
CN116015872A - Data processing method and device between terminals in local area network - Google Patents


Info

Publication number
CN116015872A
Authority
CN
China
Prior art keywords
terminal
access request
access
address
terminals
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211684590.5A
Other languages
Chinese (zh)
Inventor
彭国洲
郭超
李慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Industry Engineering Co ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
China Electronics Industry Engineering Co ltd
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electronics Industry Engineering Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202211684590.5A
Publication of CN116015872A
Legal status: pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application relates to a data processing method and device between terminals in a local area network, where the LAN has a first terminal and a second terminal directly connected to it. The method, applied to the first terminal, receives an access request for the second terminal, judges whether the request satisfies an access condition for accessing the second terminal, and, when the access condition is met, sends the access request to the second terminal. Because the first terminal forwards its access request to the second terminal only when both terminals have the same security program, network traffic between them flows only in that case: only terminals meeting the access condition can copy data from each other, illegitimately connected terminals are prevented from copying and leaking data, and the data security of terminals in the LAN is effectively ensured.

Description

Data processing method and device between terminals in a local area network

Technical field

This application relates to the technical field of data security processing, and in particular to a data processing method and device between terminals in a local area network.

Background

In the related art, multiple terminals in a local area network can access one another to copy data, or copy data from each other over a direct network-cable connection. This carries security hazards such as data leakage and exposes enterprise data to many risks.

Summary of the invention

To overcome the problems in the related art, this application provides a data processing method and device between LAN terminals that can effectively safeguard the data security of terminals in the LAN.

A first aspect of this application provides a data processing method between LAN terminals. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the method is applied to the first terminal. The method includes:

receiving an access request for accessing the second terminal;

judging whether the access request satisfies an access condition for accessing the second terminal, where the access condition indicates that the first terminal and the second terminal have the same security program;

when the access request satisfies the access condition for accessing the second terminal, sending the access request to the second terminal.

A second aspect of this application provides a data processing device between LAN terminals. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the device is applied to the first terminal. The device includes:

a first processing unit, configured to receive an access request for accessing the second terminal;

a second processing unit, configured to judge whether the access request satisfies an access condition for accessing the second terminal, where the access condition indicates that the first terminal and the second terminal have the same security program;

a third processing unit, configured to send the access request to the second terminal when the access request satisfies the access condition for accessing the second terminal.

A third aspect of this application provides an electronic device, including:

a processor; and

a memory storing executable code which, when executed by the processor, causes the processor to perform the data processing method between LAN terminals described above.

A fourth aspect of this application provides a non-transitory machine-readable storage medium storing executable code which, when executed by a processor of an electronic device, causes the processor to perform the data processing method between LAN terminals described above.

The technical solution provided by this application may have the following beneficial effects. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the method is applied to the first terminal. The method judges whether an access request for accessing the second terminal satisfies the access condition for accessing the second terminal (which indicates that the first terminal and the second terminal have the same security program), and sends the access request to the second terminal when the condition is met. Because the first terminal's access request is sent to the second terminal only when both terminals have the same security program, network traffic between the first and second terminals flows only in that case: only terminals that satisfy the access condition can copy data from each other, illegitimately connected terminals are prevented from copying and leaking data, and the data security of terminals in the LAN is effectively ensured.

It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit this application.

Brief description of the drawings

The above and other objects, features and advantages of this application will become clearer from the more detailed description of its exemplary embodiments given with reference to the accompanying drawings, in which the same reference numerals generally denote the same components.

Fig. 1 is a schematic diagram of the LAN structure shown in an embodiment of this application;

Fig. 2 is another schematic flowchart of the data processing method between LAN terminals shown in an embodiment of this application;

Fig. 3 is an overall flowchart of data processing between LAN terminals shown in an embodiment of this application;

Fig. 4 is a schematic structural diagram of the data processing device between LAN terminals shown in an embodiment of this application;

Fig. 5 is a schematic structural diagram of the electronic device shown in an embodiment of this application.

Detailed description

Preferred embodiments of this application are described in more detail below with reference to the accompanying drawings. Although the drawings show preferred embodiments, it should be understood that this application may be implemented in various forms and is not limited to the embodiments set forth here. Rather, these embodiments are provided so that this application is thorough and complete and fully conveys its scope to those skilled in the art.

The terminology used in this application is for describing particular embodiments only and is not intended to limit the application. As used in this application and the appended claims, the singular forms "a", "an", "the" and "said" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used here refers to and includes any and all possible combinations of one or more of the associated listed items.

It should be understood that although the terms "first", "second", "third" and so on may be used in this application to describe various information, such information is not limited by these terms. These terms serve only to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly second information may also be called first information. Accordingly, a feature qualified as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of this application, "plurality" means two or more unless specifically defined otherwise.

This application provides a data processing method and device between LAN terminals for data transmission between terminals within a LAN. It applies to the LAN shown in Fig. 1, which includes a first terminal 10 and a second terminal 20 directly connected to the first terminal 10. The first terminal 10 is a terminal running a lateral-protection security program. The second terminal 20 may be a terminal without the lateral-protection security program installed, an exception terminal without the lateral-protection security program installed, an exception IP, or a special access terminal such as a DHCP server, a domain name system server or a console server. When the first terminal 10 accesses the second terminal 20, data transmission between terminals in the LAN is possible only if the peer is a terminal with the lateral-protection security program installed, an exception terminal without it installed, an exception IP, or a special access terminal such as a DHCP server, domain name system server or console server.

The purpose of the data processing method and device between LAN terminals provided by this application is to effectively ensure data security during data transmission between LAN terminals.

To address the above problem, an embodiment of this application provides a data processing method between LAN terminals that can effectively ensure data security.

The technical solutions of the embodiments of this application are described in detail below with reference to the accompanying drawings.

Fig. 2 is a schematic flowchart of the data processing method between LAN terminals shown in an embodiment of this application.

Referring to Fig. 2, an embodiment of this application provides a data processing method between LAN terminals, applied to the LAN shown in Fig. 1. The LAN has a first terminal and a second terminal directly connected to the first terminal; the method is applied to the first terminal and specifically includes the following steps:

S201: Receive an access request for accessing the second terminal.

In this embodiment, the first terminal 10 is a terminal running a lateral-protection security program, and the second terminal 20 may be a terminal without the lateral-protection security program installed, an exception terminal without it installed, an exception IP, or a special access terminal such as a DHCP server, a domain name system server or a console server.

The access request is a request sent by a user for the first terminal to access the second terminal. It contains at least the IP address of the first terminal, the IP address of the second terminal, and a flag indicating whether a security program is installed.

It should be noted that a local area network is a computer network that interconnects computers and other devices within a limited geographic area for data transmission and resource sharing. Society's broad demand for information resources and the wide adoption of computer technology have driven the rapid development of LAN technology, which now occupies a very important position in computer networking.

In this embodiment, a LAN connects many computers and peripherals within a relatively small area (an office, a building, a school, etc.) over communication lines for resource sharing, information exchange and remote data communication, such as file management, application software sharing, printer sharing, scanner sharing, workgroup scheduling, e-mail and fax communication services.

S202: Judge whether the access request satisfies the access condition for accessing the second terminal; if so, perform S203.

The access condition indicates that the first terminal and the second terminal have the same security program.

S203: Send the access request to the second terminal.

In this embodiment, data transmission between terminals in the LAN is possible only when the first terminal and the second terminal have the same security program. This is intended for scenarios in which traffic between terminals does not pass through a network security device, and restricts direct network data transmission over a direct cable, a hub or similar means between a terminal with lateral protection installed and one without it.

It should be noted that this embodiment restricts network traffic between terminals with the security program installed and terminals without it. Only when both the accessing terminal and the accessed terminal have the security program installed can they copy data from each other, which prevents illegitimately connected terminals from copying and leaking data.

An embodiment of this application provides a data processing method between terminals in a LAN. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the method is applied to the first terminal. The method judges whether an access request for accessing the second terminal satisfies the access condition for accessing the second terminal (which indicates that the first terminal and the second terminal have the same security program), and sends the access request to the second terminal when the condition is met. Because the first terminal's access request is sent to the second terminal only when both terminals have the same security program, network traffic between them flows only in that case: only terminals that satisfy the access condition can copy data from each other, illegitimately connected terminals are prevented from copying and leaking data, and the data security of terminals in the LAN is effectively ensured.

Further, to widen the scope of use of this application, the embodiment also allows network traffic between a terminal with lateral protection installed and an exception terminal without lateral protection, as well as access involving exception IPs: if the IP address of the accessing terminal or of the accessed terminal is in the whitelist, network traffic between the terminals may be allowed.

As shown in Fig. 2, when the access request does not satisfy the access condition for accessing the second terminal, the method further includes the following steps:

S204: Judge whether the IP address of the second terminal is in the whitelist of the first terminal; if so, send the access request to the second terminal; if not, perform S205.

In this embodiment, access permission indicates that the IP of the second terminal is in the whitelist of the first terminal.

It should be noted that a whitelist (White List) specifies the users that are allowed through; users not on the whitelist are not allowed through. When a whitelist is set up, users (or IP addresses, IP packets, e-mails, etc.) on it are passed preferentially and are not rejected as spam, which greatly improves both security and speed. Whitelisting can also help defend against advanced memory injection attacks: the technique verifies all approved processes running in memory and ensures they have not been modified at run time, thereby defending against advanced memory exploits.

S205: Initiate a whitelisting probe connection (加白打点) to the second terminal and judge whether to add the IP address of the second terminal to the whitelist of the first terminal.

S206: When the whitelisting probe connection between the first terminal and the second terminal succeeds, add the IP address of the second terminal to the whitelist of the first terminal.

Specifically, adding the IP address of the second terminal to the whitelist of the first terminal includes:

sending probe data to the second terminal;

judging whether a probe packet fed back by the second terminal is received;

if the probe packet fed back by the second terminal is received, adding the access IP address of the second terminal to the whitelist of the first terminal and sending the access request to the second terminal.

S207: When the whitelisting probe connection between the first terminal and the second terminal fails, prohibit the access request from being sent to the second terminal.

It should be noted that this embodiment allows network traffic between a terminal with the security program installed and an exception terminal without the security program or an exception IP. Only an accessing terminal and an accessed terminal whose IP addresses are in the whitelist can copy data from each other, which prevents illegitimately connected terminals from copying and leaking data.

An embodiment of this application provides a data processing method between terminals in a LAN. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the method is applied to the first terminal. When the whitelisting probe connection between the first terminal and the second terminal succeeds, the access IP of the second terminal is added to the whitelist of the first terminal, and terminals in the whitelist can exchange network traffic. The embodiment allows network traffic between a terminal with lateral protection installed and an exception terminal without it, as well as access involving exception IPs: if the IP address of the accessing terminal or of the accessed terminal is in the whitelist, network traffic between the terminals may be allowed, which prevents illegitimately connected terminals from copying and leaking data and effectively ensures the data security of terminals in the LAN.

In a specific embodiment, as shown in Fig. 3, the basic design adopted by this application includes the following steps:

S1: When terminal A initiates a TCP/UDP access request and the IP address of terminal B is not within the white IP address range preset for the driver, the request packet is extracted and passed synchronously to the R3 (user-mode) layer of terminal A.

S2: The R3 layer of terminal A sends a packet in a specified format to terminal B on port x, the port preset by the control centre; that is, it initiates the probe (打点).

S3: The driver of terminal B receives, on the preset port x, the packet in the specified format, takes the packet and passes it to the R3 layer of terminal A; that is, the probe is received.

S4: The R3 layer of terminal B adds the IP address of terminal A to the dynamic white IP range and updates the dynamic white IP range in entbw; that is, terminal A is whitelisted.

S5: The R3 layer of terminal B sends a packet in the specified format to terminal A on port x, the port preset by the control centre; that is, the reverse probe.

S6: The driver of terminal A receives, on the preset port x, the packet in the specified format, takes the packet and passes it to the R3 layer of terminal A; that is, the probe is received.

S7: The R3 layer of terminal A adds the IP of terminal B to the dynamic white IP range and updates the dynamic white IP range in entbw; that is, terminal A is whitelisted.

S8: The R3 layer of terminal A releases the real network packet it held at the start, and normal communication follows; that is, the real packet is released.

Further, to widen the scope of use of this application, the embodiment can also release traffic for special access terminals: when the accessing terminal or the accessed terminal is a special access terminal, network traffic between the terminals can be allowed.

When the access request does not satisfy the access condition for accessing the second terminal, the method further includes:

judging whether the first terminal is a special access terminal, where the special access terminals include a DHCP server, a domain name system server and a console server;

if the first terminal is any one of the special access terminals, sending the access request to the second terminal.

It should be noted that this embodiment allows special access terminals to copy data from each other while preventing illegitimately connected terminals from copying and leaking data.

An embodiment of this application provides a data processing method between terminals in a LAN. The LAN has a first terminal and a second terminal directly connected to the first terminal. The method allows network traffic between special access terminals while preventing illegitimately connected terminals from copying and leaking data, thereby effectively ensuring the data security of terminals in the LAN.
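As an added illustration (not code from the patent, its assignees or any product), the following Python model runs the first-terminal decision of S201 to S207 together with the whitelisting probe handshake of S1 to S8 and the special-access-terminal release described above. The port number, probe format, terminal addresses, the rule that only a terminal running the security program answers a probe, and the split between the "driver" and the "R3" layer are constructed stand-ins; the page gives none of these values.

```python
# Added example: a model of the access decision (S201-S207), the whitelisting
# probe handshake (S1-S8) and the special-access-terminal release. Not the
# patent's code; all constants and addresses below are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Optional

PROBE_PORT = 50000               # stand-in for the control centre's preset "port x"
PROBE_MAGIC = b"LANGUARD-PROBE"  # stand-in for the "packet in a specified format"

# Special access terminals named by the page: DHCP, DNS and console servers.
# The addresses are constructed sample values.
SPECIAL_ACCESS_TERMINALS = {"10.0.0.1": "dhcp", "10.0.0.2": "dns", "10.0.0.3": "console"}


@dataclass
class AccessRequest:
    src_ip: str
    dst_ip: str
    peer_has_security_program: bool  # the "security program installed" flag in the request
    payload: bytes = b""


@dataclass
class Terminal:
    ip: str
    has_security_program: bool                           # lateral-protection program present?
    static_whitelist: set = field(default_factory=set)   # "white IP range preset for the driver"
    dynamic_whitelist: set = field(default_factory=set)  # range updated by R3 ("entbw" in the text)
    held_packets: list = field(default_factory=list)     # real packets held until a decision

    def is_whitelisted(self, ip: str) -> bool:
        return ip in self.static_whitelist or ip in self.dynamic_whitelist

    def driver_receive_probe(self, port: int, data: bytes, sender_ip: str) -> Optional[tuple]:
        """Driver side (S3/S6): only a packet on the preset port carrying the
        specified format is lifted to R3. Assumption of this model: a terminal
        without the security program has no such driver and never answers."""
        if not self.has_security_program:
            return None
        if port != PROBE_PORT or data != PROBE_MAGIC:
            return None
        # R3 side (S4): whitelist the sender, then answer with the reverse probe (S5).
        self.dynamic_whitelist.add(sender_ip)
        return (PROBE_PORT, PROBE_MAGIC, self.ip)


def decide(first: Terminal, second: Terminal, req: AccessRequest) -> str:
    """Runs on the first terminal. Returns 'forward:<reason>' or 'deny:<reason>'."""
    # S202/S203: both terminals run the same security program -> forward directly.
    if first.has_security_program and req.peer_has_security_program:
        return "forward:same-security-program"
    # Special access terminals (DHCP, DNS, console) are released on either side.
    if first.ip in SPECIAL_ACCESS_TERMINALS or second.ip in SPECIAL_ACCESS_TERMINALS:
        return "forward:special-access-terminal"
    # S204: static entry or an entry learned by an earlier probe.
    if first.is_whitelisted(second.ip):
        return "forward:whitelist"
    # S1: hold the real packet; S2: send the probe; S5/S6: wait for the reverse probe.
    first.held_packets.append(req)
    reply = second.driver_receive_probe(PROBE_PORT, PROBE_MAGIC, first.ip)
    if reply is None or reply[0] != PROBE_PORT or reply[1] != PROBE_MAGIC:
        first.held_packets.remove(req)  # S207: the held request is never forwarded
        return "deny:probe-failed"
    # S7: learn the peer; S8: release the held packet.
    first.dynamic_whitelist.add(reply[2])
    first.held_packets.remove(req)
    return "forward:probe-succeeded"


if __name__ == "__main__":
    a = Terminal("10.0.1.10", has_security_program=True)
    b = Terminal("10.0.1.40", has_security_program=True)
    # The request does not declare the peer's program, so the probe path is taken.
    print(decide(a, b, AccessRequest(a.ip, b.ip, peer_has_security_program=False)))
    print(sorted(a.dynamic_whitelist), sorted(b.dynamic_whitelist))
```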

Corresponding to the above embodiments of the method, this application also provides a data processing device between terminals in a LAN, an electronic device and corresponding embodiments.

Fig. 4 is a schematic structural diagram of the data processing device between terminals in a LAN shown in an embodiment of this application.

Referring to Fig. 4, an embodiment of this application provides a data processing device between terminals in a LAN. The LAN has a first terminal and a second terminal directly connected to the first terminal, and the device is applied to the first terminal. The device includes:

a first processing unit 401, configured to receive an access request for accessing the second terminal;

a second processing unit 402, configured to judge whether the access request satisfies an access condition for accessing the second terminal, where the access condition indicates that the first terminal and the second terminal have the same security program;

a third processing unit 403, configured to send the access request to the second terminal when the access request satisfies the access condition for accessing the second terminal.

Further, when the access request does not satisfy the access condition for accessing the second terminal, the device further includes:

a fourth processing unit 404, configured to judge whether the IP address of the second terminal is in the whitelist of the first terminal;

when the IP address of the second terminal is in the whitelist of the first terminal, the access request is sent to the second terminal.

Further, when the IP address of the second terminal is not in the whitelist of the first terminal, the device further includes:

a fifth processing unit 405, configured to initiate a whitelisting probe connection to the second terminal and judge whether to add the IP address of the second terminal to the whitelist of the first terminal;

when the whitelisting probe connection between the first terminal and the second terminal succeeds, the IP address of the second terminal is added to the whitelist of the first terminal;

when the whitelisting probe connection between the first terminal and the second terminal fails, the access request is prohibited from being sent to the second terminal.

As for the device in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and is not elaborated here.

FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Referring to FIG. 5, the electronic device 500 includes a memory 510 and a processor 520.

The processor 520 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.

The memory 510 may include various types of storage units, such as system memory, read-only memory (ROM), and persistent storage. The ROM may store static data or instructions required by the processor 520 or by other modules of the computer. The persistent storage may be a readable and writable storage device, that is, a non-volatile storage device that does not lose the stored instructions and data even when the computer is powered off. In some embodiments, the persistent storage is a large-capacity storage device (such as a magnetic or optical disk, or flash memory). In other embodiments, the persistent storage may be a removable storage device (such as a floppy disk or an optical drive). The system memory may be a readable and writable storage device or a volatile readable and writable storage device, such as dynamic random access memory. The system memory may store some or all of the instructions and data that the processor needs at runtime. In addition, the memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory); magnetic disks and/or optical disks may also be used. In some embodiments, the memory 510 may include a readable and/or writable removable storage device, such as a compact disc (CD), a read-only digital versatile disc (for example DVD-ROM or dual-layer DVD-ROM), a read-only Blu-ray disc, an ultra-density optical disc, a flash memory card (such as an SD card, mini SD card, Micro-SD card, and so on), a magnetic floppy disk, and so on. Computer-readable storage media do not include carrier waves or transient electronic signals transmitted wirelessly or over wires.

Executable code is stored on the memory 510; when the executable code is processed by the processor 520, it causes the processor 520 to perform part or all of the method described above.

The solution of the present application has been described in detail above with reference to the accompanying drawings. In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of the other embodiments. Those skilled in the art should also understand that the actions and modules involved in the description are not necessarily required by the present application. In addition, it can be understood that the order of the steps in the method of the embodiments of the present application may be adjusted, and steps may be combined or deleted, according to actual needs, and that the modules in the apparatus of the embodiments of the present application may be combined, divided or deleted according to actual needs.

In addition, the method according to the present application may also be implemented as a computer program or computer program product that includes computer program code instructions for executing some or all of the steps of the above method of the present application.

Alternatively, the present application may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code (or computer program, or computer instruction code) is executed by the processor of an electronic device (or server, and so on), it causes the processor to perform some or all of the steps of the above method according to the present application.

Those skilled in the art will also appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the application herein may be implemented as electronic hardware, computer software, or a combination of both.

The flowcharts and block diagrams in the figures show the architecture, functions and operations of possible implementations of systems and methods according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in a block may occur in an order different from that noted in the figures. For example, two consecutive blocks may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The embodiments of the present application have been described above. The foregoing description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein has been chosen to best explain the principles of the embodiments, their practical application or their improvement over the technology in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A method for processing data between terminals in a local area network, wherein the local area network has a first terminal and a second terminal directly connected to the first terminal, the method being applied to the first terminal, the method comprising:
receiving an access request for accessing the second terminal;
judging whether the access request meets the access condition of accessing the second terminal or not, wherein the access condition is used for representing that the first terminal and the second terminal have the same security program;
and when the access request meets the access condition of accessing the second terminal, sending the access request to the second terminal.
2. The data processing method according to claim 1, wherein when the access request does not satisfy an access condition for accessing the second terminal, the method further comprises:
judging whether the IP address of the second terminal exists in the white list of the first terminal;
and when the IP address of the second terminal exists in the white list of the first terminal, the access request is sent to the second terminal.
3. The data processing method according to claim 2, wherein when the IP address of the second terminal does not exist in the whitelist of the first terminal, the method further comprises:
initiating a whitelist probe connection to the second terminal, and judging whether the IP address of the second terminal is to be added to the whitelist of the first terminal;
when the whitelist probe connection between the first terminal and the second terminal succeeds, the IP address of the second terminal is added to the whitelist of the first terminal;
and when the whitelist probe connection between the first terminal and the second terminal fails, the access request is forbidden to be sent to the second terminal.
4. The data processing method according to claim 3, wherein said adding the IP address of the second terminal to the whitelist of the first terminal comprises:
transmitting probe data to the second terminal;
judging whether a probe data packet fed back by the second terminal is received or not;
and if the probe data packet fed back by the second terminal is received, adding the access IP address of the second terminal to the whitelist of the first terminal, and sending the access request to the second terminal.
5. The data processing method according to claim 1, wherein when the access request does not satisfy the access condition for accessing the second terminal, the method further comprises:
judging whether the IP address of the first terminal is the IP address of a special access terminal or not, wherein the special access terminal comprises: a DHCP server, a domain name system server, or a console server;
and if the IP address of the first terminal is the IP address of a special access terminal, sending the access request to the second terminal.
6. A data processing device between terminals in a local area network, wherein the local area network has a first terminal and a second terminal directly connected to the first terminal, the device being applied to the first terminal, the device comprising:
a first processing unit, configured to receive an access request for accessing the second terminal;
the second processing unit is used for judging whether the access request meets the access condition of accessing the second terminal or not, and the access condition is used for representing that the first terminal and the second terminal have the same security program;
and the third processing unit is used for sending the access request to the second terminal when the access request meets the access condition of accessing the second terminal.
7. The data processing apparatus according to claim 6, wherein when the access request does not satisfy an access condition for accessing the second terminal, the apparatus further comprises:
a fourth processing unit, configured to determine whether an IP address of the second terminal exists in a whitelist of the first terminal;
and when the IP address of the second terminal exists in the white list of the first terminal, the access request is sent to the second terminal.
8. The data processing apparatus of claim 7, wherein when the IP address of the second terminal does not exist in the whitelist of the first terminal, the apparatus further comprises:
a fifth processing unit, configured to initiate a whitelist probe connection to the second terminal, and to determine whether to add the IP address of the second terminal to the whitelist of the first terminal;
when the whitelist probe connection between the first terminal and the second terminal succeeds, the IP address of the second terminal is added to the whitelist of the first terminal;
and when the whitelist probe connection between the first terminal and the second terminal fails, the access request is forbidden to be sent to the second terminal.
9. An electronic device, comprising:
a processor; and
a memory having executable code stored thereon which, when executed by the processor, causes the processor to perform the data processing method of any of claims 1-5.
10. A non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the data processing method of any of claims 1-5.
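The decision sequence that the processing units 401 to 405 and claims 1 to 5 describe (same security program, special access terminal, whitelist lookup, whitelist probe connection) can be read as one access-control function on the first terminal. The following Python model is an added illustration and is not code from the patent or its assignees. The representation of the "security program" as a string identifier, the ordering of the fallback checks (the patent does not fix the order of claims 2, 3 and 5), the probe payload, and the IP addresses of the DHCP, DNS and console servers are all assumptions; the network is simulated in memory so the example runs offline.

```python
"""Model of the first terminal's forwarding decision from CN116015872A (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Set


class Decision(Enum):
    FORWARD = "forward"   # the access request is sent on to the second terminal
    BLOCK = "block"       # the access request must not be sent


@dataclass
class Terminal:
    """Constructed model of a LAN terminal.

    `security_program` is an identifier for the installed security program (None if
    none is installed). This representation is an assumption; the patent only requires
    that both terminals have the "same security program".
    """
    ip: str
    security_program: Optional[str] = None
    whitelist: Set[str] = field(default_factory=set)
    echoes_probe: bool = False   # whether it feeds back the probe data packet (claim 4)


# Claim 5: special access terminals whose requests are always forwarded.
# The addresses are constructed sample values.
SPECIAL_ACCESS_IPS: FrozenSet[str] = frozenset({
    "192.168.1.1",    # DHCP server
    "192.168.1.2",    # domain name system server
    "192.168.1.10",   # console server
})

PROBE_PAYLOAD = b"WHITELIST-PROBE"   # constructed probe data (claim 4)


def make_probe(network: Dict[str, Terminal]) -> Callable[[str, str], bool]:
    """Build the whitelist probe connection for an in-memory network.

    A real deployment would send the probe data over a socket and wait for the feedback
    packet; here the exchange is simulated. The probe succeeds only if the peer exists
    and echoes the probe data back unchanged.
    """
    def probe(src_ip: str, dst_ip: str) -> bool:
        peer = network.get(dst_ip)
        if peer is None or not peer.echoes_probe:
            return False                # no feedback packet: connection not successful
        feedback = PROBE_PAYLOAD        # the peer's security program echoes the probe
        return feedback == PROBE_PAYLOAD
    return probe


def access_condition_met(first: Terminal, second: Terminal) -> bool:
    """Claim 1: both terminals run the same security program."""
    return (first.security_program is not None
            and first.security_program == second.security_program)


def decide(first: Terminal, second: Terminal,
           probe: Callable[[str, str], bool]) -> Decision:
    """Decide whether the first terminal forwards an access request to the second.

    The order of the fallback checks below is an assumption; the patent states each
    fallback separately for the case where the access condition is not met.
    """
    # Step 1 (claim 1): same security program on both sides.
    if access_condition_met(first, second):
        return Decision.FORWARD
    # Step 2 (claim 5): infrastructure terminals (DHCP, DNS, console) are always allowed.
    if first.ip in SPECIAL_ACCESS_IPS:
        return Decision.FORWARD
    # Step 3 (claim 2): the second terminal is already on the first terminal's whitelist.
    if second.ip in first.whitelist:
        return Decision.FORWARD
    # Step 4 (claims 3 and 4): whitelist probe connection; record the IP on success.
    if probe(first.ip, second.ip):
        first.whitelist.add(second.ip)
        return Decision.FORWARD
    # Probe failed: the request is prohibited from being sent.
    return Decision.BLOCK


if __name__ == "__main__":
    # Constructed scenario: terminal A runs the agent, B does not but answers the probe.
    a = Terminal("10.0.0.5", security_program="agent-v1")
    b = Terminal("10.0.0.6", echoes_probe=True)
    probe = make_probe({a.ip: a, b.ip: b})
    print(decide(a, b, probe), sorted(a.whitelist))
```

Note that once the probe succeeds the peer's IP is trusted on later requests without a further check, so the whitelist is only as reliable as the probe exchange that populated it; a deployment should pair the IP entry with the security program's own authentication of the peer rather than the address alone.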
CN202211684590.5A 2022-12-27 2022-12-27 Data processing method and device between terminals in local area network Pending CN116015872A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211684590.5A CN116015872A (en) 2022-12-27 2022-12-27 Data processing method and device between terminals in local area network


Publications (1)

Publication Number Publication Date
CN116015872A true CN116015872A (en) 2023-04-25

Family

ID=86032108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211684590.5A Pending CN116015872A (en) 2022-12-27 2022-12-27 Data processing method and device between terminals in local area network

Country Status (1)

Country Link
CN (1) CN116015872A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination