CN104363233A - Safety cross-domain communication method for application servers in VPN gateways - Google Patents
- Publication number: CN104363233A
- Application number: CN201410664196.4A
- Authority: CN (China)
- Prior art keywords: application server, VPN gateway, remote site, data, VPN
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/00 — Network architectures or network communication protocols for network security (H04L — Transmission of digital information, e.g. telegraphic communication; H04 — Electric communication technique; H — Electricity)
  - H04L63/02 — Separating internal from external traffic, e.g. firewalls
    - H04L63/0209 — Architectural arrangements, e.g. perimeter networks or demilitarized zones
  - H04L63/10 — Controlling access to devices or network resources
    - H04L63/105 — Multiple levels of security
  - H04L63/12 — Applying verification of the received information
  - H04L63/14 — Detecting or protecting against malicious traffic
    - H04L63/1441 — Countermeasures against malicious traffic
Abstract
The invention provides a secure cross-domain communication method for application servers behind VPN gateways. Network data from a local application server to a remote application server is routed to the internal interface of the local VPN gateway, and network data from a remote application server to a local application server is routed to the internal interface of the remote VPN gateway. When an application server's network packet is sent, it is given a sequence number, an HMAC is computed over the plaintext data and the sequence number with a secret key, and the plaintext data together with the MAC value is symmetrically encrypted; when an application server's network data is received, the ciphertext is decrypted first and the recovered plaintext data, MAC value and sequence number are then verified. An application server can communicate with application servers behind several remote VPN gateways at the same time without any modification and without any additional hardware or software. The confidentiality, integrity and non-repudiation of the network data are guaranteed, and replay and similar attacks can be defended against.
Description
Technical field
The present invention relates to a secure cross-domain communication method between application servers in VPN gateways, and in particular to a secure cross-domain communication method between application servers in VPN gateways that is suitable for cross-domain communication.
Background technology
A VPN gateway is a device deployed at the network boundary of the application servers. It protects the application systems that need hardening by interposing itself on the path and enforcing access control, so that users can reach the protected application services only through the VPN gateway. Using various proxy techniques, the VPN gateway applies transmission protection and access control to the network data of users accessing the application servers.
Summary of the invention
VPN gateways currently on the market do not take into account the cross-domain communication needs between protected application systems, such as cascading and data synchronisation, so a VPN gateway cannot protect application servers deployed in a cascaded, cross-domain arrangement. Some VPN gateways use route pass-through to open up network communication between application servers, but this causes the traffic between application servers to be transmitted in clear text over an untrusted network.
The technical problem to be solved by the present invention is to provide a method, in VPN gateways, for protecting the security of cross-domain communication between application servers.
The technical solution adopted by the present invention is as follows: a secure cross-domain communication method between application servers in VPN gateways, characterised in that a secure channel for transmitting network data is established: network data from the local server to a remote application server is routed to the internal interface of the local VPN gateway; network data from the remote server to a local application server is routed to the internal interface of the remote VPN gateway; when an application server network packet is sent it is numbered, an HMAC is computed over the plaintext data and the sequence number with the key, and the plaintext data and the MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is decrypted first, and the plaintext data, MAC value and sequence number obtained by decryption are then verified.
The concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways that need to exchange visits;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: the local VPN gateway looks up the association list of remote VPN gateways and remote application servers to find the remote VPN gateway that needs to be accessed, and sends the network data to that remote VPN gateway through the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server.
Likewise, the remote VPN gateway selects a route for network data by the same flow of Step 1 to Step 4.
Compared with the prior art, the beneficial effects of the invention are: the application server needs no modification and no additional hardware or software, and can communicate with application servers behind several remote VPN gateways at the same time; the VPN gateway protects the network communication between application servers through the secure channel, which guarantees the confidentiality, integrity and non-repudiation of the network data and can defend against replay and similar attacks.
Embodiment
In order to make the objects, technical solution and advantages of the present invention clearer, the present invention is further elaborated below in conjunction with an embodiment. It should be understood that the specific embodiment described here only serves to explain the present invention and is not intended to limit it.
Any feature disclosed in this specification (including any accompanying claims and the abstract) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Transparent proxying based on network routing: this covers receiving and forwarding the network communication data of local and remote application servers and establishes the secure channel for transmitting network data. A routing rule is set on the local application server so that network data from the local server to the remote application server is routed to the internal interface of the local VPN gateway; a routing rule is set on the remote application server so that network data from the remote server to the local application server is routed to the internal interface of the remote VPN gateway. Secure channel based on cryptographic algorithms: this covers the encryption, HMAC and similar protection of application server network data. When an application server network packet is sent it is numbered, an HMAC is computed over the plaintext data and the sequence number with the key, and the plaintext data and the MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is decrypted first, and the plaintext data, MAC value and sequence number obtained by decryption are then verified.
The application server needs no modification and no additional hardware or software, and can communicate with application servers behind several remote VPN gateways at the same time. With the cryptographic secure channel, the VPN gateway protects the network communication between application servers, guaranteeing the confidentiality, integrity and non-repudiation of the network data and defending against replay and similar attacks.
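The send and receive halves of the secure channel described above, written here as an added example (not code from the patent): the sender numbers each packet, computes HMAC-SHA256 over the sequence number and plaintext, and encrypts sequence number, plaintext and MAC together; the receiver decrypts first, then checks the MAC and that the sequence number is strictly newer than the last one accepted. The patent names no symmetric algorithm, so an HMAC-SHA256 counter-mode keystream with a random per-packet IV stands in for it; the key names and frame layout are assumptions.

```python
import hashlib
import hmac
import os
import struct

SEQ_LEN = 8    # 64-bit packet sequence number (assumed width)
MAC_LEN = 32   # HMAC-SHA256 output
IV_LEN = 16    # per-packet IV sent in the clear ahead of the ciphertext


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode keyed with enc_key.
    # The patent does not name its symmetric cipher; any cipher with a fresh
    # IV per packet would take this place.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChannelSender:
    """Gateway side that numbers, MACs and encrypts outgoing packets."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        self.seq += 1                                   # packet numbering
        seq = struct.pack(">Q", self.seq)
        # HMAC over plaintext + sequence number, keyed with the MAC key
        mac = hmac.new(self.mac_key, seq + plaintext, hashlib.sha256).digest()
        # symmetric encryption of sequence number, plaintext and MAC value
        iv = os.urandom(IV_LEN)
        body = seq + plaintext + mac
        return iv + _xor(body, _keystream(self.enc_key, iv, len(body)))


class ChannelReceiver:
    """Gateway side that decrypts, then verifies MAC and sequence number."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.last_seq = 0

    def receive(self, frame: bytes):
        """Return the plaintext, or None if the frame must be discarded."""
        if len(frame) < IV_LEN + SEQ_LEN + MAC_LEN:
            return None
        iv, ct = frame[:IV_LEN], frame[IV_LEN:]
        body = _xor(ct, _keystream(self.enc_key, iv, len(ct)))   # decrypt first
        seq_b, plaintext, mac = body[:SEQ_LEN], body[SEQ_LEN:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(self.mac_key, seq_b + plaintext, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):              # integrity / origin
            return None
        seq = struct.unpack(">Q", seq_b)[0]
        if seq <= self.last_seq:                                # replayed or stale
            return None
        self.last_seq = seq
        return plaintext
```

Because the MAC is checked before the sequence number is consumed, a corrupted or forged frame cannot advance the receiver's replay state; the strictly-increasing check is the simplest form and also drops legitimately reordered packets, which a windowed check would tolerate.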
In this specific embodiment the concrete communication method is a secure channel routing technique for cascaded VPN gateways: network data exchanged across domains between multiple application servers is forwarded, via different VPN gateways, to the designated application server. The concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways that need to exchange visits;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: the local VPN gateway looks up the association list of remote VPN gateways and remote application servers to find the remote VPN gateway that needs to be accessed, and sends the network data to that remote VPN gateway through the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server.
Likewise, the remote VPN gateway selects a route for network data by the same flow of Step 1 to Step 4.
In the scheme of the present invention, application servers communicate over the secure transmission tunnel established between the local VPN gateway and the remote VPN gateway. The local VPN gateway and the remote VPN gateway apply access control to the network communication between application servers according to the configured policy: network data of application servers that the policy allows to communicate is forwarded, and network data not configured in the policy is discarded.
The scheme supports cross-domain mutual access between all application servers that communicate over TCP/IP; the VPN gateway can enforce permission control on the network communication between application servers, and administrators can adjust the policy at any time for flexible and precise control according to different requirements; it supports international algorithms and Chinese national cryptographic algorithms; it supports connecting to, obtaining information from and maintaining secure transmission tunnels with multiple remote VPN gateways simultaneously; and no software needs to be installed on the application server, since the secure transmission tunnel is transparent to it.
Claims (2)
1. A secure cross-domain communication method between application servers in VPN gateways, characterised in that a secure channel for transmitting network data is established: network data from the local server to a remote application server is routed to the internal interface of the local VPN gateway; network data from the remote server to a local application server is routed to the internal interface of the remote VPN gateway; when an application server network packet is sent it is numbered, an HMAC is computed over the plaintext data and the sequence number with the key, and the plaintext data and the MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is decrypted first, and the plaintext data, MAC value and sequence number obtained by decryption are then verified.
2. The secure cross-domain communication method between application servers in VPN gateways according to claim 1, characterised in that the concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways that need to exchange visits;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: the local VPN gateway looks up the association list of remote VPN gateways and remote application servers to find the remote VPN gateway that needs to be accessed, and sends the network data to that remote VPN gateway through the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server.
Likewise, the remote VPN gateway selects a route for network data by the same flow of Step 1 to Step 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410664196.4A CN104363233A (en) | 2014-11-20 | 2014-11-20 | Safety cross-domain communication method for application servers in VPN gateways |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104363233A true CN104363233A (en) | 2015-02-18 |
Family ID: 52530459
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410664196.4A Pending CN104363233A (en) | 2014-11-20 | 2014-11-20 | Safety cross-domain communication method for application servers in VPN gateways |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104363233A (en) |
Timeline
- 2014-11-20: CN application CN201410664196.4A filed, publication CN104363233A, status Pending
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101785257A (en) * | 2007-03-01 | 2010-07-21 | 极进网络有限公司 | Software control plane for switches and routers |
CN101083654A (en) * | 2007-07-04 | 2007-12-05 | 海南二十一世纪度假管理有限公司 | Vacation plan network managing method for B/S structure |
CN101471880A (en) * | 2007-12-27 | 2009-07-01 | 华为技术有限公司 | Method, system and routing device for processing data |
CN101552710A (en) * | 2008-03-31 | 2009-10-07 | ***通信集团公司 | Method, system and router for realizing virtual special network cross-domain |
US20120110638A1 (en) * | 2008-04-29 | 2012-05-03 | Juniper Networks, Inc. | Policy-based cross-domain access control for ssl vpn |
US8117325B1 (en) * | 2008-04-29 | 2012-02-14 | Juniper Networks, Inc. | Policy-based cross-domain access control for SSL VPN |
CN102316108A (en) * | 2011-09-09 | 2012-01-11 | 周伯生 | Device for establishing network isolated channel and method thereof |
CN103095543A (en) * | 2011-11-07 | 2013-05-08 | 华为技术有限公司 | Method and equipment for inter-domain virtual private network connection |
CN103312749A (en) * | 2012-03-13 | 2013-09-18 | 华为技术有限公司 | Discovery method, equipment and system for application layer flow optimization (ALTO) server |
CN102710605A (en) * | 2012-05-08 | 2012-10-03 | 重庆大学 | Information security management and control method under cloud manufacturing environment |
CN102891790A (en) * | 2012-09-21 | 2013-01-23 | 中国电信股份有限公司云计算分公司 | VPN (Virtual Private Network) virtualization method and system of visiting virtual private cloud |
CN103428204A (en) * | 2013-07-29 | 2013-12-04 | 杭州华三通信技术有限公司 | Data security implementation method capable of resisting timing attacks and devices |
CN103491088A (en) * | 2013-09-22 | 2014-01-01 | 成都卫士通信息产业股份有限公司 | Method for processing IPSec VPN gateway data |
CN103634217A (en) * | 2013-11-13 | 2014-03-12 | 华为技术有限公司 | Method for issuing route information, method and device for transmitting massage |
Non-Patent Citations (2)
Title |
---|
Tang Li et al.: "Load balancer supporting IPSEC VPN" (支持IPSEC VPN的负载均衡器涉及), Computer and Information Technology (《计算机与信息技术》) * |
Guo Weibin et al.: "Remote encrypted communication technology based on an IPSec VPN hardware encryption card" (基于IPSec VPN硬件加密卡的远程加密通信技术), Electric Power Column (《电力专栏》) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11005817B1 (en) * | 2013-12-31 | 2021-05-11 | Open Invention Network Llc | Optimizing connections over virtual private networks |
CN105721432A (en) * | 2016-01-15 | 2016-06-29 | 国家电网公司 | TCP transparent agent realization method facing electric power IEC104 protocol |
CN105721432B (en) * | 2016-01-15 | 2019-08-30 | 国家电网公司 | A kind of TCP transparent proxy implementation towards electric power IEC104 specification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2015-02-18