CN104184735B - Power marketing mobile application security guard system - Google Patents

Publication number: CN104184735B (application CN201410423475.1A; earlier publication CN104184735A)
Authority: CN (China)
Legal status: Active
Original language: Chinese (zh)
Inventors: 涂莹, 肖世杰, 张燕, 裘华东, 叶盛, 郑斌, 胡若云, 丁麒, 沈然, 金良峰, 颜拥, 黄瑞章, 刘欢, 李南, 马闯, 沈超, 孙申, 孙一申, 和巍, 糜晓波, 畅伟, 吕诗宁, 谷泓杰, 林恺丰, 吴慧
Assignees (original and current): State Grid Corp of China SGCC; State Grid Zhejiang Electric Power Co Ltd; Jiaxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Classification area: Mobile Radio Communication Systems

Abstract

A power marketing mobile application security protection system, relating to power marketing mobile application systems. At present, adopting mobile terminals introduces security problems: third-party secondary encryption is easily cracked and leads to information leakage. The system comprises a security terminal layer, a secure channel layer, a secure access platform layer and a mobile application layer; the mobile application layer supports the service applications of the mobile terminal and realizes application security of the system. The technical scheme realizes secure access for mobile terminals; strong isolation between the information intranet and the information extranet is achieved by isolation means, attacks from the extranet are cut off, and information security is effectively improved.

Description

Mobile application safety protection system for power marketing
Technical Field
The invention relates to a mobile application safety protection system for power marketing.
Background
As the informatization of the power industry continues to advance, information systems have become a basic means of daily work for the employees of power enterprises and play an increasingly important role in power production control and in company operation and management. However, the traditional information system leaves more and more inconveniences unsolved: traditional management software that must be used inside the power company's local area network greatly restricts field communication and the improvement of service quality. As the informatization of power marketing deepens, users of the marketing business management information system raise specific requirements for mobile application: how to handle work at a customer's site or a construction site at any time, how field staff can complete various information management tasks outside the office, and how to avoid, in a more flexible and convenient way, the problem that field data originally recorded by hand cannot be entered into the management system in time. These problems can be solved with a mobile terminal, which improves the convenience and processing efficiency of the information system while meeting the security requirement.
However, adopting mobile terminals introduces a security problem: third-party secondary encryption is easily decrypted and leads to information leakage. Intranet access conditions are strict, which restricts the development of power marketing mobile applications. How to use an intelligent mobile terminal to securely access the power marketing service through the external network has therefore become an important subject that urgently needs solving.
Disclosure of Invention
The technical problem and technical task addressed by the invention are to perfect and improve the existing technical scheme and to provide a mobile application security protection system for power marketing, so as to achieve the aim of securely accessing the power marketing system from the external network. To this end, the invention adopts the following technical scheme.
A power marketing mobile application security protection system, characterized in that it includes:
a security terminal layer: the mobile terminal uses an encryption algorithm and stores a private key or digital certificate on the terminal; when the mobile terminal communicates, a secure channel is established with the secure access gateway group over the mobile public network, identity authentication is carried out with the digital certificate, and key communication data are encrypted in transit;
a secure channel layer: connects each external link to the system access network, realizes network-level identity authentication through routing access control and an encrypted virtual private channel built with VPN, and ensures the confidentiality and integrity of data; access control of the boundary region is carried out through a firewall, and access requests from illegitimate devices are refused; a corresponding security monitoring system is configured to monitor, protect against and manage the security risks of access requests, ensuring the security of the secure access and system access network part; all communication protocols from the physical layer to the application layer are isolated between the access network and the enterprise intranet, a dedicated data exchange mechanism is established and maintained for each permitted application, the source, destination, data format and data content of the exchange are limited, and the exchange is monitored;
a secure access platform layer: the intermediate zone for external information publishing, information acquisition and data exchange; it is the end point of the access terminal's network connection, and all application access terminates at the security authentication gateway; the secure access platform layer performs security detection and audit of the registration and operating state of exchange services, configuration management and daily operation and maintenance of network and security devices, security policy management, traffic monitoring, statistical analysis and security audit, and presents these in a friendly, humanized interface;
a mobile application layer: supports the service applications of the mobile terminal and realizes application security of the system.
As a further improvement and supplement to the above technical solutions, the present invention also includes the following additional technical features.
The security access platform layer is provided with an access gateway, a data filtering and exchanging system, an identity authentication server and an access platform centralized monitoring and management system, wherein the access gateway comprises a security access gateway for notebook access, a mobile security access gateway for PDA/smart phone access and a meter security access gateway for meter access.
When the intelligent terminal is a tablet computer, a PDA or a smartphone, the security algorithm private key or digital certificate used by the security terminal layer is stored on a MicroSD card; a SIM card is fitted to the intelligent terminal, and network channel security is realized by binding the SIM card to a dedicated APN; dedicated security control software is deployed on the intelligent terminal to establish the secure channel and manage user authentication.
The mobile application layer is provided with a mobile application server, and the application server is provided with an anti-virus module, so that each application server in the application service area is prevented from being infected by viruses and trojans, and the propagation and illegal control of the viruses are prevented.
The secure channel layer, the secure access platform layer and the mobile application development platform together form the mobile operation platform, which comprises an information security and protection unit, a cross-platform service supporting unit, an application supporting unit, a mobile GIS supporting unit, a mobile workflow supporting unit and a platform management unit. The information security and protection unit provides VPN wireless access support for the secure access platform, encrypted messaging for application services and database encryption on the mobile terminal, so as to realize efficient and secure access; the cross-platform service supporting unit supports various mobile terminal operating systems, establishing a set of uniform, standard APIs (application programming interfaces) adapted to each operating system to realize cross-platform support, and supports various terminal hardware; the application supporting unit supports the hardware bottom layer; the mobile GIS supporting unit displays geographic graphics, displays power grid resources and performs GIS spatial analysis, path navigation and position reporting; the mobile workflow supporting unit manages the server side and the client of the power mobile application release platform; the platform management unit handles equipment management, authority management, service menu management, state monitoring of the mobile terminal, service monitoring and standardized field operation analysis.
The hardware bottom-layer support of the application supporting unit covers: printing, location service, bar code scanning, high-frequency RF card reading and writing, user electronic signature authentication, mobile terminal network state notification and the encapsulation of other hardware features; configuration of device login audit, user login audit and login authentication audit of service components; file services for video files, image files and pattern management system integration; issuing, downloading and importing task data for audit; user authentication and security policy management.
The secure access platform layer securely separates the third-party network from the enterprise information network to realize secure access of the mobile terminal; it carries out user identity authentication, data encryption, audit/authorization of user data and online encryption of files to realize transmission security. The VPN gateway access service layer comprises a secure access gateway system function component, an identity authentication system function component, a data encryption and decryption function component and a centralized monitoring and management user logic function component; the components communicate over a high-speed message bus to realize the various security services.
The secure access platform layer is deployed in combinable segments and joined seamlessly to the network layer; the identity authentication system performs bidirectional authentication between the terminal and the VPN gateway and passes CA service authentication and authorization.
When the secure access platform layer performs audit/authorization work, it dynamically monitors communication content, network behaviour and network traffic in real time through the acquisition, analysis and identification of network data; it discovers and captures sensitive information and illegal behaviour, raises real-time alarms, comprehensively records the sessions and events in the network system, realizes intelligent correlation analysis and evaluation of network information and accurate end-to-end tracking and localization of security events, and so provides authoritative, reliable support for formulating the security strategy of the whole network.
The security/audit work includes:
a) content auditing
Provides a deep content auditing function, with complete content detection and information restoration for website access, mail sending and receiving, remote terminal access, database access, data transmission, file sharing and the like; the keyword library can be customized, and a fine-grained audit trail is kept;
b) behavioral auditing
Provides a comprehensive network behaviour auditing function: according to a configured behaviour auditing strategy it monitors network application behaviours (website access, mail sending and receiving, database access, remote terminal access, data transmission, file sharing and network resource abuse), and in real time raises alarms for and records the events that match the behaviour strategy;
c) flow audit
Provides a traffic analysis function based on protocol identification, counting the various message flows in the current network in real time, performing comprehensive traffic analysis and providing reliable support for formulating a traffic management strategy.
Advantageous effects: unified information interaction, centralized configuration management, unified monitoring and the like are realized, and the access of the various terminals becomes credible and controllable. On this basis, power marketing mobile operations (such as the marketing business applications of field business expansion, field meter reading and field customer service) are realized, the field service capability and the quality of service for marketing business customers are improved, customer service is extended in space and time and marketing service is extended to the customer's site, establishing an image of high-quality, efficient service in customer perception. The technical scheme realizes the secure access of the mobile terminal. Strong isolation between the information intranet and the information extranet is achieved by isolation means, attacks from the extranet are cut off, and information security is effectively improved.
Drawings
FIG. 1 is a diagram of the safety shield structure of the present invention.
FIG. 2 is a sub-diagram of a security shield of the present invention.
Detailed Description
The technical scheme of the invention is further explained in detail with reference to the drawings in the specification.
As shown in fig. 1, the power marketing mobile application security protection system includes a security terminal layer, a security channel layer, a security access platform layer, a mobile application development platform, an application system, and the like.
Wherein,
a security terminal layer: the mobile terminal uses an encryption algorithm and stores a private key or digital certificate on the terminal; when the mobile terminal communicates, a secure channel is established with the secure access gateway group over the mobile public network, identity authentication is carried out with the digital certificate, and key communication data are encrypted in transit;
a secure channel layer: connects each external link to the system access network, realizes network-level identity authentication through routing access control and an encrypted virtual private channel built with VPN, and ensures the confidentiality and integrity of data; access control of the boundary region is carried out through a firewall, and access requests from illegitimate devices are refused; a corresponding security monitoring system is configured to monitor, protect against and manage the security risks of access requests, ensuring the security of the secure access and system access network part; all communication protocols from the physical layer to the application layer are isolated between the access network and the enterprise intranet, a dedicated data exchange mechanism is established and maintained for each permitted application, the source, destination, data format and data content of the exchange are limited, and the exchange is monitored;
a secure access platform layer: the intermediate zone for external information publishing, information acquisition and data exchange; it is the end point of the access terminal's network connection, and all application access terminates at the security authentication gateway; the secure access platform layer performs security detection and audit of the registration and operating state of exchange services, configuration management and daily operation and maintenance of network and security devices, security policy management, traffic monitoring, statistical analysis and security audit, and presents these in a friendly, humanized interface.
a mobile application layer: supports the service applications of the mobile terminal and realizes application security of the system.
The safety access platform layer is provided with an access gateway, a data filtering and exchanging system, an identity authentication server and an access platform centralized monitoring and management system.
To treat the different kinds of accessing device differently, the access gateways comprise a security access gateway for notebook access, a mobile security access gateway for PDA/smartphone access and a meter security access gateway for meter access.
When the intelligent terminal is a tablet computer, a PDA or a smartphone, the security algorithm private key or digital certificate used by the security terminal layer is stored on a MicroSD card; a SIM card is fitted to the intelligent terminal, and network channel security is realized by binding the SIM card to a dedicated APN; dedicated security control software is deployed on the intelligent terminal to establish the secure channel and manage user authentication.
The mobile application layer is provided with a mobile application server, and the application server is provided with an anti-virus module, so that each application server in the application service area is prevented from being infected by viruses and trojans, and the propagation and illegal control of the viruses are prevented.
As shown in fig. 2, the marketing mobile application security protection hierarchy chart mainly includes:
1) Secure access is the core of the whole platform: a secure access area is constructed between the third-party network and the enterprise information network to perform security separation of the networks, and secure access is performed through the platform's secure access, authentication and access control services.
2) Data transmission security is enhanced by establishing a secondary encryption tunnel independent of the third-party operator; user identity authentication (a digital certificate system), data encryption (using a dedicated security algorithm of the State Cryptography Administration of China, whose cryptographic strength is high and effectively guarantees data security), audit/authorization of user data and online encryption of files are performed through the secure access area.
3) The VPN gateway access service layer is the core part and mainly comprises logic function components such as the secure access gateway system, the identity authentication system, data encryption and decryption, and centralized monitoring and management of users; the components communicate over a high-speed message bus to realize the various security services.
4) According to differences in user demand, application, network transformation needs and the like, function components such as the secure access platform system function group and the data security protection system can be combined and deployed in segments following the access platform concept, with seamless connection of the network layers.
5) The identity authentication system performs bidirectional authentication between the terminal and the VPN and passes CA service authentication and authorization. The digital certificate guarantees that all users who log in to the security platform system have passed administrative authentication. Issuing, revoking and re-applying for expired digital certificates can be done online through the OCSP protocol, or managed manually by a designated person in offline mode.
6) Firewall: the access boundary of the security platform and the first security filtering of data for users entering the security platform. The firewall is a comprehensive technology involving computer network technology, cryptographic technology, security technology, software technology, security protocols and so on; it is a means of guaranteeing network security and a measure of access control applied during network communication, whose main objective is to control the right to enter and leave a network and to force all links to go through such checking.
All service flows from external (user) data to the internal (intranet) side pass through the firewall, and the protected network is shielded by the firewall's network address translation and security filtering of data.
7) Secure access gateway
The IPSEC VPN access gateway provides security protection for users remotely accessing network services; its main functions are:
identity authentication: in cooperation with the digital certificate system, ensures that the remote visitor is not a malicious user;
access control: ensures that the visitor can only access the services and information they are authorized to access;
data encryption: in cooperation with the cryptographic algorithm provided in the SDKey, ensures that all data are encrypted in transit over the network and cannot be decrypted by others.
The SSL VPN access gateway likewise provides security protection for users remotely accessing network services; its main functions are:
identity authentication: in cooperation with the digital certificate system, ensures that the remote visitor is not a malicious user;
access control: ensures that the visitor can only access the services and information they are authorized to access;
data encryption: in cooperation with the cryptographic algorithm provided in the SDKey, ensures that all data are encrypted in transit over the network and cannot be cracked.
8) Safety isolation system
The security isolation and information exchange system is commonly called the 'gateway'. Network isolation technology aims to keep harmful attacks isolated and to complete the secure exchange of data between networks outside the trusted network, on the premise that information inside the trusted network is not leaked. Network isolation technology was developed on the basis of earlier security technology, overcomes its defects and highlights its own advantages; it is the security isolation system between the security subnet and the enterprise intranet and guarantees the security of access to the business intranet.
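The isolation system above, together with the secure channel layer's "dedicated data exchange mechanism for each permitted application, limiting the source, destination, data format and data content of the exchange, and monitoring the exchange", describes a default-deny gate at the intranet boundary. The following Python example is added here to show what such a per-application exchange policy looks like when enforced in code; it is not code from the patent or from State Grid. The application names, networks, intranet host names and field lists are constructed for the example, and the JSON "flat object" format rule is an assumption standing in for whatever exchange format the real system uses.

```python
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class ExchangePolicy:
    """Hypothetical per-application exchange policy (constructed for this example)."""
    name: str
    sources: list          # allowed source networks of the access area, as CIDR strings
    destination: str       # the single intranet service this application may reach, "host:port"
    fields: dict           # required JSON fields -> required Python type
    max_bytes: int = 4096  # content limit for one exchange
    max_str_len: int = 256 # content limit for each string field


# One policy per permitted application; anything not listed is denied by default.
POLICIES = {
    "meter-reading": ExchangePolicy(
        name="meter-reading",
        sources=["10.20.0.0/16"],  # assumed address pool of meter terminals
        destination="marketing-db.intranet:8443",
        fields={"meter_id": str, "reading_kwh": float, "read_at": str},
    ),
    "field-service": ExchangePolicy(
        name="field-service",
        sources=["10.30.0.0/16"],  # assumed address pool of field-service handsets
        destination="workorder.intranet:8443",
        fields={"order_id": str, "status": str},
    ),
}

# The exchange is monitored as well as filtered: every decision is recorded here.
AUDIT_LOG = []


@dataclass
class Decision:
    allowed: bool
    reason: str


def _record(app, src_ip, dst, decision):
    AUDIT_LOG.append({"app": app, "src": src_ip, "dst": dst,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def check_exchange(app: str, src_ip: str, dst: str, payload: bytes) -> Decision:
    """Admit an exchange only if application, source, destination, format and
    content all match the application's policy; any other case is refused."""
    policy = POLICIES.get(app)
    if policy is None:
        return _record(app, src_ip, dst, Decision(False, "unknown application"))
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return _record(app, src_ip, dst, Decision(False, "malformed source address"))
    # Source restriction: the terminal must come from the pool assigned to this application.
    if not any(src in ipaddress.ip_network(net) for net in policy.sources):
        return _record(app, src_ip, dst, Decision(False, "source not in allowed network"))
    # Destination restriction: exactly one intranet service per application.
    if dst != policy.destination:
        return _record(app, src_ip, dst, Decision(False, "destination not permitted for application"))
    if len(payload) > policy.max_bytes:
        return _record(app, src_ip, dst, Decision(False, "payload exceeds size limit"))
    # Format restriction: the exchange must be a single flat JSON object.
    try:
        doc = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return _record(app, src_ip, dst, Decision(False, "payload is not valid JSON"))
    if not isinstance(doc, dict):
        return _record(app, src_ip, dst, Decision(False, "payload is not a JSON object"))
    # Content restriction: exactly the declared fields, each with the declared type and size.
    if set(doc) != set(policy.fields):
        return _record(app, src_ip, dst, Decision(False, "unexpected or missing fields"))
    for key, expected in policy.fields.items():
        value = doc[key]
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields
        if isinstance(value, bool) or not isinstance(value, expected):
            return _record(app, src_ip, dst, Decision(False, f"field {key} has wrong type"))
        if isinstance(value, str) and len(value) > policy.max_str_len:
            return _record(app, src_ip, dst, Decision(False, f"field {key} too long"))
    return _record(app, src_ip, dst, Decision(True, "exchange permitted"))


if __name__ == "__main__":
    ok = check_exchange("meter-reading", "10.20.4.7", "marketing-db.intranet:8443",
                        b'{"meter_id": "ZJ-0001", "reading_kwh": 1234.5, "read_at": "2014-08-26T10:00:00"}')
    bad = check_exchange("meter-reading", "10.20.4.7", "workorder.intranet:8443", b'{}')
    print(ok, bad, sep="\n")
    for entry in AUDIT_LOG:
        print(entry)
```

The checks are ordered from cheapest to most expensive (application, address, destination, size, then parsing), and every branch returns through `_record`, so the audit log holds one entry per attempted exchange whether it was admitted or refused; that log is what a monitoring system over the exchange would consume.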
9) Auditing and authorizing system
The security audit system dynamically monitors communication content, network behaviour and network traffic in real time through the acquisition, analysis and identification of network data; it discovers and captures sensitive information and illegal behaviour, raises real-time alarms, comprehensively records the sessions and events in the network system, realizes intelligent correlation analysis and evaluation of network information and accurate end-to-end tracking and localization of security events, and so provides authoritative, reliable support for formulating the security strategy of the whole network. The security audit system has three functions:
a. content auditing
The SAS system provides a deep content auditing function and can provide complete content detection and information restoration functions for website access, mail receiving and sending, remote terminal access, database access, data transmission, file sharing and the like; and the keyword library can be customized, and fine-grained audit trail can be carried out.
b. Behavioral auditing
The SAS system provides a comprehensive network behavior auditing function, monitors network application behaviors such as website access, mail receiving and sending, database access, remote terminal access, data transmission, file sharing, network resource abuse (instant messaging, forums, online videos, P2P downloading, network games and the like) and the like according to a set behavior auditing strategy, and alarms and records events conforming to the behavior strategy in real time.
c. Flow audit
The SAS system provides a flow analysis function based on protocol identification, counts various message flows in the current network in real time, performs comprehensive flow analysis, and provides reliable support for making a flow management strategy.
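The three audit functions (a) content, (b) behaviour and (c) traffic, described both here and in the audit/authorization section of the disclosure above, amount to running a keyword library, a behaviour policy and per-protocol counters over the session records the access area produces. The Python example below is added here to make that concrete; it is not the SAS system's code and not from the patent. The log line format, the keyword library, the abuse categories and the working-hours window are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample records (not from the patent): one exported session per line.
SAMPLE_LOG = """\
2014-08-26T09:01:10 src=10.20.4.7 user=zhang app=http host=marketing.intranet bytes=5120 content="meter reading upload"
2014-08-26T09:02:44 src=10.20.4.9 user=li app=smtp host=mail.intranet bytes=88000 content="attached: customer list with id numbers"
2014-08-26T09:03:05 src=10.30.1.1 user=wang app=p2p host=203.0.113.9 bytes=9100000 content=""
2014-08-26T09:04:30 src=10.20.4.7 user=zhang app=db host=marketing-db.intranet bytes=2048 content="select * from customer"
2014-08-26T23:15:00 src=10.30.1.3 user=ma app=db host=marketing-db.intranet bytes=1024 content="export table customer"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) app=(?P<app>\S+) '
    r'host=(?P<host>\S+) bytes=(?P<bytes>\d+) content="(?P<content>[^"]*)"$'
)

# a) content audit: a customisable keyword library for sensitive material (assumed entries)
KEYWORDS = ["customer list", "id number", "password"]
# b) behaviour audit policy: application categories treated as network resource abuse,
#    plus database access outside an assumed working window
ABUSE_APPS = {"p2p", "im", "video", "game"}
DB_HOURS = range(8, 19)  # 08:00 to 18:59


def parse(line):
    """Parse one session record; returns None for a line that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["hour"] = int(rec["ts"][11:13])  # hour field of the ISO timestamp
    return rec


def audit(log_text):
    """Run the content, behaviour and traffic audits over a log.

    Returns (alerts, flow_by_app): alerts is the ordered list of events that
    matched a policy, flow_by_app is the byte count per protocol/application."""
    alerts = []
    flow = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            # a record the audit cannot read is itself an event worth keeping
            alerts.append(("parse-error", line))
            continue
        # c) traffic audit: volume per identified protocol
        flow[rec["app"]] += rec["bytes"]
        # a) content audit: keyword hits give a fine-grained trail of what was seen
        hits = [k for k in KEYWORDS if k in rec["content"].lower()]
        if hits:
            alerts.append(("content", rec["user"], rec["app"], hits))
        # b) behaviour audit: resource abuse and off-hours database access
        if rec["app"] in ABUSE_APPS:
            alerts.append(("abuse", rec["user"], rec["app"], rec["host"]))
        if rec["app"] == "db" and rec["hour"] not in DB_HOURS:
            alerts.append(("off-hours-db", rec["user"], rec["host"], rec["ts"]))
    return alerts, dict(flow)


if __name__ == "__main__":
    found, volume = audit(SAMPLE_LOG)
    for event in found:
        print("ALERT", event)
    for app, nbytes in sorted(volume.items()):
        print(f"{app:6s} {nbytes:>10d} bytes")
```

Running it over the sample produces three alerts (the mail with a customer list, the P2P session, and the late-night database export) and a per-application byte total; the traffic counters are kept even for sessions that raise no alert, which is what a traffic management strategy would be built from.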
The mobile operation platform comprises the secure channel layer, the secure access platform layer and the mobile application development platform; its construction and deployment mainly comprise the following:
Information security and protection of the platform: support from the State Grid company's secure access platform, encrypted messaging for application services and database encryption on the mobile terminal.
Cross-platform service support: various mobile terminal operating systems are supported, for example ios, windows mobile, windows, android and windows xp; by supporting multiple operating systems and establishing a set of unified, standard APIs adapted to each of them, cross-platform support is realized; various terminal hardware is supported, such as iphone, ipad, android phones of various models, android tablets of various models, and windows, wince and pad devices of various models.
Application support functions, including hardware bottom-layer support: printing, location service, bar code scanning, high-frequency RF card reading and writing, user electronic signature authentication, mobile terminal network state notification, encapsulation of other hardware features and the like; configuration of device login audit, user login audit and login authentication audit of service components; file service functions for video files, image files, pattern management system integration and the like; release, download and import of task data into the audit function; user authentication and security policy management functions.
Mobile GIS support: based on the GIS service platform of the State Grid company, display of geographic graphics, display of grid resources, GIS spatial analysis, path navigation, position reporting and other functions.
Mobile workflow support: management of the server side and the client of the power mobile application release platform.
Platform management: equipment management, authority management, service menu management, state monitoring of the mobile terminal, service monitoring and standardized field operation analysis.
Nine technical means are used to keep application performance efficient, stable and reliable:
1) a service table is designed independently to store information such as users and authorities;
2) asynchronous task scheduling realizes efficient real-time download of work list information;
3) work order flow information is pushed in real time by short message, reducing the impact of manual refreshing on the system;
4) a business table is designed independently to store the work order information of the mobile operation terminal;
5) the mobile operation link can be configured by parameters, controlling the range of services affected;
6) work order service data can be downloaded asynchronously, reducing the impact on the BOSS professional system as far as possible;
7) operation data can be uploaded asynchronously, improving the success rate of data transmission;
8) a batch work list can be split for upload, reducing the data volume of a single upload;
9) structured and unstructured data are processed separately, improving data upload efficiency.
Data storage and real-time data interaction with the professional BOSS system of the power host computer use a bidirectional data channel; data are transmitted in JSON format, and multimedia files are transferred by means of an FTP service.
Information security is ensured through the secure access platform certified by the State Grid company; deployment of the secure access system mainly comprises the following: a security gateway device is deployed at the enterprise end, a customized encryption chip is built into the security terminal, the enterprise operates a two-level CA system, the SM1 algorithm is used for data encryption, the SM2 algorithm is used for digital certificates, and IPSEC/SSL VPN technology serves as the encryption protocol of the data channel.
The power marketing mobile application security protection system shown in fig. 1 and 2 is a specific embodiment of the present invention that embodies its substantial features and advantages; modifications of its shape, structure and the like according to actual requirements of use fall within the scope of the present invention.

Claims (10)

1. A power marketing mobile application security protection system, characterized in that it comprises:
a secure terminal layer: the mobile terminal uses an encryption algorithm and stores a private key or digital certificate on the mobile terminal; when the mobile terminal communicates, it establishes a secure channel with a secure access gateway group over the mobile public network, performs identity authentication with the digital certificate, and transmits critical communication data in encrypted form;
a secure channel layer: connects each external link to the system access network; achieves network-level identity authentication through routing access control and the encrypted virtual private channel built by the VPN, ensuring confidentiality and integrity of data; performs access control at the boundary zone through a firewall and rejects access requests from unauthorized devices; configures a corresponding security monitoring system to monitor, protect against and manage security hazards in access requests, securing the secure-access and system-access part of the network; isolates all communication protocols from the physical layer up to the application layer between the access network and the enterprise intranet, establishes and maintains a dedicated data exchange mechanism for each permitted application that restricts the source, destination, data format and data content of the exchange, and monitors the exchange;
a secure access platform layer: the intermediate zone for external information publishing, information acquisition and data exchange, and the end point of the access terminal's network connection; all application access terminates at the security authentication gateway; the secure access platform layer performs security inspection and auditing of the registration and operation of exchange services, maintains the configuration management and day-to-day operation of the network and security devices, and presents security policy management, traffic monitoring, statistical analysis and security auditing through a user-friendly interface;
a mobile application layer: supports the service applications of the mobile terminal and implements application-level security of the system;
the marketing mobile application security protection levels are as follows:
the enterprise intranet secures application data through data encryption, and secures the application system through auditing/authorization and security isolation;
the client secure access system secures the operating system through KEY (hardware token) authentication/boot and a desktop control system, secures access through VPN secure access and digital certificate authentication, and secures the physical network through encryption with the cryptographic algorithm and secondary authentication;
the secondary content of the marketing mobile application security protection layer includes:
1) secure access is the core of the whole platform: a secure access zone is built between the third-party network and the enterprise information network to separate the two networks securely, and access is granted through the platform's secure access, authentication and access control services;
2) data transmission security is strengthened by establishing a secondary encryption tunnel independent of the third-party operator, and user identity authentication, data encryption, auditing/authorization of user data and online file encryption are performed in the secure access zone;
3) the VPN gateway access service layer is the core part and comprises a secure access gateway system, an identity authentication system, data encryption/decryption, and a centralized monitoring and management logical function component; these function components communicate over a high-speed message bus to deliver the various security services;
4) according to differing user needs, applications and network reconstruction requirements, the functional components of the secure access platform system and of the data security protection system are combined and deployed in segments following the access platform concept, with seamless interconnection between network layers;
5) the terminal and the VPN gateway perform mutual (bidirectional) authentication and are authorized through CA service authentication; the digital certificate guarantees that every user who logs in to the security platform system has passed administrative authentication; issuance, revocation and re-application on expiry of digital certificates are managed by a designated person, either online, with revocation status served through OCSP (the Online Certificate Status Protocol), or offline;
6) the firewall, as the access boundary of the security platform, performs the first security filtering of data when a user enters the security platform; the firewall is a composite technology involving computer networking, cryptography, security technology, software technology and security protocols; it is a means of guaranteeing network security and an access control measure enforced during network communication, whose goals include controlling the permissions of access into and out of the network and forcing all links to pass through its inspection;
all service traffic from external users to the internal enterprise intranet passes through the firewall, and the protected network is shielded by the firewall's network address translation (NAT) function and its security filtering of the data;
7) secure access gateway:
the IPsec VPN access gateway provides security protection for users remotely accessing network services, with the following functions:
identity authentication: in conjunction with the digital certificate system, ensures that the remote visitor is not a malicious user;
access control: ensures that the visitor can access only the services and information they are authorized to access;
data encryption: in conjunction with the cryptographic algorithm provided in the SDKey (the MicroSD cryptographic card), ensures that all data are encrypted during network transmission and cannot be decrypted by an eavesdropper;
the SSL VPN access gateway provides the same security protection for users remotely accessing network services, with the same three functions:
identity authentication: in conjunction with the digital certificate system, ensures that the remote visitor is not a malicious user;
access control: ensures that the visitor can access only the services and information they are authorized to access;
data encryption: in conjunction with the cryptographic algorithm provided in the SDKey, ensures that all data are encrypted during network transmission and cannot be decrypted by an eavesdropper;
8) security isolation system:
the security isolation and information exchange system, commonly called a "network gate" (网闸), applies network isolation technology whose aim is to keep harmful attacks isolated and to complete secure data exchange between networks outside the trusted network, on the premise that information inside the trusted network is not leaked; network isolation technology was developed on the basis of earlier security technologies, makes up for their deficiencies and brings its own advantages to the fore; here it is the security isolation system between the secure subnet and the enterprise intranet and protects access to the business intranet;
9) auditing and authorization system:
the security audit system dynamically monitors communication content, network behaviour and network traffic in real time through the acquisition, analysis and identification of network data, discovers and captures sensitive information and illegal behaviour of all kinds, raises real-time alarms, comprehensively records the sessions and events in the network system, performs intelligent correlation analysis and evaluation of network information and precise end-to-end tracking and localization of security events, and provides authoritative, reliable support for formulating the network-wide security policy.
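The following is an added example, not code from the patent or from its assignees, that models two of the decisions claim 1 describes: the secure access gateway admits a terminal only on a digital certificate that was issued by the enterprise CA, is inside its validity period and is not revoked (item 5), and every data exchange with the intranet must match a dedicated per-application rule fixing source, destination, data format and content (the secure channel layer and items 6 and 7), with anything unmatched denied. The CA name, subnets, host names, serial numbers, the revocation list and the payload schema are all constructed for the example; the revocation check fails closed, which is the caveat a gateway operator wants when the OCSP responder is unreachable.

```python
"""Added example: gateway admission on a digital certificate plus a per-application
data exchange policy with default deny. All names, addresses and records are
constructed for illustration and are not taken from the patent."""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Assumed subject name of the enterprise's issuing (second-tier) CA.
ENTERPRISE_ISSUER = "CN=Marketing Secondary CA,O=Enterprise"
# Constructed revocation list, standing in for the OCSP responder's answer.
REVOKED_SERIALS = {"0x1a2b"}
SAMPLE_NOW = datetime(2015, 1, 10, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime


def sample_certificate(serial="0x0042", issuer=ENTERPRISE_ISSUER, expired=False):
    """Constructed terminal certificate for the demonstration."""
    end = datetime(2014, 12, 31, tzinfo=timezone.utc) if expired \
        else datetime(2016, 9, 1, tzinfo=timezone.utc)
    return Certificate("CN=terminal-0042", issuer, serial,
                       datetime(2014, 9, 1, tzinfo=timezone.utc), end)


def certificate_accepted(cert, now, revocation_status_known=True):
    """Gateway-side admission check; returns (accepted, reason).
    Fails closed: if the revocation source (OCSP or the offline list) cannot be
    consulted, the terminal is refused rather than admitted on validity dates alone."""
    if cert.issuer != ENTERPRISE_ISSUER:
        return False, "issuer is not the enterprise CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside its validity period"
    if not revocation_status_known:
        return False, "revocation status unavailable"
    if cert.serial in REVOKED_SERIALS:
        return False, "certificate revoked"
    return True, "ok"


@dataclass(frozen=True)
class ExchangeRule:
    app: str
    source_net: ipaddress.IPv4Network        # terminals of this application
    dest_host: str                           # the one intranet service it may reach
    dest_port: int
    fields: frozenset                        # exact JSON field set of the payload
    max_bytes: int
    content_ok: Callable[[dict], bool]       # application-specific content check


def _meter_reading_ok(data):
    value = data["reading_kwh"]
    return isinstance(value, (int, float)) and not isinstance(value, bool) and value >= 0


# One rule per permitted application; nothing else is allowed through.
RULES = {
    "meter-reading": ExchangeRule(
        "meter-reading", ipaddress.ip_network("10.20.0.0/16"),
        "marketing-app.intranet", 8443,
        frozenset({"meter_id", "reading_kwh", "ts"}), 2048, _meter_reading_ok),
}


def check_exchange(app, src_ip, dest_host, dest_port, payload):
    """Match one data exchange against the rule for its application.
    Returns (allowed, reason); anything not explicitly permitted is denied."""
    rule = RULES.get(app)
    if rule is None:
        return False, "no exchange rule for application"
    if ipaddress.ip_address(src_ip) not in rule.source_net:
        return False, "source address outside the application's terminal range"
    if (dest_host, dest_port) != (rule.dest_host, rule.dest_port):
        return False, "destination not permitted for this application"
    if len(payload) > rule.max_bytes:
        return False, "payload exceeds size limit"
    try:
        data = json.loads(payload)
    except ValueError:
        return False, "payload is not valid JSON"
    if not isinstance(data, dict) or set(data) != rule.fields:
        return False, "payload fields do not match the application's schema"
    if not rule.content_ok(data):
        return False, "payload content rejected"
    return True, "allowed"


if __name__ == "__main__":
    print(certificate_accepted(sample_certificate(), SAMPLE_NOW))
    print(check_exchange("meter-reading", "10.20.5.7", "marketing-app.intranet", 8443,
                         '{"meter_id": "ZJ-000173", "reading_kwh": 1523.4, "ts": "2015-01-10T08:00:00Z"}'))
```

The exchange rule deliberately requires the exact field set rather than a superset, so a payload that smuggles an extra "cmd" field through a permitted application is rejected at the gate, and the content check is per application so that a new application brings its own predicate instead of widening the shared rule.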
2. The power marketing mobile application security system of claim 1, wherein: the secure access platform layer is provided with an access gateway, a data filtering and exchange system, an identity authentication server and a centralized monitoring and management system for the access platform; the access gateway comprises a secure access gateway for notebook access, a mobile secure access gateway for PDA/smartphone access and a meter secure access gateway for meter access.
3. The power marketing mobile application security system of claim 2, wherein: when the intelligent terminal is a tablet computer, PDA or smartphone, the private key of the security algorithm or the digital certificate used by the secure terminal layer is stored on a MicroSD card; a SIM card is installed in the intelligent terminal and network channel security is achieved by binding a SIM card of a dedicated APN; and dedicated security control software is deployed on the intelligent terminal to establish the secure channel and manage user authentication.
4. The power marketing mobile application security system of claim 3, wherein: the mobile application layer is provided with a mobile application server equipped with an anti-virus module, so that each application server in the application service zone is protected from infection by viruses and trojans and their propagation and unauthorized control are prevented.
5. The power marketing mobile application security system of claim 1, wherein: the system further comprises a mobile application development platform and a mobile operation platform, the secure access platform layer and the mobile application development platform together forming the mobile operation platform, and the following units: an information security and protection unit, a cross-platform service support unit, an application support unit, a mobile GIS support unit, a mobile workflow support unit and a platform management unit; the information security and protection unit supports VPN wireless access to the secure access platform, encrypted messaging for application services and secure encryption of the mobile terminal's database, for efficient and secure access; the cross-platform service support unit supports multiple mobile terminal operating systems by establishing a single uniform, standard API that is adapted to each operating system, and supports multiple kinds of terminal hardware; the application support unit supports the hardware bottom layer; the mobile GIS support unit provides geographic map display, display of power grid resources, GIS spatial analysis, route navigation and position reporting; the mobile workflow support unit manages the server and client sides of the power mobile application release platform; and the platform management unit provides device management, permission management, service menu management, mobile terminal state monitoring, service monitoring and standardized field operation analysis.
6. The power marketing mobile application security system of claim 5, wherein: the hardware bottom-layer support unit of the application support function is used for: encapsulating hardware features such as printing, location services, barcode scanning, high-frequency RFID card reading/writing, user electronic signature authentication and mobile terminal network state notification; auditing device login, user login and service component login authentication; preparing integrated file services for video files, image files and the drawing management system; issuing, downloading and importing task data to be audited; and user authentication and security policy management.
7. The power marketing mobile application security system of claim 1, wherein:
the secure access platform layer securely separates the third-party network from the enterprise information network to achieve secure access of the mobile terminal; the secure access platform layer performs user identity authentication, data encryption, auditing/authorization of user data and online file encryption to achieve transmission security; the VPN gateway access service layer comprises a secure access gateway system function component, an identity authentication system function component, a data encryption/decryption function component and a centralized monitoring and management logical function component, and these function components communicate over a high-speed message bus to deliver the various security services.
8. The power marketing mobile application security system of claim 7, wherein: the secure access platform layer is deployed in combined segments with seamless interconnection of the network layer; the identity authentication system performs mutual authentication between the terminal and the VPN gateway and is authorized through CA service authentication.
9. The power marketing mobile application security system of claim 8, wherein: when the secure access platform layer performs auditing/authorization, it dynamically monitors communication content, network behaviour and network traffic in real time through the acquisition, analysis and identification of network data, discovers and captures sensitive information and illegal behaviour of all kinds, raises real-time alarms, comprehensively records the sessions and events in the network system, performs intelligent correlation analysis and evaluation of network information and precise end-to-end tracking and localization of security events, and provides authoritative, reliable support for formulating the network-wide security policy.
10. The power marketing mobile application security system of claim 9, wherein: the security/audit work includes:
content auditing:
provides deep content auditing, with complete content inspection and information reconstruction for website access, e-mail sending and receiving, remote terminal access, database access, data transmission and file sharing; the keyword library is customizable, and fine-grained audit trails are kept;
behaviour auditing:
provides comprehensive network behaviour auditing, monitoring the network application behaviours of website access, e-mail sending and receiving, database access, remote terminal access, data transmission, file sharing and abuse of network resources according to a configured behaviour audit policy, and raising real-time alarms and recording events that match the behaviour policy;
traffic auditing:
provides traffic analysis based on protocol identification, counting the various message flows on the current network in real time, performing comprehensive traffic analysis and providing reliable support for formulating the traffic management policy.
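The following is an added example, not code from the patent or from its assignees, that runs the three audit functions of claim 10 (content, behaviour and traffic auditing) and the correlation step of item 9 of claim 1 over constructed session records of the kind a secure access platform would collect. The records, the keyword library, the behaviour rules and the alert threshold are all constructed for the example; the point it adds to the claim text is that the per-user correlation turns two individually weak signals (an off-hours remote login and a large database read by the same account) into one trackable security event.

```python
"""Added example: content, behaviour and traffic auditing over constructed session
records, with per-user correlation of the resulting alerts. Nothing here is taken
from the patent; records and rules are made up for illustration."""
from collections import Counter, defaultdict

# Constructed session records, one per captured session on the access platform.
FIELDS = ("id", "user", "src", "proto", "dst", "hour", "bytes", "content")
RECORDS = [dict(zip(FIELDS, row)) for row in [
    (1, "reader07", "10.20.5.7", "https", "marketing-app.intranet", 9, 1800,
     '{"meter_id": "ZJ-000173", "reading_kwh": 1523.4}'),
    (2, "reader07", "10.20.5.7", "https", "marketing-app.intranet", 9, 1750,
     '{"meter_id": "ZJ-000174", "reading_kwh": 88.0}'),
    (3, "fieldop12", "10.20.9.3", "ssh", "app-srv-01.intranet", 2, 52000,
     "sudo tar czf /tmp/x.tgz /etc/ssl/private"),
    (4, "fieldop12", "10.20.9.3", "db", "billing-db.intranet", 2, 7_500_000,
     "SELECT name, id_number, phone FROM customers"),
    (5, "reader07", "10.20.5.7", "smtp", "mail.intranet", 10, 9000,
     "attached: meter route for today"),
]]

# Customizable keyword library for content auditing (constructed).
KEYWORDS = ["id_number", "/etc/ssl/private", "password"]


def content_audit(records, keywords=KEYWORDS):
    """Return (record id, keyword) for each record whose content holds a library keyword."""
    hits = []
    for r in records:
        text = r["content"].lower()
        for kw in keywords:
            if kw.lower() in text:
                hits.append((r["id"], kw))
    return hits


# Behaviour audit policy: (rule name, predicate over one record).
BEHAVIOR_RULES = [
    ("remote terminal access outside field hours",
     lambda r: r["proto"] == "ssh" and not 7 <= r["hour"] < 20),
    ("bulk database read",
     lambda r: r["proto"] == "db" and r["bytes"] > 5_000_000),
    ("file sharing from mobile segment",
     lambda r: r["proto"] in ("smb", "ftp")),
]


def behavior_audit(records, rules=BEHAVIOR_RULES):
    """Return (record id, rule name) for each record matching a behaviour rule."""
    return [(r["id"], name) for r in records for name, pred in rules if pred(r)]


def flow_audit(records):
    """Per-protocol session and byte counts, the basis for a traffic management policy."""
    sessions, volume = Counter(), Counter()
    for r in records:
        sessions[r["proto"]] += 1
        volume[r["proto"]] += r["bytes"]
    return {p: {"sessions": sessions[p], "bytes": volume[p]} for p in sessions}


def correlate(records, min_alerts=2):
    """Group content and behaviour alerts by user so that several weak signals from
    one account are raised together as a single security event for tracking."""
    by_id = {r["id"]: r for r in records}
    per_user = defaultdict(list)
    for rid, what in content_audit(records) + behavior_audit(records):
        per_user[by_id[rid]["user"]].append((rid, what))
    return {u: alerts for u, alerts in per_user.items() if len(alerts) >= min_alerts}


if __name__ == "__main__":
    for user, alerts in correlate(RECORDS).items():
        print(user, alerts)
    print(flow_audit(RECORDS))
```

Keyword matching is case-insensitive substring matching, which is what a customizable keyword library usually means in practice; for production use the library would be loaded from configuration and the behaviour rules expressed as data rather than lambdas, but the evaluation order and the correlation step stay the same.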
Application CN201410423475.1A, filed 2014-08-26 (priority date 2014-08-26): Power marketing mobile application security guard system. Legal status: Active.

Publications (2)

Publication Number Publication Date
CN104184735A (en) 2014-12-03
CN104184735B (en) 2018-03-09

Family ID: 51965477
Country: CN


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN202652534U * 2012-06-15 2013-01-02 辽宁省电力有限公司信息通信分公司 (Information and Communication Branch, Liaoning Electric Power Co., Ltd.) Mobile terminal safety access platform
CN103441991A * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 (Jiangsu Huada Tianyi Electric Power Technology Co., Ltd.) Mobile terminal security access platform

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
KR20130005524A * 2011-07-06 2013-01-16 한국전자통신연구원 (Electronics and Telecommunications Research Institute) Method for guaranteeing web based mobility, system, apparatus and computer-readable recording medium with program therefor

Non-Patent Citations (5)

Title
Qin Chao et al., "Secure access system for power mobile operations based on digital certificate authentication", Proceedings of the 8th Academic Conference of the Power Communication Committee of the Chinese Society for Electrical Engineering, 2011-12-31, full text *
Zhao Yongbin et al., "Research and design of a mobile office system for power enterprises", Liaoning Electric Power Informatization Achievements Column, 2011-04-30, full text *
Guo Bao et al., "Research on security protection for power production field operations and terminals", Sangfor Technologies (深信服科技), 2010-12-31, sections 1-5 and Fig. 7 *
Qin Chao et al., "Design and implementation of a PDA secure access system for power mobile operations", Automation of Electric Power Systems (电力系统自动化), 2012-06-30, full text *
Ling Xinglong et al., "Security analysis and protection research for power marketing mobile operations", Electric Power ICT, 2013-11-30, full text *


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: No. 8 Huanglong Road, Hangzhou, Zhejiang 310007
Applicants after: STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.; JIAXING POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG ELECTRIC POWER Co.; State Grid Corporation of China
Address before: No. 86 West Chang'an Avenue, Xicheng District, Beijing 100031
Applicants before: State Grid Corporation of China; STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.; JIAXING POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG ELECTRIC POWER Co.
CB02 Change of applicant information
Address after: No. 86 West Chang'an Avenue, Xicheng District, Beijing 100031
Applicants after: State Grid Corporation of China; STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.; JIAXING POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG ELECTRIC POWER Co.
Address before: No. 86 West Chang'an Avenue, Xicheng District, Beijing 100031
Applicants before: State Grid Corporation of China; STATE GRID ZHEJIANG ELECTRIC POWER Co.; JIAXING POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG ELECTRIC POWER Co.
CB03 Change of inventor or designer information
Inventors after: Tu Ying; Jin Liangfeng; Yan Yong; Huang Ruizhang; Liu Huan; Li Nan; Ma Chuang; Shen Chao; Sun Yishen; He Wei; Mi Xiaobo; Xiao Shijie; Chang Wei; Lv Shining; Gu Hongjie; Lin Kaifeng; Wu Hui; Zhang Yan; Qiu Huadong; Ye Sheng; Zheng Bin; Hu Ruoyun; Ding Qi; Shen Ran
Inventors before: Tu Ying; Ma Chuang; Shen Chao; Sun Yishen; He Wei; Mi Xiaobo; Chang Wei
GR01 Patent grant