Enterprise mobile safety gateway method of application flow management, application acceleration and safety

Publication date: 16-09-2015
Number: CN104918248A
Application number: 17-10-20159474
Application date: 16-04-2015

Technical Field

The invention relates to the fields of flow management, application delivery, application acceleration and application security, and in particular to securing the interaction with sensitive data when various handheld mobile terminals access it from different network environments.

Background Art

With the widespread use of intelligent terminals, personal intelligent terminal devices represented by mobile phones and tablet computers are gradually entering the field of enterprise applications. According to a forecast by the international advisory company Gartner, by 2014 90% of enterprises will support staff running enterprise office applications on personal mobile equipment; staff working on personal intelligent terminal devices has become an irreversible trend. This phenomenon, called BYOD (Bring Your Own Device), brings new security and management challenges for the enterprise:

1. Enterprise employees can use a mobile device to access the mobile Internet or a public or home Wi-Fi network at any time and from any place, so enterprise data on the mobile terminal is exposed to attack from the Internet.

2. Enterprise employees can freely access enterprise data, so there is a risk that enterprise data is illegally uploaded, shared or leaked by individuals. Office mail, documents and pictures stored on the mobile phone, as well as short messages and communication records related to business content, are sensitive information whose leakage brings great information security risk to the enterprise.

3. When a mobile device is lost or stolen, the sensitive data stored on it faces the risk of leakage.

4. Mobile phone viruses are growing exponentially, and mobile equipment becomes a springboard for infiltrating the enterprise intranet.

Commercial mobile devices usually operate outside and remote from the control of the enterprise or organization; equipment that accesses enterprise applications and sensitive data may be stolen, leak data or be misconfigured, putting enterprise assets in danger.

At present there are two main solutions to the security issues of mobile enterprise:

The first solution starts from the terminal. Software deployed on the terminal creates an independent area on the mobile device that isolates enterprise information from personal information, preventing enterprise data from being acquired by third-party applications. The technical framework consists of an APP on the mobile side and a server-side console; the console is deployed on a universal server or computer in the enterprise intranet, either as an enterprise private cloud or as a public cloud, and implements mobile terminal management, policy issuing, enterprise application management and the like. On the mobile terminal the APP establishes a secure working area, protects the applications and data in that area, and ensures the security of the mobile terminal by monitoring and by encrypting enterprise data. Its system structure is shown in Figure 1.

The second solution starts from the gateway. A gateway is established between the mobile terminal and the enterprise servers, a security configuration is applied on the gateway, and the mobile terminal accesses enterprise data through the gateway; the gateway permits access to the data in accordance with the security configuration, thereby achieving the management of mobile equipment and the protection of enterprise data.

Both of the above solutions have certain defects, mainly the following:

(1) The current solutions are only suitable for the mobile terminal and cannot be effectively transplanted to the computer terminal, which is used more widely and at a higher utilization rate.

(2) The protective measures for the mobile terminal do not use a standard user management system, so management is extremely difficult and users and mobile devices cannot be effectively managed centrally.

(3) An intermediate public-cloud device is added to the data exchange with the mobile terminal, increasing the access time.

(4) Since all virus protection and security monitoring operations are carried out by the mobile terminal, the load of the mobile terminal increases greatly, reducing its performance and increasing its energy consumption. At the same time, because software updates are completed by the individual on the mobile terminal, an update that is not applied in time creates a potential safety hazard.

(5) If a file in the office area needs to be opened by a program in the personal area, the information is transferred from the office area to the personal area, which still causes a great hazard to enterprise information security.

Content of the invention

The technical problem to be solved by the invention is to avoid the shortcomings of the above prior art by proposing an enterprise mobile security gateway method with application flow management, application acceleration and security. Without changing the existing enterprise network structure, mobile terminals that access various types of sensitive data from various different enterprise network environments can be rapidly and safely placed under unified standard management, achieving the roles of protecting devices, managing devices and controlling data.

The invention solves the technical problem by adopting the following technical scheme:

An enterprise mobile security gateway method with application flow management, application acceleration and security uses a software module running on the mobile terminal and a software module running on the switch, placed between the mobile terminal and the application delivery server, and mainly comprises the following steps:

(1) the software module running on the mobile terminal transmits the identity authentication information of the mobile terminal to the software module running on the gateway;

(2) the software module running on the gateway transmits the authentication information of the mobile terminal to the mobile security administrator;

(3) the mobile security administrator verifies the identity using the received authentication information and transmits the verification result back to the gateway;

(4) the gateway receives the authentication result from the mobile security administrator and performs the corresponding operation according to the authentication result;

(5) according to the security level of the mobile terminal, the gateway is configured with the corresponding access policy that allows access to enterprise data; the software module running on the gateway is embedded with an application delivery and flow management module, an application acceleration module and an application security module, which are used to protect equipment, manage apparatus and control data.

The software module running on the mobile terminal uses single sign-on technology to log in once and maintain a persistent connection; for user verification, the Active Directory user management method or another standard for accessing the enterprise internal server is used to unify the identity authentication management of mobile terminals.

During data transmission, encryption technology is used to establish a secure channel, and all information access by the mobile equipment is forced to be transmitted through this channel, to prevent data from being illegally stolen in the course of transmission.

In step (4), the gateway performs the corresponding operation according to the verification result: the software module running on the gateway evaluates, according to its inherent security policy and the identity authentication information transmitted by the mobile terminal, whether the mobile terminal is legitimate; if the mobile terminal is judged not legitimate, it is refused access to the system; if the mobile terminal is judged legitimate, it is allowed to access the system; at the same time, the authority of the logged-in user is divided based on the user identity, the accessed content, the equipment used and the equipment state information provided by the mobile terminal.

Compared with the prior art, the beneficial results of this invention are as follows:

(1) In the complete system structure of the present invention, in view of the problems existing in the current solutions, the Microsoft Active Directory component or another standard user management mode is used, so that the mobile terminal client and the computer client are managed with one standard; this solves the problem that mobile terminals and computer clients could not be managed uniformly, and the enterprise's problem of unified management of various types of terminals.

(2) In the system structure of this invention, all virus protection and security monitoring operations are completed by the mobile security gateway, which completely solves the problems of high energy consumption and high resource usage on the mobile terminal, completely liberates the resources of the mobile terminal, and greatly improves the performance and battery endurance of the mobile terminal.

(3) In the system structure of this invention, the mobile security gateway simultaneously provides application delivery, application acceleration and security function modules, which increases the data exchange speed and plays a critical role in improving enterprise server security; it solves the problems of slow access speed and delay caused by adding other devices between the mobile terminal and the enterprise server.

Description of drawings

The invention is described in further detail below with reference to the figures:

Figure 1 is a schematic diagram of the prior art system structure;

Figure 2 is a system chart of the present invention;

Figure 3 is a schematic diagram of the process of the invention.

Mode of execution

When a mobile enterprise user needs to access sensitive data on the enterprise server, the software module designed to run on the mobile terminal establishes a VPN security channel with the gateway and, through the gateway, provides the user identity, the accessed content, the equipment used and the equipment state information to the mobile security administrator. The software module running on the gateway implements the corresponding security policy according to the user identity, accessed content, equipment used and equipment state information, controlling the authority of the mobile terminal to access data, and the mobile terminal application interacts with the enterprise server. At the same time, the software module running on the gateway implements application delivery, application acceleration and application security.

The software module installed on the gateway includes the following functional modules:

A. Application delivery and flow management module

By using content exchange, load balancing, dynamic routing and access control list technologies in an integrated hardware and software system, it provides a high-quality operation level and high availability, guaranteeing that users access enterprise-sensitive data safely and efficiently.

B. Application acceleration module

It integrates SSL offloading, application compression, application caching, buffering and TCP optimization technologies; through infrastructure optimization and intelligent HTTP compression it frees server resources, ensures that high-priority applications receive priority processing, greatly improves server performance and reduces bandwidth cost.

C. Application security module

It supports denial of service (DoS) attack protection, security content hiding, application attack filtering, HTTP rewriting, priority queuing, surge protection and other application security functions, adding key security characteristics at a number of other places in the network and comprehensively ensuring the data security of the server.

Fig. 3 is the processing flowchart: when a mobile enterprise user needs to access sensitive data on the enterprise server, the software module designed to run on the mobile terminal establishes a VPN security channel with the gateway and, through the gateway, provides the user identity, the accessed content, the equipment used and the equipment state as authentication information to the mobile security administrator; the software module running on the gateway performs the corresponding operation according to the verification result returned by the mobile security administrator. If the verification does not pass, the gateway rejects the mobile terminal and returns the verification result to it; if the verification passes, the mobile security administrator configures the corresponding security information according to the user identity, accessed content, equipment used and equipment state of the mobile terminal, the gateway implements the security policy configured by the mobile security administrator, and at the same time, through the flow management, application delivery, application acceleration and security function modules, the mobile terminal exchanges data with the server, with the data interaction guaranteed to be both secure and high-speed.
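The verification and authorization flow of steps (1) to (5) and of Fig. 3, modelled as an added Python example (not code from the patent; the user directory standing in for Active Directory, the device-posture fields and the three security levels are assumptions):

```python
"""Added example: toy model of the gateway flow in steps (1)-(5) / Fig. 3.
The directory, posture fields and security levels are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the standard user directory (Active Directory in the
# patent) consulted by the mobile security administrator: user -> (hash, role).
_DIRECTORY = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), "finance"),
    "bob": (hashlib.sha256(b"hunter2").hexdigest(), "staff"),
}
# Assumed classes of enterprise data and the minimum security level each needs.
_REQUIRED_LEVEL = {"public-notice": 0, "mail": 1, "finance-report": 2}

@dataclass
class AuthInfo:
    """Step (1): what the terminal-side module sends over the VPN channel."""
    user: str
    password: str
    content: str            # the content the user wants to access
    device: str             # the equipment used
    device_encrypted: bool  # equipment state as reported by the terminal
    device_rooted: bool

def admin_verify(info: AuthInfo) -> dict:
    """Step (3): the mobile security administrator verifies identity against
    the directory and derives a security level from role and device state."""
    entry = _DIRECTORY.get(info.user)
    if entry is None:
        return {"ok": False, "reason": "unknown user"}
    pw_hash, role = entry
    presented = hashlib.sha256(info.password.encode()).hexdigest()
    # Constant-time comparison so a timing side channel cannot leak the hash.
    if not hmac.compare_digest(pw_hash, presented):
        return {"ok": False, "reason": "bad credential"}
    level = 2 if role == "finance" else 1
    if info.device_rooted or not info.device_encrypted:
        level = 0  # identity passes but posture fails: authority is reduced
    return {"ok": True, "role": role, "level": level}

def gateway_decide(info: AuthInfo) -> dict:
    """Steps (2), (4), (5): forward the auth info, act on the result, then
    apply the access policy the assigned security level allows."""
    result = admin_verify(info)  # steps (2)/(3): administrator round trip
    if not result["ok"]:  # step (4): reject and return the result to the terminal
        return {"access": "denied", "reason": result["reason"]}
    needed = _REQUIRED_LEVEL.get(info.content)
    if needed is None or needed > result["level"]:  # step (5): policy by level
        return {"access": "denied", "reason": "insufficient security level", "level": result["level"]}
    return {"access": "granted", "level": result["level"], "content": info.content}
```

A rooted or unencrypted device still authenticates but is dropped to level 0, so only data that needs no security level is reachable from it.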



Abstract

The invention discloses an enterprise mobile security gateway method with application flow management, application acceleration and security. By utilizing a software module running on a mobile terminal and a software module running on a switch, various kinds of mobile terminal equipment are managed, equipment is protected and data is controlled in a unified manner. The method comprises the following steps in order: establishing a VPN security channel between the software module designed to run on the mobile terminal and a gateway; providing the user identity, the accessed content, the equipment used, the equipment state and other information to a mobile security administrator through the gateway; executing the corresponding security policy by the software module running on the gateway according to the provided user identity, accessed content, equipment used, equipment state and other information, thereby controlling the authority of the mobile terminal to access data; and performing application delivery, application acceleration and application security through the software module running on the gateway. This interactive method can manage various mobile terminal equipment, protect equipment and control data in a unified manner, and can greatly improve enterprise mobile security.

Claims


1. An enterprise mobile security gateway method with application flow management, application acceleration and security, characterized in that it mainly comprises the following steps:

(1) the software module running on the mobile terminal transmits the identity authentication information of the mobile terminal to the software module running on the gateway;

(2) the software module running on the gateway transmits the authentication information of the mobile terminal to the mobile security administrator;

(3) the mobile security administrator verifies the identity using the received authentication information and transmits the verification result back to the gateway;

(4) the gateway receives the authentication result from the mobile security administrator and performs the corresponding operation according to the authentication result;

(5) according to the security level of the mobile terminal, the gateway is configured with the corresponding access policy that allows access to enterprise data; the software module running on the gateway is embedded with an application delivery and flow management module, an application acceleration module and an application security module, which are used to protect equipment, manage apparatus and control data.

2. The enterprise mobile security gateway method with application flow management, application acceleration and security according to claim 1, characterized in that the software module running on the mobile terminal uses single sign-on technology to log in once and maintain a persistent connection; for user verification, the Active Directory user management method or another standard for accessing the enterprise internal server is used to unify the identity authentication management of mobile terminals.

3. The enterprise mobile security gateway method with application flow management, application acceleration and security according to claim 1, characterized in that during data transmission encryption technology is used to establish a secure channel, and all information access by the mobile equipment is forced to be transmitted through this channel, to prevent data from being illegally stolen in the course of transmission.

4. The enterprise mobile security gateway method with application flow management, application acceleration and security according to claim 1, characterized in that in step (4) the gateway performs the corresponding operation according to the verification result: the software module running on the gateway evaluates, according to its inherent security policy and the identity authentication information transmitted by the mobile terminal, whether the mobile terminal is legitimate; if the mobile terminal is judged not legitimate, it is refused access to the system; if the mobile terminal is judged legitimate, it is allowed to access the system; at the same time, the authority of the logged-in user is divided based on the user identity, the accessed content, the equipment used and the equipment state information provided by the mobile terminal.