CN112738095A - Method, device, system, storage medium and equipment for detecting illegal external connection - Google Patents


Info

Publication number
CN112738095A
Authority
CN
China
Prior art keywords
host
detected
intranet
server
extranet
Legal status
Pending
Application number
CN202011593872.5A
Other languages
Chinese (zh)
Inventor
江灵兵
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present specification provides a method, an apparatus, a system, a storage medium and a device for detecting an illegal external connection. The method is applied to a security protection device: when a request message sent by a host to be detected to access an intranet service is observed in the intranet, the request message is hijacked and the host to be detected is instructed to redirect to an extranet server; after the host to be detected accesses it, the extranet server instructs the host to redirect to an intranet management server, and the intranet management server determines that the host to be detected is an externally connected host if it receives that access. Based on redirection, an external connection can thus be checked accurately, and the host information of the externally connected host is transmitted back to the intranet management server, so that false alarms are avoided.

Description

Method, device, system, storage medium and equipment for detecting illegal external connection
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a system, a storage medium, and a device for detecting an illegal external connection.
Background
In a network communication system in which the intranet and extranet are isolated, the intranet is generally not allowed to connect to the extranet, so as to avoid security threats introduced from the internet, such as viruses and denial of service attacks. However, some host devices in the intranet may access the internet by illegally setting up a third-party internet access channel (such as a private WIFI, a mobile hotspot or a private proxy server). This behavior is an illegal external connection; because it exposes an attack surface directly to the internet, it is easily exploited and brings a potential security hazard to the internal network. Therefore, how to monitor illegal external connections is extremely important.
The illegal external connection monitoring method commonly used in the related art mainly comprises the following steps: an intranet scanning server is deployed in the intranet and an extranet server is deployed on the internet; the intranet scanning server sends detection messages to all hosts in the intranet with a forged source IP, the forged source IP being the IP address of the extranet server, so as to induce the hosts receiving the detection messages to try to send responses to the extranet server. Under normal conditions the host is not connected to the internet, and the response message cannot reach the extranet server. Therefore, if the extranet server receives a response message, the illegally externally connected host can be identified from that response message.
However, with this method only the extranet server can observe the data of the illegal external connection, and since the extranet server is deployed in the extranet, the administrator of the intranet cannot obtain the data of the illegal external connections in the intranet.
Disclosure of Invention
To overcome the problems in the related art, the present specification provides a method, apparatus, system, storage medium, and device for detecting an illegal external connection.
According to a first aspect of embodiments herein, there is provided a network system for detecting an illegal external connection, the network system including: a security protection device deployed in an intranet, an intranet management server, a host to be detected and an extranet server deployed in an extranet; the security protection device has a port mirroring function, wherein,
the security protection device is configured to: if it is monitored that a request message for accessing the intranet service, sent by the host to be detected, exists on the intranet link, hijack the request message and then instruct the host to be detected to redirect to the extranet server;
the host to be detected is configured to: redirect to the extranet server under the instruction of the security protection device;
the extranet server is configured to: after the host to be detected accesses, instruct the host to be detected to redirect to the intranet management server;
the host to be detected is further configured to: redirect to the intranet management server under the instruction of the extranet server;
the intranet management server is configured to: determine that the host to be detected is an externally connected host after the host to be detected accesses.
According to a second aspect of the embodiments of the present specification, there is provided a method for detecting an illegal external connection, where the method is applied to a security protection device with a port mirroring function, and the security protection device is deployed in an intranet, and the method includes:
if it is monitored that a request message for accessing the intranet service, sent by a host to be detected, exists in the intranet, hijacking the request message; and
instructing the host to be detected to redirect to an extranet server, so that the extranet server instructs the host to be detected to redirect to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an externally connected host after the host to be detected accesses.
In some examples, the request message includes identification information of the host to be detected, where the identification information includes an intranet IP address and a MAC address.
In some examples, the host to be detected is a host that accesses the intranet service for the first time.
In some examples, the security protection device records the access time of each host that accesses the intranet service and periodically clears the recorded information; whether the host to be detected is a host accessing the intranet service for the first time is determined from the recorded information.
In some examples, instructing the host to be detected to redirect to the extranet server includes:
sending a temporary redirection message to the host to be detected, wherein the temporary redirection message indicates that the redirection address is the address of the extranet server.
In some examples, hijacking the request message includes:
acquiring the request message; and
generating a reset message and sending it to the device pointed to by the request message, so that the device ends its session with the host to be detected.
According to a third aspect of the embodiments of the present specification, there is provided an apparatus for detecting an illegal external connection, where the apparatus is applied to a security protection device with a port mirroring function, and the security protection device is deployed in an intranet, and the apparatus includes:
a hijacking module, configured to hijack a request message for accessing the intranet service, sent by a host to be detected, if it is monitored that such a request message exists in the intranet;
an instruction module, configured to instruct the host to be detected to redirect to an extranet server, so that the extranet server instructs the host to be detected to redirect to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an externally connected host after the host to be detected accesses.
According to a fourth aspect of embodiments of the present specification, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs any one of the methods of the embodiments of the specification.
According to a fifth aspect of embodiments herein, there is provided a computer apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements any of the methods in the embodiments herein when executing the program.
The technical solution provided by the embodiments of the specification can have the following beneficial effects:
the embodiments of the specification disclose a method, a device, a system, a storage medium and equipment for detecting an illegal external connection. The method is applied to a security protection device: when a request message sent by a host to be detected to access an intranet service is observed in the intranet, the request message is hijacked and the host to be detected is instructed to redirect to an extranet server; after the host to be detected accesses it, the extranet server instructs the host to redirect to an intranet management server, and the intranet management server determines that the host to be detected is an externally connected host if it receives that access. Based on redirection, an external connection can thus be checked accurately, and the host information of the externally connected host is transmitted back to the intranet management server, so that false alarms are avoided.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a schematic diagram of a topology of a network system for detecting illegal external connections, according to an exemplary embodiment;
FIG. 2 is a flow chart illustrating a method of detecting an illegal external connection according to an exemplary embodiment of the present description;
FIG. 3 is a schematic diagram illustrating an interaction flow of a network system for detecting illegal external connections according to an exemplary embodiment;
FIG. 4 is a hardware configuration diagram of a computer device in which an apparatus for detecting illegal external connection according to an embodiment of the present disclosure is located;
FIG. 5 is a block diagram illustrating an apparatus for detecting an illegal external connection according to an exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
At present, many scenarios have a need to isolate an internal network from an external network to ensure the security of the internal network, especially for enterprises with important business data, such as banks, technical enterprises, and the like. Generally, there are two methods of physical isolation and logical isolation for isolating an internal network and an external network, where physical isolation refers to that an internal network is not directly or indirectly connected to an external network, and is intended to protect hardware entities such as routers, workstations, network servers, etc. and communication links from natural disasters, artificial damage and wiretapping attacks, and devices for physical isolation mainly include gatekeepers, optical gates, etc.; logical isolation means that there is still a physical data channel connection between the two isolated ends, but it is ensured by technical means that there is no data channel between the two isolated ends, and the logically isolated devices mainly include firewalls, gateways, etc.
External connection refers to a connection from the intranet to the extranet (the internet). In a network communication system in which the intranet and extranet are isolated, the intranet generally does not allow connection to the extranet (internet), so as to avoid security threats introduced from the internet, such as viruses and denial of service attacks. However, some host devices in the intranet may access the internet by illegally setting up a third-party internet access channel (such as a private WIFI, a mobile hotspot or a private proxy server). This behavior is an illegal external connection; because it exposes an attack surface directly to the internet, it is easily exploited and brings a potential security hazard to the internal network. Therefore, how to monitor illegal external connections is extremely important.
The following two methods are mainly used for monitoring illegal external connections in the related art:
One is to install a detection client on all host devices in the intranet. The detection client monitors in real time whether the current host device is connected to the extranet, and if it detects such a connection it promptly reports the detailed information of the host device to the monitoring server. However, this method requires that every monitored host device has the detection client installed; for a host device whose user has uninstalled the detection client, or a host device that has newly joined the network and does not yet have the detection client installed, it cannot play a monitoring role.
The other is to deploy an intranet scanning server in the intranet and an extranet server on the internet; the intranet scanning server sends detection messages to all hosts in the intranet with a forged source IP, the forged source IP being the IP address of the extranet server, so as to induce the hosts receiving the detection messages to try to send responses to the extranet server. Under normal conditions the host is not connected to the internet, and the response message cannot reach the extranet server. Therefore, if the extranet server receives a response message, the illegally externally connected host can be identified from that response message. However, with this method only the extranet server can observe the data of the illegal external connection, and since the extranet server is deployed in the extranet, the administrator of the intranet cannot obtain the data of the illegal external connections in the intranet.
Based on this, the present specification provides a solution for detecting illegal external connections to solve the above-mentioned problems.
The following provides a detailed description of examples of the present specification.
As shown in FIG. 1, FIG. 1 is a schematic diagram illustrating a topology of a network system for detecting illegal external connections according to an exemplary embodiment, where the network system includes: a security protection device 11 deployed in an intranet, an intranet management server 12, a host to be detected 13 and an extranet server 14 deployed in an extranet; the security protection device 11 has a port mirroring function, wherein,
the security protection device 11 is configured to: if it is monitored that a request message for accessing the intranet service, sent by the host to be detected 13, exists on the intranet link, hijack the request message and then instruct the host to be detected 13 to redirect to the extranet server 14;
the host to be detected 13 is configured to: redirect to the extranet server 14 under the instruction of the security protection device 11;
the extranet server 14 is configured to: after the host to be detected 13 accesses, instruct the host to be detected 13 to redirect to the intranet management server 12;
the host to be detected 13 is further configured to: redirect to the intranet management server 12 under the instruction of the extranet server 14;
the intranet management server 12 is configured to: determine that the host to be detected 13 is an externally connected host after the host to be detected 13 accesses.
It should be noted that, in other embodiments, the network system further includes several switches and/or routers, and other devices, such as OA servers, etc., and this description is not limited thereto.
In the network system according to the embodiment of the present description, when the security protection device monitors a request message sent by a host to be detected, it hijacks the request message and instructs the host to be detected to redirect to the extranet server. Under normal conditions an access request of the host to be detected cannot reach the extranet server, so if the extranet server does receive an access from the host to be detected, the host can be determined to be an externally connected host. At the same time, in order to return the extranet's data to the intranet, the extranet server instructs the host to be detected to redirect to the intranet management server after the host accesses, so that the intranet management server can likewise determine the host to be detected to be an externally connected host after the host accesses. For the administrators of the intranet, the data of illegal external connections can be obtained directly in the intranet without waiting for an alarm from the extranet server, which improves network management efficiency.
Various details of aspects of embodiments of the present description are described in detail below. As shown in fig. 2, fig. 2 is a flowchart of a method for detecting an illegal external connection according to an exemplary embodiment, where the method is applied to a security protection device with a port mirroring function, and the security protection device is deployed in an intranet, and the method includes:
In step 201, if it is monitored that a request message for accessing an intranet service, sent by a host to be detected, exists in the intranet, the request message is hijacked.
the method of the embodiment of the specification is a method for detecting illegal external connection, and the method is applied to safety protection equipment. The security protection device mentioned here has a port mirroring function, and it is understood that the port mirroring function is to implement snooping on the network by forwarding traffic information of one or more source ports to a certain specified port on a switch or a router. Specifically, the safety protection device may be a switch having a port mirroring function, or may be a device connected to the switch and capable of collecting traffic information of a device associated with the switch, and when the safety protection device is the latter, the safety protection device is deployed on the intranet link in a bypass manner.
The security protection device in the embodiment of the present description is deployed in the intranet, so that messages on the intranet link can be monitored. The intranet may contain a number of host devices, which may be portable terminals such as smartphones and tablet computers, or devices such as desktop computers and conference tablets. The host to be detected mentioned in this step may be any host device in the intranet, or one or more specific host devices. The host to be detected can initiate an HTTP request to a service server of the intranet (an OA server or another office system server in the intranet) to request access to the intranet service. Normally the HTTP request reaches the service server via the switch, and the service server responds after receiving it. In this step, the security protection device hijacks the request message of the host to be detected and performs the next processing step in place of the normal response, so as to detect whether the host to be detected is externally connected.
In some examples, hijacking the request message in this step may include: acquiring the request message; and generating a reset message and sending it to the device pointed to by the request message, so that the device ends its session with the host to be detected. The reset message may be a reset data message; it is sent to the device to which the request message is directed (hereinafter referred to as the target device for short), such as a service server of the intranet, so that the target device ends its session with the host to be detected and the host to be detected is prevented from receiving a normal response message. In addition, it should be noted that the request message mentioned in this step includes identification information of the host to be detected, where the identification information includes an intranet IP address and a MAC address. That is, the host information of the host to be detected can be obtained from the request message. In other embodiments the identification information may include further information, such as the host name of the host to be detected, which is not limited in this specification. Of course, the request message also contains the IP address of the target device, and the destination IP of the aforementioned reset message is that IP address.
In step 202, the host to be detected is instructed to redirect to an extranet server, so that the extranet server instructs the host to be detected to redirect to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an externally connected host after the host to be detected accesses.
After hijacking the request message of the host to be detected, the security protection device instructs the host to be detected to redirect to the extranet server. That is, the security protection device masquerades as the target device and sends a response message to the host to be detected, the response message indicating that the host to be detected should redirect to the extranet server. In order not to disturb the normal operation of the host to be detected at other times, in some examples instructing the host to be detected to redirect to the extranet server includes: sending a temporary redirection message to the host to be detected, wherein the temporary redirection message indicates that the redirection address is the address of the extranet server. Temporary redirection, also called temporary transfer, is a server-side redirection with status code 302; this status code tells the user, search engine or browser that the resource has temporarily moved to another location, i.e. the old page is temporarily redirected to the new page, the move is not regarded as permanent, and the original location will be restored. The temporary redirection message further includes a Location field, which directs the receiver of the response to the resource at the redirection address. In this way, after receiving the temporary redirection message the host to be detected may attempt to access the extranet server, but the redirection address in the temporary redirection message does not replace the originally stored address of the target device, so the host to be detected can still access the target device at the correct address afterwards.
The host to be detected tries to send a request message to the extranet server according to the instruction of the security protection device. To distinguish the two request messages, the request message sent by the host to be detected to the target device is referred to as the first request message, and the request message the host to be detected tries to send to the extranet server is referred to as the second request message. It can be understood that if the extranet server receives the second request message, the host to be detected can connect to the extranet, and at this point it can be determined that the host to be detected is an externally connected host; the extranet server can store the host information of the host to be detected for later inspection.
Considering that the extranet server is deployed in the extranet and is not connected to the intranet management server, a user cannot obtain the host information of an externally connected host within the intranet, and having the extranet server report detected external-connection information to the intranet is prone to false alarms. Therefore, the method of the embodiment of the specification adds data return on top of external-connection detection: after the host to be detected accesses the extranet server, the extranet server instructs the host to be detected to redirect to the intranet management server, and the intranet management server determines that the host to be detected is an externally connected host after the host to be detected accesses. Similarly, the request message sent by the host to be detected to the intranet management server is referred to as the third request message. Because the third request message is sent under the instruction of the extranet server, under normal conditions the intranet management server cannot receive it; when the intranet management server does receive the third request message from the host to be detected, it can be determined that the host to be detected can connect to the extranet. At this point the intranet management server can compare the host information of the host to be detected with the configured information and determine whether the host to be detected is an illegally externally connected host. Likewise, the intranet management server can store the host information of the host to be detected for a long time for later inspection.
In a specific implementation, the address of the intranet management server may be configured in the extranet server, and when the extranet server instructs the host to be detected to redirect to the intranet management server, it uses the address of the intranet management server as the redirection address in the redirection message. Alternatively, the address of the intranet management server may be recorded in the redirection message that the security protection device sends when instructing the host to be detected to redirect to the extranet server: that redirection message carries the host information of the host to be detected, such as its intranet IP address and MAC address, and also carries the address of the intranet management server (and may, of course, carry other information). When the host to be detected parses this redirection message and tries to send a request message to the extranet server, the address of the intranet management server is carried along to the extranet server, so that when the extranet server receives the request message of the host to be detected it responds, within the session with the host to be detected, with a redirection message whose redirection address is the address of the intranet management server. In this way the address of the intranet management server can be updated in real time when it changes frequently, which improves the applicability of the scheme.
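The three-hop chain of steps 201 and 202, including the variant just described in which the security protection device's 302 carries the host information and the intranet management server's address, can be modelled offline. The following is an added example written for this page, not code from the patent or its assignee; the URLs, the query-parameter names `ip`, `mac` and `mgmt`, the authorised-host list and all function names are assumptions chosen for illustration, and the HTTP exchange is represented as plain dictionaries instead of real sockets (the reset message of step 201 is deliberately out of scope here).

```python
"""Added example (not the patent's own code): an offline model of the
security-device -> extranet-server -> intranet-management-server redirect
chain.  Host names, URLs, parameter names and verdict strings are assumed."""
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed addresses of the two servers in the scheme.
EXTRANET_SERVER = "http://probe.example.net/check"             # deployed on the extranet
INTRANET_MGMT_SERVER = "http://mgmt.intranet.example/report"   # deployed in the intranet


def security_device_redirect(request, extranet_url=EXTRANET_SERVER,
                             mgmt_url=INTRANET_MGMT_SERVER):
    """Security protection device: having hijacked the host's request to the
    intranet service, answer in the service's place with a 302 temporary
    redirect whose Location points at the extranet server.  The host's
    identification (intranet IP, MAC) and the management server's address
    travel in the query string, as the description allows."""
    params = {"ip": request["src_ip"], "mac": request["src_mac"], "mgmt": mgmt_url}
    return {"status": 302, "headers": {"Location": f"{extranet_url}?{urlencode(params)}"}}


def extranet_server_handle(request_url):
    """Extranet server: only a host with a working path to the internet can
    reach this handler.  It bounces the host on to the intranet management
    server named in the request, preserving the reported ip/mac."""
    q = parse_qs(urlparse(request_url).query)
    mgmt_url = q["mgmt"][0]
    params = {"ip": q["ip"][0], "mac": q["mac"][0]}
    return {"status": 302, "headers": {"Location": f"{mgmt_url}?{urlencode(params)}"}}


def management_server_handle(request_url, authorised_hosts):
    """Intranet management server: any request arriving through the chain
    proves the host reached the extranet (the 'third request message').
    Compare the reported identity with the configured set of hosts allowed
    external connectivity and return the record that would be stored."""
    q = parse_qs(urlparse(request_url).query)
    ip, mac = q["ip"][0], q["mac"][0]
    verdict = "authorised" if (ip, mac) in authorised_hosts else "illegal_external_connection"
    return {"ip": ip, "mac": mac, "verdict": verdict}


def render_http_response(resp):
    """Serialise one of the 302 responses above as the wire text a host
    would receive from the masquerading security protection device."""
    lines = ["HTTP/1.1 302 Found"]
    lines += [f"{k}: {v}" for k, v in resp["headers"].items()]
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def run_chain(request, authorised_hosts):
    """Follow the chain end to end as a host that *can* reach the extranet
    would, and return the intranet management server's record."""
    first = security_device_redirect(request)
    second = extranet_server_handle(first["headers"]["Location"])
    return management_server_handle(second["headers"]["Location"], authorised_hosts)


if __name__ == "__main__":
    # Constructed sample: the first request message as seen on the mirror port.
    sample_request = {"src_ip": "10.0.0.5", "src_mac": "aa:bb:cc:dd:ee:01"}
    print(render_http_response(security_device_redirect(sample_request)))
    print(run_chain(sample_request, authorised_hosts=set()))
```

A host that has no path to the internet never completes `extranet_server_handle`, so nothing reaches `management_server_handle` for it; only hosts that traverse the whole chain are recorded, which is why the scheme does not produce false alarms for properly isolated hosts.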
In addition, after confirming that the host to be detected is an external host, the intranet management server may send alarm information in the form of a mail or the like, and may also block the host to be detected, which is not limited in this specification.
It should be noted that the security protection device does not need to redirect every request message for accessing the intranet service; in some examples, the aforementioned host to be detected is a host that accesses the intranet service for the first time. That is, the security protection device may detect only hosts that access the intranet service for the first time, so that a newly added host is also detected, while subsequent request messages for service access are not hijacked for a certain time and normal service access is not greatly affected. The security protection device records the access time of each host accessing the intranet service, and whether the host to be detected is a host accessing the intranet service for the first time can be determined from the recorded information. In order to detect each host steadily, the security protection device can periodically clear the recorded information, for example once every 10 minutes; after the recorded information is cleared, each host's next access to the intranet service counts as a first access and the security protection device can perform detection again. The period can be set according to the needs of a specific scenario and is not limited in this specification.
The method in this embodiment of the specification is based on redirection technology: the externally connected host actively accesses the extranet server, which realizes accurate external connection detection, and the host information of the externally connected host can be returned to the intranet management server, which realizes data return and avoids false alarms; the host does not need to install any other software, so the method is more convenient.
To describe aspects of embodiments of the present disclosure in more detail, a specific embodiment is described below.
As shown in fig. 3, fig. 3 is a schematic diagram illustrating an interaction flow of a network system for detecting illegal external connection according to an exemplary embodiment of the present specification, where the network system includes: the system comprises safety protection equipment 31 deployed in an intranet, an intranet management server 32, a host to be detected 33 and an extranet server 34 deployed in an extranet. In the embodiment of the present specification, the security device 31 is a switch having a port mirroring function, and the host 33 to be detected is connected to a port of the security device 31. The detection flow is as follows:
s301, the host to be detected 33 sends a first request message to request to access the intranet service;
in this embodiment, the host information of the host to be detected 33 includes: the intranet IP address 10.121.12.100 and the MAC address 11:22:33:44:55;
s302, the safety protection device 31 acquires a first request message, the safety protection device 31 acquires and analyzes the first request message, host information of the host 33 to be detected is acquired, and the host 33 to be detected is determined to be the host which accesses the intranet service for the first time based on the access time of each host which is recorded by the safety protection device 31 and accesses the intranet service, so that a first redirection message is sent to the host 33 to be detected and the host 33 to be detected is instructed to be redirected to the extranet server 34;
in this embodiment, the status code of the first redirection message is 302, and the redirection address in the location field is 45.45.18.20, the IP address of the extranet server 34, which instructs the host 33 to be detected to redirect to this IP address after receiving the first redirection message; the location field also carries the host information of the host 33 to be detected and the IP address of the intranet management server 32, which is 10.121.13.120, and may of course carry more information. Specifically, the location field may be http://45.45.18.20:8081/outcheck?ip=10.121.12.100&mac=11:22:33:44:55&manageip=10.121.13.120;
s303, the host to be detected 33 analyzes the first redirection message and sends a second request message to the extranet server 34;
in this embodiment, the host 33 to be detected can be connected to an external network, and the external network server can receive an HTTP request from the host 33 to be detected;
s304, the extranet server 34 analyzes the second request message, sends a second redirection message to the host to be detected 33, and indicates the host to be detected 33 to redirect to the intranet management server 32;
in this embodiment, the status code of the second redirection message is 302, and the location field may be http://10.121.13.120/outcheck?ip=10.121.12.100&mac=11:22:33:44:55&outip=45.45.18.20; as can be seen from this location field, the redirection address is the IP address of the intranet management server 32, and the second redirection message carries the host information of the host 33 to be detected;
s305, the host to be detected 33 analyzes the second redirection message and sends a third request message to the intranet management server 32;
s306, the intranet management server 32 analyzes the third request message, and determines that the host to be detected is an externally connected host.
According to this method, the externally connected host actively accesses the extranet server, so the external connection can be checked accurately; the host information of the externally connected host is sent to the intranet management server, so data return is achieved and false alarms are avoided. In the whole detection process the host is only required to access the intranet service, and the traffic can be obtained through the intranet gateway, so no other software needs to be installed on each host; the method is more convenient, and it also monitors hosts that newly join the network.
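The six-step exchange above, worked through as added example code that is not part of the patent or of any DPTech product: the security device's first-access bookkeeping with periodic clearing (S302), the two 302 location fields in the page's format (S302 and S304), and the intranet management server's decision (S306). It assumes the query parameter names ip, mac, manageip and outip from the walk-through, a constructed six-octet MAC, and a configured allowlist of hosts permitted to reach the extranet as the page's "set configuration information"; the outip consistency check is an added defensive caveat that the page does not specify.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Addresses from the page's walk-through: host 10.121.12.100, extranet server
# 45.45.18.20, intranet management server 10.121.13.120. Parameter names follow
# the page's location fields; the MAC used in the demo is a constructed value.
EXTRANET_SERVER = "45.45.18.20"
MANAGE_SERVER = "10.121.13.120"
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class FirstAccessTracker:
    """Security-device side (S302): remember when each host last accessed the
    intranet service and treat it as a first access only once per clearing
    period, so later service requests are not hijacked (page's example: 10 min)."""

    def __init__(self, clear_period_s: float = 600.0) -> None:
        self.clear_period_s = clear_period_s
        self._last_clear = None
        self._access_time: dict[str, float] = {}

    def is_first_access(self, ip: str, mac: str, now: float) -> bool:
        if self._last_clear is None or now - self._last_clear >= self.clear_period_s:
            self._access_time.clear()  # periodic clearing: every host is "first" again
            self._last_clear = now
        key = f"{ip}/{mac.lower()}"
        first = key not in self._access_time
        self._access_time[key] = now
        return first


def _single_values(url: str) -> dict[str, str]:
    """Query parameters of a request URL, keeping the first value of each key."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def first_redirect_location(ip: str, mac: str) -> str:
    """Location field of the security device's 302 (S302), in the page's format."""
    return f"http://{EXTRANET_SERVER}:8081/outcheck?ip={ip}&mac={mac}&manageip={MANAGE_SERVER}"


def extranet_redirect_location(second_request_url: str) -> str:
    """Extranet server side (S304): reuse the host info and the management-server
    address carried in the second request to build the 302 back into the intranet."""
    q = _single_values(second_request_url)
    return f"http://{q['manageip']}/outcheck?ip={q['ip']}&mac={q['mac']}&outip={EXTRANET_SERVER}"


@dataclass(frozen=True)
class Verdict:
    ip: str
    mac: str
    illegal: bool
    reason: str


def evaluate_third_request(third_request_url: str, allowed_hosts: frozenset[str]) -> Verdict:
    """Intranet management server side (S306). Receiving this request at all shows the
    host reached the extranet server; it is an illegal external connection unless the
    configuration permits that host. Malformed or inconsistent requests are ignored
    rather than alarmed on (assumed handling, not from the page)."""
    q = _single_values(third_request_url)
    ip, mac, outip = q.get("ip", ""), q.get("mac", ""), q.get("outip", "")
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return Verdict(ip, mac, False, "malformed ip; ignored")
    if not MAC_RE.match(mac):
        return Verdict(ip, mac, False, "malformed mac; ignored")
    if outip != EXTRANET_SERVER:
        return Verdict(ip, mac, False, "outip is not the configured extranet server; ignored")
    if ip in allowed_hosts:
        return Verdict(ip, mac, False, "host is permitted to reach the extranet")
    return Verdict(ip, mac, True, "host reached the extranet but is not permitted to")


def run_walkthrough(ip: str, mac: str, allowed_hosts: frozenset[str]) -> Verdict:
    """Chain S302 -> S304 -> S306 for one host and return the management server's verdict."""
    loc1 = first_redirect_location(ip, mac)        # security device -> host
    loc2 = extranet_redirect_location(loc1)        # extranet server -> host
    return evaluate_third_request(loc2, allowed_hosts)  # host -> management server


if __name__ == "__main__":
    print(run_walkthrough("10.121.12.100", "AA:BB:CC:DD:EE:01", frozenset()))
```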
Corresponding to the embodiment of the method, the specification also provides an embodiment of a device for detecting illegal external connection and a terminal applied by the device.
The embodiment of the device for detecting illegal external connection in this specification can be applied to computer equipment such as a server or a security protection device. The device embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the device, as a logical device, is formed by the processor of the computer equipment in which it is located reading the corresponding computer program instructions from the nonvolatile memory into memory and running them. From a hardware aspect, fig. 4 is a hardware structure diagram of the computer device in which the apparatus for detecting an illegal external connection of this embodiment is located; in addition to the processor 410, the memory 430, the network interface 420 and the nonvolatile memory 440 shown in fig. 4, the server or electronic device in which the apparatus 431 is located may also include other hardware according to the actual function of the computer device, which is not described again here.
Accordingly, the embodiments of the present specification also provide a computer storage medium, in which a program is stored, and the program, when executed by a processor, implements the method in any of the above embodiments.
Embodiments of the present description may take the form of a computer program product embodied on one or more storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having program code embodied therein. Computer-usable storage media include permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of the storage medium of the computer include, but are not limited to: phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technologies, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium, may be used to store information that may be accessed by a computing device.
As shown in fig. 5, fig. 5 is a block diagram of an apparatus for detecting an illegal external connection according to an exemplary embodiment, where the apparatus is applied to a security protection device with a port mirroring function, and the security protection device is deployed in an intranet, and the apparatus includes:
a hijacking module 51, configured to hijack a request message for accessing an intranet service, sent by a host to be detected, if it is detected that the request message exists in the intranet;
the indicating module 52 is configured to indicate that the host to be detected is redirected to an extranet server, so that the extranet server indicates that the host to be detected is redirected to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an extranet host after the host to be detected accesses.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. A network system for detecting an illegal external connection, the network system comprising: the system comprises safety protection equipment deployed in an intranet, an intranet management server, a host to be detected and an extranet server deployed in an extranet; the safety device has a port mirroring function, wherein,
the safety shield apparatus is configured to: if the situation that a request message for accessing the intranet service, which is sent by a host to be detected, exists on the intranet link is monitored, the host to be detected is indicated to be redirected to the extranet server after the request message is hijacked;
the host to be detected is used for: redirecting to the extranet server under the direction of the security device;
the extranet server is configured to: after the host to be detected accesses, indicating the host to be detected to redirect to the intranet management server;
the host to be detected is further configured to: redirecting to the intranet management server under the instruction of the extranet server;
the intranet management server is used for: and determining the host to be detected as an external host after the host to be detected accesses.
2. A method for detecting illegal external connection is characterized in that the method is applied to safety protection equipment with a port mirroring function, the safety protection equipment is deployed in an intranet, and the method comprises the following steps:
if the situation that a request message for accessing the intranet service sent by a host to be detected exists in the intranet is monitored, hijacking the request message;
and indicating the host to be detected to be redirected to an extranet server so that the extranet server indicates the host to be detected to be redirected to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an external connection host after the host to be detected accesses.
3. The method according to claim 2, wherein the request message includes identification information of the host to be detected, and the identification information includes an intranet IP address and a MAC address.
4. The method according to claim 2, wherein the host to be detected is a host that accesses an intranet service for the first time.
5. The method according to claim 4, wherein the safety protection device records the access time of each host accessing the intranet service, and periodically clears the recorded information, and whether the host to be detected is the host accessing the intranet service for the first time is determined based on the recorded information.
6. The method according to claim 2, wherein the instructing the host to be detected to redirect to an extranet server comprises:
and sending a temporary redirection message to the host to be detected, wherein the temporary redirection message indicates that the redirection address is the address of the external network server.
7. The method of claim 2, wherein hijacking the request packet comprises:
acquiring the request message;
and generating a reset message, and sending the reset message to the equipment pointed by the request message so as to enable the equipment to end the session with the host to be detected.
8. A device for detecting illegal external connection, characterized in that it is applied to a safety protection device having a port mirroring function, the safety protection device being deployed in an intranet, the device comprising:
the hijacking module is used for hijacking the request message if the situation that the request message for accessing the intranet service, which is sent by the host to be detected, exists in the intranet is monitored;
the indication module is used for indicating the host to be detected to be redirected to an extranet server so that the extranet server indicates the host to be detected to be redirected to the intranet management server after the host to be detected accesses, and the intranet management server determines that the host to be detected is an external connection host after the host to be detected accesses.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the method of any of claims 2 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 2 to 7.
CN202011593872.5A 2020-12-29 2020-12-29 Method, device, system, storage medium and equipment for detecting illegal external connection Pending CN112738095A (en)
Publications (1)

Publication Number Publication Date
CN112738095A true CN112738095A (en) 2021-04-30

Family

ID=75607529


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210430