
CN110830246B - Intranet and extranet secure transmission control method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN110830246B
Authority: CN (China)
Prior art keywords: target data, rule, target, preset, data
Legal status: Active
Application number: CN201911052636.XA
Other languages: Chinese (zh)
Other versions: CN110830246A (en)
Inventors: 陈石成, 葛祥平
Current assignee: Wanghai Kangxin Beijing Technology Co ltd
Original assignee: Wanghai Kangxin Beijing Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for controlling secure transmission of an internal network and an external network, computer equipment and a storage medium, wherein the method comprises the following steps: acquiring a target field of first target data to be transferred, wherein the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data type of the first target data; extracting a first safety rule mapped by a target field from a preset first rule database, wherein the first rule database is a set of first safety rules mapped by a plurality of preset target fields; and carrying out safety control processing on the first target data according to the first safety rule. The application carries out unified safety monitoring and management on the target data sent by a plurality of different internal processing systems, so that the internal data transmission of enterprises or organizations is more standard, and unified management of different internal business systems is facilitated through unified management of gateways.

Description

Intranet and extranet secure transmission control method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for controlling secure transmission between an internal network and an external network, a computer device, and a storage medium.
Background
With the development of computer technology, enterprises and organizations usually adopt management systems to manage internal data, such as personnel information, work archive information, research and development information, and with the development of big data, if better management and data acquisition are to be performed, the management systems inside the enterprises or organizations need to be correlated with each other, and the internal management systems and external servers or clients also need to perform real-time interaction to perform data interaction, implement interconnection and intercommunication, and share data.
However, for some enterprises or organizations the security level of internally produced work information is high and data security must be ensured. In a hospital management system, for example, there are various service systems such as a refined operation system, a financial system, an HIS, a fixed asset system, a human resource system and an EMR, with various interfacing modes among them, which supports the internal operation of the hospital well. Business that involves interaction with systems outside the hospital includes finance interfacing with banks, payment interfacing with social security, and the like. In use it is found that the interfacing between these systems usually secures data and network security through a private network, whereas the interfacing between systems inside and outside the hospital for medical supply chain business has no private network available. At present network security is monitored through a firewall or a gatekeeper, so that the hospital network is protected from attack as much as possible, but the security of service data cannot be guaranteed. The medical supply chain business system interfaces with suppliers' SaaS systems to realize online collaboration on purchase orders, consumable prices, delivery, acceptance and warehousing, invoices, supply chain finance and the like, and hospitals urgently need the security of this core business data to be ensured.
Disclosure of Invention
Based on the above problems, the application discloses an internal and external network secure transmission control method, an internal and external network secure transmission control device, a computer device and a storage medium, wherein the transmission control is performed on the data to and from the internal and external networks in a rule-defined manner, so that the data transmission is more standard and the data is safer.
According to a first aspect, an embodiment of the present application discloses an internal and external network secure transmission control method, including:
acquiring a target field of first target data to be transferred, wherein the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data type of the first target data;
extracting a first safety rule mapped by the target field from a preset first rule database, wherein the first rule database is a set of first safety rules mapped by a plurality of preset target fields;
and carrying out safety control processing on the first target data according to the first safety rule.
Optionally, the internal service cluster includes a plurality of internal service systems, the first target data includes identity information representing attribution of the first target data, and after performing security control on the first target data according to the first security rule, the method further includes:
acquiring identity information for representing each internal service system in the first target data;
identifying whether the identity information is mapped with a second security rule in a second rule database, wherein the second rule database is a set of the second security rules mapped by the identity information of the internal business system;
and when the identity information is mapped with a second safety rule in a second rule database, carrying out transmission limitation on the first target data according to the second safety rule.
Optionally, the first security rule includes: and carrying out hiding desensitization treatment on the information mapped by the target field.
Optionally, the second security rule is a preset rule that limits transmission of the first target data according to the acquired real-time information of the internal service system associated with the target field, and the method for limiting transmission of the first target data according to the second security rule includes:
capturing real-time information in one or more associated internal business systems according to the target field;
identifying whether the first target data is within a preset range of the real-time information;
and when the first target data is not within the preset range, interrupting the transmission of the first target data and generating alarm information to carry out abnormality reminding.
Optionally, the method further includes:
acquiring second target data to be transferred, wherein the second target data is data sent by an external network system to a preset internal service cluster;
acquiring a third safety rule, wherein the third safety rule is a preset rule for limiting the transmission of the second target data;
and carrying out safety control processing on the second target data according to the third safety rule.
Optionally, the third security rule is: according to a preset threshold value of a preset target number of the internal service system, and a preset rule for transmitting the second target data according to a priority level, the method for performing security control processing on the second target data according to the third security rule comprises the following steps:
acquiring the target quantity of the second target data transmitted to the internal service system;
when the target number exceeds a preset threshold value, acquiring a priority queue of the identity information of the internal service system;
and transmitting the second target data according to the priority queue.
Optionally, the third security rule is a preset rule for intercepting the second target data according to the identity information of the extranet system, and the method for performing security control processing on the second target data according to the third security rule includes:
acquiring identity information of the extranet system recorded in the second target data;
identifying whether the identity information of the external network system is in a white list or not;
and when the identity information of the external network system is not in the white list, intercepting the second target data and generating alarm information to perform abnormality reminding.
Optionally, the third security rule further includes: and transmitting the second target data according to whether the transmission time of the second target data is within a preset time limit, and whether the network transmission speed and/or the network flow value are within a preset threshold value.
Optionally, the method further includes:
packaging a random array for the first target data or the second target data;
after the first target data or the second target data are transmitted, correspondingly sending the packaged random array again;
acquiring feedback information of the random array, and identifying whether the feedback information comprises existing data of the random array;
and when the data of the random array does not exist, retransmitting the first target data or the second target data encapsulated with the random array.
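As an added example that is not part of the patent, the inbound steps above (third security rule: white list, transmission time and speed limits, and priority-queue transmission once the target number exceeds the preset threshold) together with the random-array delivery check, in Python; the white list, priority order, thresholds, receiver and messages are constructed assumptions:

```python
"""Inbound (extranet -> intranet) gateway control under the third security rule, plus the
random-array delivery check. Constructed example: identities, priorities, thresholds and
the receiver are invented; only the rule logic follows the patent text.
"""
import heapq
import secrets
from dataclasses import dataclass
from typing import List

EXTRANET_WHITELIST = {"supplier-saas-01", "bank-gateway"}   # constructed extranet identities
PRIORITY = {"his": 0, "finance": 1, "supply_chain": 2}       # lower value is transmitted first
TARGET_THRESHOLD = 2          # preset threshold on the number of pending second target data
TIME_LIMIT = (8, 18)          # preset transmission window in hours, [start, end)
MAX_RATE_KBPS = 1000          # preset network transmission speed threshold


@dataclass
class Inbound:
    sender: str           # identity information of the extranet system
    target_system: str    # identity information of the internal service system
    hour: int             # transmission time of the data
    rate_kbps: int        # measured network transmission speed
    body: str


class InboundGateway:
    def __init__(self) -> None:
        self.pending: List[Inbound] = []   # admitted data in arrival order
        self.alarms: List[str] = []

    def admit(self, msg: Inbound) -> bool:
        """Third rule: intercept senders outside the white list, then enforce time and speed limits."""
        if msg.sender not in EXTRANET_WHITELIST:
            self.alarms.append(f"intercepted: {msg.sender} not in white list")
            return False
        if not (TIME_LIMIT[0] <= msg.hour < TIME_LIMIT[1]):
            self.alarms.append(f"intercepted: {msg.sender} outside time limit ({msg.hour}h)")
            return False
        if msg.rate_kbps > MAX_RATE_KBPS:
            self.alarms.append(f"intercepted: {msg.sender} exceeds speed threshold")
            return False
        self.pending.append(msg)
        return True

    def dispatch(self) -> List[Inbound]:
        """Transmit in arrival order, or by the priority queue of target-system identities
        once the target number exceeds the preset threshold."""
        batch, self.pending = self.pending, []
        if len(batch) <= TARGET_THRESHOLD:
            return batch
        heap = [(PRIORITY.get(m.target_system, 99), i, m) for i, m in enumerate(batch)]
        heapq.heapify(heap)
        return [heapq.heappop(heap)[2] for _ in range(len(heap))]


class LossyReceiver:
    """Constructed internal-side endpoint that loses the first `drops` transmissions."""
    def __init__(self, drops: int) -> None:
        self.drops = drops
        self.seen: set = set()

    def receive(self, nonce: bytes, body: str) -> None:
        if self.drops > 0:
            self.drops -= 1          # lost in transit: the array never arrives
            return
        self.seen.add(nonce)

    def feedback(self, nonce: bytes) -> set:
        return {nonce} & self.seen   # existing data of the random array, if it arrived


def deliver_with_random_array(msg: Inbound, receiver, max_attempts: int = 3) -> int:
    """Package a random array with the data, send it again after transmission, and
    retransmit the package until the feedback contains the array.
    Returns the attempt number on which delivery was confirmed, or 0 if never confirmed."""
    nonce = secrets.token_bytes(8)
    for attempt in range(1, max_attempts + 1):
        receiver.receive(nonce, msg.body)   # transmit the data packaged with the array
        if receiver.feedback(nonce):        # resend the array and inspect the feedback
            return attempt
    return 0
```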
According to a second aspect, an embodiment of the present application further provides an intranet and extranet secure transmission control apparatus, including:
a first obtaining module: configured to obtain a target field of first target data to be transferred, wherein the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data category of the first target data;
a first mapping module: configured to extract a first security rule mapped by the target field from a preset first rule database, wherein the first rule database is a set of first security rules mapped by a plurality of preset target fields;
a first control module: configured to perform security control processing on the first target data according to the first security rule.
Optionally, the internal service cluster includes a plurality of internal service systems, the first target data includes identity information that characterizes attribution of the first target data, and the apparatus further includes:
a second obtaining module: configured to obtain the identity information characterizing the internal business system in the first target data;
a second mapping module: configured to identify whether the identity information is mapped with a second security rule in a second rule database, wherein the second rule database is a set of second security rules mapped by the identity information of each internal business system;
a second control module: configured to perform transmission limitation on the first target data according to the second security rule when the identity information is mapped with the second security rule in the second rule database.
Optionally, the first security rule includes: and carrying out hiding desensitization treatment on the information mapped by the target field.
Optionally, the second security rule is a preset rule that limits transmission of the first target data according to the obtained real-time information of the internal service system associated with the target field, and the second control module further includes:
a grabbing module: configured to capture real-time information in one or more associated internal business systems according to the target field;
a first threshold matching module: configured to identify whether the first target data is within a preset range of the real-time information;
a first interrupt module: configured to interrupt the transmission of the first target data when the first target data is not within the preset range, and to generate alarm information to carry out abnormality reminding.
Optionally, the apparatus further includes:
a third obtaining module: configured to obtain second target data to be forwarded, wherein the second target data is data sent to a preset internal service cluster by an external network system;
a rule acquisition module: configured to obtain a third security rule, wherein the third security rule is a preset rule limiting transmission of the second target data;
a third control module: configured to perform security control processing on the second target data according to the third security rule.
Optionally, the third security rule is: according to a preset threshold of a preset target number of the internal service system, and according to a preset rule of a priority level, transmitting the second target data, the third control module includes:
a target number acquisition module: a target number configured to perform obtaining the second target data for transmission to the internal business system;
a priority acquisition module: a priority queue configured to perform, when the target number exceeds a preset threshold, acquiring identity information of the internal service system;
a transmission module: configured to perform transmitting the second target data according to the priority queue.
Optionally, the third security rule is a preset rule for intercepting the second target data according to the identity information of the extranet system, and the third control module further includes:
a fourth obtaining module: configured to obtain the identity information of the extranet system recorded in the second target data;
a white list identification module: configured to identify whether the identity information of the extranet system is in a white list;
a second interrupt module: configured to intercept the second target data when the identity information is not in the white list, and to generate alarm information for abnormality reminding.
Optionally, the third security rule further includes: and transmitting the second target data according to whether the transmission time of the second target data is within a preset time limit, and whether the network transmission speed and/or the network flow value are within a preset threshold value.
Optionally, the apparatus further includes:
a packaging module: configured to package a random array for the first target data or the second target data;
a first sending module: configured to send the packaged random array again after the first target data or the second target data has been transmitted;
a feedback information identification module: configured to acquire feedback information of the random array and to identify whether the feedback information includes existing data of the random array;
a second sending module: configured to resend the first target data or the second target data packaged with the random array when the existing data of the random array is absent.
According to the third aspect, embodiments of the present application further provide a computer device, including a memory and a processor, where the memory stores computer-readable instructions, and the computer-readable instructions, when executed by the processor, cause the processor to execute the steps of the intranet and extranet secure transmission control method.
Embodiments of the present application also provide a storage medium storing computer-readable instructions, which when executed by one or more processors, cause the one or more processors to perform the steps of the intra-extranet secure transmission control method described above.
The beneficial effects of the embodiment of the application are that: the application discloses a method, a device, a computer device and a storage medium for controlling internal and external network safe transmission, which are characterized in that target data to be transmitted are obtained at a gateway, a target field of the target data is analyzed, a safety rule mapped by the target field is obtained in a rule database, and the target data sent by a plurality of different internal processing systems are uniformly and safely monitored and managed, so that internal data transmission of enterprises or organizations is more standard, and uniform management of different internal business systems is facilitated through uniform management at the gateway. In addition, based on the rule of target field mapping, a multiple rule monitoring mode is set, transmission limitation is performed on transmitted data again according to the characteristics of different internal business processing, and the safety of data transmission is improved.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flowchart of a first target data transmission control method according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for controlling secure transmission between an internal network and an external network according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating data transmission according to a second rule according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating a second method for controlling target data transmission according to an embodiment of the present application;
FIG. 5 is a flowchart of a method for processing data according to a third security rule according to an embodiment of the present application;
FIG. 6 is a diagram illustrating a method for processing data according to a third security rule according to another embodiment of the present application;
FIG. 7 is a flowchart of a method for determining whether a message is transmitted normally according to an embodiment of the present application;
FIG. 8 is a schematic diagram of an intranet and extranet secure transmission control apparatus according to an embodiment of the present application;
FIG. 9 is a block diagram of the basic structure of a computer device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It will be understood by those within the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The application discloses a method for controlling secure transmission of an intranet and an extranet, please refer to fig. 1, which specifically includes:
S1000, obtaining a target field of first target data to be transferred, wherein the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data type of the first target data;
the method is mainly applied to gateways, all preset internal business systems and external network systems carry out data transmission, and the external network systems and one or more internal business systems carry out data transmission communication through the gateways, and one or more data transmission business rules are matched on the gateways to carry out safety control and transmission control on data.
The preset internal business cluster in this application is the set of internal business systems built by an enterprise or organization to manage different businesses. Taking a hospital as an example, it comprises a plurality of internal business systems such as a refined operation system, a financial system, an HIS (health information system), a fixed asset system, a human resource system and an EMR (electronic management system), where different internal business systems manage different businesses. Because the names and conventions used by different internal business systems for the same subject may differ during development, the transmission rules and transmission contents of data sent by different business systems to the external network system also differ. For example, in the financial system the subject information for a person's name is "name" and the subject information for amount data is "amount", whereas in the human resource system the subject information for a person's name may be the name and the subject information for amount data is "price". The title differs from the name and the amount differs from the price across the internal business systems, but the essential contents are the same, for example the wages of doctors.
In order for an enterprise or organization to manage the transmission of data from one or more internal business systems, data output to the external network must be managed uniformly. In this application, data sent to the external network system by an internal business system preset by the enterprise or organization is called first target data. When the first target data passes through the gateway it is obtained directly and its target field is extracted, where the target field is field information representing the data category of the first target data; the subject information "name", "amount" and so on mentioned above belongs to the target fields disclosed in this application. In this embodiment, after the target field is identified, related-word mapping of the target field is also performed in a field database: the corresponding synonyms and near-synonyms of the target field are searched for in the field database and associated with the target field, so that they are mapped together with the corresponding security control rule.
S2000, extracting a first safety rule mapped by the target field from a preset first rule database, wherein the first rule database is a set of first safety rules mapped by a plurality of preset target fields;
the first rule database stores a plurality of first security rules, the target fields are mapped with the first security rules one by one, and it should be noted that, in an embodiment, the target fields are mapped one by one with the first security rules, and the target fields also include words having relevance, such as synonyms and synonyms of the target fields, so as to map the same type of data to the same security rules, and facilitate uniform monitoring and uniform management of data output.
S3000, safety control processing is carried out on the first target data according to the first safety rule.
In an embodiment, the first security rule includes performing a hidden desensitization process on information mapped by the target field. The hiding desensitization treatment is to hide data or some content in the data, so that the data is sent to an external network system in a desensitization mode in the gateway process, and external network users cannot completely acquire all information of the data, so as to ensure the safety of data output.
In an embodiment, referring to FIG. 2, the first target data includes identity information characterizing the attribution of the first target data, and after performing security control on the first target data according to the first security rule, the method further includes:
S4000, acquiring identity information which is used for representing the internal business system in the first target data;
S5000, identifying whether the identity information is mapped with a second safety rule in a second rule database, wherein the second rule database is a set of the second safety rules mapped by the identity information of each internal business system;
and S6000, when the identity information is mapped with a second safety rule in a second rule database, carrying out transmission limitation on the first target data according to the second safety rule.
The first target data is data sent to the external network system by the internal service system, wherein the data comprises identity information of the internal service system, and a corresponding second security rule can be matched in the second rule database according to the identity information. In this application, the second rule database is a set of second security rules mapped by the identity information of the internal service system, and it should be noted that, in an embodiment, one second security rule may be mapped to all the identity information of the internal service system, or a second security rule may be mapped to part of the identity information of the internal service system, and the determination is made according to the characteristics of the specific internal service system.
When the identity information of the internal service system can be mapped to a second security rule in the second rule database, the first target data must also be transmitted under the restriction of that second security rule; that is, after the security control of the first security rule, the transmission restriction of the corresponding second security rule is also applied.
In one embodiment, the second security rule is a rule for performing transmission restriction again after security control has been performed according to the first security rule, and is generally used for supplementary monitoring of data to be transmitted to the outside. For example, three different internal business systems A, B and C have the same or similar target fields but different security levels for data to be transmitted to the outside. Although the outbound data of the relevant internal business systems is uniformly managed and restricted by the first security rule, for system A it is also necessary to monitor the authority of the data sender. Therefore, the account information that logged in to system A and transmitted the first target data is also acquired: when the account has information transmission authority, the first target data is transmitted, but when the user has no information transmission authority, the transmission of the first target data is restricted.
In another embodiment, the second security rule is a preset rule for limiting transmission of the first target data according to the obtained real-time information of the internal service system associated with the target field, please refer to fig. 3, where the method for limiting transmission of the first target data according to the second security rule includes:
S6100, capturing real-time information in one or more associated internal business systems according to the target field;
S6200, identifying whether the first target data is within a preset range of the real-time information;
S6300, when the first target data is not within the preset range, interrupting the transmission of the first target data and generating alarm information to issue an exception reminder.
The real-time information is the latest data stored in the internal business system. Taking a purchase order as the target field, inventory information related to the purchase order can be preset. When the first target data to be output is purchase information, the inventory business system related to the purchase is also crawled to obtain the inventory quantity of the product to be purchased, and a preset threshold value K is set. When the current product inventory crawled from the inventory business system is less than or equal to K, the first target data is released so that purchasing can proceed; when the current product inventory is greater than K, the current inventory is sufficient and no purchase is needed, so the transmission of the first target data is interrupted and the outflow of the purchase order is limited. Where necessary, alarm or exception information can be generated that records the reason for the failure, so as to remind the user of the internal business system. By setting the second security rule, each internal service system is managed further, the purpose of unified management is achieved, and the management mode becomes simpler and more convenient.
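The second security rule as a lookup from identity information to a rule, combining the sender-authority check for system A and the inventory threshold K for purchase orders described above. This is an added example, not the patent's own code; the system names, accounts, SKUs and stock levels are constructed sample data.

```python
"""Added example (not the patent's own code): applying the second security rule
to outbound first target data. It combines the sender-authority check for
system A and the purchase-order inventory threshold K described above. All
system names, accounts, SKUs and stock levels are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-ins for internal systems the gateway can query in real time.
ACCOUNT_AUTHORITY: Dict[str, Dict[str, bool]] = {"A": {"alice": True, "bob": False}}
INVENTORY_SYSTEM: Dict[str, int] = {"SKU-100": 40, "SKU-200": 5}
K = 10  # preset threshold: release a purchase order only when stock <= K


@dataclass
class FirstTargetData:
    system_id: str                 # identity information of the sending internal system
    target_field: str              # data category, e.g. "purchase_order"
    account: str                   # login account that sent the data
    payload: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    released: bool
    alarm: Optional[str] = None    # reason recorded when transmission is interrupted


SecondRule = Callable[[FirstTargetData], Decision]


def authority_rule(data: FirstTargetData) -> Decision:
    """System A only: the sending account must hold transmission authority."""
    allowed = ACCOUNT_AUTHORITY.get(data.system_id, {}).get(data.account, False)
    if not allowed:
        return Decision(False, f"account {data.account} lacks transmission authority on {data.system_id}")
    return Decision(True)


def inventory_rule(data: FirstTargetData) -> Decision:
    """Purchase orders: crawl current stock and interrupt when stock exceeds K."""
    if data.target_field != "purchase_order":
        return Decision(True)       # rule only concerns purchase-type data
    sku = str(data.payload.get("sku", ""))
    if sku not in INVENTORY_SYSTEM:
        return Decision(False, f"no real-time inventory for {sku or '<missing sku>'}")
    stock = INVENTORY_SYSTEM[sku]
    if stock > K:
        return Decision(False, f"stock {stock} for {sku} exceeds K={K}; purchase not needed")
    return Decision(True)


def chain(*rules: SecondRule) -> SecondRule:
    """Apply rules in order; the first interruption wins."""
    def run(data: FirstTargetData) -> Decision:
        for rule in rules:
            decision = rule(data)
            if not decision.released:
                return decision
        return Decision(True)
    return run


# Second rule database: identity information -> second security rule.
# One rule may serve several systems (B and C share the inventory rule).
SECOND_RULE_DB: Dict[str, SecondRule] = {
    "A": chain(authority_rule, inventory_rule),
    "B": inventory_rule,
    "C": inventory_rule,
}


def apply_second_rule(data: FirstTargetData) -> Decision:
    """Transmission restriction applied after first-rule security control."""
    rule = SECOND_RULE_DB.get(data.system_id)
    if rule is None:
        return Decision(True)       # no second rule mapped: first-rule control suffices
    return rule(data)
```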
In the present application, different second security rules may be formulated according to the nature of a specific service system, and the specific operation mode and logic are not changed.
The first target data disclosed above is data sent by the internal service system to the external network system through the gateway. The interaction between the internal service system and the external network system also takes the reverse form, in which the external network system sends data to the internal service system. Referring to fig. 4, when such second target data is transmitted, the method further includes:
S7000, obtaining second target data to be transferred, where the second target data is data sent by the external network system to a preset internal service cluster;
S8000, obtaining a third security rule, where the third security rule is a preset rule for limiting the transmission of the second target data;
S9000, performing security control processing on the second target data according to the third security rule.
The third security rule is a preset rule for limiting the transmission of the second target data, and it is defined according to the specific usage of the internal business system. For example, the third security rule may be a preset time limit: when the time at which the second target data is transmitted to the internal business system is within the preset time limit, the second target data may be transmitted to the corresponding internal business system, and when it is not within the preset time limit, the second target data cannot be transmitted. The preset time limit covers two cases. In the first case, the time difference between the moment the second target data is sent by the external network system and the moment the gateway receives it is compared with the preset time limit: when the difference is within the limit, the data is considered safe, not maliciously hijacked in transit and without security risk; when the transmission time exceeds the limit, a problem may have occurred between sending and receipt, the second target data may have been hijacked and its information tampered with, so for security the access of the second target data may be prohibited. In the second case, the preset time limit is the period during which second target data sent by the extranet system is accepted; for example, with a preset time limit of 7:00 to 22:00, the extranet system can only send second target data during that period to be received by the gateway and forwarded to the corresponding internal service system, and outside that period the second target data is not received.
In another embodiment, the third security rule may also require that the network transmission speed and/or the network traffic value be within a preset threshold. For example, the gateway detects the current network transmission speed in real time, and the preset threshold is that the network transmission speed is greater than or equal to K1: when the current speed meets the threshold, the second target data sent by the extranet system is allowed to pass through the gateway to the corresponding internal service system, otherwise it is intercepted. Alternatively, the preset threshold is that the network traffic value is less than or equal to K2: when the current traffic value is less than or equal to K2, the second target data is allowed to be transmitted to the internal service system, otherwise it is intercepted. Or both conditions are preset, the network transmission speed greater than or equal to K1 and the network traffic value less than or equal to K2, and the second target data is transmitted to the corresponding internal service system only when both are satisfied; otherwise it is intercepted.
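The time-limit and throughput embodiments of the third security rule run over one piece of inbound second target data, as an added example that is not the patent's own code. The transit-delay limit, the K1/K2 values, the timestamps and the link figures are constructed; only the 7:00 to 22:00 window comes from the text.

```python
"""Added example (not the patent's own code): the third security rule checks
on inbound second target data described above: transit-delay limit, the
07:00-22:00 receiving window, and the K1 speed / K2 traffic thresholds.
The concrete limits, timestamps and link figures are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List

MAX_TRANSIT = timedelta(seconds=30)                  # constructed transit-delay limit
WINDOW_START, WINDOW_END = time(7, 0), time(22, 0)   # receiving window from the text
K1 = 5.0     # constructed: minimum acceptable transmission speed, MB/s
K2 = 800.0   # constructed: maximum acceptable traffic value, MB


@dataclass
class SecondTargetData:
    sent_at: datetime        # timestamp stamped by the extranet system
    received_at: datetime    # timestamp stamped by the gateway on receipt
    extranet_id: str
    body: bytes


@dataclass
class LinkState:
    speed_mbps: float        # current transmission speed measured by the gateway
    traffic_mb: float        # current traffic value measured by the gateway


def check_transit_delay(d: SecondTargetData) -> List[str]:
    """First time-limit case: sending-to-receipt difference must stay within the limit."""
    delay = d.received_at - d.sent_at
    if delay < timedelta(0):
        return ["sent timestamp later than receipt: clock skew or tampering"]
    if delay > MAX_TRANSIT:
        return [f"transit delay {delay.total_seconds():.0f}s exceeds "
                f"{MAX_TRANSIT.total_seconds():.0f}s limit; possible hijack"]
    return []


def check_window(d: SecondTargetData) -> List[str]:
    """Second time-limit case: the gateway only accepts data inside the window."""
    t = d.received_at.time()
    if not (WINDOW_START <= t <= WINDOW_END):
        return [f"received at {t:%H:%M} outside {WINDOW_START:%H:%M}-{WINDOW_END:%H:%M}"]
    return []


def check_link(link: LinkState) -> List[str]:
    """Both thresholds must hold: speed >= K1 and traffic <= K2."""
    problems = []
    if link.speed_mbps < K1:
        problems.append(f"speed {link.speed_mbps} MB/s below K1={K1}")
    if link.traffic_mb > K2:
        problems.append(f"traffic {link.traffic_mb} MB above K2={K2}")
    return problems


def evaluate_third_rule(d: SecondTargetData, link: LinkState) -> List[str]:
    """Collect every reason for interception; an empty list means the data may pass."""
    return check_transit_delay(d) + check_window(d) + check_link(link)
```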
In another embodiment, the third security rule is a preset rule for transmitting the second target data according to a preset threshold of the target quantity preset by the internal service system and a priority level. Referring to fig. 5, the method for performing security control processing on the second target data according to the third security rule includes:
S9100, acquiring the target quantity of the second target data to be transmitted to the internal business systems;
S9200, when the target quantity exceeds a preset threshold value, acquiring a priority queue of the identity information of the internal service systems;
S9300, transmitting the second target data according to the priority queue.
This third security rule is the transmission rule used when the same second target data must be sent to a plurality of different internal service systems at the same time. To transmit the data better, in an embodiment the target quantity, that is, the number of internal service systems to be transmitted to, is obtained. When this value is large, simultaneous transmission would make the network transmission volume in the same period too large, so the internal service systems are processed sequentially in batches. So that data reaches the more important systems sooner, the internal service systems are ranked according to their identity information in order of importance, which determines the delivery order: a priority level is set for each system and stored in a priority queue. When the target quantity exceeds the preset threshold, the gateway, on obtaining the second target data, also extracts the identity information of the corresponding internal service systems, obtains the priority level of each identity from the priority queue, and transmits the second target data to the corresponding internal service systems in order of priority.
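Batching the delivery of one piece of second target data by the priority queue once the target quantity exceeds the threshold, as an added example that is not the patent's own code. The identity names, priority levels, threshold and batch size are constructed.

```python
"""Added example (not the patent's own code): when the number of internal
service systems that must receive the same second target data exceeds a
preset threshold, deliver in batches ordered by the priority queue keyed on
identity information. Identity names, levels, threshold and batch size are
constructed sample values."""
import heapq
from typing import Dict, List

TARGET_THRESHOLD = 3   # constructed: above this many targets, deliver in priority batches
BATCH_SIZE = 2         # constructed: systems served per batch

# Priority queue: identity information -> priority level (lower = more important).
PRIORITY_QUEUE: Dict[str, int] = {"erp": 0, "billing": 1, "crm": 2, "reporting": 3, "archive": 4}


def priority_of(identity: str) -> int:
    """Unknown identities are served after every known one."""
    return PRIORITY_QUEUE.get(identity, max(PRIORITY_QUEUE.values()) + 1)


def plan_delivery(targets: List[str]) -> List[List[str]]:
    """Return the delivery batches for the target identity list of one message."""
    unique = list(dict.fromkeys(targets))          # drop duplicate targets, keep order
    if len(unique) <= TARGET_THRESHOLD:
        return [unique]                            # small fan-out: one simultaneous batch
    heap = []
    for arrival, identity in enumerate(unique):
        # arrival index breaks ties so equal-priority systems keep their original order
        heapq.heappush(heap, (priority_of(identity), arrival, identity))
    ordered = [heapq.heappop(heap)[2] for _ in range(len(heap))]
    return [ordered[i:i + BATCH_SIZE] for i in range(0, len(ordered), BATCH_SIZE)]
```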
In another embodiment, referring to fig. 6, the third security rule is a preset rule for intercepting the second target data according to the identity information of the extranet system, and includes:
S9400, acquiring the identity information of the extranet system recorded in the second target data;
S9500, identifying whether the identity information of the external network system is in a white list;
S9600, when it is not in the white list, intercepting the second target data and generating alarm information to issue an exception reminder.
In this embodiment, the white list is the set of identity information of external network systems that are allowed to exchange data with the internal service system. The white list limits which external network systems can access the internal service system, so that only trusted external network system users can access it, thereby ensuring the security of the internal service system. If the external network system sending the second target data is not in the white list, the second target data is intercepted, alarm information is generated and an exception reminder is issued.
It should be noted that, in addition to the white list, a black list may also be set, that is, a set of identity information of external network system users who are prohibited from accessing, listing the external network systems regarded as unsafe; data access from those external network systems is prohibited so as to ensure the security of internal data.
In the present application, different third security rules may be formulated according to the nature of a specific service system, and the specific operation mode and logic are not changed.
In an embodiment, for both the first target data and the second target data, when a previous transmission node sends to a next transmission node, the previous transmission node cannot know whether the sending succeeded unless it receives feedback information. A preferable scheme is therefore that, after the next transmission node receives the information, it sends feedback information to the previous node to ensure normal data transmission.
In an embodiment, referring to fig. 7, another method for determining whether the message is normally transmitted includes:
S1100, encapsulating a random array with the first target data or the second target data;
S1200, after the first target data or the second target data is transmitted, sending the encapsulated random array again;
S1300, obtaining feedback information about the random array, and identifying whether the feedback information includes existing data of the random array;
S1400, when existing data of the random array is absent, retransmitting the first target data or the second target data encapsulated with the random array.
The random array is generated according to a preset rule. The preset rule can limit the type of the array and the number of characters, such as digits, letters, or a combination of the two, with 4 or 6 characters. The same first or second target data is encapsulated with the same random array and different contents with different random arrays, and first or second target data sent in different time periods is encapsulated with different random arrays. The technical solution of this embodiment is as follows: after the first target data is encapsulated with a random array, the data is sent to the next transmission node, which reads the random array, stores it and maps it to the corresponding content. At this point the transmission node that received the first target data does not actively send feedback to the previous transmission node; instead, the previous transmission node actively sends the random array encapsulated with the first target data to that transmission node, which feeds back whether the random array already exists. When the previous transmission node receives feedback that the random array already exists, the first target data was transmitted successfully; when it receives feedback that the random array does not exist, the first target data was not transmitted successfully, and if the data needs to be sent again, the previous transmission node sends the first target data encapsulated with the random array to the next transmission node again, so that data transmission at each transmission node is normal.
This method is called an asynchronous compensation mechanism with an idempotency rule independent of the business rules; by adopting it, the correct delivery of data can be ensured even when data transmitted by a plurality of previous nodes is received at the same time. The transmission method for the second target data is the same as that disclosed above for the first target data.
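The asynchronous compensation mechanism with both nodes modelled, as an added example that is not the patent's own code: the sending node encapsulates the data with a random array, later sends the array again to ask whether the receiving node holds it, and retransmits when it does not, while the receiving node stores each array once. The 6-character alphanumeric array format and the lossy link that drops packets are constructed.

```python
"""Added example (not the patent's own code): the asynchronous compensation
mechanism described above. A sending node encapsulates each piece of target
data with a random array, later sends that array again to ask whether the
receiving node already holds it, and retransmits when it does not. The
6-character alphanumeric array format and the lossy link are constructed."""
import secrets
import string
from typing import Callable, Dict, Tuple

ALPHABET = string.ascii_letters + string.digits
Packet = Tuple[str, bytes]   # (random array, content)


def make_random_array(length: int = 6) -> str:
    """Random array per the preset rule: letters and digits, 6 characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ReceivingNode:
    """Next transmission node: stores random array -> content and answers queries."""
    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def receive(self, packet: Packet) -> None:
        tag, content = packet
        self.store.setdefault(tag, content)   # idempotent: duplicates are stored once

    def has_random_array(self, tag: str) -> bool:
        """Feedback to the previous node: does this random array already exist?"""
        return tag in self.store


class LossyLink:
    """Constructed link that drops the first `drop_first` packets, then delivers."""
    def __init__(self, receiver: ReceivingNode, drop_first: int = 0) -> None:
        self.receiver, self.drop_first, self.count = receiver, drop_first, 0

    def deliver(self, packet: Packet) -> bool:
        self.count += 1
        if self.count <= self.drop_first:
            return False                      # lost in transit; the sender gets no signal
        self.receiver.receive(packet)
        return True


class SendingNode:
    """Previous transmission node: sends, then actively compensates."""
    def __init__(self, deliver: Callable[[Packet], bool]) -> None:
        self.deliver = deliver
        self.pending: Dict[bytes, str] = {}   # content -> its random array, until confirmed

    def send(self, content: bytes) -> str:
        tag = self.pending.get(content)        # the same data keeps the same random array
        if tag is None:
            tag = make_random_array()
            self.pending[content] = tag
        self.deliver((tag, content))
        return tag

    def compensate(self, receiver: ReceivingNode, content: bytes,
                   max_retries: int = 3) -> Tuple[bool, int]:
        """Send the random array again; if the receiver lacks it, retransmit.
        Returns (confirmed, number of retransmissions)."""
        tag = self.pending[content]
        retransmissions = 0
        while True:
            if receiver.has_random_array(tag):
                del self.pending[content]      # delivery confirmed
                return True, retransmissions
            if retransmissions >= max_retries:
                return False, retransmissions  # give up; caller may raise an alarm
            retransmissions += 1
            self.deliver((tag, content))
```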
In all the steps disclosed above, whenever data passes through the gateway, whether sent from the external network system to the internal service system or from the internal service system to the external network system, each step generates and stores a service log recording how the data was handled, so that when a transmission is abnormal the abnormal condition can be conveniently located and handled.
According to a second aspect, please refer to fig. 8, an embodiment of the present application further provides an intranet and extranet secure transmission control apparatus, including:
the first obtaining module 1000: configured to obtain a target field of first target data to be transferred, where the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data category of the first target data;
the first mapping module 2000: configured to extract the first security rule mapped by the target field from a preset first rule database, where the first rule database is a set of first security rules mapped by all preset target fields;
the first control module 3000: configured to perform security control processing on the first target data according to the first security rule.
Optionally, the internal service cluster includes a plurality of internal service systems, the first target data includes identity information that characterizes the attribution of the first target data, and the apparatus further includes:
a second obtaining module: configured to obtain the identity information characterizing the internal business system in the first target data;
a second mapping module: configured to identify whether the identity information is mapped to a second security rule in a second rule database, where the second rule database is a set of second security rules mapped by the identity information of each internal business system;
a second control module: configured to apply transmission limitation to the first target data according to the second security rule when the identity information is mapped to a second security rule in the second rule database.
Optionally, the first security rule includes: and carrying out hiding desensitization treatment on the information mapped by the target field.
Optionally, the second security rule is a preset rule that limits transmission of the first target data according to the obtained real-time information of the internal service system associated with the target field, and the second control module further includes:
a crawling module: configured to crawl real-time information in one or more associated internal business systems according to the target field;
a first threshold matching module: configured to identify whether the first target data is within a preset range of the real-time information;
a first interrupt module: configured to interrupt the transmission of the first target data when it is not within the preset range, and to generate alarm information for an exception reminder.
Optionally, the apparatus further includes:
a third obtaining module: configured to obtain second target data to be forwarded, where the second target data is data sent to a preset internal service cluster by an external network system;
a rule acquisition module: configured to obtain a third security rule, where the third security rule is a preset rule limiting transmission of the second target data;
a third control module: configured to perform security control processing on the second target data according to the third security rule.
Optionally, the third security rule is: according to a preset threshold of a preset target number of the internal service system, and according to a preset rule of a priority level, transmitting the second target data, the third control module includes:
a target number acquisition module: a target number configured to perform obtaining the second target data for transmission to the internal business system;
a priority acquisition module: a priority queue configured to perform, when the target number exceeds a preset threshold, acquiring identity information of the internal service system;
a transmission module: configured to perform transmitting the second target data according to the priority queue.
Optionally, the third security rule is a preset rule for intercepting the second target data according to the identity information of the extranet system, and the third control module further includes:
a fourth obtaining module: configured to obtain the identity information of the extranet system recorded in the second target data;
a white list identification module: configured to identify whether the extranet system identity information is in a white list;
a second interrupt module: configured to intercept the second target data when it is not in the white list and to generate alarm information for an exception reminder.
Optionally, the third security rule further includes: transmitting the second target data according to whether the transmission time of the second target data is within a preset time limit and whether the network transmission speed and/or the network traffic value is within a preset threshold.
Optionally, the apparatus further includes:
a packaging module: configured to encapsulate a random array with the first target data or the second target data;
a first sending module: configured to send the encapsulated random array again after the transmission of the first target data or the second target data;
a feedback information identification module: configured to obtain feedback information about the random array and identify whether the feedback information includes existing data of the random array;
a second sending module: configured to resend the first target data or the second target data encapsulated with the random array when existing data of the random array is absent.
Since the intranet and extranet secure transmission control apparatus corresponds one-to-one to the intranet and extranet secure transmission control method, its implementation principle is the same as that of the method, and details are not repeated here.
FIG. 9 is a block diagram of a basic structure of a computer device according to an embodiment of the present invention.
The computer device includes a processor, a non-volatile storage medium, a memory, and a network interface connected by a system bus. The non-volatile storage medium of the computer device stores an operating system, a database and computer readable instructions, the database can store control information sequences, and the computer readable instructions can enable the processor to realize an internal and external network secure transmission control method when being executed by the processor. The processor of the computer device is used for providing calculation and control capability and supporting the operation of the whole computer device. The memory of the computer device may have computer readable instructions stored therein, which when executed by the processor, may cause the processor to perform a method for intranet and extranet secure transmission control. The network interface of the computer device is used for connecting and communicating with the terminal. Those skilled in the art will appreciate that the architecture shown in fig. 9 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The computer equipment receives the state information of the prompt behavior sent by the associated client, namely whether the associated terminal starts the prompt or not and whether the borrower closes the prompt task or not. And the relevant terminal can execute corresponding operation according to the preset instruction by verifying whether the task condition is achieved or not, so that the relevant terminal can be effectively supervised. Meanwhile, when the prompt information state is different from the preset state instruction, the server side controls the associated terminal to ring continuously so as to prevent the problem that the prompt task of the associated terminal is automatically terminated after being executed for a period of time.
The present invention also provides a storage medium storing computer-readable instructions, which, when executed by one or more processors, cause the one or more processors to execute the intranet and extranet secure transmission control method according to any one of the above embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the computer program is executed. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not bound to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and not necessarily in sequence but alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present invention. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and these modifications and refinements should also be regarded as within the protection scope of the present invention.

Claims (9)

1. A method for controlling secure transmission of an internal network and an external network is characterized by comprising the following steps:
acquiring a target field of first target data to be transferred, wherein the first target data is data sent to an external network system by a preset internal service cluster, and the target field is field information representing the data type of the first target data;
extracting a first safety rule mapped by the target field from a preset first rule database, wherein the first rule database is a set of first safety rules mapped by a plurality of preset target fields;
performing security control processing on the first target data according to the first security rule;
wherein the method further comprises:
acquiring second target data to be transferred, wherein the second target data is data sent by an external network system to a preset internal service cluster;
acquiring a third safety rule, wherein the third safety rule is a preset rule for limiting the transmission of the second target data;
performing security control processing on the second target data according to the third security rule;
wherein the third security rule is a preset rule for transmitting the second target data according to a preset threshold value of a preset target quantity of the internal service system and according to a priority level, and performing security control processing on the second target data according to the third security rule comprises the following steps:
acquiring the target quantity of the second target data transmitted to the internal service system;
when the target number exceeds a preset threshold value, acquiring a priority queue of the identity information of the internal service system;
and transmitting the second target data according to the priority queue.
2. The intranet and extranet secure transmission control method according to claim 1, wherein the internal service cluster includes a plurality of internal service systems, the first target data includes identity information indicating the attribution of the first target data, and after performing security control on the first target data according to the first security rule, the method further includes:
acquiring identity information which is used for representing the internal business system in the first target data;
identifying whether the identity information is mapped with a second safety rule in a second rule database, wherein the second rule database is a set of the second safety rules mapped by the identity information of each internal service system;
and when the identity information is mapped with a second safety rule in a second rule database, carrying out transmission limitation on the first target data according to the second safety rule.
3. The intranet and extranet secure transmission control method according to claim 1, wherein the first security rule comprises: and carrying out hiding desensitization treatment on the information mapped by the target field.
4. The intranet and extranet secure transmission control method according to claim 2, wherein the second security rule is a preset rule that restricts transmission of the first target data according to the acquired real-time information of the internal business system associated with the target field, and the method of restricting transmission of the first target data according to the second security rule includes:
capturing real-time information in one or more associated internal business systems according to the target field;
identifying whether the first target data is within a preset range of the real-time information;
and when the first target data is not in the preset range, the transmission of the first target data is interrupted, and alarm information is generated to carry out abnormal reminding.
5. The intranet and extranet secure transmission control method according to claim 1, wherein the third security rule is a preset rule for intercepting the second target data according to the identity information of the extranet system, and the method for performing the secure control processing on the second target data according to the third security rule includes:
acquiring identity information of the extranet system recorded in the second target data;
identifying whether the identity information of the external network system is in a white list or not;
and when the target data is not in the white list, intercepting the second target data, and generating alarm information to perform abnormal reminding.
6. The intranet and extranet secure transmission control method according to claim 1, further comprising:
packaging a random array for the first target data or the second target data;
after the first target data or the second target data are transmitted, correspondingly sending the packaged random array again;
acquiring feedback information of the random array, and identifying whether the feedback information comprises existing data of the random array;
and when the data of the random array does not exist, retransmitting the first target data or the second target data encapsulated with the random array.
7. A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the intranet and extranet secure transmission control method according to any one of claims 1 to 6.
8. A storage medium storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the intranet and extranet secure transmission control method according to any one of claims 1 to 6.
9. An intranet and extranet secure transmission control apparatus, comprising:
a first obtaining module, configured to perform obtaining of a target field of first target data to be forwarded, where the first target data is data sent by a preset internal service cluster to an external network system, and the target field is field information representing a data category of the first target data;
the first mapping module is configured to extract a first safety rule mapped by the target field from a preset first rule database, wherein the first rule database is a set of first safety rules mapped by a plurality of preset target fields;
a first control module configured to perform security control processing on the first target data according to the first security rule;
wherein the apparatus further comprises:
a third obtaining module, configured to perform obtaining of second target data to be forwarded, where the second target data is data sent by an external network system to a preset internal service cluster;
the rule obtaining module is configured to execute obtaining of a third safety rule, wherein the third safety rule is a preset rule limiting transmission of the second target data;
a third control module configured to perform security control processing on the second target data according to the third security rule;
the third safety rule is as follows: a preset rule for transmitting the second target data according to the priority level and a preset threshold value of the target quantity preset by the internal service system,
the third control module includes:
a target quantity obtaining module configured to perform obtaining of a target quantity of the second target data transmitted to the internal service system;
a priority acquisition module configured to acquire, when the target quantity exceeds a preset threshold, a priority queue of the identity information of the internal service system;
A transmission module configured to perform transmission of the second target data according to the priority queue.
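The two control paths that claim 9 describes (an outbound lookup from the target field to a first security rule, and an inbound counter that, once the preset threshold is exceeded, switches delivery to a priority queue keyed by the internal service's identity) are sketched below as an added Python example. It is not code from the patent or its assignee; the category names, record layouts, identity priorities, threshold value and the regex-based masking are all assumptions made for the illustration and stand in for whatever rules a real deployment would configure.

```python
"""Added illustration of claim 9 (not the patent's own code).
Rule names, record layouts, priorities and the threshold are assumptions."""
import heapq
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# ---- Outbound path: first target data, target field -> first security rule ----

def _mask_id(rec: dict) -> dict:
    """Assumed desensitization rule: keep only the last four digits of id_number."""
    out = dict(rec)
    out["id_number"] = re.sub(r"\d(?=\d{4})", "*", out["id_number"])
    return out

def _allow(rec: dict) -> dict:
    return dict(rec)

def _block(rec: dict) -> None:
    return None

# First rule database: one rule per preset target-field value (assumed categories).
FIRST_RULE_DB: Dict[str, Callable[[dict], Optional[dict]]] = {
    "patient_record": _mask_id,   # desensitize before the record leaves the intranet
    "public_notice": _allow,
    "internal_only": _block,
}

def control_outbound(record: dict, target_field: str = "category") -> Optional[dict]:
    """First obtaining, first mapping and first control modules in one step.
    Returns the record to forward, or None when the rule blocks it.
    A category with no mapped rule is blocked (fail closed); the claims do
    not state this behaviour, it is a design choice of this example."""
    rule = FIRST_RULE_DB.get(record.get(target_field), _block)
    return rule(record)

# ---- Inbound path: second target data, third security rule ----

@dataclass(order=True)
class _Entry:
    priority: int           # lower value is delivered first
    seq: int                # arrival order breaks ties among equal priorities
    payload: dict = field(compare=False)

class InboundController:
    """Third control module: counts second target data sent to the internal
    service system; while the count is within the threshold data is forwarded
    directly, beyond it delivery follows the identity-based priority queue."""

    def __init__(self, priorities: Dict[str, int], threshold: int):
        self.priorities = priorities   # identity of internal service -> priority level
        self.threshold = threshold
        self.count = 0
        self.seq = 0
        self.queue: List[_Entry] = []

    def submit(self, payload: dict) -> str:
        self.count += 1
        if self.count <= self.threshold:
            return "forward"           # target quantity within the preset threshold
        prio = self.priorities.get(payload["target_system"], 99)  # unknown identity last
        heapq.heappush(self.queue, _Entry(prio, self.seq, payload))
        self.seq += 1
        return "queued"

    def drain(self) -> List[dict]:
        """Transmission module: release queued data in priority order."""
        out = []
        while self.queue:
            out.append(heapq.heappop(self.queue).payload)
        return out

if __name__ == "__main__":
    # Constructed sample input, not data from the patent.
    print(control_outbound({"category": "patient_record", "id_number": "110101199001011234"}))
    ctl = InboundController({"emr": 0, "billing": 1, "reporting": 2}, threshold=2)
    for p in [{"target_system": "reporting", "n": 1}, {"target_system": "reporting", "n": 2},
              {"target_system": "reporting", "n": 3}, {"target_system": "emr", "n": 4}]:
        print(ctl.submit(p))
    print([p["n"] for p in ctl.drain()])
```

The outbound side fails closed for an unmapped category, which keeps a forgotten rule-database entry from turning into a data leak; the inbound side uses arrival order only as a tie-breaker so that a flood of low-priority external traffic cannot starve the higher-priority internal service once the threshold is crossed.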
CN201911052636.XA 2019-10-31 2019-10-31 Intranet and extranet secure transmission control method and device, computer equipment and storage medium Active CN110830246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911052636.XA CN110830246B (en) 2019-10-31 2019-10-31 Intranet and extranet secure transmission control method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911052636.XA CN110830246B (en) 2019-10-31 2019-10-31 Intranet and extranet secure transmission control method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110830246A CN110830246A (en) 2020-02-21
CN110830246B true CN110830246B (en) 2020-11-17

Family

ID=69551711

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911052636.XA Active CN110830246B (en) 2019-10-31 2019-10-31 Intranet and extranet secure transmission control method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110830246B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565288B (en) * 2020-12-21 2023-05-09 南京南瑞信息通信科技有限公司 Method and system for executing intranet acquisition and control instruction in extranet
CN116578434B (en) * 2023-05-15 2023-10-20 合芯科技(苏州)有限公司 Information notification management system and method for IC design platform
CN119210739A (en) * 2023-06-20 2024-12-27 北京火山引擎科技有限公司 Data processing method, device, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210242A (en) * 2019-04-25 2019-09-06 深圳壹账通智能科技有限公司 Data desensitization method, apparatus, storage medium and computer equipment
CN110321462A (en) * 2019-05-24 2019-10-11 平安银行股份有限公司 Information dynamic updating method, device, computer equipment and storage medium
CN110348239A (en) * 2019-06-13 2019-10-18 平安普惠企业管理有限公司 Desensitization rule configuration method, data desensitization method, system and computer equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004029506A1 (en) * 2004-06-18 2006-02-02 Circle Unlimitid Ag Method and apparatus for managing resources in a computer system
CN108154047A (en) * 2017-12-25 2018-06-12 网智天元科技集团股份有限公司 Data desensitization method and device
CN109492423B (en) * 2018-09-26 2024-09-13 中国平安人寿保险股份有限公司 Method, device, computer equipment and storage medium for filtering sensitive information
CN110377442B (en) * 2019-06-19 2023-08-22 平安银行股份有限公司 Abnormality early warning method, abnormality early warning device, computer equipment and storage medium
CN110266713A (en) * 2019-06-28 2019-09-20 深圳市网心科技有限公司 Intranet communication method, device, system, proxy server and storage medium

Also Published As

Publication number Publication date
CN110830246A (en) 2020-02-21

Similar Documents

Publication Publication Date Title
US11888863B2 (en) Maintaining user privacy via a distributed framework for security analytics
US10558684B2 (en) Auditing database access in a distributed medical computing environment
US9330376B2 (en) System and method for assigning a business value rating to documents in an enterprise
US20200028858A1 (en) Method, system, and storage medium for secure communication utilizing social networking sites
US8972511B2 (en) Methods and apparatus for analyzing social media for enterprise compliance issues
CN110830246B (en) Intranet and extranet secure transmission control method and device, computer equipment and storage medium
US8949137B2 (en) Managing patient consent in a master patient index
US20070261099A1 (en) Confidential content reporting system and method with electronic mail verification functionality
US20170193249A1 (en) System and method for securing personal data elements
WO2019004928A1 (en) Autonomic incident triage prioritization by performance modifier and temporal decay parameters
CN102916836B (en) Method and system for security monitoring of a monitored terminal
US20220006769A1 (en) Systems and methods for electronically distributing information
US9015849B1 (en) Method and apparatus for preventing data leakage of e-discovery data items
CA2860851C (en) Managing patient consent in a master patient index
CN113691555B (en) Information resource sharing method facing business activity
CN102938760B (en) Terminal security supervision method and device
CN115795556B (en) Data processing method, device, computer equipment and storage medium
CN108885603A (en) Print-interface-technology-agnostic data loss prevention
Guinet How to protect a hospital against cyber attacks
CN119420574A (en) Data transmission method and related product
CN115617349A (en) Code processing method, device, storage medium and electronic equipment
CN119128988A (en) Cloud data management method, system, electronic device and medium based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information
    Address after: 801-2, floor 8, building 3, No. 22, Ronghua Middle Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing
    Applicant after: Wanghai Kangxin (Beijing) Technology Co., Ltd
    Address before: Room 07, Room 2, Building B, 12 Hongda North Road, Beijing Daxing District, Beijing
    Applicant before: Beijing Neusoft Wang Hai Technology Co., Ltd.
SE01 Entry into force of request for substantive examination
GR01 Patent grant