WO2020248369A1 - Firewall switching method and related apparatus - Google Patents

Firewall switching method and related apparatus

Info

Publication number
WO2020248369A1
Authority
WO (WIPO, PCT)
Prior art keywords
intranet
firewall
access device
mobile wireless
wireless access
Application number
PCT/CN2019/102347
Other languages
French (fr)
Chinese (zh)
Inventor
王绪军
黄成尧
谢文
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2020248369A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/08: Access security
    • H04W 12/088: Access security using filters or firewalls
    • H04W 12/60: Context-dependent security
    • H04W 12/63: Location-dependent; proximity-dependent

Definitions

  • This application relates to the field of communications, and in particular to a firewall switching method and related devices.
  • VPN: Virtual Private Network
  • This application provides a firewall switching method and related devices. Through this application, the efficiency of a user's access to a target intranet can be improved, and the network quality of the access to the target intranet can be guaranteed.
  • the first aspect of the embodiments of the present application provides a firewall switching method, including:
  • the intranet firewall distribution device obtains the access device status information of a mobile wireless access device connected to a first intranet firewall of the target intranet, where the first intranet firewall is the firewall that the intranet firewall distribution device, after receiving the intranet connection request for the target intranet sent by the mobile wireless access device, determined from the multiple intranet firewalls deployed for the target intranet as matching the mobile wireless access device according to that request, and the access device status information includes the real-time geographic location of the mobile wireless access device;
  • when the intranet firewall distribution device determines, based on the real-time geographic location, that the mobile wireless access device satisfies the conditions for switching the connected firewall, it determines, according to the access device status information, a second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet;
  • the intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and then disconnects from the first intranet firewall; thereafter the second intranet firewall routes the intranet access request for the target intranet, sent by the user terminal through the mobile wireless access device, to the intranet server of the target intranet, and also sends the intranet request response message returned by the intranet server in response to that request to the user terminal through the mobile wireless access device.
  • the second aspect of the embodiments of the present application provides an intranet firewall distribution device, including:
  • the status acquiring unit is configured to acquire the access device status information of a mobile wireless access device connected to a first intranet firewall of the target intranet, where the first intranet firewall is the firewall that was determined, after the intranet connection request for the target intranet sent by the mobile wireless access device was received, from the multiple intranet firewalls deployed for the target intranet as matching the mobile wireless access device according to that request, and the access device status information includes the real-time geographic location of the mobile wireless access device;
  • the firewall determining unit is configured to, when it is determined from the real-time geographic location that the mobile wireless access device meets the conditions for switching the connected firewall, determine, according to the access device status information, a second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet;
  • the address sending unit is configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and then disconnects from the first intranet firewall, after which the second intranet firewall routes the intranet access request for the target intranet, sent by the user terminal through the mobile wireless access device, to the intranet server of the target intranet and also sends the intranet request response message returned by the intranet server in response to that request to the user terminal through the mobile wireless access device.
  • the third aspect of the embodiments of the present application provides an intranet firewall distribution device, including a processor, a memory, and a communication interface.
  • the processor, the memory, and the communication interface are connected to each other; the communication interface is used to receive and send data;
  • the memory is used to store program code, and the processor is used to call the program code;
  • when the program code is executed by a computer, the computer performs the method of the first aspect or of any possible implementation of the first aspect.
  • the fourth aspect of the embodiments of the present application provides a computer non-volatile readable storage medium that stores a computer program;
  • the computer program includes program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
  • the user does not need to configure any parameters before accessing the target intranet, which improves the access efficiency for the target intranet.
  • the intranet firewall distribution device determines, based on the real-time geographic location, that the mobile wireless access device meets the conditions for switching the connected firewall;
  • it then re-allocates a second intranet firewall to the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information and so guarantees the network quality of the user terminal's access to the intranet.
  • FIG. 1 is a schematic diagram of a framework of an intranet access system provided by an embodiment of this application;
  • FIG. 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of system interaction of another firewall switching method provided by an embodiment of the application.
  • FIG. 4 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of the application.
  • FIG. 5 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of the application.
  • The firewall switching method and related devices provided by the embodiments of the present application will be described with reference to FIGS. 1 to 5.
  • Figure 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of the application.
  • intranet firewall 1, intranet firewall 2 and intranet firewall 3 are three intranet firewalls deployed for the target intranet; mobile wireless access device 1 and mobile wireless access device 2 are each connected to intranet firewall 1, mobile wireless access device 3 is connected to intranet firewall 3, user terminal 1 is connected to mobile wireless access device 2, and user terminal 2 is connected to the mobile wireless access device.
  • the target intranet is a local communication network that interconnects various computers, servers, and databases in a local geographic area of a specific enterprise, a specific institution, a specific school, etc.
  • when a terminal or server in the target intranet communicates with another terminal or server in the target intranet, the communication takes place at the data link layer and the message does not need to be routed through a router; when it communicates with a terminal or server outside the target intranet, the communication takes place at the network layer:
  • the message sent by the terminal or server in the target intranet must be routed by the router to the terminal or server outside the target intranet, and
  • the message returned by the outside terminal or server must be routed to the terminal or server in the target intranet after the router performs network address translation.
  • the intranet firewall deployed for the target intranet may be a firewall deployed anywhere in the world that filters the data packets entering and leaving the target intranet;
  • the intranet firewall is connected to the router of the target intranet through the WAN, and through that router it reaches the intranet server of the target intranet.
  • the mobile wireless access device is a mobile wireless access device that can transmit wireless network signals and has a routing function.
  • the mobile wireless access device can access a data network by inserting a SIM (Subscriber Identification Module) card, access a wired network by inserting a network cable, or access a wireless network by connecting to WIFI.
  • the user terminal can access the wireless network transmitted by the mobile wireless access device to connect with the mobile wireless access device.
  • SIM: Subscriber Identification Module
  • the intranet firewall distribution device may be a device that has a domain name resolution function for the target intranet and stores the IP address and deployment location of each intranet firewall deployed for the target intranet, such as a GTM (Global Traffic Manager) device.
  • GTM: Global Traffic Manager
  • the user terminal may be a terminal device with a wireless network receiving function, such as a notebook computer, a mobile phone, and a tablet computer.
  • Figure 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of the application. As shown in the figure, the method may include:
  • S201 The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.
  • the mobile wireless access device may send the intranet connection request to the intranet firewall distribution device after being triggered to start up, after receiving a function start instruction from the user for accessing the target intranet, or upon receiving an intranet access request for the target intranet from a connected user terminal.
  • the intranet connection request may carry the intranet domain name of the target intranet, so that the intranet firewall distribution device determines the intranet connection request for the target intranet after analyzing the intranet domain name.
  • S202 The intranet firewall distribution device determines the current geographic location of the mobile wireless access device according to the intranet connection request.
  • the intranet connection request may carry the geographic location of the mobile wireless access device, and the intranet firewall distribution device directly obtains the geographic location of the mobile wireless access device from the intranet connection request;
  • alternatively, the intranet connection request may carry positioning information of the mobile wireless access device; the intranet firewall distribution device obtains the positioning information from the request and determines the location of the mobile wireless access device from it with a positioning technique. For example, the positioning information may be the IP address of the mobile wireless access device, GPS data, WIFI access point information or connected base station information, and the positioning technique may correspondingly be IP positioning, GPS positioning, WIFI positioning or base station positioning.
  • the intranet connection request sent by the mobile wireless access device may carry identity verification information of the mobile wireless access device; the intranet firewall distribution device verifies the identity of the mobile wireless access device according to that information and, after verification passes, determines the current geographic location of the mobile wireless access device.
  • the identity verification information carried in the intranet connection request may include one of: the access device identification code, the user name and password entered by the user, or the digital certificate of the mobile wireless access device.
  • S203 The intranet firewall distribution device determines, according to the current geographic location, a first intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet.
  • the intranet firewall distribution device may store the IP addresses and deployment locations of the firewalls deployed for several different intranets;
  • for example, for company M it may store at the same time the IP address and deployment location of each intranet firewall deployed for subsidiary A's intranet and of each intranet firewall deployed for subsidiary B's intranet.
  • the intranet connection request may carry the intranet domain name of the target intranet, so that the intranet firewall distribution device, after receiving the request, resolves the domain name, determines that the request is an intranet connection request for the target intranet, and obtains the IP addresses and deployment locations of the multiple intranet firewalls deployed for the target intranet.
  • in one implementation, the intranet firewall distribution device determines, from the geographic location of the mobile wireless access device and the deployment position of each intranet firewall deployed for the target intranet, the intranet firewall closest to the mobile wireless access device among those firewalls, and takes it as the first intranet firewall.
  • in another implementation, the whole access area for the target intranet is divided in advance into intranet access sub-areas, one for each intranet firewall of the target intranet, and the correspondence between intranet access sub-areas and intranet firewalls of the target intranet is preset in the intranet firewall distribution device;
  • the intranet firewall distribution device then determines, from the geographic location of the mobile wireless access device, the first intranet access sub-area in which the device is located, and takes the intranet firewall corresponding to the first intranet access sub-area as the first intranet firewall.
  • S204 The intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.
  • S205 The mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the mobile wireless access device sends a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall authenticates the mobile wireless access device according to the firewall connection request and establishes a connection with the mobile wireless access device.
  • for example, the firewall connection request carries the access device identification code of the mobile wireless access device, such as a MAC address, and when the first intranet firewall determines that the identification code is one of the preset identification codes of access devices allowed to connect, it determines that identity authentication of the mobile wireless access device has passed;
  • or the firewall connection request carries the user name and password entered by the user through the mobile wireless access device, and when the first intranet firewall determines that they are one of the preset user name and password pairs allowed to connect, it determines that identity authentication of the mobile wireless access device has passed;
  • or the firewall connection request carries the digital certificate of the mobile wireless access device (the access device digital certificate);
  • the first intranet firewall determines the certificate issuer of the access device digital certificate from the issuer information carried in that certificate; after obtaining the issuer's digital certificate, it uses the issuer public key contained in it to decrypt the digital signature in the access device digital certificate and so obtains the certificate fingerprint of the access device digital certificate;
  • the first intranet firewall also performs a hash calculation on the access device digital certificate with the specified hash algorithm to obtain the hash value of the certificate; when it determines that the hash value it computed is consistent with the certificate fingerprint of the access device certificate, it determines that identity authentication of the mobile wireless access device has passed.
  • the mobile wireless access device initiates a three-way handshake to establish a connection based on the TCP/IP protocol with the first intranet firewall.
  • the specific steps are as follows: the mobile wireless access device sends a SYN (Synchronize Sequence Numbers) packet to the first intranet firewall; after receiving the SYN packet, the first intranet firewall sends a SYN+ACK (ACKnowledge Character) packet to the mobile wireless access device; after receiving the SYN+ACK packet, the mobile wireless access device returns an ACK packet to the first intranet firewall; once the first intranet firewall receives the ACK packet, the connection between the mobile wireless access device and the first intranet firewall is established.
  • S206 The intranet firewall distribution device obtains the access device status information of the mobile wireless access device connected to the first intranet firewall.
  • the access device status information may include the real-time geographic location of the mobile wireless access device at the time the status information is acquired, and may also include the network delay, at that time, between the mobile wireless access device and each intranet firewall deployed for the target intranet;
  • the real-time geographic location may be determined by the intranet firewall distribution device through IP positioning, GPS positioning, WIFI positioning, base station positioning or other positioning methods from positioning information sent by the mobile wireless access device, or may be sent directly by the mobile wireless access device to the intranet firewall distribution device;
  • the network delay between the mobile wireless access device and each intranet firewall may be a one-way network delay or a round-trip network delay;
  • the network delay may be determined by the intranet firewall distribution device itself, or may be determined by the mobile wireless access device or by each intranet firewall and then sent to the intranet firewall distribution device.
  • the intranet firewall distribution device may periodically obtain the current access device status information of the mobile wireless access device and then periodically determine, from the real-time geographic location it contains, whether the mobile wireless access device meets the conditions for switching the connected firewall in the current cycle; it may also obtain the access device status information when it receives a firewall switching request sent by the mobile wireless access device, and then determine from the real-time geographic location whether the device really meets the conditions for switching the connected firewall. The firewall switching request is a request sent by the mobile wireless access device when it has determined, from its own geographic location or from the network status of its intranet access, that it meets the conditions for replacing the intranet firewall it is connected to; for example, the mobile wireless access device monitors the packet loss rate of message transmission between itself and the first intranet firewall and sends the firewall switching request to the intranet firewall distribution device when it determines that the packet loss rate is greater than a preset threshold.
  • determining that the mobile wireless access device satisfies the conditions for switching the connected firewall may be done as follows. In one implementation, the intranet firewall distribution device obtains the deployment positions of the multiple intranet firewalls deployed for the target intranet and determines, from the real-time geographic location and those deployment positions, that the first intranet firewall is no longer the intranet firewall closest to the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet.
  • in another implementation, when the intranet firewall distribution device determines that the mobile wireless access device has moved from the first intranet access sub-area to a second intranet access sub-area of the target intranet, it determines that the mobile wireless access device satisfies the conditions for switching the connected firewall.
  • one way for the intranet firewall distribution device to determine, from the access device status information, the second intranet firewall matching the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet is to determine it from the real-time geographic location included in the access device status information;
  • for how the second intranet firewall is determined from the real-time geographic location of the mobile wireless access device, refer to the way the first intranet firewall is determined in step S203 from the geographic location obtained in step S202, which is not repeated here.
  • S208 The intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device.
  • S209 The mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address.
  • the mobile wireless access device initiates a three-way handshake to establish a TCP/IP connection with the second intranet firewall; for details, refer to the way the mobile wireless access device establishes a connection with the first intranet firewall in step S205, which is not repeated here.
  • S210 The mobile wireless access device disconnects from the first intranet firewall.
  • the mobile wireless access device initiates the four-way wave that closes the TCP/IP connection with the first intranet firewall.
  • the specific steps are as follows: the mobile wireless access device sends a FIN (Finish, the end character) packet to the first intranet firewall; after receiving the FIN packet, the first intranet firewall sends an ACK packet to the mobile wireless access device; the first intranet firewall then sends a FIN packet to the mobile wireless access device; after receiving that FIN packet, the mobile wireless access device sends an ACK packet to the first intranet firewall; once the first intranet firewall receives this ACK packet, the connection between the mobile wireless access device and the first intranet firewall is closed.
  • S211 The user terminal sends an intranet access request for the target intranet to the mobile wireless access device.
  • the user terminal may send a wireless network connection request to the mobile wireless access device, and the mobile wireless access device may either establish a connection with the user terminal directly or establish it after verifying the user terminal identity information carried in the wireless network connection request.
  • the user terminal identity information may be the user name and password entered at the user terminal to access the wireless network established by the mobile wireless access device, biometric information received by the user terminal, or terminal equipment identification information of the user terminal.
  • step S211 is performed after step S210, that is, the intranet access request of step S211 is one that the user terminal sends for the target intranet after the mobile wireless access device has disconnected from the first intranet firewall.
  • S212 The mobile wireless access device sends the intranet access request to the second intranet firewall.
  • S213 The second intranet firewall routes the intranet access request to the intranet server of the target intranet.
  • the intranet access request is a request to access a server in the target intranet, such as a Web server, an FTP server or a mail server in the target intranet.
  • after the second intranet firewall receives the intranet access request sent by the mobile wireless access device, it sends the request to the router of the target intranet through the external network, and the router routes it through the target intranet to the corresponding intranet server.
  • S214 The intranet server returns an intranet request response message in response to the intranet access request to the second intranet firewall.
  • after the intranet server generates the intranet request response message, it sends the message through the target intranet to the router of the target intranet, and the router sends it through the external network to the second intranet firewall.
  • for example, if the intranet access request is a request to obtain a file from a file server in the target intranet, the intranet request response message may be the file sent by the file server.
  • S215 The second intranet firewall sends the intranet request response message to the mobile wireless access device.
  • S216 The mobile wireless access device sends the intranet request response message to the user terminal.
  • after the intranet firewall distribution device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates to the mobile wireless access device a matching first intranet firewall from the multiple intranet firewalls deployed for the target intranet according to that request;
  • the intranet firewall distribution device then judges, from the real-time geographic location of the mobile wireless access device, whether the conditions for switching firewalls are satisfied;
  • if so, it allocates a second intranet firewall to the mobile wireless access device according to the access device status information of the device connected to the first intranet firewall; after the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with access to the target intranet through the connection with the second intranet firewall.
  • the intranet firewall distribution device determines that the mobile wireless access device meets the requirement of switching the connected firewall based on the real-time geographic location.
  • the second intranet firewall is re-allocated for the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the status information of the access device and thereby ensures the network quality with which the user terminal accesses the intranet.
  • FIG. 3 is a schematic diagram of system interaction of another firewall switching method provided by an embodiment of the application. As shown in the figure, the method may include:
  • S301 The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.
  • the intranet firewall distribution device determines the current network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the intranet connection request.
  • one implementation manner for the intranet firewall distribution device to determine the current network delay between the mobile wireless access device and each intranet firewall may be: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; the mobile wireless access device forwards the received network delay test messages to the intranet firewall distribution device; and the forwarded network delay test messages received by the intranet firewall distribution device carry the test data for each intranet firewall deployed in the target intranet.
  • another implementation manner for the intranet firewall distribution device to determine the current network delay between the mobile wireless access device and each intranet firewall may be: the intranet firewall distribution device sends to the mobile wireless access device the firewall IP address of each intranet firewall deployed for the target intranet; the mobile wireless access device sends a network delay test message to each intranet firewall according to the firewall IP address; each intranet firewall forwards the received network delay test message to the intranet firewall distribution device; each network delay test message received by the intranet firewall distribution device carries the sending time data at which the mobile wireless access device sent the network delay test message and the receiving time data at which the respective intranet firewall deployed for the target intranet received it; and the intranet firewall distribution device determines the target network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the sending time data and receiving time data carried in each received network delay test message.
  • an implementation manner for the mobile wireless access device to determine the current network delay between itself and each intranet firewall may be: the intranet firewall distribution device sends to the mobile wireless access device the firewall IP addresses of the intranet firewalls deployed for the target intranet; the mobile wireless access device sends a network delay test message to each intranet firewall according to the IP address; each intranet firewall returns the network delay test message to the mobile wireless access device after receiving it; and the mobile wireless access device determines the network delay between itself and each intranet firewall according to the sending time data at which it sent the network delay test message to that intranet firewall and the receiving time data at which it received the network delay test message returned by that intranet firewall.
  • an implementation manner for each intranet firewall deployed in the target intranet to determine the current network delay between the mobile wireless access device and itself may be: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; after receiving the network delay test message sent by an intranet firewall, the mobile wireless access device returns the received network delay test message to that intranet firewall; and each intranet firewall determines the network delay between the mobile wireless access device and itself according to the sending time data at which it sent the network delay test message to the mobile wireless access device and the receiving time data at which it received the network delay test message returned by the mobile wireless access device.
  • the intranet firewall distribution device determines a first intranet firewall matched by the mobile wireless access device from among multiple intranet firewalls deployed for the target intranet according to the current network delay.
  • the intranet firewall distribution device determines, among the current network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet, the intranet firewall corresponding to the smallest network delay as the first intranet firewall.
  • the intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.
  • the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the intranet firewall distribution device obtains the access device status information of the mobile wireless access device.
  • the access device status information includes the real-time network delays between the mobile wireless access device and each intranet firewall; the intranet firewall corresponding to the smallest of these network delays is determined to be the second intranet firewall.
  • the second IP address of the second intranet firewall is sent to the mobile wireless access device, so that the mobile wireless access device can switch the connected intranet firewall from the first intranet firewall to the second intranet firewall; for the specific implementation steps, refer to step S208 to step S216 in the embodiment corresponding to FIG. 2, which are not described again here.
  • after the intranet firewall distribution device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it assigns to the mobile wireless access device, as the first intranet firewall, the one among the multiple intranet firewalls deployed for the target intranet that has the smallest current network delay to the mobile wireless access device.
  • when the intranet firewall distribution device determines that the first intranet firewall is no longer the intranet firewall closest to the mobile wireless access device, the intranet firewall with the smallest network delay to the mobile wireless access device is determined as the second intranet firewall to which the mobile wireless access device is assigned and switched.
  • after the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with the service of accessing the target intranet through the connection with the second intranet firewall.
  • the user does not need to configure any parameters before accessing the target intranet, which improves the access efficiency for the target intranet.
  • when the intranet firewall distribution device determines that the mobile wireless access device meets the conditions for switching the connected intranet firewall, it ensures that the mobile wireless access device is connected to the second intranet firewall, the one with the smallest network delay to the mobile wireless access device, thereby ensuring the network quality with which the user terminal accesses the intranet.
  • FIG. 4 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of the application.
  • the intranet firewall distribution device 40 may at least include a state acquisition unit 401, a firewall determination unit 402, and an address sending unit 403, where:
  • the status obtaining unit 401 is configured to obtain the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, the first intranet firewall being the firewall matched to the mobile wireless access device that was determined, after an intranet connection request for the target intranet was received from the mobile wireless access device, from the multiple intranet firewalls deployed for the target intranet according to that intranet connection request; the access device status information includes the real-time geographic location of the mobile wireless access device;
  • the firewall determining unit 402 is configured to, when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the conditions for switching the connected firewall, determine the second intranet firewall matched to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
  • the address sending unit 403 is configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, after which the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to the intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • firewall determining unit 402 is specifically configured to:
  • determining, according to the real-time geographic location and the deployment positions of the multiple intranet firewalls deployed for the target intranet, that the first intranet firewall is not the one among those intranet firewalls closest to the mobile wireless access device, and in that case determining that the mobile wireless access device satisfies the condition for switching the connected firewall.
  • the state acquiring unit 401 is further configured to:
  • the first IP address of the first intranet firewall is sent to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the status obtaining unit 401 is specifically configured to:
  • the firewall determining unit is specifically configured to:
  • when it is determined that the mobile wireless access device has moved from a first intranet access subarea to a second intranet access subarea of the target intranet, determining that the mobile wireless access device satisfies the condition for switching the connected firewall.
  • the intranet firewall connection request carries identity verification information of the mobile wireless access device.
  • the status obtaining unit 401 is specifically configured to:
  • the current geographic location of the mobile wireless access device is determined.
  • firewall determining unit 402 is specifically configured to:
  • a second intranet firewall matched by the mobile wireless access device is determined from a plurality of intranet firewalls deployed for the target intranet.
  • the access device state information includes the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet when the access device state information is acquired;
  • the firewall determining unit 402 is specifically configured to:
  • the firewall corresponding to the smallest network delay is determined as the second intranet firewall.
  • firewall determining unit 402 is further configured to:
  • the status obtaining unit 401 is specifically configured to:
  • obtaining, from a firewall switching request sent by the mobile wireless access device, the status information of the access device connected to the first intranet firewall of the target intranet, the firewall switching request being a request to switch the connected firewall that the mobile wireless access device sends when it determines that it needs to replace the connected intranet firewall.
  • the intranet firewall distribution device can execute each step performed by the intranet firewall distribution device in the firewall switching method shown in Figures 2 to 3 through its built-in functional modules.
  • for details, refer to the embodiments corresponding to FIG. 2 and FIG. 3; the implementation details of each step will not be repeated here.
  • after the state acquisition unit receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates, according to the intranet connection request, a matching first intranet firewall to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet.
  • the state obtaining unit obtains the real-time geographic location of the mobile wireless access device, and the firewall determining unit determines, based on that real-time geographic location, whether the conditions for switching firewalls are met; when it determines that these conditions are met, it determines the second intranet firewall for the mobile wireless access device based on the status information of the access device connected to the first intranet firewall.
  • the address sending unit sends the second IP address of the second intranet firewall to the mobile wireless access device.
  • after the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with the service of accessing the target intranet through the connection with the second intranet firewall.
  • when the firewall determining unit determines, based on the real-time geographic location, that the mobile wireless access device meets the conditions for switching the connected firewall, the second intranet firewall is re-allocated to the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the status information of the access device and thereby ensures the network quality with which the user terminal accesses the intranet.
  • FIG. 5 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of the application.
  • the intranet firewall distribution device 50 includes a processor 501, a memory 502, and a communication interface 503.
  • the processor 501 is connected to the memory 502 and the communication interface 503.
  • the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
  • the processor 501 is configured to support the internal firewall distribution device to perform the corresponding functions of the internal firewall distribution device in the firewall switching method described in FIGS. 2 to 3.
  • the processor 501 may be a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip, or any combination thereof.
  • the foregoing hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a general array logic (Generic Array Logic, GAL) or any combination thereof.
  • the memory 502 is used to store program codes and the like.
  • the memory 502 includes internal memory, which may include at least one of the following: volatile memory (such as dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.) and non-volatile memory (for example, one-time programmable read-only memory (OTPROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM)).
  • the memory 502 may also include external memory, which may include at least one of the following: a hard disk drive (HDD) or solid-state drive (SSD), or a flash drive such as CompactFlash (CF), Secure Digital (SD), micro SD, mini SD, extreme digital (xD), memory stick, etc.
  • the communication interface 503 is used to receive or send data.
  • the processor 501 may call the program code to perform the following operations:
  • obtaining the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, the first intranet firewall being the firewall matched to the mobile wireless access device that was determined from the multiple intranet firewalls deployed for the target intranet according to the intranet connection request, where the access device status information includes the real-time geographic location of the mobile wireless access device;
  • when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the conditions for switching the connected firewall, determining the second intranet firewall matched to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
  • sending the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and, after disconnecting from the first intranet firewall, the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to the intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • each operation may also correspond to the corresponding description of the method embodiments shown in FIGS. 2 to 3; the processor 501 may also be used to perform other operations in the above method embodiments.
  • the embodiment of the present application also provides a computer non-volatile readable storage medium that stores a computer program; the computer program includes program instructions which, when executed by a computer, cause the computer to execute the method described in the foregoing embodiment; the computer may be a part of the aforementioned intranet firewall distribution device.
  • the program can be stored in a computer readable storage medium and, when executed, may carry out the procedures of the above-mentioned method embodiments.
  • the storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed in embodiments of the present invention are a firewall switching method and a related apparatus, which are suitable for access control in security protection, the method comprising: an intranet firewall distribution device obtaining access device status information that a mobile wireless access device is connected to a first intranet firewall of a target intranet; when the intranet firewall distribution device determines that the mobile wireless access device meets conditions for switching the connected firewall, determining a second intranet firewall matched by the mobile wireless access device; once the mobile wireless access device establishes a connection to the second intranet firewall and disconnects from the first intranet firewall, by means of connecting to the second intranet firewall, providing a service of accessing the target intranet to a user terminal. By means of the present application, the efficiency with which users access the target intranet may be improved, and the access quality of accessing the target intranet is ensured.

Description

A firewall switching method and related apparatus
This application claims priority to the Chinese patent application filed with the China National Intellectual Property Administration on June 10, 2019, with application number 2019105036765 and titled "An intranet access method and related apparatus", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communications, and in particular to a firewall switching method and related apparatus.
Background
With the integration of the global economy, more and more enterprises conduct business all over the world, which requires their employees to be dispatched to work in many places. In some office scenarios, employees working away from the company need to access resources on the company's intranet servers, for example intranet web pages or files stored in shared folders on an intranet file server. Traditionally this is implemented with a VPN (Virtual Private Network): a VPN server is set up on the company intranet, the remote employee connects a mobile phone, computer or similar device to the local Internet, connects over the Internet to the VPN server of the corporate intranet, and then accesses the corporate intranet through the VPN server. Before an employee connects to the intranet through a computer or other terminal, the parameters for the intranet VPN connection, such as the address of the intranet VPN server and the user's login name and password, must be configured in advance, after which the user dials and connects. The many user operations and the long waiting time reduce connection efficiency.
Summary
This application provides a firewall switching method and related apparatus, by which the efficiency of a user's access to a target intranet can be improved and the network quality of access to the target intranet can be guaranteed.
A first aspect of the embodiments of this application provides a firewall switching method, including:
an intranet firewall distribution device obtains access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, the first intranet firewall being the firewall matched to the mobile wireless access device that was determined, after an intranet connection request for the target intranet was received from the mobile wireless access device, from the multiple intranet firewalls deployed for the target intranet according to that intranet connection request; the access device status information includes the real-time geographic location of the mobile wireless access device;
when the intranet firewall distribution device determines, according to the real-time geographic location, that the mobile wireless access device satisfies the conditions for switching the connected firewall, it determines a second intranet firewall matched to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
the intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and, after disconnecting from the first intranet firewall, the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to the intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
A second aspect of the embodiments of this application provides an intranet firewall distribution device, including:
a status acquiring unit, configured to obtain access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, the first intranet firewall being the firewall matched to the mobile wireless access device that was determined, after an intranet connection request for the target intranet was received from the mobile wireless access device, from the multiple intranet firewalls deployed for the target intranet according to that intranet connection request; the access device status information includes the real-time geographic location of the mobile wireless access device;
a firewall determining unit, configured to, when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the conditions for switching the connected firewall, determine a second intranet firewall matched to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
an address sending unit, configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, after which the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to the intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
A third aspect of the embodiments of this application provides an intranet firewall distribution device including a processor, a memory and a communication interface, which are connected to one another; the communication interface is used to receive and send data, the memory is used to store program code, and the processor is used to call the program code, which, when executed by a computer, causes the computer to execute any one of the methods of the first aspect and its possible implementations.
A fourth aspect of the embodiments of this application provides a computer non-volatile readable storage medium storing a computer program; the computer program includes program instructions which, when executed by a computer, cause the computer to execute any one of the methods of the first aspect and its possible implementations.
By the embodiments of this application, the user does not need to configure any parameters before accessing the target intranet, which improves the efficiency of access to the target intranet; at the same time, when the intranet firewall distribution device determines, according to the real-time geographic location, that the mobile wireless access device satisfies the conditions for switching the connected firewall, it re-allocates a second intranet firewall to the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information and thereby ensures the network quality with which the user terminal accesses the intranet.
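The delay measurement of the FIG. 3 embodiment (a send time and a receive time carried in each network delay test message, smallest delay wins) and the geographic switching condition stated in the summary above (switch when the connected firewall is no longer the closest one) can be shown as selection logic on the distribution device. The Python below is an added illustration written for this page, not code from the patent or its applicant. The firewall names, coordinates, 192.0.2.x addresses and probe timestamps are constructed sample data; the haversine distance is an assumed way of comparing deployment positions (the patent names no distance measure); and discarding a probe whose receive stamp precedes its send stamp is an added safeguard against unsynchronised clocks that the page does not discuss.

```python
"""Firewall selection/switching logic modelled on the patent's description (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Firewall:
    """One intranet firewall deployed for the target intranet, with its deployment position."""
    name: str   # hypothetical identifier, not from the patent
    ip: str     # constructed sample address (documentation range)
    lat: float
    lon: float


@dataclass(frozen=True)
class DelayProbe:
    """A network delay test message as seen by the distribution device.

    sent_at is the timestamp written by the sender, received_at the one written by the
    receiver (seconds). Whether the firewall or the device stamps received_at depends on
    which of the page's variants is used (one-way or round trip); the arithmetic is the same.
    """
    firewall: str
    sent_at: float
    received_at: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two positions (assumed distance measure)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def nearest_firewall(firewalls: Iterable[Firewall], lat: float, lon: float) -> Firewall:
    """Firewall whose deployment position is closest to the device (ties broken by name)."""
    return min(firewalls, key=lambda fw: (haversine_km(lat, lon, fw.lat, fw.lon), fw.name))


def switch_condition_met(firewalls: Iterable[Firewall], current: Firewall,
                         lat: float, lon: float) -> bool:
    """Switching condition from the page: the connected firewall is no longer the closest one."""
    return nearest_firewall(firewalls, lat, lon).name != current.name


def measured_delays(probes: Iterable[DelayProbe]) -> Dict[str, float]:
    """Delay per firewall = receive time - send time, keeping the smallest valid sample.

    A receive stamp earlier than the send stamp means the two clocks disagree; such a
    probe is dropped instead of being read as an impossibly small delay (added safeguard).
    """
    delays: Dict[str, float] = {}
    for p in probes:
        d = p.received_at - p.sent_at
        if d < 0:
            continue
        if p.firewall not in delays or d < delays[p.firewall]:
            delays[p.firewall] = d
    return delays


def min_delay_firewall(firewalls: Iterable[Firewall],
                       delays: Dict[str, float]) -> Optional[Firewall]:
    """Firewall with the smallest measured delay; None when no firewall has a valid sample."""
    candidates = [fw for fw in firewalls if fw.name in delays]
    if not candidates:
        return None
    return min(candidates, key=lambda fw: (delays[fw.name], fw.name))


def decide_switch(firewalls: Iterable[Firewall], current: Firewall, lat: float, lon: float,
                  probes: Iterable[DelayProbe]) -> Tuple[bool, Optional[str]]:
    """Distribution-device decision: (switch?, second-firewall IP to send to the device).

    Geography decides whether to switch (nearest firewall changed); delay decides which
    firewall becomes the second one. No switch is issued if the best candidate is the
    firewall already in use or no delay sample survived validation.
    """
    fws = list(firewalls)
    if not switch_condition_met(fws, current, lat, lon):
        return False, None
    target = min_delay_firewall(fws, measured_delays(probes))
    if target is None or target.name == current.name:
        return False, None
    return True, target.ip


# Constructed sample deployment (names, addresses and coordinates are illustrative only).
FIREWALLS = [
    Firewall("fw-a", "192.0.2.10", 52.5200, 13.4050),   # Berlin
    Firewall("fw-b", "192.0.2.20", 48.8566, 2.3522),    # Paris
    Firewall("fw-c", "192.0.2.30", 41.9028, 12.4964),   # Rome
]

# Constructed probe timestamps (seconds); the second fw-c sample shows the clock-skew case.
PROBES = [
    DelayProbe("fw-a", 100.000, 100.045),
    DelayProbe("fw-b", 100.000, 100.012),
    DelayProbe("fw-c", 100.000, 100.018),
    DelayProbe("fw-c", 100.000, 99.990),
]

if __name__ == "__main__":
    current = FIREWALLS[0]
    print(decide_switch(FIREWALLS, current, 52.5200, 13.4050, PROBES))  # still at fw-a: (False, None)
    print(decide_switch(FIREWALLS, current, 45.4642, 9.1900, PROBES))   # moved to Milan: (True, '192.0.2.20')
```

Run stand-alone, the block prints the decision for a device that has stayed at the first firewall's location and for one that has moved: the move makes a different firewall the nearest one, which triggers the switch, while the delay samples pick the second firewall, so the chosen target need not be the geographically nearest one. A one-way delay computed from a send stamp on the device and a receive stamp on the firewall is only meaningful when the two clocks are synchronised; the round-trip variant, in which the device writes both stamps, avoids that dependency, and the same function serves both because the subtraction is identical.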
Description of the drawings
FIG. 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of system interaction of another firewall switching method provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an intranet firewall allocation device provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another intranet firewall allocation device provided by an embodiment of the present application.
Detailed description of embodiments
The firewall switching method and related apparatus provided by the embodiments of the present application are described below with reference to FIG. 1 to FIG. 5.
FIG. 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of the present application. As shown in the figure, in this intranet access system framework, intranet firewall 1, intranet firewall 2 and intranet firewall 3 are three intranet firewalls deployed for the target intranet; mobile wireless access device 1 and mobile wireless access device 2 are each connected to intranet firewall 1, mobile wireless access device 3 is connected to intranet firewall 3, user terminal 1 is connected to mobile wireless access device 2, and user terminal 2 is connected to a mobile wireless access device.
Here, the target intranet is a local-area communication network that interconnects the computers, servers, databases and so on within a limited geographic area of a specific enterprise, institution, school, etc. When a terminal or server in the target intranet communicates with another terminal or server in the target intranet, the communication takes place at the data link layer and the messages do not need to be routed by a router. When it communicates with a terminal or server outside the target intranet, the communication takes place at the network layer: messages sent by a terminal or server inside the target intranet must pass through the router and, after network address translation, be routed to the terminal or server outside the target intranet, and messages returned by the terminal or server outside the target intranet must be routed by the router, after network address translation, to the terminal or server in the target intranet.
Here, the intranet firewalls deployed for the target intranet may be firewalls deployed at locations around the world that filter the packets entering and leaving the target intranet. An intranet firewall is connected to the router of the target intranet over a wide area network, and through the router of the target intranet connects to the intranet servers of the target intranet.
Here, the mobile wireless access device is a wireless access device that is mobile, can transmit wireless network signals and has a routing function. The mobile wireless access device may access a data network by inserting a SIM (Subscriber Identification Module) card, access a wired network by plugging in a network cable, or access a wireless network by connecting to WIFI. A user terminal may join the wireless network transmitted by the mobile wireless access device in order to connect with it.
Here, the intranet firewall allocation device may be a device that has a domain name resolution function for the target intranet and that stores the IP addresses and deployment locations of the intranet firewalls deployed for the target intranet, such as a GTM (Global Traffic Manager) device.
Here, the user terminal may be a terminal device with a wireless network receiving function, such as a laptop computer, a mobile phone or a tablet computer.
Referring to FIG. 2, FIG. 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of the present application. As shown in the figure, the method may include:
S201: The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall allocation device.
Specifically, the mobile wireless access device may send the intranet connection request to the intranet firewall allocation device as soon as it has been triggered to start, after receiving an instruction from the user to start the function of accessing the target intranet, or upon receiving an intranet access request for the target intranet from a connected user terminal. The intranet connection request may carry the intranet domain name of the target intranet, so that the intranet firewall allocation device, after resolving the intranet domain name, determines that the request is an intranet connection request for the target intranet.
S202: The intranet firewall allocation device determines the current geographic location of the mobile wireless access device according to the intranet connection request.
Specifically, the intranet connection request may carry the geographic location of the mobile wireless access device, in which case the intranet firewall allocation device obtains the geographic location directly from the request; or the intranet connection request may carry positioning information of the mobile wireless access device, in which case the intranet firewall allocation device obtains the positioning information from the request and determines the location of the mobile wireless access device from it using a positioning technique. For example, the positioning information may be the IP address of the mobile wireless access device, GPS data, WIFI access point information, connected base station information, etc., and the positioning technique may be IP positioning, GPS positioning, WIFI positioning, base station positioning, etc.
Here, the intranet connection request sent by the mobile wireless access device may carry identity verification information of the mobile wireless access device, and the intranet firewall allocation device may verify the identity of the mobile wireless access device according to that information and determine the current geographic location of the mobile wireless access device only after the verification has passed. The identity verification information carried in the intranet connection request may include one of: an access device identification code, a user name and password entered by the user, or the digital certificate of the mobile wireless access device.
S203: The intranet firewall allocation device determines, according to the current geographic location, a first intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet.
Here, the intranet firewall allocation device may store the IP addresses and deployment locations of the firewalls deployed separately for several intranets. For example, company M has subsidiary A and subsidiary B, each of which has its own intranet, and the two intranets must be connected through the external network; the mobile wireless access device of company M may then store both the IP addresses and deployment locations of the intranet firewalls deployed for subsidiary A's intranet and the IP addresses and deployment locations of the intranet firewalls deployed for subsidiary B's intranet. The intranet connection request may carry the intranet domain name of the target intranet, so that after receiving the request the intranet firewall allocation device resolves the intranet domain name, determines that the request is an intranet connection request for the target intranet, and then obtains the IP addresses and deployment locations of the multiple intranet firewalls deployed for the target intranet.
In one implementation of determining the first intranet firewall, the intranet firewall allocation device may, based on the geographic location and on the deployment locations of the intranet firewalls deployed for the target intranet, determine the intranet firewall closest to the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet to be the first intranet firewall.
In another implementation of determining the first intranet firewall, the entire access area for the target intranet is divided in advance into intranet access sub-areas, one for each intranet firewall of the target intranet, and the correspondence between the intranet access sub-areas and the intranet firewalls of the target intranet is preset in the intranet firewall allocation device. The intranet firewall allocation device determines, according to the geographic location of the mobile wireless access device, the first intranet access sub-area in which the mobile wireless access device is located, and then determines the intranet firewall corresponding to the first intranet access sub-area to be the first intranet firewall.
S204: The intranet firewall allocation device sends the first IP address of the first intranet firewall to the mobile wireless access device.
S205: The mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
Specifically, the mobile wireless access device sends a firewall connection request to the first intranet firewall according to the first IP address, so that the first intranet firewall, once the identity verification of the mobile access device based on the firewall connection request has passed, establishes a connection with the mobile wireless access device.
In one implementation, the firewall connection request carries the access device identification code of the mobile wireless access device, such as a MAC address, and the first intranet firewall determines that identity authentication of the mobile wireless access device has passed when the access device identification code is one of the preset identification codes of access devices allowed to connect.
In another implementation, the firewall connection request carries the user name and password entered by the user through the mobile wireless access device, and the first intranet firewall determines that identity authentication of the mobile wireless access device has passed when the user name and password match one of the preset user name and password pairs allowed to connect.
In yet another implementation, the firewall connection request carries the digital certificate of the mobile wireless access device. The first intranet firewall determines the certificate issuer of the access device's digital certificate from the issuer information carried in that certificate; after obtaining the issuer's digital certificate, it takes the issuer public key contained in the issuer's digital certificate and uses that public key to decrypt the digital signature in the access device's digital certificate, obtaining the certificate fingerprint of the access device's digital certificate; the first intranet firewall also hashes the access device's digital certificate with the specified hash algorithm to obtain a digital certificate hash value; and when the first intranet firewall determines that the hash value it computed is consistent with the certificate fingerprint of the access device's certificate, it determines that identity authentication of the mobile wireless access device has passed.
Here, the mobile wireless access device initiates a three-way handshake to establish a TCP/IP connection with the first intranet firewall. The specific steps are as follows: the mobile wireless access device sends a SYN (Synchronize Sequence Numbers) packet to the first intranet firewall; after receiving the SYN packet, the first intranet firewall sends a SYN+ACK (ACKnowledge Character) packet to the mobile wireless access device; after receiving the SYN+ACK packet, the mobile wireless access device returns an ACK packet to the first intranet firewall; once the first intranet firewall has received the ACK packet returned by the mobile wireless access device, the connection between the mobile wireless access device and the first intranet firewall is established.
S206: The intranet firewall allocation device obtains access device state information of the mobile wireless access device while it is connected to the first intranet firewall.
The access device state information may include the real-time geographic location of the mobile wireless access device at the time the state information is obtained, and may also include the network delay, at the time the state information is obtained, between the mobile wireless access device and each intranet firewall deployed for the target intranet. The real-time geographic location of the mobile wireless access device may be determined by the intranet firewall allocation device from positioning information sent by the mobile wireless access device, using IP positioning, GPS positioning, WIFI positioning, base station positioning or another positioning method, or it may be sent directly by the mobile wireless access device to the intranet firewall. The network delay between the mobile wireless access device and each intranet firewall may be the one-way network delay or the round-trip network delay between them, and it may be determined by the intranet firewall allocation device, or determined by the mobile wireless access device or by the individual intranet firewalls and then sent to the intranet firewall allocation device.
S207: When the intranet firewall allocation device determines from the real-time geographic location that the mobile wireless access device meets the condition for switching the connected firewall, it determines, according to the access device state information, a second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet.
Specifically, the intranet firewall allocation device may periodically obtain the current access device state information of the mobile wireless access device and periodically judge, from the real-time geographic location contained in that state information, whether the mobile wireless access device meets the condition for switching the connected firewall in the current period. Alternatively, upon receiving a firewall switching request sent by the mobile wireless access device, it may obtain the access device state information of the mobile wireless access device and then judge from the real-time geographic location contained in that state information whether the mobile wireless access device really meets the condition for switching the connected firewall. The firewall switching request is a request to switch the connected firewall that the mobile wireless access device sends when it determines, from its own geographic location or from the network conditions of its own intranet access, that it should change the intranet firewall it is connected to. For example, the mobile wireless access device monitors the packet loss rate of message transmission between itself and the first intranet firewall, and sends a firewall switching request to the intranet firewall allocation device when it determines that the packet loss rate is greater than a preset threshold.
Here, corresponding to the implementation by which the intranet firewall allocation device determines the first intranet firewall for the mobile wireless access device in step S203, the intranet firewall allocation device determining that the mobile wireless access device meets the condition for switching the connected firewall may include the following. In one implementation, the intranet firewall allocation device obtains the deployment locations of the multiple intranet firewalls deployed for the target intranet, and when it determines, from the real-time geographic location and those deployment locations, that the first intranet firewall is not the firewall closest to the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet, it determines that the mobile wireless access device meets the condition for switching the connected firewall. In another implementation, the intranet firewall allocation device determines that the mobile wireless access device meets the condition for switching the connected firewall when it determines that the mobile wireless access device has moved from the first intranet access sub-area to a second intranet access sub-area for the target intranet.
One implementation by which the intranet firewall allocation device determines, according to the access device state information, the second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet may be: the intranet firewall allocation device determines the second intranet firewall corresponding to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet according to the real-time geographic location contained in the access device state information. For the way in which the intranet firewall allocation device determines the second intranet firewall from the real-time geographic location of the mobile wireless access device, reference may be made to the way in which it determines the first intranet firewall in step S203 from the geographic location of the mobile wireless access device obtained in step S202, which is not repeated here.
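The allocation device's geolocation logic for S203 (choosing the first firewall) and S207 (deciding that a switch is due and choosing the second firewall), as an added example that is not the patent's own code. Both implementations the text describes are shown, nearest deployment location and preset access sub-areas; the firewall names, addresses, coordinates and sub-area boxes are constructed sample data.

```python
"""Added example, not the patent's own code: the intranet firewall
allocation device's geolocation logic for S203 (choose the first firewall)
and S207 (decide whether a switch is due, then choose the second firewall).
All names, addresses, coordinates and sub-area boxes are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LatLon = Tuple[float, float]
Box = Tuple[float, float, float, float]  # lat_min, lat_max, lon_min, lon_max
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Firewall:
    name: str          # constructed label
    ip: str            # constructed address returned to the device (S204/S208)
    position: LatLon   # deployment location stored by the allocation device
    sub_area: str      # intranet access sub-area this firewall serves


# Constructed deployment table: the page's "IP addresses and deployment locations".
FIREWALLS: List[Firewall] = [
    Firewall("fw-1", "203.0.113.1", (22.54, 114.06), "south"),
    Firewall("fw-2", "203.0.113.2", (31.23, 121.47), "east"),
    Firewall("fw-3", "203.0.113.3", (39.90, 116.40), "north"),
]

# Constructed preset sub-areas for the second implementation.
SUB_AREAS: Dict[str, Box] = {
    "south": (18.0, 28.0, 105.0, 120.0),
    "east": (28.0, 35.0, 115.0, 125.0),
    "north": (35.0, 45.0, 110.0, 125.0),
}


def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def nearest_firewall(location: LatLon, firewalls: List[Firewall]) -> Firewall:
    """S203, implementation 1: the firewall deployed closest to the device."""
    return min(firewalls, key=lambda fw: haversine_km(location, fw.position))


def locate_sub_area(location: LatLon, areas: Dict[str, Box]) -> Optional[str]:
    """Which preset intranet access sub-area contains the device, if any."""
    lat, lon = location
    for name, (lat_min, lat_max, lon_min, lon_max) in areas.items():
        if lat_min <= lat < lat_max and lon_min <= lon < lon_max:
            return name
    return None


def firewall_for_sub_area(location: LatLon, firewalls: List[Firewall],
                          areas: Dict[str, Box]) -> Optional[Firewall]:
    """S203, implementation 2: the firewall preset for the device's sub-area."""
    area = locate_sub_area(location, areas)
    if area is None:
        return None
    return next((fw for fw in firewalls if fw.sub_area == area), None)


def switch_due_by_distance(current: Firewall, location: LatLon,
                           firewalls: List[Firewall]) -> bool:
    """S207 condition, implementation 1: connected firewall is no longer nearest."""
    return nearest_firewall(location, firewalls).name != current.name


def switch_due_by_sub_area(current: Firewall, location: LatLon,
                           areas: Dict[str, Box]) -> bool:
    """S207 condition, implementation 2: device left the current firewall's sub-area.
    A device outside every preset sub-area has no firewall to move to, so no switch."""
    area = locate_sub_area(location, areas)
    return area is not None and area != current.sub_area


def reallocate(current: Firewall, location: LatLon,
               firewalls: List[Firewall]) -> Optional[Firewall]:
    """S207/S208: the second firewall to switch to, or None to stay put.
    The location should be one the allocation device established itself
    (IP or base-station positioning); acting only on a location the request
    asserts would let the device pick its own firewall."""
    if not switch_due_by_distance(current, location, firewalls):
        return None
    return nearest_firewall(location, firewalls)


if __name__ == "__main__":
    first = nearest_firewall((23.13, 113.26), FIREWALLS)    # constructed start position
    print("S203 first firewall:", first.name, first.ip)
    second = reallocate(first, (30.27, 120.15), FIREWALLS)  # constructed later position
    print("S207 switch to:", second.name if second else "none")
```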
S208: The intranet firewall allocation device sends the second IP address of the second intranet firewall to the mobile wireless access device.
S209: The mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address.
Specifically, the mobile wireless access device initiates a three-way handshake to establish a TCP/IP connection with the second intranet firewall; for details, reference may be made to the way in which the mobile wireless access device establishes a connection with the first intranet firewall in step S205, which is not repeated here.
S210: The mobile wireless access device disconnects from the first intranet firewall.
The mobile wireless access device initiates a four-way handshake to close the TCP/IP connection with the first intranet firewall. The specific steps are as follows: the mobile wireless access device sends a FIN (Finish Character) packet to the first intranet firewall; after receiving the FIN packet, the first intranet firewall sends an ACK packet to the mobile wireless access device; the first intranet firewall then sends a FIN packet to the mobile wireless access device; after receiving the FIN packet, the mobile wireless access device sends an ACK packet to the first intranet firewall; once the first intranet firewall has received that ACK packet, the connection between the mobile wireless access device and the first intranet firewall is closed.
S211: The user terminal sends an intranet access request for the target intranet to the mobile wireless access device.
Specifically, before step S211, the user terminal may send a wireless network connection request to the mobile wireless access device, and the mobile wireless access device may establish a connection with the user terminal directly, or may establish the connection with the user terminal only after verifying the user terminal identity information carried in the wireless network connection request. The user terminal identity information may be the user name and password entered by the user on the user terminal for joining the wireless network created by the mobile wireless access device, biometric information entered by the user on the user terminal, or terminal device identification information of the user terminal.
Here, step S211 is performed after step S210, that is, the intranet access request of the user terminal in step S211 is the user terminal's intranet access request for the target intranet made after the mobile wireless access device has disconnected from the first intranet firewall.
S212: The mobile wireless access device sends the intranet access request to the second intranet firewall.
S213: The second intranet firewall routes the intranet access request to an intranet server of the target intranet.
Specifically, the intranet access request is an access request for a server in the target intranet, for example an access request for a Web server in the target intranet, an access request for an FTP server in the target intranet, or an access request for a mail server in the target intranet. After receiving the intranet access request sent by the mobile wireless access device, the second intranet firewall sends the intranet access request over the external network to the router of the target intranet, and the router of the target intranet routes the intranet access request through the target intranet to the corresponding intranet server in the target intranet.
S214: The intranet server returns to the second intranet firewall an intranet request response message responding to the intranet access request.
Specifically, after the intranet server generates the intranet request response message in response to the intranet access request, it sends the intranet request response message through the target intranet to the router of the target intranet, and the router of the target intranet sends the intranet request response message over the external network to the second intranet firewall. For example, if the intranet access request requests a file from a file server in the target intranet, the intranet request response message may be that file as sent by the file server.
S215: The second intranet firewall sends the intranet request response message to the mobile wireless access device.
S216: The mobile wireless access device sends the intranet request response message to the user terminal.
In the embodiment of the present application, after the intranet firewall allocation device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates, according to the intranet connection request, a matching first intranet firewall to the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet. After the mobile wireless access device establishes a connection with the first intranet firewall, the intranet firewall allocation device judges from the real-time geographic location of the mobile wireless access device whether the condition for switching firewalls is met; when it determines that the condition is met, it allocates to the mobile wireless access device a second intranet firewall to switch to, according to the access device state information of the mobile wireless access device while connected to the first intranet firewall. After the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with access to the target intranet through its connection with the second intranet firewall. With the embodiments of the present application, the user does not need to configure any parameters before accessing the target intranet, which improves access efficiency for the target intranet; at the same time, when the intranet firewall allocation device determines from the real-time geographic location that the mobile wireless access device meets the condition for switching the connected firewall, it reallocates a second intranet firewall to the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device state information, and thereby ensures the network quality of the user terminal's access to the intranet.
Referring to FIG. 3, FIG. 3 is a schematic diagram of the system interaction of another firewall switching method provided by an embodiment of the present application. As shown in the figure, the method may include:
S301: The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.
S302: The intranet firewall distribution device determines, according to the intranet connection request, the current network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet.
Specifically, one implementation by which the intranet firewall distribution device determines the current network delay between the mobile wireless access device and each intranet firewall may be as follows: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; the mobile wireless access device forwards each received network delay test message to the intranet firewall distribution device; each network delay test message received by the intranet firewall distribution device carries the sending time data at which the respective intranet firewall deployed for the target intranet sent the network delay test message, as well as the receiving time data at which the mobile wireless access device received the network delay test message; and the intranet firewall distribution device determines the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the sending time data and receiving time data carried in each received network delay test message.
Another implementation by which the intranet firewall distribution device determines the current network delay between the mobile wireless access device and each intranet firewall may be as follows: the intranet firewall distribution device sends the firewall IP address of each intranet firewall deployed for the target intranet to the mobile wireless access device; the mobile wireless access device sends a network delay test message to each intranet firewall according to the firewall IP addresses; each intranet firewall forwards the received network delay test message to the intranet firewall distribution device; each network delay test message received by the intranet firewall distribution device carries the sending time data at which the mobile wireless access device sent the network delay test message, as well as the receiving time data at which the respective intranet firewall deployed for the target intranet received the network delay test message; and the intranet firewall distribution device determines the target network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the sending time data and receiving time data carried in each received network delay test message.
One implementation by which the mobile wireless access device itself determines the current network delay between the mobile wireless access device and each intranet firewall may be as follows: the intranet firewall distribution device sends the firewall IP address of each intranet firewall deployed for the target intranet to the mobile wireless access device; the mobile wireless access device sends a network delay test message to each intranet firewall according to the IP addresses; each intranet firewall, upon receiving the network delay test message, returns the network delay test message to the mobile wireless access device; and the mobile wireless access device determines the network delay between itself and each intranet firewall according to the sending time data at which it sent the network delay test message to each intranet firewall and the receiving time data at which it received the network delay test message returned by each intranet firewall.
One implementation by which each intranet firewall deployed for the target intranet determines the current network delay between the mobile wireless access device and itself may be as follows: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; after receiving the network delay test message sent by each intranet firewall, the mobile wireless access device returns the received network delay test message to the respective intranet firewall; and each intranet firewall determines the network delay between the mobile wireless access device and itself according to the sending time data at which it sent the network delay test message to the mobile wireless access device and the receiving time data at which it received the network delay test message returned by the mobile wireless access device.
S303: The intranet firewall distribution device determines, according to the current network delay, the first intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet.
Specifically, among the current network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet, the intranet firewall distribution device determines the intranet firewall corresponding to the smallest network delay as the first intranet firewall.
S304: The intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.
S305: The mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
S306: The intranet firewall distribution device obtains the access device status information of the mobile wireless access device.
S307: When the intranet firewall distribution device determines, according to the real-time geographic location contained in the access device status information, that the first intranet firewall is not the intranet firewall closest to the mobile wireless access device, it determines as the second intranet firewall the intranet firewall corresponding to the smallest network delay among the real-time network delays between the mobile wireless access device and each intranet firewall contained in the access device status information.
After the second intranet firewall is determined in step S307, the second IP address of the second intranet firewall is sent to the mobile wireless access device, so that the mobile wireless access device switches the connected intranet firewall from the first intranet firewall to the second intranet firewall. For the specific implementation steps, refer to the implementation of steps S208 to S216 in the embodiment corresponding to FIG. 2, which is not repeated here.
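The delay measurement of step S302 and the selection and switching rules of steps S303 and S307 can be exercised on constructed data. The following is an added example and not code from the patent or its applicant: the firewall list, coordinates and timestamps are constructed, the names `Firewall`, `DelayTestMessage`, `one_way_delays`, `round_trip_delays`, `select_min_delay`, `nearest_firewall` and `decide_switch` are the example's own, and the coordinates are treated as points on a local plane measured in kilometres rather than real geographic data.

```python
"""Firewall allocation by measured network delay and geographic distance.

Added example, not the patent's code. Simulates the network delay test
messages of step S302, the minimum-delay selection of step S303 and the
switching condition of step S307 with constructed timestamps and positions.
"""
from dataclasses import dataclass
from math import hypot
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Firewall:
    name: str
    ip: str
    location: Tuple[float, float]  # constructed (x, y) in km on a local plane


@dataclass(frozen=True)
class DelayTestMessage:
    """A network delay test message as forwarded to the distribution device.

    send_time_ms: when the firewall sent it; recv_time_ms: when the mobile
    wireless access device received it. Both are milliseconds since a shared
    epoch, so this variant assumes the two clocks are synchronised.
    """
    firewall_ip: str
    send_time_ms: int
    recv_time_ms: int


# Constructed deployment: three firewalls for one target intranet.
SAMPLE_FIREWALLS: List[Firewall] = [
    Firewall("fw-a", "10.0.0.1", (0.0, 0.0)),
    Firewall("fw-b", "10.0.0.2", (50.0, 0.0)),
    Firewall("fw-c", "10.0.0.3", (100.0, 0.0)),
]

# Constructed test messages forwarded by the access device (S302, first variant).
# The last one has a receive time earlier than its send time: a clock skew
# artefact that must not be treated as a real delay.
SAMPLE_MESSAGES: List[DelayTestMessage] = [
    DelayTestMessage("10.0.0.1", 1000, 1012),
    DelayTestMessage("10.0.0.2", 1000, 1030),
    DelayTestMessage("10.0.0.2", 1000, 1025),
    DelayTestMessage("10.0.0.3", 1000, 1045),
    DelayTestMessage("10.0.0.1", 1000, 995),
]


def one_way_delays(messages: List[DelayTestMessage]) -> Dict[str, int]:
    """Delay per firewall from the send/receive times carried in each message.

    Keeps the smallest sample per firewall and discards negative values,
    which can only come from unsynchronised clocks.
    """
    delays: Dict[str, int] = {}
    for m in messages:
        d = m.recv_time_ms - m.send_time_ms
        if d < 0:
            continue
        prev = delays.get(m.firewall_ip)
        delays[m.firewall_ip] = d if prev is None else min(prev, d)
    return delays


def round_trip_delays(samples: Dict[str, List[Tuple[int, int]]]) -> Dict[str, int]:
    """Delay from echoed probes timed by a single party (third/fourth variants).

    samples maps firewall IP -> [(sent_ms, echo_received_ms), ...]. Because one
    clock supplies both timestamps, no clock synchronisation is required.
    """
    return {ip: min(back - sent for sent, back in s) for ip, s in samples.items() if s}


def select_min_delay(delays: Dict[str, int]) -> Optional[str]:
    """S303 / S307: the firewall IP with the smallest delay, None if nothing usable."""
    if not delays:
        return None
    return min(delays.items(), key=lambda kv: kv[1])[0]


def nearest_firewall(firewalls: List[Firewall], location: Tuple[float, float]) -> str:
    """IP of the firewall whose deployment position is closest to the device."""
    x, y = location
    return min(firewalls, key=lambda f: hypot(f.location[0] - x, f.location[1] - y)).ip


def decide_switch(firewalls: List[Firewall], current_ip: str,
                  location: Tuple[float, float], delays: Dict[str, int]) -> Optional[str]:
    """S307: switch only when the current firewall is not the geographically
    nearest one; the target is then the minimum-delay firewall. Returns the
    second firewall's IP, or None when the connection should be kept (design
    choice of this example: never 'switch' to the firewall already in use)."""
    if nearest_firewall(firewalls, location) == current_ip:
        return None
    candidate = select_min_delay(delays)
    if candidate is None or candidate == current_ip:
        return None
    return candidate


def demo() -> Tuple[str, Optional[str]]:
    """Initial allocation, then a later check after the device has moved."""
    first = select_min_delay(one_way_delays(SAMPLE_MESSAGES))
    later_delays = {"10.0.0.1": 40, "10.0.0.2": 15, "10.0.0.3": 35}  # constructed
    second = decide_switch(SAMPLE_FIREWALLS, first, (60.0, 5.0), later_delays)
    return first, second


if __name__ == "__main__":
    print(demo())  # ('10.0.0.1', '10.0.0.2')
```

The one-way variants of S302 only give a meaningful delay if the firewall and the access device agree on the time, which is why the example drops negative samples instead of trusting them; the echo-based variants avoid that dependency at the cost of measuring a round trip. Note also that the location and receive timestamps reported by the access device are inputs the allocator acts on, so the identity verification the method performs on the connection request is what ties those inputs to a known device.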
In the embodiment of the present application, after the intranet firewall distribution device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates to the mobile wireless access device the first intranet firewall that, among the multiple intranet firewalls deployed for the target intranet, currently has the smallest network delay to the mobile wireless access device. After the mobile wireless access device establishes a connection with the first intranet firewall, when the intranet firewall distribution device determines that the first intranet firewall is not the intranet firewall closest to the mobile wireless access device, it determines the intranet firewall with the smallest network delay to the mobile wireless access device as the second intranet firewall to which the mobile wireless access device is to switch. After the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with the service of accessing the target intranet through the connection with the second intranet firewall. Through the embodiment of the present application, the user does not need to configure any parameters before accessing the target intranet, which improves the efficiency of accessing the target intranet. At the same time, when the intranet firewall distribution device determines that the mobile wireless access device satisfies the condition for switching the connected intranet firewall, it is ensured that the mobile wireless access device switches to the second intranet firewall with the smallest network delay to the mobile wireless access device, which ensures the network quality of the user terminal's access to the intranet.
Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a mobile wireless access device provided by an embodiment of the present application. As shown in the figure, the intranet firewall distribution device 40 may include at least a status acquisition unit 401, a firewall determination unit 402 and an address sending unit 403, wherein:
The status acquisition unit 401 is configured to acquire access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, where the first intranet firewall is the firewall matching the mobile wireless access device that was determined, according to an intranet connection request for the target intranet sent by the mobile wireless access device, from among multiple intranet firewalls deployed for the target intranet after that intranet connection request was received, and the access device status information contains the real-time geographic location of the mobile wireless access device;
The firewall determination unit 402 is configured to, when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall, determine a second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet according to the access device status information;
The address sending unit 403 is configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that after the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to an intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
Wherein, the firewall determination unit 402 is specifically configured to:
acquire the deployment locations of the multiple intranet firewalls deployed for the target intranet;
when it is determined, according to the real-time geographic location and the deployment locations of the multiple intranet firewalls deployed for the target intranet, that the first intranet firewall is not the firewall closest to the mobile wireless access device among the multiple intranet firewalls deployed for the target intranet, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
Wherein, the status acquisition unit 401 is further configured to:
receive the intranet connection request sent by the mobile wireless access device for the target intranet;
determine the current geographic location of the mobile wireless access device according to the intranet connection request;
determine, according to the current geographic location, the first intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet;
send the first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
Wherein, the status acquisition unit 401 is specifically configured to:
determine, according to the current geographic location, the first intranet access sub-region for the target intranet in which the mobile wireless access device is located;
determine the first intranet firewall corresponding to the first intranet access sub-region according to a preset correspondence between intranet access sub-regions and firewalls of the target intranet;
The firewall determination unit is specifically configured to:
when it is determined that the mobile wireless access device has moved from the first intranet access sub-region to a second intranet access sub-region for the target intranet, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
Wherein, the intranet firewall connection request carries identity verification information of the mobile wireless access device;
The status acquisition unit 401 is specifically configured to:
perform identity verification on the mobile wireless access device according to the identity verification information;
after the identity verification is passed, determine the current geographic location of the mobile wireless access device.
Wherein, the firewall determination unit 402 is specifically configured to:
determine, according to the real-time geographic location, the second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet.
Wherein, the access device status information contains the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet at the time the access device status information is acquired;
The firewall determination unit 402 is specifically configured to:
determine, among the network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet, the firewall corresponding to the smallest network delay as the second intranet firewall.
Wherein, the firewall determination unit 402 is further configured to:
send the access device IP address of the mobile wireless access device to each intranet firewall deployed for the target intranet, so that each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address;
receive the network delay test messages sent by each intranet firewall and forwarded by the mobile wireless access device, where each network delay test message received by the intranet firewall distribution device carries the sending time data at which the respective intranet firewall sent the network delay test message and the receiving time data at which the mobile wireless access device received the network delay test message;
determine the network delay between the mobile wireless access device and each intranet firewall according to the sending time data and receiving time data carried in each received network delay test message.
Wherein, the status acquisition unit 401 is specifically configured to:
periodically acquire the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, or acquire the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet upon receiving a firewall switching request sent by the mobile wireless access device, where the firewall switching request is a request to switch the connected firewall that the mobile wireless access device sends when it determines that it satisfies the condition for replacing the connected intranet firewall.
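The sub-region variant of the status acquisition unit and firewall determination unit (mapping the current location to an intranet access sub-region through a preset correspondence, and switching when the device moves to a different sub-region), the identity verification that precedes location determination, and the periodic or request-driven status check can be put together in one allocator. The following is an added example and not code from the patent or its applicant: the sub-region rectangles, the region-to-firewall table, the device identifiers and the shared secrets are constructed, and `SubRegion`, `FirewallAllocator`, `verify_identity`, `make_token` and `locate_subregion` are names chosen for this example; the HMAC token is one way to represent the "identity verification information" the page leaves unspecified.

```python
"""Sub-region based firewall allocation with an identity check first.

Added example, not the patent's code. The preset correspondence between
intranet access sub-regions and firewalls, the device credentials and the
coordinates are all constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Location = Tuple[float, float]


@dataclass(frozen=True)
class SubRegion:
    """An axis-aligned sub-region; lower bounds inclusive, upper exclusive,
    so a point on a shared edge belongs to exactly one region."""
    name: str
    x_min: float
    x_max: float
    y_min: float
    y_max: float

    def contains(self, loc: Location) -> bool:
        x, y = loc
        return self.x_min <= x < self.x_max and self.y_min <= y < self.y_max


# Constructed preset correspondence: sub-region -> firewall IP address.
SUBREGIONS = [SubRegion("east", 0.0, 50.0, 0.0, 50.0),
              SubRegion("west", 50.0, 100.0, 0.0, 50.0)]
REGION_TO_FIREWALL: Dict[str, str] = {"east": "10.0.0.1", "west": "10.0.0.2"}

# Constructed provisioning store: device id -> shared secret (hypothetical).
DEVICE_KEYS: Dict[str, bytes] = {"ap-001": b"constructed-secret-for-ap-001"}


def make_token(device_id: str, key: bytes) -> str:
    """Identity verification information carried in the connection request
    (this example's choice: an HMAC-SHA256 over the device id)."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


def verify_identity(device_id: str, token: str) -> bool:
    """Constant-time comparison against the token expected for this device."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(make_token(device_id, key), token)


def locate_subregion(loc: Location) -> Optional[str]:
    """Map a location to the intranet access sub-region containing it."""
    for region in SUBREGIONS:
        if region.contains(loc):
            return region.name
    return None


class FirewallAllocator:
    """Plays the intranet firewall distribution device for the sub-region rule."""

    def __init__(self) -> None:
        # device id -> (current sub-region, IP of the connected firewall)
        self.assigned: Dict[str, Tuple[str, str]] = {}

    def handle_connection_request(self, device_id: str, token: str,
                                  loc: Location) -> Optional[str]:
        """Verify identity, then map the location to a sub-region and return
        the first firewall's IP. None means the request is rejected: the
        location of an unverified device is never used for allocation."""
        if not verify_identity(device_id, token):
            return None
        region = locate_subregion(loc)
        if region is None:
            return None
        fw_ip = REGION_TO_FIREWALL[region]
        self.assigned[device_id] = (region, fw_ip)
        return fw_ip

    def check_switch(self, device_id: str, loc: Location) -> Optional[str]:
        """Run periodically or when the device sends a firewall switching
        request. Returns the second firewall's IP when the device has moved
        to a different sub-region, otherwise None (keep the connection)."""
        if device_id not in self.assigned:
            return None
        region, _ = self.assigned[device_id]
        new_region = locate_subregion(loc)
        if new_region is None or new_region == region:
            return None
        new_fw_ip = REGION_TO_FIREWALL[new_region]
        self.assigned[device_id] = (new_region, new_fw_ip)
        return new_fw_ip


if __name__ == "__main__":
    allocator = FirewallAllocator()
    token = make_token("ap-001", DEVICE_KEYS["ap-001"])
    print(allocator.handle_connection_request("ap-001", token, (10.0, 10.0)))  # 10.0.0.1
    print(allocator.check_switch("ap-001", (70.0, 20.0)))  # 10.0.0.2
```

Ordering the identity check before the location lookup matches the page's sequence (verify, then determine the current geographic location) and means a request that fails verification never influences which firewall a device is steered to. Switching only on a change of sub-region also gives the scheme a built-in hysteresis: small movements inside one sub-region do not trigger a reconnection.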
In a specific implementation, the intranet firewall distribution device can execute, through its built-in functional modules, each step performed by the intranet firewall distribution device in the firewall switching methods of FIG. 2 to FIG. 3. For specific implementation details, refer to the implementation details of each step in the embodiments corresponding to FIG. 2 to FIG. 3, which are not repeated here.
In the embodiment of the present application, after the status acquisition unit receives the intranet connection request for the target intranet sent by the mobile wireless access device, a matching first intranet firewall is allocated to the mobile wireless access device according to the intranet connection request from among the multiple intranet firewalls deployed for the target intranet. After the mobile wireless access device establishes a connection with the first intranet firewall, the status acquisition unit acquires the real-time geographic location of the mobile wireless access device, and the firewall determination unit judges according to the real-time geographic location of the mobile wireless access device whether the condition for switching firewalls is satisfied. When it determines that the condition is satisfied, it allocates a second intranet firewall to switch to for the mobile wireless access device according to the access device status information of the mobile wireless access device connected to the first intranet firewall. After the address sending unit sends the second IP address of the second intranet firewall to the mobile wireless access device and the mobile wireless access device establishes a connection with the second intranet firewall, the mobile wireless access device disconnects from the first intranet firewall and provides the user terminal with the service of accessing the target intranet through the connection with the second intranet firewall. Through the embodiment of the present application, the user does not need to configure any parameters before accessing the target intranet, which improves the efficiency of accessing the target intranet. At the same time, when the firewall determination unit determines according to the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall, it reallocates a second intranet firewall to the mobile wireless access device, which ensures that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information, and thereby ensures the network quality of the user terminal's access to the intranet.
Referring to FIG. 5, FIG. 5 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of the present application. As shown in the figure, the intranet firewall distribution device 50 includes a processor 501, a memory 502 and a communication interface 503. The processor 501 is connected to the memory 502 and the communication interface 503; for example, the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
The processor 501 is configured to support the intranet firewall distribution device in performing the corresponding functions of the intranet firewall distribution device in the firewall switching methods described in FIG. 2 to FIG. 3. The processor 501 may be a central processing unit (CPU), a network processor (NP), a hardware chip, or any combination thereof. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 502 is used to store program code and the like. The memory 502 includes internal memory, which may include at least one of the following: volatile memory (for example, dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.) and non-volatile memory (for example, one-time programmable read-only memory (OTPROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM)). The memory 502 may also include external memory, which may include at least one of the following: a hard disk drive (HDD) or solid-state drive (SSD), or a flash drive such as compact flash (CF), secure digital (SD), micro SD, mini SD, extreme digital (xD), a memory stick, etc.
The communication interface 503 is used to receive or send data.
The processor 501 may call the program code to perform the following operations:
acquire access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, where the first intranet firewall is the firewall matching the mobile wireless access device that was determined, according to an intranet connection request for the target intranet sent by the mobile wireless access device, from among multiple intranet firewalls deployed for the target intranet after that intranet connection request was received, and the access device status information contains the real-time geographic location of the mobile wireless access device;
when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall, determine a second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet according to the access device status information;
send the second IP address of the second intranet firewall to the mobile wireless access device, so that after the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to an intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
It should be noted that the implementation of each operation may also refer to the corresponding description of the method embodiments shown in FIG. 2 to FIG. 3; the processor 501 may also be used to perform other operations in the above method embodiments.
An embodiment of the present application further provides a computer non-volatile readable storage medium. The computer non-volatile readable storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a computer, cause the computer to perform the method described in the foregoing embodiments. The computer may be a part of the above-mentioned intranet firewall distribution device.
A person of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and when executed, the program may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.

Claims (20)

  1. A firewall switching method, characterized in that it comprises:
    acquiring, by an intranet firewall distribution device, access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, wherein the first intranet firewall is the firewall matching the mobile wireless access device that was determined, according to an intranet connection request for the target intranet sent by the mobile wireless access device, from among multiple intranet firewalls deployed for the target intranet after that intranet connection request was received, and the access device status information contains the real-time geographic location of the mobile wireless access device;
    when the intranet firewall distribution device determines, according to the real-time geographic location, that the mobile wireless access device satisfies a condition for switching the connected firewall, determining, by the intranet firewall distribution device, a second intranet firewall matching the mobile wireless access device from among the multiple intranet firewalls deployed for the target intranet according to the access device status information;
    sending, by the intranet firewall distribution device, a second IP address of the second intranet firewall to the mobile wireless access device, so that after the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, the second intranet firewall routes an intranet access request for the target intranet sent by a user terminal through the mobile wireless access device to an intranet server of the target intranet, and the second intranet firewall further sends an intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  2. The method according to claim 1, wherein the intranet firewall distribution device determining, according to the real-time geographic location, that the mobile wireless access device satisfies the condition for switching the connected firewall comprises:
    the intranet firewall distribution device obtaining deployment locations of the plurality of intranet firewalls deployed for the target intranet;
    when the intranet firewall distribution device determines, according to the real-time geographic location and the deployment locations of the plurality of intranet firewalls deployed for the target intranet, that the first intranet firewall is not the firewall closest to the mobile wireless access device among the plurality of intranet firewalls deployed for the target intranet, determining that the mobile wireless access device satisfies the condition for switching the connected firewall.
  3. The method according to any one of claims 1 to 2, wherein before the intranet firewall distribution device obtains the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, the method further comprises:
    the intranet firewall distribution device receiving the intranet connection request sent by the mobile wireless access device for the target intranet;
    the intranet firewall distribution device determining the current geographic location of the mobile wireless access device according to the intranet connection request;
    the intranet firewall distribution device determining, according to the current geographic location, the first intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet;
    the intranet firewall distribution device sending a first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  4. The method according to claim 3, wherein the intranet firewall distribution device determining, according to the current geographic location, the first intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet comprises:
    the intranet firewall distribution device determining, according to the current geographic location, a first intranet access sub-area for the target intranet in which the mobile wireless access device is located;
    the intranet firewall distribution device determining the first intranet firewall corresponding to the first intranet access sub-area according to a preset correspondence between intranet access sub-areas and firewalls of the target intranet;
    and the intranet firewall distribution device determining, according to the real-time geographic location, that the mobile wireless access device satisfies the condition for switching the connected firewall comprises:
    when the intranet firewall distribution device determines that the mobile wireless access device has moved from the first intranet access sub-area to a second intranet access sub-area for the target intranet, determining that the mobile wireless access device satisfies the condition for switching the connected firewall.
  5. The method according to claim 3, wherein the intranet firewall connection request carries identity verification information of the mobile wireless access device;
    and the intranet firewall distribution device determining the current geographic location of the mobile wireless access device according to the intranet connection request comprises:
    the intranet firewall distribution device performing identity verification on the mobile wireless access device according to the identity verification information;
    after the identity verification passes, the intranet firewall distribution device determining the current geographic location of the mobile wireless access device.
  6. The method according to any one of claims 1 to 5, wherein the intranet firewall distribution device determining, according to the access device status information, the second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet comprises:
    the intranet firewall distribution device determining, according to the real-time geographic location, the second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet.
  7. The method according to any one of claims 1 to 6, wherein the access device status information includes the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet at the time the access device status information is obtained;
    and the intranet firewall distribution device determining, according to the access device status information, the second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet comprises:
    the intranet firewall distribution device determining, as the second intranet firewall, the firewall corresponding to the smallest network delay among the network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet.
  8. The method according to claim 7, wherein before the intranet firewall distribution device determines, according to the access device status information, the second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet, the method further comprises:
    the intranet firewall distribution device sending an access device IP address of the mobile wireless access device to each intranet firewall deployed for the target intranet, so that each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address;
    the intranet firewall distribution device receiving the network delay test messages sent by each intranet firewall and forwarded by the mobile wireless access device, wherein each network delay test message received by the intranet firewall distribution device carries sending time data of the intranet firewall that sent that network delay test message and receiving time data of the mobile wireless access device that received that network delay test message;
    the intranet firewall distribution device determining the network delay between the mobile wireless access device and each intranet firewall according to the sending time data and the receiving time data carried in each received network delay test message.
  9. The method according to any one of claims 1 to 8, wherein the intranet firewall distribution device obtaining access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet comprises:
    the intranet firewall distribution device periodically obtaining access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, or obtaining access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet upon receiving a firewall switching request sent by the mobile wireless access device, the firewall switching request being a request to switch the connected firewall that the mobile wireless access device sends when it determines that the mobile wireless access device satisfies the condition for replacing the connected intranet firewall.
  10. An intranet firewall distribution device, characterized by comprising:
    a status acquiring unit, configured to obtain access device status information of a mobile wireless access device connected to a first intranet firewall of a target intranet, wherein the first intranet firewall is the firewall that, after an intranet connection request for the target intranet sent by the mobile wireless access device was received, was determined according to that intranet connection request to match the mobile wireless access device from among a plurality of intranet firewalls deployed for the target intranet, and the access device status information includes the real-time geographic location of the mobile wireless access device;
    a firewall determining unit, configured to, when it is determined according to the real-time geographic location that the mobile wireless access device satisfies a condition for switching the connected firewall, determine, according to the access device status information, a second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet;
    an address sending unit, configured to send a second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, after which the second intranet firewall routes an intranet access request for the target intranet, sent by a user terminal through the mobile wireless access device, to an intranet server of the target intranet, and the second intranet firewall further sends, through the mobile wireless access device, to the user terminal an intranet request response message returned by the intranet server in response to the intranet access request.
  11. The device according to claim 10, wherein the firewall determining unit is specifically configured to:
    obtain deployment locations of the plurality of intranet firewalls deployed for the target intranet;
    when it is determined, according to the real-time geographic location and the deployment locations of the plurality of intranet firewalls deployed for the target intranet, that the first intranet firewall is not the firewall closest to the mobile wireless access device among the plurality of intranet firewalls deployed for the target intranet, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
  12. The device according to claims 10 to 11, wherein the status acquiring unit is further configured to:
    receive the intranet connection request sent by the mobile wireless access device for the target intranet;
    determine the current geographic location of the mobile wireless access device according to the intranet connection request;
    determine, according to the current geographic location, the first intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet;
    send a first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  13. The device according to claim 12, wherein the status acquiring unit is specifically configured to:
    determine, according to the current geographic location, a first intranet access sub-area for the target intranet in which the mobile wireless access device is located;
    determine the first intranet firewall corresponding to the first intranet access sub-area according to a preset correspondence between intranet access sub-areas and firewalls of the target intranet;
    and the firewall determining unit is specifically configured to:
    when it is determined that the mobile wireless access device has moved from the first intranet access sub-area to a second intranet access sub-area for the target intranet, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
  14. The device according to claim 12, wherein the intranet firewall connection request carries identity verification information of the mobile wireless access device;
    and the status acquiring unit is specifically configured to:
    perform identity verification on the mobile wireless access device according to the identity verification information;
    after the identity verification passes, determine the current geographic location of the mobile wireless access device.
  15. The device according to any one of claims 10 to 14, wherein the firewall determining unit is specifically configured to:
    determine, according to the real-time geographic location, the second intranet firewall matching the mobile wireless access device from among the plurality of intranet firewalls deployed for the target intranet.
  16. The device according to any one of claims 10 to 15, wherein the access device status information includes the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet at the time the access device status information is obtained;
    and the firewall determining unit is specifically configured to:
    determine, as the second intranet firewall, the firewall corresponding to the smallest network delay among the network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet.
  17. The device according to claim 16, wherein the firewall determining unit is further configured to:
    send an access device IP address of the mobile wireless access device to each intranet firewall deployed for the target intranet, so that each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address;
    receive the network delay test messages sent by each intranet firewall and forwarded by the mobile wireless access device, wherein each network delay test message received by the intranet firewall distribution device carries sending time data of the intranet firewall that sent that network delay test message and receiving time data of the mobile wireless access device that received that network delay test message;
    determine the network delay between the mobile wireless access device and each intranet firewall according to the sending time data and the receiving time data carried in each received network delay test message.
  18. The device according to any one of claims 10 to 17, wherein the status acquiring unit is specifically configured to:
    periodically obtain access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, or obtain access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet upon receiving a firewall switching request sent by the mobile wireless access device, the firewall switching request being a request to switch the connected firewall that the mobile wireless access device sends when it determines that the mobile wireless access device satisfies the condition for replacing the connected intranet firewall.
  19. An intranet firewall distribution device, characterized by comprising a processor, a memory, and a communication interface, the processor, the memory, and the communication interface being connected to one another, wherein the communication interface is configured to receive and send data, the memory is configured to store program code, and the processor is configured to call the program code to perform the method according to any one of claims 1 to 9.
  20. A computer non-volatile readable storage medium, characterized in that the computer non-volatile readable storage medium stores a computer program, the computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 9.
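The selection rules spread across claims 1 to 9 (nearest-firewall check of claim 2, sub-area correspondence of claim 4, and minimum-delay choice from forwarded test messages of claims 7 and 8) can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from the patent or its assignee. The firewall names, IP addresses, coordinates, rectangular sub-areas, the haversine distance metric, the `DelayTestMessage` layout and the `run_demo` walkthrough are all constructed assumptions, since the claims fix none of them. Two defensive checks that the claims leave implicit are made explicit: a delay test message is only counted if it names a firewall actually deployed for the target intranet, and a negative delay (firewall and access device clocks disagree) is discarded rather than winning the minimum.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, Optional, Tuple

Location = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass(frozen=True)
class Firewall:
    name: str
    ip: str              # address handed to the access device (claims 1 and 3)
    location: Location   # deployment location (claim 2)


@dataclass(frozen=True)
class DelayTestMessage:
    """Delay test message as forwarded to the distributor (claim 8); layout is assumed."""
    firewall: str
    send_time: float     # stamped by the firewall
    recv_time: float     # stamped by the mobile wireless access device


def distance_km(a: Location, b: Location) -> float:
    """Great-circle distance. The claims fix no metric; haversine is an assumption."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class FirewallDistributor:
    """Hypothetical model of the intranet firewall distribution device (claims 1 to 9)."""

    def __init__(self, firewalls: Iterable[Firewall],
                 sub_areas: Dict[str, Tuple[float, float, float, float]],
                 area_to_firewall: Dict[str, str]) -> None:
        self.firewalls = {fw.name: fw for fw in firewalls}
        self.sub_areas = sub_areas                # name -> (lat_min, lat_max, lon_min, lon_max)
        self.area_to_firewall = area_to_firewall  # preset correspondence of claim 4
        self.connected: Dict[str, str] = {}       # access device id -> connected firewall name

    def assign(self, device: str, fw: Firewall) -> str:
        """Record the connection and return the IP the device connects to (claims 1 and 3)."""
        self.connected[device] = fw.name
        return fw.ip

    # Claim 2: switch when the connected firewall is no longer the nearest one.
    def nearest_firewall(self, loc: Location) -> Firewall:
        return min(self.firewalls.values(), key=lambda fw: distance_km(loc, fw.location))

    def needs_switch_by_distance(self, device: str, loc: Location) -> bool:
        current = self.connected.get(device)
        return current is not None and self.nearest_firewall(loc).name != current

    # Claim 4: map the location to a sub-area; switch when that sub-area's firewall changes.
    def sub_area_of(self, loc: Location) -> Optional[str]:
        lat, lon = loc
        for name, (lat_min, lat_max, lon_min, lon_max) in self.sub_areas.items():
            if lat_min <= lat <= lat_max and lon_min <= lon <= lon_max:
                return name
        return None

    def firewall_for_location(self, loc: Location) -> Optional[Firewall]:
        area = self.sub_area_of(loc)
        return None if area is None else self.firewalls[self.area_to_firewall[area]]

    def needs_switch_by_sub_area(self, device: str, loc: Location) -> bool:
        current = self.connected.get(device)
        target = self.firewall_for_location(loc)
        return current is not None and target is not None and target.name != current

    # Claims 7 and 8: per-firewall delay from forwarded test messages, then the minimum.
    def delays_from_messages(self, msgs: Iterable[DelayTestMessage]) -> Dict[str, float]:
        delays: Dict[str, float] = {}
        for m in msgs:
            if m.firewall not in self.firewalls:
                continue  # only firewalls deployed for this intranet may influence the choice
            delay = m.recv_time - m.send_time
            if delay < 0:
                continue  # firewall and device clocks disagree; the one-way delay is meaningless
            delays[m.firewall] = min(delay, delays.get(m.firewall, delay))
        return delays

    def lowest_delay_firewall(self, delays: Dict[str, float]) -> Optional[Firewall]:
        return None if not delays else self.firewalls[min(delays, key=delays.__getitem__)]


# Constructed sample deployment: two firewalls for one intranet, one sub-area each.
FW_NORTH = Firewall("fw-north", "10.0.1.1", (31.30, 121.50))
FW_SOUTH = Firewall("fw-south", "10.0.2.1", (31.10, 121.50))
SUB_AREAS = {"north": (31.20, 31.40, 121.40, 121.60), "south": (31.00, 31.20, 121.40, 121.60)}
AREA_TO_FW = {"north": "fw-north", "south": "fw-south"}


def run_demo() -> Dict[str, object]:
    """Walk one access device through the claims: initial assignment, a move, then a switch."""
    d = FirewallDistributor([FW_NORTH, FW_SOUTH], SUB_AREAS, AREA_TO_FW)
    device, start, later = "ap-01", (31.31, 121.51), (31.09, 121.49)
    first_ip = d.assign(device, d.firewall_for_location(start))   # claims 3 and 4
    by_distance = d.needs_switch_by_distance(device, later)        # claim 2
    by_area = d.needs_switch_by_sub_area(device, later)            # claim 4
    msgs = [  # constructed delay test messages (claim 8); times in seconds
        DelayTestMessage("fw-north", 100.000, 100.040),
        DelayTestMessage("fw-south", 100.000, 100.015),
        DelayTestMessage("fw-south", 100.500, 100.495),  # negative: skewed clocks, dropped
        DelayTestMessage("fw-rogue", 100.000, 100.001),  # not deployed here, dropped
    ]
    delays = d.delays_from_messages(msgs)
    second = d.lowest_delay_firewall(delays)                       # claim 7
    second_ip = d.assign(device, second) if (by_distance or by_area) else first_ip
    return {"first_ip": first_ip, "switch_by_distance": by_distance,
            "switch_by_area": by_area, "delays": delays, "second_ip": second_ip}
```

Running `run_demo()` assigns the device to `fw-north` from its starting sub-area, detects after the move that both the nearest-firewall rule and the sub-area rule call for a switch, computes delays only for the two deployed firewalls, and hands back the IP of `fw-south` as the second intranet firewall.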

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910503676.5 2019-06-10
CN201910503676.5A CN110324826B (en) 2019-06-10 2019-06-10 Intranet access method and related device

Publications (1)

Publication Number Publication Date
WO2020248369A1 true WO2020248369A1 (en) 2020-12-17

Family

ID=68119495

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/102347 WO2020248369A1 (en) 2019-06-10 2019-08-23 Firewall switching method and related apparatus

Country Status (2)

Country Link
CN (1) CN110324826B (en)
WO (1) WO2020248369A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112492602B (en) * 2020-11-19 2023-08-01 武汉武钢绿色城市技术发展有限公司 5G terminal safety access device, system and equipment

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101635759A (en) * 2009-08-26 2010-01-27 深圳华为通信技术有限公司 Method and device for realizing mobile terminal firewall
CN103051642A (en) * 2013-01-18 2013-04-17 上海云和信息系统有限公司 Method for realizing accessing of local area network equipment in firewall based on VPN (Virtual Private Network) and network system
US20140258448A1 (en) * 2013-03-11 2014-09-11 Xerox Corporation Customer Vetted Device Status Communication System And Method
CN106559304A (en) * 2016-11-15 2017-04-05 乐视控股(北京)有限公司 A kind of connection configuration method and device of VPN

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
CN100525307C (en) * 2006-01-17 2009-08-05 北京邮电大学 Method for crossing firewall under mobile environment
IL181427A0 (en) * 2007-02-19 2007-07-04 Deutsche Telekom Ag Novel dynamic firewall for nsp networks
CN104135461A (en) * 2013-05-02 2014-11-05 中国移动通信集团河北有限公司 Firewall policy processing method and device
US10341296B2 (en) * 2013-09-13 2019-07-02 Vmware, Inc. Firewall configured with dynamic collaboration from network services in a virtual network environment
CN106027463B (en) * 2016-01-21 2019-10-01 李明 A kind of method of data transmission
CN109660459B (en) * 2017-10-10 2021-12-07 中国移动通信集团广东有限公司 Physical gateway and method for multiplexing IP address
CN108683632A (en) * 2018-04-04 2018-10-19 山石网科通信技术有限公司 Firewall security policy method of adjustment and device
CN109076005B (en) * 2018-04-28 2021-02-09 深圳前海达闼云端智能科技有限公司 VPN line switching method and device and electronic equipment

Also Published As

Publication number Publication date
CN110324826A (en) 2019-10-11
CN110324826B (en) 2022-08-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19933086; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19933086; Country of ref document: EP; Kind code of ref document: A1)