CN104363233A - Safety cross-domain communication method for application servers in VPN gateways - Google Patents


Info

Publication number
CN104363233A
Authority
CN
China
Prior art keywords
application server
vpn gateway
remote
data
vpn
Prior art date
Legal status
Pending
Application number
CN201410664196.4A
Other languages
Chinese (zh)
Inventor
汪仕兵
方明睿
秦凯
刘小华
邢朝阳
原蓓蓓
吴荣政
Current Assignee
CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd
Original Assignee
CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date
2014-11-20
Filing date
2014-11-20
Publication date
2015-02-18

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a secure cross-domain communication method for application servers in VPN gateways. The method comprises the steps that network data from a local server to a remote application server is routed to the internal network interface of the local VPN; network data from a remote server to a local application server is routed to the internal network interface of the remote VPN; when application server network packets are sent they are given sequence numbers, an HMAC is computed over the plaintext data and the sequence number with the secret key, and the plaintext data and MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is decrypted first, and then the plaintext data, MAC value and sequence number obtained by decryption are verified. The application servers can communicate simultaneously with application servers behind multiple remote VPN gateways without any modification and without any additional hardware or software. The confidentiality, integrity and non-repudiation of the network data are guaranteed, and replay and similar attacks can be defended against.

Description

Secure cross-domain communication method between application servers in a VPN gateway
Technical field
The present invention relates to a secure cross-domain communication method between application servers in a VPN gateway, and in particular to a method for secure cross-domain communication between application servers in a VPN gateway that is applicable to cross-domain communication.
Background technology
A VPN gateway is a device deployed at the network boundary of the application servers; it protects application systems that need reinforcement by cutting off direct access and enforcing access control, so that users can reach the protected application services only through the VPN gateway. By means of various proxy technologies, the VPN gateway applies transmission protection and access control to the network data of users accessing the application servers.
Summary of the invention
VPN gateways currently on the market do not take into account cross-domain communication requirements between protected application systems, such as cascading and data synchronisation, so a VPN gateway cannot protect application servers deployed in a cascaded, cross-domain arrangement. Some VPN gateways use route pass-through to open up network communication between application servers, but this causes that communication to be transmitted in plaintext over an insecure network.
The technical problem to be solved by the present invention is to provide a method, within a VPN gateway, for protecting the security of cross-domain communication between application servers.
The technical solution adopted by the present invention is as follows: a secure cross-domain communication method between application servers in a VPN gateway, characterised in that a secure channel for transmitting network data is established: network data from the local server to the remote application server is routed to the internal network interface of the local VPN; network data from the remote server to the local application server is routed to the internal network interface of the remote VPN; when an application server network packet is sent it is given a packet sequence number, an HMAC is computed over the plaintext data and the sequence number using the key, and the plaintext data and MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is first decrypted, and then the plaintext data, MAC value and sequence number obtained by decryption are verified.
The concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways with which mutual access is required;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: using the association table of remote VPN gateways and remote application servers, the local VPN gateway finds the remote VPN information it needs to reach and sends the network data to the remote VPN gateway over the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server;
Similarly, the remote VPN gateway selects routes for network data following the same process of Steps 1 to 4.
Compared with the prior art, the beneficial effects of the invention are: the application servers need no modification and no additional hardware or software, and can communicate simultaneously with multiple application servers behind remote VPN gateways; the VPN gateway protects network communication between application servers through the secure channel, ensuring the confidentiality, integrity and non-repudiation of network data and defending against attacks such as replay.
Embodiment
To make the objects, technical solution and advantages of the present invention clearer, the invention is further described below with reference to an embodiment. It should be understood that the specific embodiment described here serves only to explain the invention and is not intended to limit it.
Any feature disclosed in this specification (including any accompanying claims and the abstract), unless specifically stated otherwise, may be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Transparent proxy technology based on network routing: this covers the reception and forwarding of network communication data for the local and remote application servers and the establishment of the secure channel for transmitting network data. A routing rule is set on the local application server so that network data from the local server to the remote application server is routed to the internal network interface of the local VPN; a routing rule is set on the remote application server so that network data from the remote server to the local application server is routed to the internal network interface of the remote VPN. Secure channel technology based on cryptographic algorithms: this covers the security protection of application server network data, such as encryption and HMAC. When an application server network packet is sent it is given a packet sequence number, an HMAC is computed over the plaintext data and the sequence number using the key, and the plaintext data and MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is first decrypted, and then the plaintext data, MAC value and sequence number obtained by decryption are verified.
The application servers need no modification and no additional hardware or software, and can communicate simultaneously with multiple application servers behind remote VPN gateways; using the cryptographic secure channel technology, the VPN gateway protects network communication between application servers through the secure channel, ensuring the confidentiality, integrity and non-repudiation of network data and defending against attacks such as replay.
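The per-packet protection the description specifies, as an added illustration that is not code from the patent: a sequence number, an HMAC over sequence number and plaintext, symmetric encryption of plaintext plus MAC, and on receipt decryption followed by MAC and sequence-number checks. Assumptions (the page leaves them open): the symmetric cipher is a stand-in HMAC-SHA256 counter-mode keystream with a random nonce sent in the clear, the sequence number travels inside the encrypted body, and the names Sender, Receiver and deliver are mine.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, SEQ_LEN, MAC_LEN = 16, 8, 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in symmetric cipher: HMAC-SHA256 in counter mode (assumption; the
    # page names no algorithm, a real gateway would use AES or SM4).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    """Local gateway side: number the packet, HMAC it, then encrypt."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.seq = 0

    def seal(self, plaintext: bytes) -> bytes:
        self.seq += 1                                  # packet numbering
        seq = struct.pack(">Q", self.seq)
        mac = hmac.new(self.mac_key, seq + plaintext, hashlib.sha256).digest()
        nonce = os.urandom(NONCE_LEN)                  # per packet, sent in clear
        body = seq + plaintext + mac                   # plaintext and MAC get encrypted
        return nonce + _xor(body, _keystream(self.enc_key, nonce, len(body)))


class Receiver:
    """Remote gateway side: decrypt, then verify MAC and sequence number."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.last_seq = 0                              # highest accepted number

    def open(self, packet: bytes) -> bytes:
        if len(packet) < NONCE_LEN + SEQ_LEN + MAC_LEN:
            raise ValueError("short packet")
        nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
        plain = _xor(body, _keystream(self.enc_key, nonce, len(body)))
        seq_b, plaintext, mac = plain[:SEQ_LEN], plain[SEQ_LEN:-MAC_LEN], plain[-MAC_LEN:]
        expected = hmac.new(self.mac_key, seq_b + plaintext, hashlib.sha256).digest()
        # Check the MAC before trusting the sequence number, so a forged
        # packet cannot move the replay window.
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC mismatch")
        seq = struct.unpack(">Q", seq_b)[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or stale sequence number")
        self.last_seq = seq
        return plaintext


def deliver(receiver: Receiver, packet: bytes):
    """Return (accepted, plaintext or drop reason) so a gateway can log drops."""
    try:
        return True, receiver.open(packet)
    except ValueError as err:
        return False, str(err)
```

Because the MAC is computed before encryption, the receiver has to decrypt before it can verify anything; an encrypt-then-MAC or AEAD construction lets a gateway discard forged packets without decrypting them.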
In this specific embodiment, the concrete communication method is: cascaded VPN gateway secure-channel routing technology, which covers forwarding the network data of cross-domain mutual access among multiple application servers, via different VPN gateways, to the designated application server. The concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways with which mutual access is required;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: using the association table of remote VPN gateways and remote application servers, the local VPN gateway finds the remote VPN information it needs to reach and sends the network data to the remote VPN gateway over the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server;
Similarly, the remote VPN gateway selects routes for network data following the same process of Steps 1 to 4.
In the scheme of the present invention, application servers communicate over the secure transmission tunnel established between the local VPN gateway and the remote VPN gateway. The local and remote VPN gateways apply access control to network communication between application servers according to the configured policy: network data of application servers that the policy allows to communicate is forwarded, and network data not configured in the policy is discarded.
The scheme supports cross-domain mutual access between all application servers that communicate over the TCP/IP protocol; the VPN gateway can apply permission control to network communication between application servers, and administrators can adjust the policy at any time for flexible and precise control of different requirements; it supports international algorithms and Chinese national cryptographic algorithms; it supports simultaneously connecting to, obtaining information from and maintaining secure transmission tunnels with multiple remote VPN gateways; no software needs to be installed on the application servers, and the secure transmission tunnel is transparent to them.

Claims (2)

1. A secure cross-domain communication method between application servers in a VPN gateway, characterised in that a secure channel for transmitting network data is established: network data from the local server to the remote application server is routed to the internal network interface of the local VPN; network data from the remote server to the local application server is routed to the internal network interface of the remote VPN; when an application server network packet is sent it is given a packet sequence number, an HMAC is computed over the plaintext data and the sequence number using the key, and the plaintext data and MAC value are symmetrically encrypted; when application server network data is received, the ciphertext is first decrypted, and then the plaintext data, MAC value and sequence number obtained by decryption are verified.
2. The secure cross-domain communication method between application servers in a VPN gateway according to claim 1, characterised in that the concrete communication steps are:
Step 1: configure the local VPN gateway with the local application server information and the information of the VPN gateways with which mutual access is required;
Step 2: the local VPN gateway actively connects to all configured remote VPN gateways and obtains the association between each remote VPN gateway and its remote application servers;
Step 3: using the association table of remote VPN gateways and remote application servers, the local VPN gateway finds the remote VPN information it needs to reach and sends the network data to the remote VPN gateway over the secure channel;
Step 4: after receiving the data, the remote VPN gateway forwards it by routing to the application server;
Similarly, the remote VPN gateway selects routes for network data following the same process of Steps 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410664196.4A CN104363233A (en) 2014-11-20 2014-11-20 Safety cross-domain communication method for application servers in VPN gateways

Publications (1)

Publication Number Publication Date
CN104363233A true CN104363233A (en) 2015-02-18

Family

ID=52530459

Country Status (1)

Country Link
CN (1) CN104363233A (en)

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101785257A (en) * 2007-03-01 2010-07-21 极进网络有限公司 Software control plane for switches and routers
CN101083654A (en) * 2007-07-04 2007-12-05 海南二十一世纪度假管理有限公司 Vacation plan network managing method for B/S structure
CN101471880A (en) * 2007-12-27 2009-07-01 华为技术有限公司 Method, system and routing device for processing data
CN101552710A (en) * 2008-03-31 2009-10-07 ***通信集团公司 Method, system and router for realizing virtual special network cross-domain
US20120110638A1 (en) * 2008-04-29 2012-05-03 Juniper Networks, Inc. Policy-based cross-domain access control for ssl vpn
US8117325B1 (en) * 2008-04-29 2012-02-14 Juniper Networks, Inc. Policy-based cross-domain access control for SSL VPN
CN102316108A (en) * 2011-09-09 2012-01-11 周伯生 Device for establishing network isolated channel and method thereof
CN103095543A (en) * 2011-11-07 2013-05-08 华为技术有限公司 Method and equipment for inter-domain virtual private network connection
CN103312749A (en) * 2012-03-13 2013-09-18 华为技术有限公司 Discovery method, equipment and system for application layer flow optimization (ALTO) server
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN102891790A (en) * 2012-09-21 2013-01-23 中国电信股份有限公司云计算分公司 VPN (Virtual Private Network) virtualization method and system of visiting virtual private cloud
CN103428204A (en) * 2013-07-29 2013-12-04 杭州华三通信技术有限公司 Data security implementation method capable of resisting timing attacks and devices
CN103491088A (en) * 2013-09-22 2014-01-01 成都卫士通信息产业股份有限公司 Method for processing IPSec VPN gateway data
CN103634217A (en) * 2013-11-13 2014-03-12 华为技术有限公司 Method for issuing route information, method and device for transmitting massage

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
唐黎 et al.: "On a load balancer supporting IPSEC VPN" (支持IPSEC VPN的负载均衡器涉及), 《计算机与信息技术》 (Computer and Information Technology) *
郭为斌 et al.: "Remote encrypted communication technology based on an IPSec VPN hardware encryption card" (基于IPSec VPN硬件加密卡的远程加密通信技术), 《电力专栏》 (Electric Power Column) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11005817B1 (en) * 2013-12-31 2021-05-11 Open Invention Network Llc Optimizing connections over virtual private networks
CN105721432A (en) * 2016-01-15 2016-06-29 国家电网公司 TCP transparent agent realization method facing electric power IEC104 protocol
CN105721432B (en) * 2016-01-15 2019-08-30 国家电网公司 A kind of TCP transparent proxy implementation towards electric power IEC104 specification

Similar Documents

Publication Publication Date Title
Shah et al. A survey on Classification of Cyber-attacks on IoT and IIoT devices
US10903987B2 (en) Key configuration method, key management center, and network element
Fan et al. Security analysis of zigbee
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
US9742738B2 (en) Method and apparatus for enforcing storage encryption for data stored in a cloud
CN103067290B (en) The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
EP2329621B1 (en) Key distribution to a set of routers
Charles et al. Lightweight anonymous routing in NoC based SoCs
US10911581B2 (en) Packet parsing method and device
US9015825B2 (en) Method and device for network communication management
Adomnicai et al. Hardware security threats against Bluetooth mesh networks
Fauri et al. Encryption in ICS networks: A blessing or a curse?
CN108933763A (en) A kind of data message sending method, the network equipment, control equipment and network system
Fujdiak et al. Security in low-power wide-area networks: State-of-the-art and development toward the 5G
US10015208B2 (en) Single proxies in secure communication using service function chaining
CN104363233A (en) Safety cross-domain communication method for application servers in VPN gateways
CN105981028A (en) Network element authentication in communication networks
Meier et al. itap: In-network traffic analysis prevention using software-defined networks
CN107135226B (en) Transport layer proxy communication method based on socks5
CN103516574A (en) Message encrypting method through virtual interfaces
Dakhnovich et al. Approach for securing network communications modelling based on smart multipath routing
Baiocco et al. Indirect synchronisation vulnerabilities in the iec 60870-5-104 standard
Lee et al. Design of secure arp on MACsec (802.1 Ae)
Fuloria et al. Towards a security architecture for substations
EP3082207A1 (en) Method for transmitting a teleprotection command using sequence number

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150218