Cross-network segment data link establishment and access method and system
Technical Field
The present invention relates to the field of computer communications technologies, and in particular, to a method and system for establishing and accessing a data link across network segments.
Background
In general, when access or service provision across networks is required, for example remote desktop connection, WEB access, providing a database service, providing a WEB service, or access to other middleware, the service port is mapped directly to a public IPv4 port, as shown in fig. 1. Used this way, the access source cannot be restricted and the accessing user cannot be authenticated, so the service is exposed to DDoS attacks, data theft and similar actions, causing economic loss and a considerable data security risk.
In the traditional solution, complex security software such as firewalls, honeypots, security audit software, WAF and HIDS must be deployed before services can be accessed or provided across network segments safely, conveniently and quickly, and access to important systems may even require VPN dial-in. This is inconvenient to use and very costly to operate and maintain, and information leakage incidents still occur.
Disclosure of Invention
Aiming at the problems of the prior art, the invention provides a low-cost, high-security method and system for establishing and accessing a cross-network segment data link.
The invention provides a method for establishing a cross-network segment data link, which comprises the following steps:
when the jump-in port receives an access request initiated by a user, it establishes a link with the user and sends a link establishment request to a control server;
after receiving the link establishment request, the control server generates a key, selects a plurality of hops to form an ad hoc network, sends an encryption key and the ad hoc network entry to the jump-in port, and sends a decryption key and the ad hoc network exit to the jump-out port;
after receiving the encryption key and the ad hoc network entry, the jump-in port stores the encryption key and establishes a link with the ad hoc network entry;
after receiving the decryption key and the ad hoc network exit, the jump-out port stores the decryption key and establishes links with the ad hoc network exit and with the target server respectively, yielding a link between the user and the target server; the decryption key is used to decrypt data during transmission.
Further, selecting a plurality of hops to form an ad hoc network specifically includes:
selecting and ordering a plurality of hops, where the first hop in the ordering is the ad hoc network entry and the last hop is the ad hoc network exit;
sending the ordered hops to a transmission scheduling server;
the transmission scheduling server forming the ad hoc network from the hops, in order, together with itself; the ad hoc network is a multi-hop link, and the transmission scheduling server is located at any position in the multi-hop link other than the first or the last.
Further, after receiving the link establishment request, the control server performs identity authentication on the jump-in port that sent the request.
Further, after the jump-in port passes identity authentication, the control server performs communication verification, which includes checking whether the jump-in port is online and whether it has an idle channel; only if this verification passes is the key generated.
Further, the method for selecting a plurality of hops comprises the following step:
generating a random number n within a preset range and randomly selecting n hops.
The invention also provides a cross-network segment data access method: data is encapsulated and encrypted at the jump-in port, transmitted over a link established by the above method, decrypted and restored at the jump-out port, and the restored data is sent to the target server for data access.
The invention also provides a system for establishing a cross-network segment data link, comprising a jump-in port, a control server and a jump-out port, wherein:
the jump-in port is used for establishing a link with the user when it receives an access request initiated by the user, sending a link establishment request to the control server, and, after receiving the encryption key and the ad hoc network entry, storing the encryption key and establishing a link with the ad hoc network entry;
the control server is used for generating a key after receiving the link establishment request, selecting a plurality of hops to form an ad hoc network, sending the encryption key and the ad hoc network entry to the jump-in port, and sending the decryption key and the ad hoc network exit to the jump-out port;
and the jump-out port is used for storing the decryption key after receiving the decryption key and the ad hoc network exit, and establishing links with the ad hoc network exit and with the target server respectively, yielding the link between the user and the target server; the decryption key is used to decrypt data during transmission.
The system further comprises a transmission scheduling server. The control server is further used for ordering the selected hops, the first hop in the ordering being the ad hoc network entry and the last the ad hoc network exit; the transmission scheduling server is used for forming the ad hoc network from the hops, in order, together with itself; the ad hoc network is a multi-hop link, and the transmission scheduling server is located at any position in the multi-hop link other than the first or the last.
The invention also provides a cross-network segment data access system, in which the jump-in port is further used for encapsulating and encrypting data and transmitting it over the link established by the system, and the jump-out port is further used for decrypting and restoring the encapsulated, encrypted data and sending the restored data to the target server.
Compared with the prior art, the invention has the following advantages. The target service hides its actual access, deployment and request patterns from users, and the whole transmission path carries only encrypted data, so security is high. The target service does not need to be exposed to the wide area network, which avoids the threat of wide area network attack. The control layer is separated from the data layer, which helps prevent attacks and further improves security. Program deployment does not need to account for interfering network equipment between complex network segments (such as firewalls, honeypots, or complex network rules configured in security audit software); the access and link establishment methods are uniform, the user's environment does not need to be considered, and maintenance cost is low. Any local area network segment can be connected across the wide area network, so applicability is wide.
Drawings
FIG. 1 is a schematic diagram of a conventional data link;
fig. 2 is a flow chart of a method for establishing a cross-segment data link according to the present invention;
Fig. 3 is a schematic diagram of a data link established using the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
This embodiment provides a method for establishing a cross-network segment data link, shown in fig. 2 and fig. 3, comprising the following steps:
S1. When the jump-in port receives an access request initiated by a user, it establishes a link with the user and sends a link establishment request to the control server.
The link established between the user and the jump-in port C0 is denoted L0.
S2. After receiving the link establishment request, the control server generates a key, selects a plurality of hops to form an ad hoc network, sends the encryption key and the ad hoc network entry to the jump-in port, and sends the decryption key and the ad hoc network exit to the jump-out port.
The encryption key and the decryption key generated by the control server S0 may be identical or may differ. To improve security and effectiveness, after receiving the link establishment request the control server first performs identity authentication on the jump-in port that sent it; after the jump-in port passes authentication, the control server performs communication verification, which includes checking whether the jump-in port is online and whether it has an idle channel, and only if this verification passes is the key generated.
When selecting hops, a random number n within a preset range is generated and n hops are randomly selected. In this embodiment n = 6 is assumed, i.e. 6 hops are selected in total. The hops and the jump-in port are generally not in the same network segment, so that a data link across network segments is established, but the link can also be established by the method of the invention when the hops are deployed in the same network segment. The hops are generally arbitrary points on the Internet; some may be inside a local area network and some outside it.
The n hops form the ad hoc network as follows. The n hops are ordered (the ordering may be random or follow another ordering rule); the first hop after ordering is the ad hoc network entry and the last hop is the ad hoc network exit. For example, the 6 hops selected in this embodiment are ordered as J0, J1, J2, J3, J4, J5, so J0 is the ad hoc network entry and J5 is the ad hoc network exit. The control server then sends the permission information for the ordered J0 to J5 to the transmission scheduling server S1, and S1 forms the ad hoc network, i.e. a multi-hop link, from the hops together with itself, placing itself at any position in the multi-hop link other than the head or the tail. In this embodiment, hops J0 to J2 establish links L2 (J0 to J1) and L3 (J1 to J2) in turn, hop J2 actively establishes data link L4 with the transmission scheduling server S1, S1 establishes link L5 with J3, and hops J3 to J5 establish links L6 (J3 to J4) and L7 (J4 to J5). Links L2 to L7 together form the ad hoc network.
S3. After receiving the encryption key and the ad hoc network entry, the jump-in port stores the encryption key and establishes a link with the ad hoc network entry; the encryption key is used to encrypt data during transmission.
The link between the jump-in port C0 and the ad hoc network entry J0 is denoted L1. The encryption key stored at the jump-in port encrypts the transmitted data, that is, the access request and the subsequent data transmissions.
S4. After receiving the decryption key and the ad hoc network exit, the jump-out port stores the decryption key and establishes links with the ad hoc network exit and with the target server respectively, yielding a link between the user and the target server.
The jump-out port C1 establishes link L8 with the ad hoc network exit J5 and link L9 with the target server D0. The link between the user U0 and the target server D0, namely links L0 to L9, is thereby established, and the user can exchange data with the target server over it. The decryption key is used to decrypt data during transmission.
Example two
This embodiment provides a cross-network segment data access method: data is encapsulated and encrypted at the jump-in port, transmitted over a link established by the method of the first embodiment, decrypted and restored at the jump-out port, and the restored data is sent to the target server for data access.
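The following Python simulation is an added illustration of the link establishment steps S1 to S4 of the first embodiment (the same procedure summarized under Disclosure of Invention) together with the data access of this embodiment. It is not the patent's own code. The hop pool J0 to J11, the jump-in port's HMAC identity proof, the preset range for n, the link labels L0 to L9 and the SHA-256 counter-mode cipher used in place of the unspecified encryption algorithm are all assumptions of this example; the symmetric case (identical encryption and decryption keys) is shown.

```python
"""Simulation of cross-segment link establishment (S1-S4) and data access.
Added example, not the patent's code. Hop pool, port secrets, cipher and link
labels are assumptions made here for illustration."""
import hmac
import os
import random

HOP_POOL = [f"J{i}" for i in range(12)]   # constructed pool of candidate hops


def port_proof(port_id: str, secret: bytes) -> bytes:
    """Identity proof a jump-in port presents with its link request (assumed HMAC)."""
    return hmac.new(secret, port_id.encode(), "sha256").digest()


def make_multihop(rng, n_min=3, n_max=8, pool=HOP_POOL, sched="S1"):
    """Control-server step: random n in a preset range, n random hops, an ordering
    (first = ad hoc network entry, last = exit), then the transmission scheduling
    server inserts itself at a position that is neither head nor tail."""
    n = rng.randint(n_min, n_max)
    hops = rng.sample(pool, n)
    rng.shuffle(hops)
    pos = rng.randint(1, n - 1)               # interior slot only
    path = hops[:pos] + [sched] + hops[pos:]
    return hops[0], hops[-1], path


def link_labels(user, c0, path, c1, target):
    """Label each link L0..Lk along user -> C0 -> hops/S1 -> C1 -> target."""
    nodes = [user, c0, *path, c1, target]
    return [(f"L{i}", a, b) for i, (a, b) in enumerate(zip(nodes, nodes[1:]))]


class ControlServer:
    def __init__(self, registered_ports, seed=None):
        self.registered = dict(registered_ports)   # jump-in port id -> shared secret
        self.rng = random.Random(seed)

    def handle_link_request(self, port_id, proof, online, idle_channels):
        secret = self.registered.get(port_id)      # identity authentication first
        if secret is None or not hmac.compare_digest(port_proof(port_id, secret), proof):
            raise PermissionError("jump-in port failed identity authentication")
        if not online or idle_channels <= 0:       # then communication verification
            raise ConnectionError("jump-in port offline or without idle channel")
        key = os.urandom(32)                       # generated only after both checks
        entry, exit_, path = make_multihop(self.rng)
        # symmetric case: key sent to C0 for encryption equals key sent to C1
        return {"enc_key": key, "dec_key": key, "entry": entry, "exit": exit_, "path": path}


def _subkeys(key):
    # separate stream and MAC subkeys so one key is never reused for two purposes
    return (hmac.new(key, b"stream", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(skey, nonce, n):
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(skey, nonce + ctr.to_bytes(8, "big"), "sha256").digest())
        ctr += 1
    return b"".join(blocks)[:n]


def encapsulate(enc_key, plaintext):
    """Jump-in port: nonce || ciphertext || tag (encrypt-then-MAC)."""
    skey, mkey = _subkeys(enc_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(skey, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mkey, nonce + ct, "sha256").digest()


def restore(dec_key, packet):
    """Jump-out port: verify the tag first, then decrypt; reject modified packets."""
    skey, mkey = _subkeys(dec_key)
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(mkey, nonce + ct, "sha256").digest(), tag):
        raise ValueError("tag mismatch: wrong key or packet modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(skey, nonce, len(ct))))


def transfer(control, port_id, proof, plaintext):
    """User U0 -> C0 -> ad hoc network -> C1 -> target D0. Returns the labelled
    links and the bytes each relay saw, so the reader can check no hop handles plaintext."""
    grant = control.handle_link_request(port_id, proof, online=True, idle_channels=2)
    links = link_labels("U0", "C0", grant["path"], "C1", "D0")
    packet = encapsulate(grant["enc_key"], plaintext)
    seen = {node: packet for node in grant["path"]}   # relays forward opaque bytes
    delivered = restore(grant["dec_key"], packet)
    return {"links": links, "seen": seen, "delivered": delivered, "grant": grant}


if __name__ == "__main__":
    ctl = ControlServer({"C0": b"c0-shared-secret"}, seed=6)
    res = transfer(ctl, "C0", port_proof("C0", b"c0-shared-secret"), b"SELECT 1")
    for label, a, b in res["links"]:
        print(label, a, "->", b)
    print("delivered:", res["delivered"])
```

With n = 6 the path has seven relay nodes (six hops plus S1), so the labels run L0 to L9 exactly as in the first embodiment. Two points worth noting for a real deployment: the relays only ever see nonce, ciphertext and tag, but the page leaves the channel over which S0 hands keys and hop lists to C0, C1 and S1 unspecified, and that control channel must itself be authenticated and encrypted or the key distribution is the weakest link; and the example authenticates only the jump-in port, as the page describes, not the user behind it.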
Example III
This embodiment provides a system for establishing a cross-network segment data link, comprising a jump-in port, a control server, a transmission scheduling server and a jump-out port, wherein:
the jump-in port is used for establishing a link with the user when it receives an access request initiated by the user, sending a link establishment request to the control server, and, after receiving the encryption key and the ad hoc network entry, storing the encryption key and establishing a link with the ad hoc network entry;
the control server is used for generating a key after receiving the link establishment request, selecting and ordering a plurality of hops, the first hop being the ad hoc network entry and the last hop the ad hoc network exit, sending the encryption key and the ad hoc network entry to the jump-in port, and sending the decryption key and the ad hoc network exit to the jump-out port;
the transmission scheduling server is used for forming the ad hoc network, in order, from the hops selected by the control server together with itself, the ad hoc network being a multi-hop link in which the transmission scheduling server is located at any position other than the first or the last;
and the jump-out port is used for storing the decryption key after receiving the decryption key and the ad hoc network exit, and establishing links with the ad hoc network exit and with the target server respectively, yielding the link between the user and the target server; the decryption key is used to decrypt data during transmission.
The system of this embodiment corresponds one to one with the link establishment method of the first embodiment; for details refer to the first embodiment, which are not repeated here.
Example IV
This embodiment provides a cross-network segment data access system, in which the jump-in port is further used for encapsulating and encrypting data and transmitting it over the link established by the system of the third embodiment, and the jump-out port is further used for decrypting and restoring the encapsulated, encrypted data and sending the restored data to the target server, thereby realizing data access.
The foregoing disclosure is illustrative of the present invention and is not to be construed as limiting the scope of the invention, which is defined by the appended claims.