WO2020248369A1 - Firewall switching method and related device - Google Patents

Firewall switching method and related device

Info

Publication number
WO2020248369A1
Authority
WO
WIPO (PCT)
Prior art keywords
intranet
firewall
access device
mobile wireless
wireless access
Prior art date
Application number
PCT/CN2019/102347
Other languages
English (en)
Chinese (zh)
Inventor
王绪军
黄成尧
谢文
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2020248369A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/088 Access security using filters or firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent

Definitions

  • This application relates to the field of communications, and in particular to a firewall switching method and related devices.
  • VPN: Virtual Private Network
  • This application provides a firewall switching method and related devices. Through this application, the efficiency of a user's access to a target intranet can be improved, and the network quality of the access to the target intranet can be guaranteed.
  • The first aspect of the embodiments of the present application provides a firewall switching method, including:
  • the intranet firewall distribution device obtains the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, where the first intranet firewall is the firewall that the intranet firewall distribution device, after receiving the intranet connection request for the target intranet sent by the mobile wireless access device, determined from the multiple intranet firewalls deployed for the target intranet according to that request as the one matching the mobile wireless access device, and
  • the access device status information includes the real-time geographic location of the mobile wireless access device;
  • when the intranet firewall distribution device determines from the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall, it determines, according to the access device status information, a second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet;
  • the intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address; after the connection with the first intranet firewall is disconnected, the second intranet firewall routes the intranet access request for the target intranet, sent by the user terminal through the mobile wireless access device, to the
  • intranet server of the target intranet, and the second intranet firewall also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • The second aspect of the embodiments of the present application provides an intranet firewall distribution device, including:
  • a status acquiring unit, configured to acquire the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, where the first intranet firewall is the firewall that the intranet firewall distribution device, after receiving the intranet connection request for the target intranet sent by the mobile wireless access device, determined from the multiple intranet firewalls deployed for the target intranet according to that request as the one matching the mobile wireless access device, and
  • the access device status information includes the real-time geographic location of the mobile wireless access device;
  • a firewall determining unit, configured to determine, when it is found from the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall, a second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
  • an address sending unit, configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address;
  • after the mobile wireless access device connects to the second intranet firewall and disconnects from the first intranet firewall, the second intranet firewall routes the intranet access request for the target intranet, sent by the user terminal through the mobile wireless access device, to the intranet server of the target intranet, and also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • the third aspect of the embodiments of the present application provides an intranet firewall distribution device, including a processor, a memory, and a communication interface.
  • the processor, the memory, and the communication interface are connected to each other, wherein the communication interface is used to receive and send data
  • the memory is used to store program code, and the processor is used to call the program code.
  • when the program code is executed by a computer, the computer executes the method of the first aspect or of any of its possible implementations.
  • the fourth aspect of the embodiments of the present application provides a computer non-volatile readable storage medium
  • the computer non-volatile readable storage medium stores a computer program
  • the computer program includes program instructions
  • when the program instructions are executed by a computer, the computer executes the method of the first aspect or of any of its possible implementations.
  • the user does not need to configure any parameters before accessing the target intranet, which improves the access efficiency for the target intranet.
  • the intranet firewall distribution device determines that the mobile wireless access device meets the requirement of switching the connected firewall based on the real-time geographic location.
  • the second intranet firewall is re-allocated to the mobile wireless access device, so that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information, guaranteeing the network quality of the user terminal's access to the intranet.
  • FIG. 1 is a schematic diagram of a framework of an intranet access system provided by an embodiment of this application;
  • FIG. 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of system interaction of another firewall switching method provided by an embodiment of the application.
  • FIG. 4 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of the application.
  • Fig. 5 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of the application.
  • firewall switching method and related devices provided by the embodiments of the present application will be described with reference to FIGS. 1 to 5.
  • Figure 1 is a schematic diagram of the framework of an intranet access system provided by an embodiment of the application.
  • intranet firewall 1, intranet firewall 2 and intranet firewall 3 are the three intranet firewalls deployed for the target intranet; mobile wireless access device 1 and mobile wireless access device 2 are both connected to intranet firewall 1, mobile wireless access device 3 is connected to intranet firewall 3, user terminal 1 is connected to mobile wireless access device 2, and user terminal 2 is connected to a mobile wireless access device.
  • the target intranet is a local communication network that interconnects various computers, servers, and databases in a local geographic area of a specific enterprise, a specific institution, a specific school, etc.
  • when a terminal or server in the target intranet communicates with another terminal or server in the target intranet, the exchange takes place at the data link layer and the messages do not need to pass through a router; communication with a terminal or server outside the target intranet takes place at the network layer.
  • a message sent by a terminal or server in the target intranet must be routed by the router to the terminal or server outside the target intranet, and
  • the reply returned by the outside terminal or server must be routed, after network address translation by the router, to the terminal or server in the target intranet.
  • the intranet firewalls deployed for the target intranet may be firewalls deployed at locations around the world that filter the data packets entering and leaving the target intranet.
  • an intranet firewall connects to the router of the target intranet over the WAN, and
  • through that router reaches the intranet server of the target intranet.
  • the mobile wireless access device is a mobile wireless access device that can transmit wireless network signals and has a routing function.
  • the mobile wireless access device may access a mobile data network through an inserted SIM (Subscriber Identity Module) card; it may also access a wired network through a network cable, or a wireless network by connecting to Wi-Fi.
  • the user terminal can access the wireless network transmitted by the mobile wireless access device to connect with the mobile wireless access device.
  • SIM: Subscriber Identity Module
  • the intranet firewall distribution device may be a device that provides domain name resolution for the target intranet and stores the IP address and deployment location of each intranet firewall deployed for the target intranet, such as a GTM (Global Traffic Manager) device.
  • GTM: Global Traffic Manager
  • the user terminal may be a terminal device with a wireless network receiving function, such as a notebook computer, a mobile phone, and a tablet computer.
  • Figure 2 is a schematic diagram of system interaction of a firewall switching method provided by an embodiment of the application. As shown in the figure, the method may include:
  • S201 The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.
  • the mobile wireless access device may send the intranet connection request to the intranet firewall distribution device when it is triggered to start, after receiving a user instruction to enable access to the target intranet, or when it receives an intranet access request for the target intranet from a connected user terminal.
  • the intranet connection request may carry the intranet domain name of the target intranet, so that the intranet firewall distribution device determines the intranet connection request for the target intranet after analyzing the intranet domain name.
  • S202 The intranet firewall distribution device determines the current geographic location of the mobile wireless access device according to the intranet connection request.
  • the intranet connection request may carry the geographic location of the mobile wireless access device, and the intranet firewall distribution device directly obtains the geographic location of the mobile wireless access device from the intranet connection request;
  • the intranet connection request may instead carry positioning information of the mobile wireless access device, from which the intranet firewall distribution device determines the location using a positioning technique; for example, the positioning information may be the IP address of the mobile wireless access device, GPS data, Wi-Fi access point information or serving base station information, and the positioning technique may be IP positioning, GPS positioning, Wi-Fi positioning or base station positioning, respectively.
  • the intranet connection request sent by the mobile wireless access device may also carry identity verification information of the mobile wireless access device, and the intranet firewall distribution device may verify the identity of the mobile wireless access device according to that information and
  • determine the current geographic location of the mobile wireless access device only after the identity verification has passed.
  • the identity verification information carried in the intranet connection request may be one of the access device identification code, the user name and password entered by the user, or the digital certificate of the mobile wireless access device.
  • S203 The intranet firewall distribution device determines, according to the current geographic location, a first intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet.
  • the intranet firewall distribution device may store the IP addresses and deployment locations of the firewalls deployed separately for several intranets.
  • for example, the intranet firewall distribution device of company M can store both the IP addresses and deployment locations of the intranet firewalls deployed for subsidiary A's intranet and those of the intranet firewalls deployed for subsidiary B's intranet.
  • the intranet connection request may carry the intranet domain name of the target intranet, so that the intranet firewall distribution device, after receiving the request, resolves the domain name, determines that
  • the request is an intranet connection request for the target intranet, and obtains the IP addresses and deployment locations of the multiple intranet firewalls deployed for the target intranet.
  • in one implementation, the intranet firewall distribution device determines, from the geographic location and the deployment position of each intranet firewall deployed for the target intranet, which of those firewalls is closest to the mobile wireless access device, and takes that firewall as the first intranet firewall.
  • in another implementation, the whole access area of the target intranet is divided in advance into intranet access sub-areas, one for each intranet firewall of the target intranet, and the correspondence between intranet access sub-areas and intranet firewalls of the target intranet is preset in the intranet firewall distribution device.
  • the intranet firewall distribution device then determines from the geographic location of the mobile wireless access device the first intranet access sub-area in which the device is located, and takes the intranet firewall corresponding to that sub-area as the first intranet firewall.
  • S204 The intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.
  • S205 The mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the mobile wireless access device sends a firewall connection request to the first intranet firewall at the first IP address, so that the first intranet firewall establishes
  • a connection with the mobile wireless access device according to the firewall connection request.
  • in one implementation, the firewall connection request carries the access device identification code of the mobile wireless access device, such as a MAC address, and the first intranet firewall determines that identity authentication of the mobile wireless access device has passed when that identification code is one of the preset identification codes of access devices allowed to connect.
  • in another implementation, the firewall connection request carries the user name and password input by the user through the mobile wireless access device, and
  • the first intranet firewall determines that identity authentication of the mobile wireless access device has passed when the user name and password are one of the preset user name and password pairs allowed to connect.
  • in another implementation, the firewall connection request carries the digital certificate of the mobile wireless access device, and
  • the first intranet firewall determines the certificate issuer of the access device digital certificate from the
  • issuer information carried in that certificate; after the first intranet firewall obtains the issuer's own digital certificate, it uses the issuer
  • public key contained in that certificate to decrypt the digital signature in the access device digital certificate and so obtains the certificate fingerprint of the access device digital certificate.
  • the first intranet firewall also applies the specified
  • hash algorithm to the access device digital certificate to obtain its hash value; when the hash value it computed matches the certificate fingerprint recovered from the signature, it determines that identity authentication of the mobile wireless access device has passed.
  • the mobile wireless access device then initiates a TCP three-way handshake with the first intranet firewall to establish a connection based on the TCP/IP protocol suite.
  • the specific steps are as follows: the mobile wireless access device sends a SYN (synchronize sequence numbers) packet to the first intranet firewall; after receiving the SYN packet, the first intranet firewall sends a SYN+ACK (acknowledgement) packet to the mobile wireless access device; after receiving the SYN+ACK packet, the mobile wireless access device sends an ACK packet back to the first intranet firewall; once the first intranet firewall receives that ACK packet, the connection between the mobile wireless access device and the first intranet firewall is established.
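The three identity checks the first intranet firewall may apply to a firewall connection request (identification code, user name and password, digital certificate), as an added example that is not the patent's own code. The allowlists, user record, certificate layout and the textbook RSA used to make the signature check run offline are all constructed for the example; a deployment would use a real PKI library. Two points a practitioner will want beyond the text: an identification code such as a MAC address names a device but is not a secret, so it is the weakest of the three; and the signature check here, like the one described above, recovers the fingerprint from the signature and compares it with a hash of the certificate body, which in X.509 is the to-be-signed portion (the signature cannot be inside what it signs), with validity period and revocation checks added on top.

```python
"""Added example, not the patent's code: the three identity checks a first intranet
firewall may apply to a firewall connection request.  Toy RSA, JSON certificate layout,
allowlists and names are constructed for the example only."""
import hashlib
import hmac
import json
import random

_rng = random.Random(2019)  # seeded so the demo is reproducible; never do this for real keys


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, adequate for a demo key; real keys come from a vetted library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 512):
    """Textbook RSA (public, private) pair; no padding, demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _fingerprint(tbs: dict) -> int:
    """SHA-256 over the to-be-signed fields, as an integer below any 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")


def issue_cert(issuer: str, issuer_priv: dict, subject: str, subject_pub: dict) -> dict:
    """The certificate issuer signs the fingerprint of the certificate body."""
    tbs = {"issuer": issuer, "subject": subject, "pub": subject_pub}
    return {"tbs": tbs, "sig": pow(_fingerprint(tbs), issuer_priv["d"], issuer_priv["n"])}


def verify_cert(cert: dict, trusted_issuers: dict) -> bool:
    """The firewall's check: look up the issuer, recover the fingerprint from the signature
    with the issuer's public key, hash the certificate body itself, compare the two."""
    issuer_pub = trusted_issuers.get(cert["tbs"].get("issuer"))
    if issuer_pub is None:
        return False  # unknown issuer: there is nothing trustworthy to verify against
    recovered = pow(cert["sig"], issuer_pub["e"], issuer_pub["n"])
    return recovered == _fingerprint(cert["tbs"])


ALLOWED_DEVICE_IDS = {"02:00:5e:10:00:01", "02:00:5e:10:00:02"}  # constructed allowlist
_SALT = b"constructed-salt"


def _password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


ALLOWED_USERS = {"alice": (_SALT, _password_digest("correct horse battery", _SALT))}


def check_device_id(device_id: str) -> bool:
    return device_id.lower() in ALLOWED_DEVICE_IDS


def check_credentials(username: str, password: str) -> bool:
    record = ALLOWED_USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _password_digest(password, salt))  # constant time


def authenticate(request: dict, trusted_issuers: dict) -> bool:
    """Dispatch on whichever credential the firewall connection request carries."""
    if "cert" in request:
        return verify_cert(request["cert"], trusted_issuers)
    if "username" in request:
        return check_credentials(request["username"], request.get("password", ""))
    if "device_id" in request:
        return check_device_id(request["device_id"])
    return False
```

A tampered certificate body (for instance a changed subject) changes the computed hash, so the recovered fingerprint no longer matches; a certificate from an issuer the firewall does not trust is rejected before any arithmetic is done.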
  • S206 The intranet firewall distribution device obtains the access device status information of the mobile wireless access device connected to the first intranet firewall.
  • the access device status information may include the real-time geographic location of the mobile wireless access device at the time the status information is acquired, and may also include, at that time, the
  • network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet. The real-time geographic location may be determined by the intranet firewall distribution device through IP positioning, GPS positioning, Wi-Fi positioning, base station positioning or another positioning method from positioning information sent by the mobile wireless access device, or may be sent directly by the mobile wireless access device to the intranet firewall distribution device.
  • the network delay between the mobile wireless access device and each intranet firewall may be a one-way delay or a round-trip delay.
  • the network delay may be measured by the intranet firewall distribution device itself, or measured by the mobile wireless access device or by each intranet firewall and then sent to the intranet firewall distribution device.
  • the intranet firewall distribution device may periodically obtain the current access device status information of the mobile wireless access device and then, in each period, determine from the real-time geographic location it contains whether the mobile wireless access device satisfies the condition for switching the connected firewall. It may instead obtain the access device status information when it receives a firewall switching request from the mobile wireless access device, and then confirm from the real-time geographic location whether the device really satisfies that condition. Such a firewall switching request is sent by the mobile wireless access device when it judges, from its own geographic location or from the state of its current intranet connection, that the intranet firewall it is connected to should be replaced. For example, the mobile wireless access device may monitor the packet loss rate of the messages exchanged with the first intranet firewall and send a firewall switching request to the intranet firewall distribution device when the packet loss rate exceeds a preset threshold.
  • the intranet firewall distribution device determining that the mobile wireless access device satisfies the condition for switching the connected firewall may include the following. In one implementation, the intranet firewall distribution device obtains the deployment positions of the multiple intranet firewalls deployed for the target intranet and determines, from the real-time geographic location and those deployment positions, that the first intranet firewall is no longer the intranet firewall closest to the mobile wireless access device among them.
  • in another implementation, the intranet firewall distribution device determines that the condition is satisfied when it finds that the mobile wireless access device has moved from the first intranet access sub-area to a second intranet access sub-area of the target intranet.
  • S207 In one implementation, the intranet firewall distribution device determines the second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the real-time geographic location contained in the access device status information.
  • the way the intranet firewall distribution device determines the second intranet firewall from the real-time geographic location is the same as the way it determines the first intranet firewall in step S203 from the geographic location obtained in step S202, and is not repeated here.
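Location-based allocation of the first firewall (step S203, both the nearest-deployment and the sub-area variant), the domain lookup of S202, and the switch test of S206/S207 that reuses the same selection, as an added example that is not the patent's code. The domain, firewall names, IP addresses, coordinates, sub-area boxes and the 50 km hysteresis margin are all constructed; the margin is an addition not in the text, there so that a device moving along the boundary between two deployments does not switch back and forth.

```python
"""Added example, not the patent's code: location-based firewall allocation and the
switch condition.  Domain, firewalls, coordinates and sub-areas are constructed."""
import math

# Per-intranet deployment table: firewall name -> (firewall IP, (latitude, longitude)).
DEPLOYMENTS = {
    "intranet.example": {
        "fw-1": ("203.0.113.10", (22.54, 114.06)),
        "fw-2": ("203.0.113.20", (31.23, 121.47)),
        "fw-3": ("203.0.113.30", (39.90, 116.40)),
    },
}

# Pre-divided access sub-areas: (lat_min, lat_max, lon_min, lon_max) -> firewall name.
SUBAREAS = {
    "intranet.example": [
        ((18.0, 27.0, 108.0, 120.0), "fw-1"),
        ((27.0, 35.0, 115.0, 125.0), "fw-2"),
        ((35.0, 45.0, 110.0, 125.0), "fw-3"),
    ],
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearest_firewall(domain, location, exclude=()):
    """Closest eligible deployed firewall as (name, ip, km), or None if there is none."""
    candidates = {n: v for n, v in DEPLOYMENTS.get(domain, {}).items() if n not in exclude}
    if not candidates:
        return None
    name, (ip, pos) = min(candidates.items(), key=lambda kv: haversine_km(location, kv[1][1]))
    return name, ip, haversine_km(location, pos)


def subarea_firewall(domain, location):
    """Sub-area variant: the firewall preset for the box the device is in, or None."""
    lat, lon = location
    for (lat_min, lat_max, lon_min, lon_max), name in SUBAREAS.get(domain, []):
        if lat_min <= lat < lat_max and lon_min <= lon < lon_max:
            return name, DEPLOYMENTS[domain][name][0]
    return None


def allocate(request):
    """Steps S202-S204: resolve the intranet domain in the request, use the device's
    location, and return the first firewall's IP (None for an unknown domain or no location)."""
    domain, location = request.get("domain"), request.get("location")
    if domain not in DEPLOYMENTS or location is None:
        return None
    if request.get("strategy") == "subarea":
        hit = subarea_firewall(domain, location)
        if hit:
            return hit[1]
    return nearest_firewall(domain, location)[1]  # outside every sub-area: fall back to distance


def should_switch(domain, current_fw, location, packet_loss=0.0,
                  loss_threshold=0.05, margin_km=50.0):
    """Steps S206/S207: returns (switch, new_firewall_name).  Switch when the device
    reports packet loss above the threshold (the text's example trigger) or when the
    connected firewall is no longer the nearest one by more than margin_km."""
    best = nearest_firewall(domain, location)
    if best is None:
        return False, None
    if packet_loss > loss_threshold:
        alt = nearest_firewall(domain, location, exclude={current_fw})
        return (True, alt[0]) if alt else (False, None)
    name, _ip, best_km = best
    if name == current_fw:
        return False, None
    current = DEPLOYMENTS[domain].get(current_fw)
    if current is None:
        return True, name  # connected to a firewall no longer in the table: reallocate
    if haversine_km(location, current[1]) - best_km <= margin_km:
        return False, None  # within the hysteresis band: stay put
    return True, name
```

Under packet loss the selection excludes the current firewall on purpose: the nearest deployment is usually the one the device is already connected to, and re-selecting it would leave the device on the lossy path.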
  • S208 The intranet firewall distribution device sends the second IP address of the second intranet firewall to the mobile wireless access device.
  • S209 The mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address.
  • the mobile wireless access device initiates a TCP three-way handshake with the second intranet firewall to establish a connection based on the TCP/IP protocol suite,
  • in the same way as the connection with the first intranet firewall was established in step S205, which is not repeated here.
  • S210 The mobile wireless access device disconnects from the first intranet firewall.
  • the mobile wireless access device initiates the four-way FIN/ACK exchange that closes its TCP/IP connection with the first intranet firewall.
  • the specific steps are as follows: the mobile wireless access device sends a FIN (finish) packet to the first intranet firewall; after receiving the FIN packet, the first intranet firewall sends an ACK packet to the mobile wireless access device; the first intranet firewall then sends its own FIN packet to the mobile wireless access device; after receiving that FIN packet, the mobile wireless access device sends an ACK packet to the first intranet firewall; once the first intranet firewall receives that ACK packet, the disconnection between the mobile wireless access device and the first intranet firewall is complete.
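The make-before-break order of steps S209 and S210 carried out over real TCP on the loopback interface, as an added example that is not the patent's code. Two stub listeners on ephemeral ports stand in for the first and second intranet firewalls; their names and the event strings are constructed. connect() runs the kernel's three-way handshake described under S205, and close() on the device side starts the FIN/ACK exchange described above, which the stub observes as recv() returning an empty byte string.

```python
"""Added example, not the patent's code: connect to the second firewall before closing the
first one, over real TCP on 127.0.0.1.  Stub names and events are constructed."""
import socket
import threading


class FirewallStub:
    """Accepts one client and records when it connected and when its FIN arrived."""

    def __init__(self, name, events):
        self.name, self.events = name, events
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port
        self.listener.listen(1)
        self.listener.settimeout(5)
        self.address = self.listener.getsockname()
        self.connected, self.closed = threading.Event(), threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        try:
            conn, _ = self.listener.accept()  # completes the three-way handshake
        except OSError:
            return  # nobody connected within the timeout
        finally:
            self.listener.close()
        self.events.append(f"{self.name}: device connected")
        self.connected.set()
        with conn:
            conn.settimeout(5)
            try:
                while conn.recv(1024):  # intranet traffic would be forwarded here
                    pass                # b'' means the peer's FIN has arrived
            except OSError:
                pass
        self.events.append(f"{self.name}: device disconnected")
        self.closed.set()


def switch_firewall(current_conn, second_address, second_ready):
    """S209 then S210: bring up the connection to the second firewall and tear the first
    one down only once the second is established, so the device is never without a
    firewall.  Waiting on second_ready keeps the recorded event order deterministic."""
    new_conn = socket.create_connection(second_address, timeout=5)  # SYN, SYN+ACK, ACK
    if not second_ready.wait(5):
        new_conn.close()
        raise RuntimeError("second firewall did not accept the connection")
    current_conn.close()  # FIN, ACK, FIN, ACK with the first firewall
    return new_conn


def run_switch_demo():
    """Returns the lifecycle events seen by the two stubs, in order."""
    events = []
    fw1, fw2 = FirewallStub("fw-1", events), FirewallStub("fw-2", events)
    conn1 = socket.create_connection(fw1.address, timeout=5)  # S205
    fw1.connected.wait(5)
    conn2 = switch_firewall(conn1, fw2.address, fw2.connected)  # S209 + S210
    fw1.closed.wait(5)
    conn2.close()  # end of the demo: release the second connection too
    fw2.closed.wait(5)
    return events


if __name__ == "__main__":
    for line in run_switch_demo():
        print(line)
```

If the second connect() fails, the exception propagates before the first connection is touched, which is the property the step order is meant to give: a failed switch leaves the device on the first firewall rather than on none.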
  • S211 The user terminal sends an intranet access request for the target intranet to the mobile wireless access device.
  • before this, the user terminal may send a wireless network connection request to the mobile wireless access device, and the mobile wireless access device may establish the connection with the user terminal directly, or only after verifying the user terminal identity information carried in the wireless network connection request.
  • the user terminal identity information may be the user name and password entered on the user terminal to join the wireless network established by the mobile wireless access device, biometric information received by the
  • user terminal, or the terminal equipment identification information of the user terminal.
  • step S211 is performed after step S210, that is, the intranet access request of step S211 is one that the user terminal sends for the target intranet after the mobile wireless access device has disconnected from the first intranet firewall.
  • S212 The mobile wireless access device sends the intranet access request to the second intranet firewall.
  • S213 The second intranet firewall routes the intranet access request to the intranet server of the target intranet.
  • the intranet access request is an access request for a server in the target intranet, for example a request to a Web server, an FTP server or a mail server in the target intranet.
  • after the second intranet firewall receives the intranet access request sent by the mobile wireless access device, it sends the request to the router of the target intranet over the external network, and the router routes the request through the target intranet to the corresponding intranet server.
  • S214 The intranet server returns an intranet request response message in response to the intranet access request to the second intranet firewall.
  • after the intranet server generates the intranet request response message, it sends the message through the target intranet to the router of the target intranet, and the router sends it to the second intranet firewall over the external network.
  • for example, if the intranet access request is a request to obtain a file from a file server in the target intranet,
  • the intranet request response message may be the file sent by the file server.
  • S215 The second intranet firewall sends the intranet request response message to the mobile wireless access device.
  • S216 The mobile wireless access device sends the intranet request response message to the user terminal.
  • in summary, after the intranet firewall distribution device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates, according to that request, a matching first intranet firewall to the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet.
  • the user does not need to configure any parameters before accessing the target intranet, which improves the efficiency of access to the target intranet.
  • after the mobile wireless access device connects to the first intranet firewall, the intranet firewall distribution device judges from the real-time geographic location of the mobile wireless access device whether the condition for switching firewalls is satisfied.
  • if it is, the intranet firewall distribution device allocates a second intranet firewall to the mobile wireless access device according to the access device status information of the device connected to the first intranet firewall; the mobile wireless access device establishes a connection with the second intranet firewall, disconnects from the first intranet firewall, and then provides the user terminal with access to the target intranet through its connection with the second intranet firewall.
  • because the intranet firewall distribution device determines from the real-time geographic location that the mobile wireless access device satisfies the condition for switching the connected firewall and
  • re-allocates the second intranet firewall to the mobile wireless access device, the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information, guaranteeing the network quality of the user terminal's access to the intranet.
  • FIG. 3 is a schematic diagram of system interaction of another firewall switching method provided by an embodiment of the application. As shown in the figure, the method may include:
  • S301 The mobile wireless access device sends an intranet connection request for the target intranet to the intranet firewall distribution device.
  • the intranet firewall distribution device determines the current network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the intranet connection request.
  • One implementation manner for the intranet firewall distribution device to determine the current network delay between the mobile wireless access device and each intranet firewall may be: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; the mobile wireless access device forwards each received network delay test message to the intranet firewall distribution device; and the intranet firewall distribution device determines the current network delay from the forwarded network delay test message of each intranet firewall deployed in the target intranet.
  • Another implementation manner for the intranet firewall distribution device to determine the current network delay between the mobile wireless access device and each intranet firewall may be: the intranet firewall distribution device sends to the mobile wireless access device the firewall IP address of each intranet firewall deployed for the target intranet; the mobile wireless access device sends a network delay test message to each intranet firewall according to the firewall IP address; each intranet firewall forwards the received network delay test message to the intranet firewall distribution device; the network delay test message received by the intranet firewall distribution device carries the sending time data at which the mobile wireless access device sent it and the receiving time data at which the intranet firewall deployed for the target intranet received it; and the intranet firewall distribution device determines the target network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet according to the sending time data and receiving time data carried in each received network delay test message.
  • An implementation manner in which the mobile wireless access device itself determines the current network delay between it and each intranet firewall may be: the intranet firewall distribution device sends to the mobile wireless access device the firewall IP address of each intranet firewall deployed in the target intranet; the mobile wireless access device sends a network delay test message to each intranet firewall according to the IP address; each intranet firewall returns the network delay test message to the mobile wireless access device after receiving it; and the mobile wireless access device determines the network delay between itself and each intranet firewall according to the sending time data of the network delay test message it sent to that firewall and the receiving time data of the network delay test message returned by that firewall.
  • An implementation manner in which each intranet firewall deployed in the target intranet itself determines the current network delay between the mobile wireless access device and that firewall may be: the intranet firewall distribution device sends the access device IP address of the mobile wireless access device to each intranet firewall; each intranet firewall sends a network delay test message to the mobile wireless access device according to the access device IP address; after receiving the network delay test message sent by an intranet firewall, the mobile wireless access device returns it to that intranet firewall; and each intranet firewall determines the network delay between the mobile wireless access device and itself according to the sending time data of the network delay test message it sent and the receiving time data of the network delay test message returned by the mobile wireless access device.
  • the intranet firewall distribution device determines a first intranet firewall matched by the mobile wireless access device from among multiple intranet firewalls deployed for the target intranet according to the current network delay.
  • Specifically, among the current network delays between the mobile wireless access device and each intranet firewall deployed for the target intranet, the intranet firewall distribution device determines the intranet firewall corresponding to the smallest network delay as the first intranet firewall.
  • the intranet firewall distribution device sends the first IP address of the first intranet firewall to the mobile wireless access device.
  • the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the intranet firewall distribution device obtains the access device status information of the mobile wireless access device.
  • the access device status information includes the real-time network delay between the mobile wireless access device and each intranet firewall, and the intranet firewall corresponding to the smallest of these real-time network delays is determined as the second intranet firewall.
  • the second IP address of the second intranet firewall is sent to the mobile wireless access device, so that the mobile wireless access device switches the intranet firewall it is connected to from the first intranet firewall to the second intranet firewall; for the specific implementation steps, refer to steps S208 to S216 in the embodiment corresponding to FIG. 2, which are not described again here.
  • In the embodiment of this application, after the intranet firewall distribution device receives the intranet connection request for the target intranet sent by the mobile wireless access device, it assigns to the mobile wireless access device, as the first intranet firewall, the one among the multiple intranet firewalls deployed for the target intranet that has the smallest current network delay to the mobile wireless access device.
  • When the intranet firewall distribution device determines that the first intranet firewall is no longer the intranet firewall with the smallest network delay to the mobile wireless access device, it determines the intranet firewall that now has the smallest network delay to the mobile wireless access device as the second intranet firewall to which the mobile wireless access device is switched.
  • After the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall and provides the user terminal with the service of accessing the target intranet through the connection with the second intranet firewall.
  • The user does not need to configure any parameters before accessing the target intranet, which improves the access efficiency for the target intranet.
  • When the intranet firewall distribution device determines that the mobile wireless access device meets the conditions for switching the connected intranet firewall, it ensures that the mobile wireless access device is connected to the second intranet firewall, the one with the smallest network delay to the mobile wireless access device, thereby ensuring the network quality of the user terminal accessing the intranet.
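The delay-based assignment and switching described for FIG. 3, as an added example rather than code from the patent or its applicant: it models the second implementation manner above (each network delay test message carries the sending time stamped by the mobile wireless access device and the receiving time stamped by the intranet firewall, and is forwarded to the distribution device), assigns the first intranet firewall with the smallest delay, and later re-evaluates whether the connected firewall is still the one with the smallest real-time delay. The class and function names, the firewall ids and IP addresses, and the timestamp values are all constructed for the example; discarding negative delay samples and samples for unknown firewall ids is an added check that the page does not specify.

```python
"""Delay-based firewall assignment and switching, modelled on the FIG. 3 flow (example code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class DelayTestMessage:
    """A network delay test message as forwarded to the distribution device.

    send_ms is the sending time data stamped by the mobile wireless access
    device; recv_ms is the receiving time data stamped by the intranet firewall.
    """
    firewall_id: str
    send_ms: float
    recv_ms: float

    def one_way_delay_ms(self) -> float:
        return self.recv_ms - self.send_ms


@dataclass
class AccessDeviceState:
    """Access device status information kept per mobile wireless access device."""
    device_id: str
    connected_firewall: Optional[str] = None
    delays_ms: Dict[str, float] = field(default_factory=dict)


class FirewallDistributionDevice:
    """Hypothetical intranet firewall distribution device (name is an assumption)."""

    def __init__(self, firewalls: Dict[str, str]) -> None:
        # firewall_id -> firewall IP address; constructed sample values in demo()
        self.firewalls = dict(firewalls)
        self.devices: Dict[str, AccessDeviceState] = {}

    def delays_from_messages(self, messages: Iterable[DelayTestMessage]) -> Dict[str, float]:
        """Turn the forwarded test messages into a per-firewall delay table.

        Samples naming a firewall that was not deployed are ignored, and a
        negative one-way delay (unsynchronised clocks or a bad timestamp) is
        discarded instead of being ranked as the "fastest" firewall.
        """
        delays: Dict[str, float] = {}
        for msg in messages:
            if msg.firewall_id not in self.firewalls:
                continue
            delay = msg.one_way_delay_ms()
            if delay < 0:
                continue
            # keep the smallest sample if one firewall reported several
            delays[msg.firewall_id] = min(delay, delays.get(msg.firewall_id, delay))
        missing = set(self.firewalls) - set(delays)
        if missing:
            raise ValueError(f"no usable delay sample for: {sorted(missing)}")
        return delays

    @staticmethod
    def select_min_delay(delays: Dict[str, float]) -> str:
        """Firewall with the smallest delay; ties are broken by firewall id."""
        return min(sorted(delays), key=lambda fw: delays[fw])

    def handle_connection_request(self, device_id: str,
                                  messages: Iterable[DelayTestMessage]) -> str:
        """Step S301 onward: assign the first intranet firewall and return its IP."""
        delays = self.delays_from_messages(messages)
        first = self.select_min_delay(delays)
        self.devices[device_id] = AccessDeviceState(device_id, first, delays)
        return self.firewalls[first]

    def evaluate_switch(self, device_id: str,
                        messages: Iterable[DelayTestMessage]) -> Optional[str]:
        """Refresh the real-time delays; return the second firewall's IP when a switch is due.

        The condition is the one the page states for FIG. 3: the connected
        firewall is no longer the one with the smallest real-time delay.
        """
        state = self.devices[device_id]
        state.delays_ms = self.delays_from_messages(messages)
        best = self.select_min_delay(state.delays_ms)
        if best == state.connected_firewall:
            return None
        return self.firewalls[best]

    def confirm_switch(self, device_id: str, firewall_id: str) -> None:
        """Record the new connection once the device reports it has been established."""
        if firewall_id not in self.firewalls:
            raise ValueError(f"unknown firewall {firewall_id!r}")
        self.devices[device_id].connected_firewall = firewall_id


def demo() -> List[Optional[str]]:
    """Constructed sample run: fw-b has the smallest delay at first, fw-c later."""
    distributor = FirewallDistributionDevice(
        {"fw-a": "10.0.0.1", "fw-b": "10.0.0.2", "fw-c": "10.0.0.3"})
    initial = [DelayTestMessage("fw-a", 1000.0, 1045.0),
               DelayTestMessage("fw-b", 1000.0, 1012.0),
               DelayTestMessage("fw-c", 1000.0, 1030.0)]
    later = [DelayTestMessage("fw-a", 5000.0, 5050.0),
             DelayTestMessage("fw-b", 5000.0, 5040.0),
             DelayTestMessage("fw-c", 5000.0, 5008.0)]
    results = [distributor.handle_connection_request("ap-1", initial)]
    results.append(distributor.evaluate_switch("ap-1", later))
    distributor.confirm_switch("ap-1", "fw-c")
    results.append(distributor.evaluate_switch("ap-1", later))
    return results


if __name__ == "__main__":
    print(demo())  # ['10.0.0.2', '10.0.0.3', None]
```

One-way delays computed from sending and receiving time data only mean something when the access device and the firewalls share a clock; a negative or implausibly small sample should be treated as a measurement fault rather than as a reason to prefer that firewall, which is why the example drops it. The identity verification information the page attaches to the connection request is the natural place to bind the test messages to an authenticated access device, so that the delay table the distribution device selects from is built only from messages of the device it is assigning a firewall to.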
  • FIG. 4 is a schematic structural diagram of an intranet firewall distribution device provided by an embodiment of the application.
  • the intranet firewall distribution device 40 may at least include a status obtaining unit 401, a firewall determining unit 402, and an address sending unit 403, where:
  • the status obtaining unit 401 is configured to obtain the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, the first intranet firewall being the firewall matching the mobile wireless access device that was determined, according to the intranet connection request, from the multiple intranet firewalls deployed for the target intranet after the intranet connection request for the target intranet was received; the access device status information includes the real-time geographic location of the mobile wireless access device;
  • the firewall determining unit 402 is configured to, when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the conditions for switching the connected firewall, determine the second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
  • the address sending unit 403 is configured to send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall; the second intranet firewall routes the intranet access request for the target intranet, sent by the user terminal through the mobile wireless access device, to the intranet server of the target intranet, and also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • the firewall determining unit 402 is specifically configured to: determine, according to the real-time geographic location and the deployment positions of the multiple intranet firewalls deployed for the target intranet, whether the first intranet firewall is the intranet firewall closest to the mobile wireless access device among them, and when it is not, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
  • the status obtaining unit 401 is further configured to: send the first IP address of the first intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the first intranet firewall according to the first IP address.
  • the status obtaining unit 401 is specifically configured to:
  • the firewall determining unit 402 is specifically configured to: when it is determined that the mobile wireless access device has moved from the first intranet access sub-area to the second intranet access sub-area of the target intranet, determine that the mobile wireless access device satisfies the condition for switching the connected firewall.
  • the intranet firewall connection request carries identity verification information of the mobile wireless access device.
  • the status obtaining unit 401 is specifically configured to: determine the current geographic location of the mobile wireless access device.
  • the firewall determining unit 402 is specifically configured to: determine a second intranet firewall matching the mobile wireless access device from the plurality of intranet firewalls deployed for the target intranet.
  • the access device status information includes the network delay between the mobile wireless access device and each intranet firewall deployed for the target intranet at the time the access device status information is acquired;
  • the firewall determining unit 402 is specifically configured to: determine the intranet firewall corresponding to the smallest of these network delays as the second intranet firewall.
  • firewall determining unit 402 is further configured to:
  • the status obtaining unit 401 is specifically configured to: obtain, in response to the firewall switching request sent by the mobile wireless access device, the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, where the firewall switching request is the request to switch the connected firewall that the mobile wireless access device sends when it determines that it needs to replace the connected intranet firewall.
  • the intranet firewall distribution device can execute each step performed by the intranet firewall distribution device in the firewall switching method shown in Figures 2 to 3 through its built-in functional modules.
  • For the implementation details of each step, refer to the embodiments corresponding to FIG. 2 and FIG. 3; they are not repeated here.
  • In the embodiment of this application, after the status obtaining unit receives the intranet connection request for the target intranet sent by the mobile wireless access device, it allocates, from the multiple intranet firewalls deployed for the target intranet, a matching first intranet firewall to the mobile wireless access device according to the intranet connection request.
  • The status obtaining unit obtains the real-time geographic location of the mobile wireless access device, and the firewall determining unit determines, based on the real-time geographic location of the mobile wireless access device, whether the conditions for switching firewalls are met; when it determines that they are met, it determines a second intranet firewall to switch to for the mobile wireless access device, based on the status information of the access device connected to the first intranet firewall.
  • The address sending unit sends the second IP address of the second intranet firewall to the mobile wireless access device.
  • After the mobile wireless access device establishes a connection with the second intranet firewall, it disconnects from the first intranet firewall, and the service of accessing the target intranet is provided to the user terminal through the connection with the second intranet firewall.
  • When the firewall determining unit determines based on the real-time geographic location that the mobile wireless access device meets the conditions for switching the connected firewall, the second intranet firewall is re-allocated to the mobile wireless access device, ensuring that the intranet firewall connected to the mobile wireless access device is always the optimal intranet firewall matching the access device status information and thus ensuring the network quality of the user terminal accessing the intranet.
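The location-based switching condition of the firewall determining unit 402 (the connected firewall is no longer the deployed firewall closest to the mobile wireless access device) and the sub-area rule, as an added example that is not code from the patent or its applicant: it computes great-circle distances from the device's real-time geographic location to constructed deployment positions, decides whether a switch is due, selects the second intranet firewall, and detects a move from one access sub-area to another. The deployment coordinates, the sub-area radius, the firewall names and the class name are constructed; the `margin_km` hysteresis parameter is an addition beyond the page.

```python
"""Geographic switching condition for the intranet firewall distribution device (example code)."""
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Tuple

LatLon = Tuple[float, float]  # (latitude, longitude) in decimal degrees
EARTH_RADIUS_KM = 6371.0


def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1 = radians(a[0]), radians(a[1])
    lat2, lon2 = radians(b[0]), radians(b[1])
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


# Constructed deployment positions of the target intranet's firewalls. Each
# firewall's access sub-area is modelled as a circle around its deployment
# position (an assumption; the page does not say how sub-areas are drawn).
DEPLOYMENTS: Dict[str, LatLon] = {
    "fw-south": (22.54, 114.06),
    "fw-east": (31.23, 121.47),
    "fw-north": (39.90, 116.40),
}
SUBAREA_RADIUS_KM = 300.0


class GeoFirewallDistributionDevice:
    """Hypothetical distribution device applying the real-time geographic location rule."""

    def __init__(self, deployments: Dict[str, LatLon], margin_km: float = 0.0) -> None:
        self.deployments = dict(deployments)
        # margin_km goes beyond the page: the nearest firewall must beat the
        # connected one by this distance before a switch is triggered, which
        # keeps a device sitting on a boundary from flapping between two firewalls.
        self.margin_km = margin_km

    def distances(self, location: LatLon) -> Dict[str, float]:
        return {fw: haversine_km(location, pos) for fw, pos in self.deployments.items()}

    def nearest(self, location: LatLon) -> str:
        """Deployed firewall closest to the device; ties broken by firewall id."""
        d = self.distances(location)
        return min(sorted(d), key=lambda fw: d[fw])

    def switch_condition_met(self, connected: str, location: LatLon) -> bool:
        """True when the connected firewall is not the closest deployed firewall."""
        if connected not in self.deployments:
            raise ValueError(f"unknown firewall {connected!r}")
        d = self.distances(location)
        best = self.nearest(location)
        if best == connected:
            return False
        return d[connected] - d[best] > self.margin_km

    def select_second_firewall(self, connected: str, location: LatLon) -> Optional[str]:
        """Second intranet firewall to switch to, or None when no switch is due."""
        if not self.switch_condition_met(connected, location):
            return None
        return self.nearest(location)

    def locate_subarea(self, location: LatLon) -> Optional[str]:
        """Access sub-area the device is in (named after its firewall), or None."""
        d = self.distances(location)
        best = self.nearest(location)
        return best if d[best] <= SUBAREA_RADIUS_KM else None

    @staticmethod
    def subarea_transition(previous: Optional[str], current: Optional[str]) -> bool:
        """Sub-area rule: the device moved from one known sub-area into a different one."""
        return previous is not None and current is not None and previous != current


if __name__ == "__main__":
    dev = GeoFirewallDistributionDevice(DEPLOYMENTS)
    start, moved = (22.6, 114.1), (31.0, 121.3)  # constructed device positions
    print(dev.nearest(start), dev.select_second_firewall("fw-south", moved))
    print(dev.subarea_transition(dev.locate_subarea(start), dev.locate_subarea(moved)))
```

Both rules are evaluated by the distribution device from the reported real-time geographic location, so the location report is an input the device must be able to trust; the page's identity verification information on the connection request is where that binding would be established.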
  • FIG. 5 is a schematic structural diagram of another intranet firewall distribution device provided by an embodiment of the application.
  • the intranet firewall distribution device 50 includes a processor 501, a memory 502, and a communication interface 503.
  • the processor 501 is connected to the memory 502 and the communication interface 503.
  • the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
  • the processor 501 is configured to support the intranet firewall distribution device in performing the corresponding functions of the intranet firewall distribution device in the firewall switching method described in FIGS. 2 to 3.
  • the processor 501 may be a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip, or any combination thereof.
  • the foregoing hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field-programmable gate array (Field-Programmable Gate Array, FPGA), a generic array logic (Generic Array Logic, GAL) or any combination thereof.
  • the memory 502 is used to store program codes and the like.
  • the memory 502 includes internal memory, which may include at least one of the following: volatile memory (such as dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.) and non-volatile memory (for example, one-time programmable read-only memory (OTPROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), etc.).
  • the memory 502 may also include external memory, and the external memory may include at least one of the following: a hard disk drive (HDD) or solid-state drive (SSD), or a flash drive such as CompactFlash (CF), Secure Digital (SD), microSD, miniSD, xD, Memory Stick, etc.
  • the communication interface 503 is used to receive or send data.
  • the processor 501 may call the program code to perform the following operations:
  • obtain the access device status information of the mobile wireless access device connected to the first intranet firewall of the target intranet, where the first intranet firewall is the firewall matching the mobile wireless access device determined from the multiple intranet firewalls deployed for the target intranet according to the intranet connection request, and the access device status information includes the real-time geographic location of the mobile wireless access device;
  • when it is determined according to the real-time geographic location that the mobile wireless access device satisfies the conditions for switching the connected firewall, determine the second intranet firewall matching the mobile wireless access device from the multiple intranet firewalls deployed for the target intranet according to the access device status information;
  • send the second IP address of the second intranet firewall to the mobile wireless access device, so that the mobile wireless access device establishes a connection with the second intranet firewall according to the second IP address and disconnects from the first intranet firewall, after which the second intranet firewall routes the intranet access request for the target intranet sent by the user terminal through the mobile wireless access device to the intranet server of the target intranet, and also sends the intranet request response message returned by the intranet server in response to the intranet access request to the user terminal through the mobile wireless access device.
  • each operation may also correspond to the corresponding description of the method embodiments shown in FIGS. 2 to 3; the processor 501 may also be used to perform other operations in the above method embodiments.
  • the embodiment of the present application also provides a computer non-volatile readable storage medium storing a computer program; the computer program includes program instructions which, when executed by a computer, cause the computer to execute the method described in the foregoing embodiments, and the computer may be a part of the aforementioned intranet firewall distribution device.
  • the program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the above method embodiments.
  • the storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM), etc.


Abstract

Embodiments of the present invention relate to a firewall switching method and a related apparatus, which are suitable for access control in the context of security protection. The method includes the following steps: an intranet firewall distribution device obtains access device status information indicating that a mobile wireless access device is connected to a first intranet firewall of a target intranet; when the intranet firewall distribution device determines that the mobile wireless access device satisfies the conditions for switching the connected firewall, the intranet firewall distribution device determines a second intranet firewall matched to the mobile wireless access device; and, once the mobile wireless access device has established a connection to the second intranet firewall and disconnected from the first intranet firewall, the mobile wireless access device provides a user terminal with a service for accessing the target intranet through the connection to the second intranet firewall. By means of the present invention, the efficiency with which users access the target intranet can be improved and the quality of access to the target intranet is ensured.
PCT/CN2019/102347 2019-06-10 2019-08-23 Procédé de commutation de pare-feu et appareil associé WO2020248369A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910503676.5 2019-06-10
CN201910503676.5A CN110324826B (zh) 2019-06-10 2019-06-10 一种内网访问方法及相关装置

Publications (1)

Publication Number Publication Date
WO2020248369A1 true WO2020248369A1 (fr) 2020-12-17

Family

ID=68119495

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/102347 WO2020248369A1 (fr) 2019-06-10 2019-08-23 Procédé de commutation de pare-feu et appareil associé

Country Status (2)

Country Link
CN (1) CN110324826B (fr)
WO (1) WO2020248369A1 (fr)


Also Published As

Publication number Publication date
CN110324826B (zh) 2022-08-16
CN110324826A (zh) 2019-10-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19933086

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19933086

Country of ref document: EP

Kind code of ref document: A1