to determine whether the user terminal's access to the target intranet is in an abnormal state.
  • for example, when the uplink packet loss rate in the access device connection status information is greater than the preset packet loss rate threshold, the mobile wireless access device determines that the user terminal's access to the target intranet is in an abnormal state; if the first intranet firewall is congested, the number of data packets received per second in the terminal access status information will be less than the preset received-packet threshold, and the mobile wireless access device determines that the user terminal's access to the target intranet is in an abnormal state.
  • the intranet firewall distribution device determines, from the multiple intranet firewalls, a third intranet firewall matching the mobile wireless access device according to the firewall switching request.
  • for the implementation of the intranet firewall distribution device determining, from the multiple intranet firewalls according to the firewall switching request, the third intranet firewall matching the mobile wireless access device, refer to the implementation in the embodiment corresponding to FIG. 2 in which the intranet firewall distribution device determines the first intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet; this will not be repeated here.
  • the third intranet firewall determined in step S403 may be the same intranet firewall as the first intranet firewall; in that case the first intranet firewall is excluded, and the third intranet firewall is determined again from among the other intranet firewalls deployed for the target intranet.
  • S404 The mobile wireless access device receives the third IP address of the third intranet firewall sent by the intranet firewall allocation device.
  • S405 The mobile wireless access device sends a firewall connection request to the third intranet firewall according to the third IP address.
  • the third intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request.
  • for the implementation, refer to step S205, in which the first intranet firewall establishes a connection with the mobile wireless access device; it is not repeated here.
  • S407 The mobile wireless access device disconnects from the first intranet firewall.
  • for the disconnection of the connection between the mobile wireless access device and the first intranet firewall, refer to the disconnection between the mobile wireless access device and the first intranet firewall in step S307 of the embodiment corresponding to FIG.; the specific implementation will not be repeated here.
  • S408 The user terminal sends an intranet access request for the target intranet to the mobile wireless access device.
  • step S408 is performed after step S407, and the intranet access request sent by the user terminal in step S408 is the intranet access request sent to the mobile wireless access device after the mobile wireless access device has disconnected from the first intranet firewall. Before step S407, an intranet access request for the target intranet that the mobile wireless access device receives from the user terminal is routed through the first intranet firewall of the target intranet to the corresponding intranet server in the target intranet.
  • S409 The mobile wireless access device sends the intranet access request to the second intranet firewall.
  • S410 The second intranet firewall routes the intranet access request to the intranet server of the target intranet.
  • the intranet server returns an intranet request response message in response to the intranet access request to the second intranet firewall.
  • S412 The second intranet firewall sends the intranet request response message to the mobile wireless access device.
  • S413 The mobile wireless access device sends the intranet request response message to the user terminal.
  • in steps S408 to S413, the connection between the mobile wireless access device and the second intranet firewall provides the user terminal with the service of accessing the target intranet. For the specific implementation, refer to steps S206 to S211, in which the connection between the mobile wireless access device and the first intranet firewall provides the user terminal with the service of accessing the target intranet; this will not be repeated here.
  • after the mobile wireless access device establishes a connection with the first intranet firewall, it detects, according to a preset period, the access device connection status information of its connection to the first intranet firewall and/or the terminal access status information of the user terminal for the target intranet. When it determines, based on the access device connection status information and/or the terminal access status information, that the user terminal's access to the target intranet is in an abnormal state, it requests the intranet firewall distribution device to switch the connected first intranet firewall; after the intranet firewall distribution device reallocates a third intranet firewall to the mobile wireless access device, the mobile wireless access device switches its connected intranet firewall from the first intranet firewall to the third intranet firewall, which safeguards the network quality of the user accessing the intranet through the mobile wireless access device.
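As an added illustration that is not part of the patent text, the following Python sketch carries out both switching triggers described above: the distribution device's periodic distance check and geographic re-matching (steps S301 to S304), and the access device's threshold-based evaluation model followed by a switching request that must not hand back the already connected firewall (steps S401 to S403). The firewall names, IP addresses and coordinates, the haversine distance metric, the 20 km preset distance and the packet-loss and received-packet thresholds are all constructed assumptions; the patent specifies neither a distance metric nor threshold values.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

Location = Tuple[float, float]  # (latitude, longitude) in decimal degrees


@dataclass(frozen=True)
class Firewall:
    """An intranet firewall and its deployment position (constructed sample data)."""
    name: str
    ip: str
    lat: float
    lon: float


# Constructed sample deployment; names, addresses and coordinates are assumptions.
SAMPLE_FIREWALLS = [
    Firewall("fw-shenzhen", "10.0.1.1", 22.54, 114.06),
    Firewall("fw-guangzhou", "10.0.2.1", 23.13, 113.26),
    Firewall("fw-shanghai", "10.0.3.1", 31.23, 121.47),
]


def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance in km; an assumed metric, the patent only says 'distance'."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class FirewallDistributor:
    """Distribution-device side: initial matching, distance-triggered re-matching
    (steps S301 to S304) and switching on request (steps S402 to S403)."""

    def __init__(self, firewalls: Sequence[Firewall], max_drift_km: float) -> None:
        self.firewalls = list(firewalls)
        self.max_drift_km = max_drift_km        # the patent's "preset distance" (assumed value)
        self.anchor: Optional[Location] = None  # location when the connection request was sent
        self.current: Optional[Firewall] = None

    def match(self, location: Location, exclude: Optional[Firewall] = None) -> Firewall:
        """Firewall whose deployment position is nearest to the device; `exclude` drops the
        firewall that must not be chosen again (the FIG. 4 case where third == first)."""
        candidates = [fw for fw in self.firewalls if fw != exclude]
        return min(candidates, key=lambda fw: haversine_km(location, (fw.lat, fw.lon)))

    def connect(self, location: Location) -> Firewall:
        """Intranet connection request: record the location and return the first firewall."""
        self.anchor = location
        self.current = self.match(location)
        return self.current

    def check_movement(self, location: Location) -> Optional[Firewall]:
        """Periodic distance check. Returns the second firewall when the device has moved
        beyond the preset distance and a different firewall now matches, otherwise None."""
        if self.anchor is None or self.current is None:
            raise RuntimeError("connect() must run before periodic checks")
        if haversine_km(self.anchor, location) <= self.max_drift_km:
            return None
        candidate = self.match(location)
        self.anchor = location  # assumption: movement is measured from the last decision point
        if candidate == self.current:
            return None         # assumption: same firewall again means no switch is needed
        self.current = candidate
        return candidate

    def switch_request(self, location: Location) -> Firewall:
        """Firewall switching request from the device: choose a third firewall other than
        the currently connected one."""
        if self.current is None:
            raise RuntimeError("connect() must run before a switching request")
        self.anchor = location
        self.current = self.match(location, exclude=self.current)
        return self.current


def access_is_abnormal(stats: Dict[str, float], max_loss_rate: float, min_rx_pps: float) -> bool:
    """Access-device side evaluation model from the text: uplink packet loss above the
    preset threshold, or packets received per second below the preset threshold, means
    the user terminal's access to the target intranet is abnormal. Thresholds are assumed."""
    return stats["uplink_loss_rate"] > max_loss_rate or stats["rx_pps"] < min_rx_pps


if __name__ == "__main__":
    dist = FirewallDistributor(SAMPLE_FIREWALLS, max_drift_km=20.0)
    first = dist.connect((22.55, 114.10))                       # device near Shenzhen
    print("first firewall:", first.name, first.ip)
    print("small move:", dist.check_movement((22.56, 114.11)))  # None, within preset distance
    second = dist.check_movement((23.10, 113.30))               # device has moved near Guangzhou
    print("second firewall:", second.name if second else None)
    # Constructed indicator samples for the FIG. 4 path.
    if access_is_abnormal({"uplink_loss_rate": 0.12, "rx_pps": 180}, 0.05, 50):
        third = dist.switch_request((23.10, 113.30))
        print("third firewall (excluding the connected one):", third.name)
```

The `exclude` argument is what keeps the FIG. 4 switch from handing the device back the firewall it is already having trouble with: without it, the nearest firewall to an unmoved device is almost always the one it is currently connected to, and the switch would be a no-op.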
  • FIG. 5 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of the application.
  • the intranet firewall distribution device 50 may at least include a request receiving unit 501, a location obtaining unit 502, an intranet firewall determining unit 503 and an address sending unit 504, where:
  • the request receiving unit 501 is configured to receive an intranet connection request for a target intranet sent by a mobile wireless access device.
  • the location obtaining unit 502 is configured to obtain the geographic location of the mobile wireless access device according to the intranet connection request.
  • the intranet firewall determining unit 503 is configured to determine the first intranet firewall matched by the mobile wireless access device from a plurality of intranet firewalls deployed for the target intranet according to the geographic location.
  • the address sending unit 504 is configured to send the first IP address of the first intranet firewall to the mobile wireless access device, so that after the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address, the first intranet firewall routes a received intranet access request to the intranet server of the target intranet, the intranet access request being the access request for the intranet server of the target intranet sent by the user terminal through the mobile wireless access device; the first intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • the intranet firewall distribution device can execute each step performed by the intranet firewall distribution device described in the intranet access method shown in Figures 2 to 4 through its built-in functional modules.
  • the location obtaining unit obtains the geographic location of the mobile wireless access device according to the intranet connection request, and the intranet firewall determining unit determines, according to the geographic location, the first intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet. The mobile wireless access device sends a firewall connection request to the first intranet firewall according to the IP address of the first intranet firewall received from the address sending unit, so that the first intranet firewall establishes a connection with the mobile wireless access device. After receiving an intranet access request for the target intranet from the user terminal, the mobile wireless access device routes the intranet access request to the target intranet through the first intranet firewall, and after receiving, through the first intranet firewall, the intranet request response message returned by the intranet server in response to the intranet access request, it sends the intranet request response message to the user terminal.
  • the user terminal realizes the access to the target intranet through the intranet access framework based on the mobile wireless access device and the firewall deployed for the target intranet. There is no need to configure any parameters before access, which improves the access efficiency to the target intranet.
  • FIG. 6 is a schematic structural diagram of a mobile wireless access device provided by an embodiment of the application.
  • the mobile wireless access device 60 may at least include a request sending unit 601, an address receiving unit 602, a firewall connection unit 603 and a message transmission unit 604, where:
  • the request sending unit 601 is configured to send an intranet connection request for the target intranet to an intranet firewall distribution device, so that the intranet firewall distribution device determines the first intranet firewall matching the mobile wireless access device from the multiple intranet firewalls.
  • the address receiving unit 602 is configured to receive the first IP address of the first intranet firewall sent by the intranet firewall distribution device.
  • the firewall connection unit 603 is configured to send a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall establishes a connection with the mobile wireless access device according to the firewall connection request.
  • the message transmission unit 604 is configured to, after receiving an intranet access request for the target intranet from the user terminal, route the intranet access request to the intranet server of the target intranet through the first intranet firewall.
  • the message transmission unit 605 is further configured to, after receiving through the first intranet firewall the intranet request response message returned by the intranet server in response to the intranet access request, send the intranet request response message to the user terminal.
  • the mobile wireless access device can execute various steps performed by the mobile wireless access device in the intranet access methods shown in Figures 2 to 4 through its built-in functional modules.
  • the intranet firewall distribution device obtains the geographic location according to the intranet connection request and, according to the geographic location, determines the first intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet. The firewall connection unit sends a firewall connection request to the first intranet firewall according to the IP address of the first intranet firewall that the address receiving unit received from the intranet firewall distribution device, so that after the first intranet firewall establishes a connection with the firewall connection unit, the message transmission unit provides the user terminal connected to the mobile wireless access device with the service of accessing the target intranet.
  • the user terminal realizes the access to the target intranet through the intranet access framework based on the mobile wireless access device and the firewall deployed for the target intranet. There is no need to configure any parameters before access, which improves the access efficiency to the target intranet.
  • FIG. 7 is a schematic structural diagram of another intranet firewall distribution device according to an embodiment of the application.
  • the intranet firewall distribution device 70 includes a processor 701, a memory 702, and a communication interface 703.
  • the processor 701 is connected to the memory 702 and the communication interface 703.
  • the processor 701 may be connected to the memory 702 and the communication interface 703 through a bus.
  • the processor 701 is configured to support the intranet firewall distribution device to perform the corresponding functions of the intranet firewall distribution device in the intranet access method described in FIGS. 2 to 4.
  • the processor 701 may be a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip, or any combination thereof.
  • the foregoing hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a general array logic (Generic Array Logic, GAL) or any combination thereof.
  • the memory 702 is used to store program codes and the like.
  • the memory 702 includes internal memory, which may include at least one of the following: volatile memory (such as dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.) and non-volatile memory (for example, one-time programmable read-only memory (OTPROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM)).
  • the memory 702 may also include external memory, which may include at least one of the following: a hard disk drive (HDD) or solid-state drive (SSD), or a flash drive such as CompactFlash (CF), Secure Digital (SD), micro SD, mini SD, xD-Picture Card (xD), memory stick, etc.
  • the communication interface 703 is used to receive or send data.
  • the processor 701 may call the program code to perform the following operations:
  • the first intranet firewall routes the received intranet access request to the intranet server of the target intranet, the intranet access request being the access request for the intranet server of the target intranet sent by the user terminal through the mobile wireless access device; the first intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • each operation may also correspond to the corresponding description of the method embodiments shown in FIGS. 2 to 4; the processor 701 may also be used to perform other operations in the above method embodiments.
  • FIG. 8 is a schematic structural diagram of another mobile wireless access device according to an embodiment of the application.
  • the mobile wireless access device 80 includes a processor 801, a memory 802, and a communication interface 803.
  • the processor 801 is connected to the memory 802 and the communication interface 803.
  • the processor 801 may be connected to the memory 802 and the communication interface 803 through a bus.
  • the processor 801 is configured to support the mobile wireless access device to perform the corresponding functions of the mobile wireless access device in the intranet access methods described in FIGS. 2 to 4.
  • the processor 801 may be a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip, or any combination thereof.
  • the foregoing hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a general array logic (Generic Array Logic, GAL) or any combination thereof.
  • the memory 802 is used to store program codes and the like.
  • the memory 802 includes internal memory, which may include at least one of the following: volatile memory (such as dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.) and non-volatile memory (for example, one-time programmable read-only memory (OTPROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM)).
  • the memory 802 may also include external memory, which may include at least one of the following: a hard disk drive (HDD) or solid-state drive (SSD), or a flash drive such as CompactFlash (CF), Secure Digital (SD), micro SD, mini SD, xD-Picture Card (xD), memory stick, etc.
  • the communication interface 803 is used to receive or send data.
  • the processor 801 may call the program code to perform the following operations:
  • send an intranet connection request for the target intranet to the intranet firewall distribution device, so that the intranet firewall distribution device obtains the geographic location of the mobile wireless access device according to the intranet connection request and, according to the geographic location, determines the first intranet firewall matching the mobile wireless access device from a plurality of intranet firewalls deployed for the intranet;
  • after receiving, through the first intranet firewall, the intranet request response message returned by the intranet server in response to the intranet access request, send the intranet request response message to the user terminal.
  • each operation may also correspond to the corresponding description of the method embodiments shown in FIGS. 2 to 4; the processor 801 may also be used to perform other operations in the above method embodiments.
  • the embodiments of the present application also provide a computer non-volatile readable storage medium that stores a computer program; the computer program includes program instructions which, when executed by a computer, cause the computer to execute the method described in the foregoing embodiments. The computer may be the aforementioned intranet firewall distribution device or a part of the mobile wireless access device.
  • the program can be stored in a computer readable storage medium and, when executed, may include the procedures of the above-mentioned method embodiments.
  • the storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to access control in the field of security protection. The present invention provides an intranet access method and a related device. The method includes: an intranet firewall allocation device acquires planned-route information of a mobile wireless access device for accessing a target intranet; the intranet firewall allocation device determines a first intranet firewall allocated to the mobile wireless access device; when it is determined that a route-node criterion is satisfied, the intranet firewall allocation device sends a first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall and disconnects from a second intranet firewall, thereby switching the intranet firewall to which the mobile wireless access device is connected. Based on the planned-route information of the mobile wireless access device, the present invention recommends to the mobile wireless access device that it switch the intranet firewall it is connected to, thereby guaranteeing network quality for a user accessing the target intranet.
PCT/CN2019/102346 2019-06-10 2019-08-23 Procédé d'accès intranet, système, et dispositif associé WO2020248368A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910499038.0 2019-06-10
CN201910499038.0A CN110336794B (zh) 2019-06-10 2019-06-10 一种内网访问方法、系统及相关装置

Publications (1)

Publication Number Publication Date
WO2020248368A1 true WO2020248368A1 (fr) 2020-12-17

Family

ID=68140876

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/102346 WO2020248368A1 (fr) 2019-06-10 2019-08-23 Procédé d'accès intranet, système, et dispositif associé

Country Status (2)

Country Link
CN (1) CN110336794B (fr)
WO (1) WO2020248368A1 (fr)


Also Published As

Publication number Publication date
CN110336794A (zh) 2019-10-15
CN110336794B (zh) 2022-08-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19932473

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19932473

Country of ref document: EP

Kind code of ref document: A1