
CN116566711A - A data transmission method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116566711A
Authority: CN (China)
Prior art keywords: cloud security, security platform, online, preset, address
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310615571.5A
Other languages: Chinese (zh)
Other versions: CN116566711B (en)
Inventors: 范如, 王润峰
Current assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: DBAPPSecurity Co Ltd

Events:

    • Application filed by DBAPPSecurity Co Ltd
    • Priority to CN202310615571.5A
    • Publication of CN116566711A
    • Application granted
    • Publication of CN116566711B
    • Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/12 Applying verification of the received information
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a data transmission method, device, equipment and storage medium in the field of data transmission. The method comprises the following steps: the target VPC collects data through an internal device and sends a connection request message, determined on the basis of the encrypted IP address of that device, to the cloud security platform through a preset shared port for verification, the preset shared port being a port shared by multiple VPCs; if that verification succeeds, the target VPC verifies the connection confirmation message obtained from the cloud security platform and, after that verification succeeds, sends a connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port for verification; and if that verification succeeds, the target VPC transmits the data to the cloud security platform through the preset shared port for processing. Because multiple VPCs share one port, the number of externally exposed ports is reduced, network resources are saved and the risk of attack is lowered, and encrypting the IP address of the internal device secures the data transmission.

Description

A data transmission method, device, equipment and storage medium

Technical field

The present invention relates to the field of data transmission, and in particular to a data transmission method, device, equipment and storage medium.

Background

As private cloud networks are built out, network security services are increasingly delivered as SaaS (Software-as-a-Service). Providing network security services from the cloud gives users a convenient experience: data is aggregated along different dimensions and presented on a large-screen dashboard so that users can clearly and intuitively understand the security posture of their assets; for example, security products such as log audit and database audit collect large volumes of basic data for security operations. However, because tenants are separated into VPCs (Virtual Private Clouds), tenant networks must be distinguished by business, data security must be guaranteed, and different kinds of business data can usually be transmitted through only a small number of open ports.

In the prior art, when an internal network transmits several types of business data to an external network, a number of different IPs and ports are usually opened for transmission. Using many IPs and ports means that each IP and port must be allocated its own network resources, which wastes network resources and leads to network congestion and performance degradation. Each IP and port also requires its own security protection; once a security vulnerability appears in any one of them, an attacker can use it to attack the entire network system. In addition, because each IP and port must be maintained independently, maintenance cost rises, and when a large number of IPs and ports are maintained a great deal of manpower and time is wasted.

Summary of the invention

In view of this, the object of the present invention is to provide a data transmission method, device, equipment and storage medium in which multiple VPCs share one port, so that the number of ports exposed to the outside is reduced, network resources are saved and the risk of attack is lowered, and in which the IP address of the internal device is encrypted to secure the data transmission. The specific scheme is as follows:

In a first aspect, the present application provides a data transmission method applied to a target VPC, comprising:

collecting payload data through an internal device, and sending a connection request message determined on the basis of the encrypted internal device IP address to the cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message; the preset shared port is a port shared by multiple VPCs;

if the cloud security platform verifies the connection request message successfully, verifying the connection confirmation message obtained from the cloud security platform, and after that verification succeeds, sending a connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message;

if the cloud security platform verifies the connection establishment message successfully, transmitting the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data on the basis of the identifier of the target VPC.

Optionally, sending the connection request message determined on the basis of the encrypted internal device IP address to the cloud security platform through the preset shared port comprises:

obtaining the internal device IP address corresponding to the internal device, and symmetrically encrypting the internal device IP address with a key file to obtain the encrypted internal device IP address;

adding the encrypted internal device IP address to a first preset field of the connection request message, and sending the resulting connection request message to the cloud security platform through the preset shared port.

Optionally, before symmetrically encrypting the internal device IP address with the key file, the method further comprises:

obtaining the key file generated and distributed by the cloud security platform.

Optionally, the verification operation performed by the cloud security platform on the connection request message comprises:

the cloud security platform symmetrically decrypting, with the key file, the encrypted internal device IP address carried in the first preset field of the connection request message, to obtain the decrypted internal device IP address;

the cloud security platform judging whether the decrypted internal device IP address is consistent with the source address of the connection request message, and if they are consistent, sending a connection confirmation message to the target VPC.

Optionally, sending the connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port comprises:

adding the identifier of the target VPC to a second preset field of the connection establishment message to obtain the resulting connection establishment message;

sending the resulting connection establishment message to the cloud security platform through the preset shared port.

Optionally, transmitting the payload data to the cloud security platform through the preset shared port comprises:

determining a characteristic field on the basis of the business data type corresponding to the payload data, and processing the payload data with the characteristic field and a delimiter to obtain processed payload data;

transmitting the processed payload data to the cloud security platform through the preset shared port.

Optionally, the cloud security platform processing the payload data on the basis of the identifier of the target VPC comprises:

the cloud security platform obtaining the identifier of the target VPC from the second preset field of the connection establishment message, in order to determine on the basis of that identifier the target VPC to which the processed payload data belongs, parsing the processed payload data to obtain the payload data and the characteristic field, and then determining the business data type corresponding to the characteristic field;

the cloud security platform performing on the payload data the processing operation corresponding to the business data type to obtain a processing result, and aggregating and displaying the processing result.

In a second aspect, the present application provides a data transmission device applied to a target VPC, comprising:

a request message sending module, configured to collect payload data through an internal device and to send a connection request message determined on the basis of the encrypted internal device IP address to the cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message; the preset shared port is a port shared by multiple VPCs;

an establishment message sending module, configured, if the cloud security platform verifies the connection request message successfully, to verify the connection confirmation message obtained from the cloud security platform and, after that verification succeeds, to send a connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message;

a data transmission module, configured, if the cloud security platform verifies the connection establishment message successfully, to transmit the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data on the basis of the identifier of the target VPC.

In a third aspect, the present application provides an electronic device, comprising:

a memory for storing a computer program;

a processor for executing the computer program to implement the data transmission method described above.

In a fourth aspect, the present application provides a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the data transmission method described above.

In the present application, payload data is collected through an internal device, and a connection request message determined on the basis of the encrypted internal device IP address is sent to the cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message; the preset shared port is a port shared by multiple VPCs. If the cloud security platform verifies the connection request message successfully, the connection confirmation message obtained from the cloud security platform is verified, and after that verification succeeds a connection establishment message determined on the basis of the identifier of the target VPC is sent to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message. If the cloud security platform verifies the connection establishment message successfully, the payload data is transmitted to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data on the basis of the identifier of the target VPC. It can thus be seen that in the present application multiple VPCs share one port for the transmission of messages and data, which reduces the number of ports exposed to the outside, saves network resources and maintenance cost, and lowers the risk of attack; the internal device IP address is encrypted, which secures the data transmission; and a VPC identifier is inserted into the message, so that data from different VPCs can be distinguished by that identifier.

Brief description of the drawings

In order to explain more clearly the technical solutions of the embodiments of the present invention or of the prior art, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of a data transmission method disclosed in the present application;

Fig. 2 is a structural diagram of the establishment of a data transmission channel disclosed in the present application;

Fig. 3 is a logic diagram of the transmission of TCP SYN messages disclosed in the present application;

Fig. 4 is a flow chart of a specific data transmission method disclosed in the present application;

Fig. 5 is a schematic structural diagram of a data transmission device disclosed in the present application;

Fig. 6 is a structural diagram of an electronic device disclosed in the present application.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In the prior art, when an internal network transmits several types of business data to an external network, a number of different IPs and ports are usually opened for transmission, and each IP and port needs its own network resources and its own security protection. To address this, the present application provides a data transmission method in which multiple VPCs share one port, so that the number of ports exposed to the outside is reduced, network resources are saved and the risk of attack is lowered, and in which the IP address of the internal device is encrypted to secure the data transmission.

Referring to Fig. 1, an embodiment of the present invention discloses a data transmission method applied to a target VPC, comprising:

Step S11: collect payload data through an internal device, and send a connection request message determined on the basis of the encrypted internal device IP address to the cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message; the preset shared port is a port shared by multiple VPCs.

In this embodiment, a VPC contains multiple PC devices, and a collection plug-in is installed on each of them to collect data. To transmit the data collected by the devices inside the VPC to the SaaS service of the cloud security platform, a reliable data transmission channel must be established. As shown in Fig. 2, the VPC passes all messages and all data collected by the collection plug-ins from the near-source side of the channel establishment module to its near-security-product side, from where they are delivered to the cloud security platform. The channel establishment module essentially sets up one preset shared port through which all messages and all collected data are forwarded; note that this preset shared port is shared by multiple VPCs, which reduces the number of open ports and saves network resources. The preset shared port supports both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) for data transmission, and only designated devices may connect to it: other devices cannot connect at will even if they know the port. Specifically, the communication protocol and port are set in the nginx configuration file so that TCP and UDP connections can be established.

In this embodiment, sending the connection request message determined on the basis of the encrypted internal device IP address to the cloud security platform through the preset shared port may comprise: obtaining the internal device IP address corresponding to the internal device and symmetrically encrypting it with a key file to obtain the encrypted internal device IP address; and adding the encrypted internal device IP address to the first preset field of the connection request message and sending the resulting message to the cloud security platform through the preset shared port. Further, before the internal device IP address is symmetrically encrypted with the key file, the key file generated and distributed by the cloud security platform is obtained. As shown in Fig. 3, to secure the data transmission and ensure that only legitimate connections are established, the security authentication module of the cloud security platform generates a key file and distributes it to the target VPC, where the target VPC is any one of the multiple VPCs and the cloud security platform manages all of the SaaS security products. After the target VPC obtains the key file, it symmetrically encrypts the internal device IP address with it, places the encrypted internal device IP address in the Options field of the TCP SYN connection request message, and sends the TCP SYN connection request message to the cloud security platform through the preset shared port.

In this embodiment, the verification operation performed by the cloud security platform on the connection request message may comprise: the cloud security platform symmetrically decrypting, with the key file, the encrypted internal device IP address in the first preset field of the connection request message to obtain the decrypted internal device IP address; and the cloud security platform judging whether the decrypted internal device IP address is consistent with the source address of the connection request message and, if so, sending a connection confirmation message to the target VPC. As shown in Fig. 3, after the cloud security platform receives the TCP SYN connection request message sent by the target VPC, it symmetrically decrypts the encrypted internal device IP address in the Options field with the key file to obtain the decrypted internal device IP address, and compares it with the source address of the TCP SYN connection request message. If they are consistent, the connection initiator, that is, the target VPC, is judged to be legitimate and a TCP ACK connection confirmation message is sent to it; if they are inconsistent, the initiator is judged to be illegitimate and a reset is returned to refuse the connection. In this way, the present application encrypts the IP address of the device inside the VPC and has the cloud security platform compare the decrypted IP address with the source address of the message, which ensures that only legitimate connections are established and secures the data transmission.

Step S12: if the cloud security platform verifies the connection request message successfully, verify the connection confirmation message obtained from the cloud security platform, and after that verification succeeds, send a connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message.

In this embodiment, if the cloud security platform verifies the TCP SYN connection request message successfully, it sends a TCP ACK connection confirmation message to the target VPC, and the target VPC in turn verifies that TCP ACK message. If that verification succeeds, the target VPC sends a TCP SYN+ACK connection establishment message determined on the basis of its identifier to the cloud security platform through the preset shared port. Specifically, sending the connection establishment message determined on the basis of the identifier of the target VPC to the cloud security platform through the preset shared port may comprise: adding the identifier of the target VPC to the second preset field of the connection establishment message to obtain the resulting connection establishment message; and sending that message to the cloud security platform through the preset shared port. Because multiple VPCs transmit messages and data through the same preset shared port, the identifier of the target VPC is added to the Options field of the TCP SYN+ACK connection establishment message so that data from different VPCs can be distinguished, and the TCP SYN+ACK connection establishment message is then sent to the cloud security platform through the preset shared port. After receiving the TCP SYN+ACK connection establishment message, the cloud security platform verifies it; if the verification fails, no connection between the target VPC and the cloud security platform is established.

Step S13: if the cloud security platform verifies the connection establishment message successfully, transmit the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data on the basis of the identifier of the target VPC.

In this embodiment, if the cloud security platform verifies the TCP syn+ack connection establishment message successfully, the connection between the target VPC and the cloud security platform is completed, and the target VPC then transmits the payload data to the cloud security platform through the preset shared port. Specifically, transmitting the payload data to the cloud security platform through the preset shared port may include: determining a characteristic field based on the business data type corresponding to the payload data, and processing the payload data using the characteristic field and a delimiter to obtain processed payload data; and transmitting the processed payload data to the cloud security platform through the preset shared port. It will be understood that data collected by multiple devices within one VPC may correspond to different business data types, for example log audit data and database audit data. To distinguish data of different business data types, the characteristic field can first be determined from the business data type corresponding to the payload data collected by the internal device; the characteristic field is then prepended to the payload data, and a delimiter is inserted to separate the characteristic field from the payload data, which gives the processed payload data. For example, if the payload data is 123 and the corresponding business data type is log audit data, the characteristic field is determined to be logaudit and the delimiter is ===, so the processed payload data is logaudit===123, which is then transmitted to the cloud security platform through the preset shared port. In this way, by adding a characteristic field and a delimiter to the data collected by devices inside the VPC before sending it to the cloud security platform, data of different business types can be distinguished.

In this embodiment, the cloud security platform processing the payload data based on the identifier of the target VPC may include: the cloud security platform obtaining the identifier of the target VPC from the second preset field of the added connection establishment message, so as to determine, based on that identifier, the target VPC to which the processed payload data corresponds; parsing the processed payload data to obtain the payload data and the characteristic field, and then determining the business data type corresponding to the characteristic field; and the cloud security platform performing the processing operation corresponding to that business data type on the payload data to obtain a processing result, and aggregating and displaying the processing result. It will be understood that, after obtaining the processed payload data, the cloud security platform can determine its origin from the identifier of the target VPC carried in the Options field of the TCP syn+ack connection establishment message. The cloud security platform further parses the processed payload data to obtain the actual payload data, the characteristic field and the business data type corresponding to that field, processes the actual payload data accordingly, and aggregates and displays the processing results for the user to view.
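The framing step described for S13 and the platform-side parsing described just above, as an added example that is not code from the patent or its assignee. The characteristic field logaudit and the delimiter === are the page's own; the second business type (database audit, field dbaudit), the type names and the per-type processing handlers are assumptions made for illustration. Parsing splits on the first delimiter only, so a payload that itself contains === (a log line, say) is returned intact, and an unknown characteristic field is rejected rather than guessed.

```python
"""Characteristic-field framing of payload data (step S13) and its parsing
on the cloud security platform.

Added example, not the patent's or the assignee's code. logaudit and the
=== delimiter come from the page; dbaudit, the business type names and the
handlers below are assumptions for illustration.
"""

DELIMITER = "==="

# Business data type -> characteristic field prepended to the payload.
CHARACTERISTIC_FIELDS = {
    "log_audit": "logaudit",        # the page's example
    "database_audit": "dbaudit",    # assumed name for database audit data
}
TYPE_BY_FIELD = {v: k for k, v in CHARACTERISTIC_FIELDS.items()}


def frame_payload(business_type: str, payload: str) -> str:
    """VPC side: build <characteristic field><delimiter><payload>."""
    field = CHARACTERISTIC_FIELDS[business_type]   # unknown type -> KeyError
    if DELIMITER in field:
        raise ValueError("characteristic field must not contain the delimiter")
    return f"{field}{DELIMITER}{payload}"


def parse_payload(processed: str):
    """Platform side: split off the characteristic field and map it to a type.

    Splits on the first delimiter only, so a payload containing === is kept
    intact. Raises ValueError when the delimiter is missing or the field is
    unknown, so malformed data is rejected instead of being guessed at.
    """
    field, sep, payload = processed.partition(DELIMITER)
    if not sep:
        raise ValueError("missing delimiter")
    if field not in TYPE_BY_FIELD:
        raise ValueError(f"unknown characteristic field: {field!r}")
    return TYPE_BY_FIELD[field], payload


# Assumed per-type processing operations; the patent only states that the
# platform performs the operation matching the business data type.
def _process_log_audit(payload: str) -> dict:
    return {"kind": "log_audit", "length": len(payload)}


def _process_database_audit(payload: str) -> dict:
    return {"kind": "database_audit", "statements": payload.count(";")}


HANDLERS = {
    "log_audit": _process_log_audit,
    "database_audit": _process_database_audit,
}


def platform_process(vpc_id: str, processed: str) -> dict:
    """Parse one processed payload, run the matching handler, tag by VPC id."""
    business_type, payload = parse_payload(processed)
    result = HANDLERS[business_type](payload)
    result["vpc"] = vpc_id
    return result


if __name__ == "__main__":
    framed = frame_payload("log_audit", "123")
    print(framed)                         # logaudit===123
    print(platform_process("VPC1", framed))
```

The VPC identifier is passed in separately because, per the page, it travels in the Options field of the connection establishment message rather than inside the payload; the platform joins the two when it dispatches.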

It can thus be seen that, on the one hand, the present application has multiple VPCs share one port for message and data transmission, which reduces the number of externally exposed ports, saves network resources and maintenance cost, and lowers the risk of attack; on the other hand, the present application encrypts the internal device IP address, and the cloud security platform decrypts the encrypted IP address and compares it with the source address of the connection request message, thereby ensuring the security of data transmission and the legitimacy of connection establishment; and, further, the present application inserts the VPC identifier into a field of the connection establishment message, so that data from different VPCs can be distinguished by their VPC identifier, and adds a characteristic field and a delimiter to the payload data before sending it to the cloud security platform, so that data of different business types can be distinguished.

Referring to Fig. 4, an embodiment of the present invention discloses a data transmission method in which VPC1 and VPC2 each collect payload data through a collection plug-in installed on their respective internal devices, each obtain the key file generated and issued by the security authentication module of the cloud security platform, and use that key file to symmetrically encrypt their respective internal device IP addresses to obtain encrypted internal device IP addresses. Each places its encrypted internal device IP address in the Options field of its own TCP syn connection request message and then sends that message to the cloud security platform through the preset shared port. The cloud security platform uses the key file to symmetrically decrypt the encrypted internal device IP address in each of the two Options fields, obtaining the decrypted internal device IP addresses, and compares each decrypted address with the source address of the corresponding TCP syn connection request message. If both match, the connection initiators VPC1 and VPC2 are judged legitimate, and a TCP ack connection confirmation message is sent to each of VPC1 and VPC2.

VPC1 and VPC2 further verify the TCP ack connection confirmation messages they each receive. If that verification succeeds, each adds its own VPC identifier to the Options field of its TCP syn+ack connection establishment message and sends that message to the cloud security platform through the preset shared port. The cloud security platform verifies the two TCP syn+ack connection establishment messages; if the verification succeeds, the connection between VPC1 and the cloud security platform and the connection between VPC2 and the cloud security platform are completed. VPC1 and VPC2 then each determine a characteristic field from the business data type corresponding to their payload data, prepend the characteristic field to the payload data, and insert a delimiter to separate the characteristic field from the payload data, obtaining processed payload data data1 and data2 respectively. VPC1 and VPC2 transmit data1 and data2 to the cloud security platform through the preset shared port. After obtaining data1 and data2, the cloud security platform determines their respective origins from the identifiers in the Options fields of the TCP syn+ack connection establishment messages received from VPC1 and VPC2, and then passes the identifier of VPC1 together with data1, and the identifier of VPC2 together with data2, to the business attribute processing module of the cloud security platform. That module parses data1 and data2 separately to obtain the actual payload data, the characteristic fields and the business data types corresponding to those fields, processes each actual payload according to its own business data type, and aggregates and displays the processing results for the user to view.

It can thus be seen that, on the one hand, the present application has multiple VPCs share one port for message and data transmission, which reduces the number of externally exposed ports, saves network resources and maintenance cost, and lowers the risk of attack; on the other hand, the present application encrypts the internal device IP address, and the cloud security platform decrypts the encrypted IP address and compares it with the source address of the connection request message, thereby ensuring the security of data transmission and the legitimacy of connection establishment; and, further, the present application inserts the VPC identifier into a field of the connection establishment message, so that data from different VPCs can be distinguished by their VPC identifier, and adds a characteristic field and a delimiter to the payload data before sending it to the cloud security platform, so that data of different business types can be distinguished.

Referring to Fig. 5, an embodiment of the present invention discloses a data transmission apparatus, applied to a target VPC, comprising:

a request message sending module 11, configured to collect payload data through an internal device and to send a connection request message determined based on the encrypted internal device IP address to the cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message, the preset shared port being a port shared by a plurality of VPCs;

an establishment message sending module 12, configured to, if the cloud security platform verifies the connection request message successfully, verify the connection confirmation message obtained from the cloud security platform and, after that verification succeeds, send a connection establishment message determined based on the identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message;

a data transmission module 13, configured to, if the cloud security platform verifies the connection establishment message successfully, transmit the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data based on the identifier of the target VPC.

It can thus be seen that the present application has multiple VPCs share one port for message and data transmission, which reduces the number of externally exposed ports, saves network resources and maintenance cost, and lowers the risk of attack; the present application also encrypts the internal device IP address, thereby ensuring the security of data transmission; and, in addition, the present application inserts a VPC identifier into the message, so that data from different VPCs can be distinguished by their VPC identifier.

In some specific embodiments, the request message sending module 11 may specifically include:

an IP address encryption unit, configured to obtain the internal device IP address corresponding to the internal device and to symmetrically encrypt the internal device IP address using a key file to obtain an encrypted internal device IP address;

a first message sending unit, configured to add the encrypted internal device IP address to a first preset field of the connection request message and to send the added connection request message to the cloud security platform through the preset shared port.

In some specific embodiments, the data transmission apparatus may further include:

a key file obtaining unit, configured to obtain the key file generated and issued by the cloud security platform.

In some specific embodiments, the establishment message sending module 12 may specifically include:

an identifier adding unit, configured to add the identifier of the target VPC to a second preset field of the connection establishment message to obtain the added connection establishment message;

a second message sending unit, configured to send the added connection establishment message to the cloud security platform through the preset shared port.

In some specific embodiments, the data transmission module 13 may specifically include:

a data processing unit, configured to determine a characteristic field based on the business data type corresponding to the payload data and to process the payload data using the characteristic field and a delimiter to obtain processed payload data;

a data transmission unit, configured to transmit the processed payload data to the cloud security platform through the preset shared port.

Further, an embodiment of the present application also discloses an electronic device. Fig. 6 is a structural diagram of an electronic device 20 according to an exemplary embodiment; nothing in the figure should be taken as limiting the scope of use of the present application.

Fig. 6 is a schematic structural diagram of an electronic device 20 provided by an embodiment of the present application. The electronic device 20 may specifically include at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 stores a computer program that is loaded and executed by the processor 21 to implement the relevant steps of the data transmission method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may specifically be an electronic computer.

In this embodiment, the power supply 23 provides the operating voltage for each hardware device on the electronic device 20; the communication interface 24 creates a data transmission channel between the electronic device 20 and external devices, following any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; and the input/output interface 25 obtains input data from, or outputs data to, the outside world, its specific interface type being selectable according to the needs of the particular application and not specifically limited here.

In addition, the memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk, an optical disk or the like; the resources stored on it may include an operating system 221, a computer program 222 and so on, and the storage may be temporary or permanent.

The operating system 221 manages and controls the hardware devices and the computer program 222 on the electronic device 20, and may be Windows Server, Netware, Unix, Linux or the like. Besides the computer program that performs the data transmission method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs for performing other specific tasks.

Further, the present application also discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the data transmission method disclosed above. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief, and the description of the method may be referred to for the relevant details.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present application.

The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in software modules executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises that element.

The technical solution provided by the present application has been described in detail above, and specific examples have been used herein to explain its principles and implementation. The description of the above embodiments is intended only to help understand the method of the present application and its core idea; at the same time, those of ordinary skill in the art may, in accordance with the idea of the present application, make changes in the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A data transmission method, applied to a target VPC, comprising:
collecting payload data through an internal device, and sending a connection request message determined based on an encrypted internal device IP address to a cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message, wherein the preset shared port is a port shared by a plurality of VPCs;
if the cloud security platform verifies the connection request message successfully, verifying a connection confirmation message obtained from the cloud security platform and, after that verification succeeds, sending a connection establishment message determined based on an identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message; and
if the cloud security platform verifies the connection establishment message successfully, transmitting the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data based on the identifier of the target VPC.
2. The data transmission method according to claim 1, wherein sending the connection request message determined based on the encrypted internal device IP address to the cloud security platform through the preset shared port comprises:
obtaining an internal device IP address corresponding to the internal device, and symmetrically encrypting the internal device IP address using a key file to obtain the encrypted internal device IP address; and
adding the encrypted internal device IP address to a first preset field of the connection request message, and sending the added connection request message to the cloud security platform through the preset shared port.
3. The data transmission method according to claim 2, wherein, before symmetrically encrypting the internal device IP address using the key file, the method further comprises:
obtaining the key file generated and issued by the cloud security platform.
4. The data transmission method according to claim 2, wherein the cloud security platform performing the verification operation on the connection request message comprises:
the cloud security platform symmetrically decrypting, using the key file, the encrypted internal device IP address in the first preset field of the added connection request message to obtain a decrypted internal device IP address; and
the cloud security platform judging whether the decrypted internal device IP address is consistent with the source address of the added connection request message and, if so, sending a connection confirmation message to the target VPC.
5. The data transmission method according to any one of claims 1 to 4, wherein sending the connection establishment message determined based on the identifier of the target VPC to the cloud security platform through the preset shared port comprises:
adding the identifier of the target VPC to a second preset field of the connection establishment message to obtain an added connection establishment message; and
sending the added connection establishment message to the cloud security platform through the preset shared port.
6. The data transmission method according to claim 5, wherein transmitting the payload data to the cloud security platform through the preset shared port comprises:
determining a characteristic field based on the business data type corresponding to the payload data, and processing the payload data using the characteristic field and a delimiter to obtain processed payload data; and
transmitting the processed payload data to the cloud security platform through the preset shared port.
7. The data transmission method according to claim 6, wherein the cloud security platform processing the payload data based on the identifier of the target VPC comprises:
the cloud security platform obtaining the identifier of the target VPC from the second preset field of the added connection establishment message, so as to determine the target VPC corresponding to the processed payload data based on that identifier, parsing the processed payload data to obtain the payload data and the characteristic field, and then determining the business data type corresponding to the characteristic field; and
the cloud security platform performing a processing operation corresponding to the business data type on the payload data to obtain a processing result, and aggregating and displaying the processing result.
8. A data transmission apparatus, applied to a target VPC, comprising:
a request message sending module, configured to collect payload data through an internal device and to send a connection request message determined based on an encrypted internal device IP address to a cloud security platform through a preset shared port, so that the cloud security platform performs a verification operation on the connection request message, wherein the preset shared port is a port shared by a plurality of VPCs;
an establishment message sending module, configured to, if the cloud security platform verifies the connection request message successfully, verify a connection confirmation message obtained from the cloud security platform and, after that verification succeeds, send a connection establishment message determined based on an identifier of the target VPC to the cloud security platform through the preset shared port, so that the cloud security platform performs a verification operation on the connection establishment message; and
a data transmission module, configured to, if the cloud security platform verifies the connection establishment message successfully, transmit the payload data to the cloud security platform through the preset shared port, so that the cloud security platform processes the payload data based on the identifier of the target VPC.
9. An electronic device, comprising:
a memory for storing a computer program; and
a processor for executing the computer program to implement the data transmission method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program which, when executed by a processor, implements the data transmission method according to any one of claims 1 to 7.
Publications (2)

Publication Number / Publication Date
CN116566711A (en) 2023-08-08
CN116566711B (en) 2025-12-12



Also Published As

Publication number Publication date
CN116566711B (en) 2025-12-12

Similar Documents

Publication Publication Date Title
US11652637B2 (en) Enforcing a segmentation policy using cryptographic proof of identity
US6874084B1 (en) Method and apparatus for establishing a secure communication connection between a java application and secure server
US9288234B2 (en) Security policy enforcement
CN109309685B (en) Information transmission method and device
US9876773B1 (en) Packet authentication and encryption in virtual networks
CN108566361B (en) Security parameter negotiation method and system based on SSL/TLS protocol
EP3036643B1 (en) Method and system for distributing secrets
JPH09270788A (en) Secure network protocol system and method
US10257171B2 (en) Server public key pinning by URL
CN101610150B (en) Third-party digital signature method and data transmission system
CN107547559B (en) Message processing method and device
US20140331287A1 (en) Authentication policy enforcement
CN114679323B (en) Network connection methods, devices, equipment and storage media
WO2023151479A1 (en) Data processing method, and device
Ranjan et al. Security analysis of TLS authentication
CN111756528A (en) A quantum session key distribution method, device and communication architecture
CN114172645A (en) Communication bypass auditing method and device, electronic equipment and storage medium
CN114244569B (en) SSL VPN remote access method, system and computer equipment
US11689517B2 (en) Method for distributed application segmentation through authorization
KR101971995B1 (en) Method for decryping secure sockets layer for security
CN116566711A (en) A data transmission method, device, equipment and storage medium
CN113992734A (en) Session connection method, device and equipment
CN116264649B (en) Data acquisition methods, data management systems, data acquisition devices and computer equipment
Lorenzo et al. Pk-IOTA: Blockchain empowered Programmable Data Plane to secure OPC UA communications in Industry 4.0
CN118432894A (en) Method and device for remote service trust of iOS system based on TCP

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant