面向虚拟桌面内外部数据流的安全控制机制研究

桌面虚拟化需要借助虚拟桌面协议来实现内部应用数据和外部操作平台的数据交互。然而该类协议中的数据流控制机制并不完善,存在数据非法交互的安全隐患。为解决该问题,基于网关模式提出了一种面向虚拟桌面内外部数据流的安全控制机制SCIED。它不仅能对协议中的虚拟通道进行全面管控,避免修改协议和大量的终端,还具有较高的兼容性、拓展性。将它部署于网关并用于防护边界攻击,能显著减少服务器端的负载和安全隐患。实验表明,该SCIED能够有效保证数据流的安全交互,并且对现有桌面会话的性能影响较小。

Secure Control Mechanism of Internal and External Data-flow Oriented to Virtual-desktop

The data interaction of desktop virtualization between internal application data and external user operation platform are realized by virtual desktop protocol.Because of the deficiency of the data flow control mechanism in this kind of protocol,it may lead to the illegal interaction.In order to resolve this problem,based on gateway,this paper proposed a secure control mechanism of internal and external data-flow oriented to virtual-desktop.It not only has the overall control of virtual channel,avoiding modifying lots of transport protocols or terminals,but also has high compatibilities,expansibilities and usability.Deploying it at the gateway to protect from boundaries attack can reduce the server load and safety concerns significantly.Experiments prove that this mechanism can control the direction of data flow effectively.Meanwhile,it has little impact on existing desktop session.